issue with tomcat over SSL

David Dyck
Greenhorn

Joined: Jul 13, 2012
Posts: 4
Hi guys, new to the forum here.

A few months ago I was tasked with setting up a LAMP server to run Apache Tomcat and ODK Aggregate. The installation went fairly smoothly, considering it was my first time having to deal with tomcat.

About a week ago our developer decided he wants to use SSL for his tomcat traffic. I have spent several days studying and following various online tutorials on how to accomplish this, but so far, no luck.

My setup so far: Debian Squeeze, apache2, tomcat6 running fine with ODK Aggregate, the only app running in tomcat so far.

I have the following lines pointing to my certificate files in /etc/apache2/sites-available/default-ssl

SSLCertificateFile /etc/apache2/ssl/test.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/test.com.key
SSLCACertificateFile /etc/apache2/ssl/thawte_Server_CA.pem

Both http://test.com and https://test.com display the home page, and I get the green lock icon next to "https" in the browser's address bar, so I think we're good so far.

The problem starts when I try to run my tomcat apps over SSL. After several step-by-step guides that failed at some point or another, the last thing I tried was:

# keytool -import -alias root -keystore tomcat.p12 -trustcacerts -file thawte_Server_CA.pem

# keytool -import -alias tomcat -keystore tomcat.p12 -file test.com.crt

From what I've gathered, at this point I'm supposed to have both Thawte's Root (thawte_Server_CA.pem) and my Thawte-issued certificate (test.com.crt) in tomcat.p12.

My tomcat connectors in server.xml are as follows (the first one is unmodified):

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />

<Connector port="8443"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="true"
           disableUploadTimeout="true"
           acceptCount="100"
           debug="0"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/etc/apache2/ssl/tomcat.p12"
           keystorePass="_mypassword_" />

I can pull up test.com:8080 and test.com:8443 over http, but when I try https://test.com:8443, I get "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error."

Any help would be much appreciated. Thanks in advance!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16228

Welcome to the JavaRanch, David!

A little quick googling makes it appear that this particular message comes from the Chrome browser, so you might want to try another browser and see if you can get a more informative message.

I think you know this, but it never hurts to remind people: The security cert formats are not the same for Tomcat and Apache httpd. Which is a real pain. Not only can you not share the certs directly, but the process of format conversion can be really annoying.


Customer surveys are for companies who didn't pay proper attention to begin with.
David Dyck
Greenhorn

Joined: Jul 13, 2012
Posts: 4
Thanks Tim. Perhaps I should have mentioned this in my initial post, but I did quite a bit of google searching (as I always do) before posting. I did see the issue with Chrome coming up, but I'm getting errors in all browsers (IE and Firefox), so I'm inclined to believe the issue is with the server, not the browser. Here's what I get in Firefox:

Secure Connection Failed
An error occurred during a connection to test.com:8443.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Does that shed any light on the issue?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16228

Indeed it does.

Most probably you are sending a http (non-encrypted) request to the https port, despite your intentions of sending it https-format.

How it's getting sent without the encryption isn't obvious to me at the moment, though.
David Dyck
Greenhorn

Joined: Jul 13, 2012
Posts: 4
That kinda makes sense. After reading your last post, I got an idea to try both https://test.com:8080 and https://test.com:8443. As I suspected, they both return the same error. So apparently, Tomcat is listening on both ports in http only, even though in the configuration I have scheme="https", secure="true", and sslProtocol="TLS" for 8443.

Is it possible that Tomcat tries to load the SSL info for port 8443, finds something wrong in the config or maybe the certificate and then just fails over to regular http? I'll check my Catalina logs again...
David Dyck
Greenhorn

Joined: Jul 13, 2012
Posts: 4
After much frustration, I decided to try generating a self-signed certificate. After doing so, telling server.xml where to find it, and restarting tomcat, I noticed the following in my catalina log:

SEVERE: Error starting endpoint
java.io.FileNotFoundException: /etc/apache2/selfssl/keystore.jks (Permission denied)

Aha!!! So after

# chmod 755 /etc/apache2/selfssl/keystore.jks

and another tomcat restart, it now runs SSL on port 8443!

Somewhere in the many tutorials I've studied in the course of setting this up, I remember someone saying that permissions on all certificate files should be set to 400, which is what I've been doing.

Clearly this doesn't work (at least not if root is the owner), but 755 does.

Of course, I still want to be able to use the Thawte certificate I paid for, so my next question is: How should I set permissions in my certificate files to allow tomcat to read them, but still keep them secure?

-- btw thanks Tim Holloway for stimulating some ideas and helping me along this far. I will post my findings and my working SSL connector once I get everything working.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16228

The keystore isn't a certificate file, it's a database. To access the certs, you have to invoke a retrieval process that must be given a password, and beyond that there are 2 levels of passwords available for the exceptionally paranoid.

I noticed that the actual rights I have set on my test system are 664, although I suspect that 600 would probably be more appropriate. Why write access? Not sure, but there may be some history that needs updating when the keystore is accessed.

If you're serious about securing the keystore, several additional things can help. First, place it in a location that's more generally secured and out of harm's way. On Linux, that would be in the /etc directory, although /etc has its public aspects. Secondly, you could consider using the selinux security system to limit access to the keystore on a fine-grained basis. That's not a trivial process, but it's an effective one.
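One concrete way to settle the permissions question from the thread, as an added example rather than code posted by either participant: root keeps ownership of the keystore, the group Tomcat runs as gets read-only access (mode 0440), and everyone else gets nothing. It assumes Tomcat runs under a dedicated service account (Debian's tomcat6 package uses user and group "tomcat6"; adjust to your install); can_read reproduces the owner/group/mode check behind the "Permission denied" in catalina.out, and tls_probe confirms the 8443 connector really answers in TLS rather than plaintext.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed service account: tomcat6.
# Usage on the poster's box (as root):
#   harden_keystore /etc/apache2/ssl/tomcat.p12 root tomcat6
#   can_read /etc/apache2/ssl/tomcat.p12 tomcat6      # expect: yes
#   tls_probe test.com 8443

# harden_keystore FILE OWNER GROUP
# Owner keeps the file, GROUP may read it, others get nothing (0440).
# Use 0640 instead if keytool will be run as OWNER to update the store.
harden_keystore() {
    file=$1; owner=$2; group=$3
    [ -f "$file" ] || { echo "no such keystore: $file" >&2; return 1; }
    chown "$owner:$group" "$file" || return 1
    chmod 0440 "$file" || return 1
    stat -c '%a' "$file"          # prints the resulting octal mode: 440
}

# can_read FILE USER -> prints yes/no: can USER open FILE for reading?
# Same decision the kernel made when Tomcat hit FileNotFoundException on
# the 0400 root-owned keystore; root always passes.
can_read() {
    file=$1; user=$2
    mode=$(stat -c '%a' "$file"); fowner=$(stat -c '%U' "$file")
    fgroup=$(stat -c '%G' "$file")
    other=$(( mode % 10 )); grp=$(( (mode / 10) % 10 ))
    usr=$(( (mode / 100) % 10 ))
    if [ "$user" = root ]; then echo yes; return 0; fi
    if [ "$user" = "$fowner" ]; then bit=$usr
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$fgroup"; then
        bit=$grp
    else bit=$other; fi
    if [ $(( bit & 4 )) -ne 0 ]; then echo yes; else echo no; fi
}

# tls_probe HOST PORT: a working TLS connector reports Protocol/Cipher;
# a plaintext listener on that port makes the client report "wrong
# version number" (Firefox: ssl_error_rx_record_too_long).
tls_probe() {
    openssl s_client -connect "$1:$2" </dev/null 2>&1 \
        | grep -E 'Protocol|Cipher|wrong version number|unknown protocol'
}
```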
