JavaRanch » Java Forums » Java » Sockets and Internet Protocols
configuring Tomcat for SSL

hossein arabi
Greenhorn

Joined: Jan 15, 2009
Posts: 20
Dear All,
I have created a keystore that contains the self-signed certificate and the private key.
Then I have configured the server.xml:

What else do I have to do so that I can see the HTTPS?
What are the next steps?
Thank you so much...
Carey Evans
Ranch Hand

Joined: May 27, 2008
Posts: 225

If you’re not using the default JKS keystore type, you will need to tell Tomcat. Look in the documentation for keystoreType, or put your keys in a JKS keystore instead.
hossein arabi
Greenhorn

Joined: Jan 15, 2009
Posts: 20
Carey Evans wrote:If you’re not using the default JKS keystore type, you will need to tell Tomcat. Look in the documentation for keystoreType, or put your keys in a JKS keystore instead.


I am using JCE to create a PKCS12 keystore format that contains my self-signed certificate + private key
Carey Evans
Ranch Hand

Joined: May 27, 2008
Posts: 225

hossein arabi wrote: I am using JCE to create a PKCS12 keystore format that contains my self-signed certificate + private key

Since you've chosen not to use a JKS keystore, you need to configure Tomcat to tell it what kind of keystore you are using.
hossein arabi
Greenhorn

Joined: Jan 15, 2009
Posts: 20
Thanks....
I had mentioned the type of the certificate in server.xml:


And now the problem is that I cannot open the HTTPS site with a browser except with the Netscape browser, and it makes me confused...
1. The question is how I can view the HTTPS site from IE, because I am going to use that browser (when I use the .jks format for the keystore everything goes well, but since I have to use a client certificate it should be .pfx format).
And Tomcat is running well...
Thank you so much :P
Carey Evans
Ranch Hand

Joined: May 27, 2008
Posts: 225

If it works with JKS, why can't you use that? The JCA Reference Guide explains that PKCS #12 doesn't support trusted certificates yet, which JKS does, so this may be the problem. You can still use PKCS #12 for the client key, and JKS for the server key and trusted client certificate.
hossein arabi
Greenhorn

Joined: Jan 15, 2009
Posts: 20
So it means that the format can be different?
I can use JKS for the server and PFX (PKCS12) for the client?

And one more question: for client authentication, do I also need to create a keystore, or is just the certificate enough?
Thanks....
Carey Evans
Ranch Hand

Joined: May 27, 2008
Posts: 225

Well, you would use JKS for Java code, and PFX to supply a key for the browser to import into its own keystore, which is different for Internet Explorer and Firefox.

If you're using SSL to authenticate the client, it needs a private key, which can be exported to and imported from a PFX file. If you're using a password to authenticate the client, and only using SSL to authenticate the server, all the client needs is the server certificate.
hossein arabi
Greenhorn

Joined: Jan 15, 2009
Posts: 20
I want to use mutual authentication... so both server and client authentication are needed...
Till now I could manage to do the server authentication...
The only thing left is the client authentication, which I don't have any clue about:
1. How to request the client certificate from the server
2. Is it just a client certificate, or is it a keystore that contains the client cert + private key?
Thanks for guiding me ....
Carey Evans
Ranch Hand

Joined: May 27, 2008
Posts: 225

For mutual authentication, each end needs its own private key in its keystore, and a certificate from the other end in its truststore; this certificate could be from the other key, or a CA which has signed it. Tomcat makes the truststore the same as the keystore by default, which can be confusing. You also need to configure Tomcat to ask for the other end’s certificate with the clientAuth setting.

Java 6 also doesn't support a PKCS #12 (PFX or P12) file for the truststore, only JKS or JCEKS.

The browser can get the remote certificate into its trusted certificates from a .CER file. Its private key can be imported from a PKCS #12 file, or it can generate one itself and get it signed online by a CA. You can run your own CA using EJBCA, or one that comes with your OS.

Note that you don’t need to issue the certificates for the browsers yourself. If your users get their client certificates from Brand X CA, you can add Brand X CA’s root certificate to your server’s trust store to accept the client certificates.
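The Tomcat connector configuration that the last two replies describe (JKS keystore and a separate JKS truststore on the server, clientAuth turned on), as an added example that is not from the original thread. The file names, passwords and aliases are assumed placeholders; the attribute names are those of the Tomcat 6 JSSE HTTP connector.

```xml
<!-- Added example: server.xml fragment for mutual TLS on Tomcat 6 (JSSE connector).
     Assumed paths/passwords are placeholders; replace them with your own. -->

<!-- BEFORE: only the server key is configured. Tomcat then reuses the keystore
     as the truststore, so client certificates must live in the same JKS file,
     which is the confusing default mentioned above. No client cert is requested. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.jks"
           keystorePass="changeit"
           keystoreType="JKS" />

<!-- AFTER: the server's private key stays in server.jks; the certificates the
     server trusts (either the client's own cert or the CA that signed it, e.g.
     "Brand X CA") go into a separate JKS truststore; clientAuth="true" makes
     Tomcat request and verify the client certificate during the handshake. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.jks"
           keystorePass="changeit"
           keystoreType="JKS"
           truststoreFile="conf/truststore.jks"
           truststorePass="changeit"
           truststoreType="JKS"
           clientAuth="true" />

<!-- The browser side keeps its own private key (imported from a PKCS12 / .pfx file)
     and only the server's certificate (.cer) in its trusted store; a PKCS12 file
     is not used anywhere on the Tomcat side, since Java 6 cannot read one as a
     truststore. -->
```

Use clientAuth="want" instead of "true" if the client certificate should be optional and requests without one should still reach the application.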