JavaRanch » Java Forums » Products » Tomcat
Not able to configure SSL on tomcat 7 In CentOS VM

Rajesh Vasudevan
Greenhorn

Joined: Jul 24, 2013
Posts: 5
Hi All,

I did all the steps explained at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#comment_1516

1. I created a keystore
2. I updated my Connector

<Connector port="8443" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/apache-tomcat-7.0.35/conf/.keystore"
keystorePass="myPass"/>

3. I tried a different protocol in the Connector as well.

Whatever I do, I am unable to access https. As my machine is an AWS VM (CentOS), I will be accessing https externally. Somehow my http URL is accessible, whereas I cannot access https.

I have been stuck with this small issue for 5 days; I tried creating keys and a CRT using OpenSSL as well, but nothing worked out.
I even tried accepting 8443 in iptables. No luck.

Someone please help me out. I could set up https successfully by following the above steps, but my development server is a VM deployed on AWS running CentOS.

Please help me out in this situation. Thanks in advance.
-Cheers
Rajesh
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305

Welcome to the JavaRanch, Rajesh!

You should be seeing messages in your catalina.out logfile that indicate why SSL isn't coming up.


Customer surveys are for companies who didn't pay proper attention to begin with.
Rajesh Vasudevan
Greenhorn

Joined: Jul 24, 2013
Posts: 5
Hi Tim,

Thanks for the response. There is no error getting logged in the log file:

Jul 24, 2013 11:25:33 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 24, 2013 11:25:33 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jul 24, 2013 11:25:33 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8443"]
Jul 24, 2013 11:25:34 AM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Jul 24, 2013 11:25:34 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Jul 24, 2013 11:25:34 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1500 ms
Jul 24, 2013 11:25:34 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jul 24, 2013 11:25:34 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.35
Jul 24, 2013 11:25:34 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /usr/local/apache-tomcat-7.0.35/webapps/uploader-0.0.1-SNAPSHOT.war
Jul 24, 2013 11:25:34 AM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/usr/local/apache-tomcat-7.0.35/webapps/uploader-0.0.1-SNAPSHOT/WEB-INF/lib/servlet-api-2.5.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
Jul 24, 2013 11:25:34 AM org.apache.jasper.EmbeddedServletOptions <init>
SEVERE: The scratchDir you specified: /usr/local/apache-tomcat-7.0.35/work/Catalina/localhost/uploader-0.0.1-SNAPSHOT is unusable.
Jul 24, 2013 11:25:34 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /usr/local/apache-tomcat-7.0.35/webapps/eps-1.0.war
Jul 24, 2013 11:25:35 AM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/usr/local/apache-tomcat-7.0.35/webapps/eps-1.0/WEB-INF/lib/servlet-api-2.5.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
log4j:WARN No appenders could be found for logger (org.springframework.web.servlet.DispatcherServlet).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.35/webapps/icons
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.35/webapps/examples
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.35/webapps/backup
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.35/webapps/host-manager
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.35/webapps/docs
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.35/webapps/ROOT
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.35/webapps/manager
Jul 24, 2013 11:25:43 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Jul 24, 2013 11:25:43 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-nio-8443"]
Jul 24, 2013 11:25:43 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Jul 24, 2013 11:25:43 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9470 ms
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305

Do the following:


This will show if the connector is coming up. If it is, then I'd need to know the exact error message you get when issuing an https request to the server. Also any differences you might get between issuing the request on the server machine versus what you get when issuing the request on some other machine.

There's no "even" to opening port 8443 on iptables, though. If you don't do it, external clients cannot use it.
Rajesh Vasudevan
Greenhorn

Joined: Jul 24, 2013
Posts: 5
Hi Tim,

I am getting the response as mentioned below.

[root@i~]# netstat -ln | grep 8443
tcp 0 0 :::8443 :::* LISTEN
[root@ ~]#

And on opening 8443, I made iptables accept 8443 and opened it to the outside world. I am not sure where I can capture the error log. As mine is a deployed VM, I don't have a UI to hit https locally, but when I try hitting https externally from my machine it is not responding, whereas for the same IP I am able to access 8080 - http.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305

In my firewall, I keep a "-j LOG" rule right before the final (DROP) rule so I can see who is offending me.

There are several ways to check a webserver locally on a machine with no GUI interface. You can use the "links" (or "lynx") character-mode browser, if it is installed. You can use wget. You can use curl. For simple plain-text protocols such as http, you can even use telnet.
Rajesh Vasudevan
Greenhorn

Joined: Jul 24, 2013
Posts: 5
Hi Tim,

I tried hitting the external https URL; it is timing out.

When I tried wget https://localhost:8443

I get the following response:

[root@i ~]# wget https://localhost:8443
--2013-07-24 12:56:24-- https://localhost:8443/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:8443... connected.
ERROR: cannot verify localhost's certificate, issued by '/C=us/ST=eps/L=eps/O=eps/OU=eps/CN=eps':
Self-signed certificate encountered.
ERROR: certificate common name 'eps' doesn't match requested host name 'localhost'.
To connect to localhost insecurely, use '--no-check-certificate'.
[root@i ~]#
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305

That narrows it down to one of 4 things, I think:

1. Your remote client isn't actually talking to the machine you think it is (wrong IP address)

2. Your firewall isn't really open for port 8443

3. Your client is making an IPV4 request, but Tomcat is only listening to IPV6 traffic (some JVMs would do this by default).

4. Your client is making an IPV6 request, but you have only opened the IPV4 firewall for 8443.

In theory, netstat would show if condition 3 is the problem, but on my CentOS server, it's a little ambiguous these days.
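The checklist above (wrong host, firewall not really open, IPv4 client vs. IPv6-only listener, IPv6 client vs. IPv4-only firewall) and the earlier "open 8443 in iptables" step can both be triaged from two command outputs. The script below is an added example written for this page; it is not from the thread or from Tomcat. It classifies a `netstat -ln` listing by address family and walks an `iptables -L INPUT -n` chain in rule order, which catches the common mistake of appending an ACCEPT rule with `-A` behind the catch-all REJECT that stock CentOS ships with. The sample outputs embedded in it are constructed (modelled on the netstat line posted in the thread and a default CentOS INPUT chain); the function names `listener_family`, `fw_state` and `tls_probe` are this example's own. Run the real `netstat`/`ss` and `iptables` commands on the server and feed their output to the same functions.

```shell
#!/bin/sh
# Added example (not from the thread): triage a TLS connector that answers on
# localhost but times out remotely, by classifying (a) which address family the
# port is bound to and (b) whether iptables actually lets the port through.
# Sample outputs are constructed; on the server use the real commands.

PORT=8443

# Constructed: what `netstat -ln` showed in the thread, plus the http listener.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 :::8443                 :::*                    LISTEN'

# Constructed: a stock CentOS INPUT chain with 8080 opened and 8443 never added.
SAMPLE_IPTABLES_MISSING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Constructed: the same chain after `iptables -A INPUT -p tcp --dport 8443 -j ACCEPT`.
# -A appends *after* the catch-all REJECT, so the new rule is never reached.
SAMPLE_IPTABLES_APPENDED="$SAMPLE_IPTABLES_MISSING
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8443"

# listener_family NETSTAT_OUTPUT PORT -> v4 | v6 | both | none
# A local address with more than one colon (:::8443, ::1:8443) is an IPv6
# socket. On Linux an IPv6 wildcard socket also accepts IPv4 connections unless
# `sysctl net.ipv6.bindv6only` is 1, so "v6" means "go check bindv6only",
# not "IPv4 clients cannot reach it".
listener_family() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $NF == "LISTEN" && $4 ~ (":" port "$") {
      addr = $4
      if (gsub(/:/, ":", addr) > 1) v6 = 1; else v4 = 1
    }
    END {
      if (v4 && v6) print "both"
      else if (v6)  print "v6"
      else if (v4)  print "v4"
      else          print "none"
    }'
}

# fw_state IPTABLES_OUTPUT PORT -> open | shadowed | missing
# Walks the chain top to bottom: an ACCEPT for the port only counts if no
# catch-all REJECT/DROP comes before it; otherwise the rule is "shadowed"
# (fix: insert it with `iptables -I INPUT ...`, then `service iptables save`).
fw_state() {
  printf '%s\n' "$1" | awk -v port="$2" '
    state == "" && $1 == "ACCEPT" && $0 ~ ("dpt:" port "($| )") {
      state = (catchall ? "shadowed" : "open")
    }
    ($1 == "REJECT" || $1 == "DROP") && $2 == "all" { catchall = 1 }
    END { print (state == "" ? "missing" : state) }'
}

# tls_probe HOST PORT: the local handshake check wget did in the thread, but
# without certificate verification getting in the way. Prints the subject of
# the certificate actually served, so a CN that does not match the public
# hostname is visible immediately. Not run here; needs openssl and a live port.
tls_probe() {
  timeout 5 openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject
}

echo "listener $PORT: $(listener_family "$SAMPLE_NETSTAT" "$PORT")"
echo "firewall $PORT, rule never added: $(fw_state "$SAMPLE_IPTABLES_MISSING" "$PORT")"
echo "firewall $PORT, rule added with -A: $(fw_state "$SAMPLE_IPTABLES_APPENDED" "$PORT")"
```

On a live server replace the samples with `netstat -ln` (or `ss -ltn`) and `iptables -L INPUT -n --line-numbers` output, and call `tls_probe localhost 8443` for the local handshake. Two caveats that go beyond the thread: on an EC2 instance the security group is a second firewall in front of iptables and must also allow 8443, and the certificate in the wget output above carries CN=eps, which no browser will accept for the instance's public hostname even once the port is reachable.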
Rajesh Vasudevan
Greenhorn

Joined: Jul 24, 2013
Posts: 5
Hi Tim,

Thanks for the response. Of the points mentioned above, we can remove point 1, as I tried the IP with 8080 (http) on wget and I am getting the response. On the other three, I guess the machine is using iptables, not ip6tables. Just to clarify about iptables and ip6tables: I see only iptables inside system-config, where I can add a port exception script or even directly run an iptables accept command. Does that mean my server is using iptables, not ip6tables? Sorry to ask basic questions; I am pretty new to the Linux world.

Please direct me with some examples.

Thanks a lot
-Cheers
Rajesh
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305

Sometimes people are talking to a Tomcat, but not the Tomcat they think they're talking to, which is why I listed point #1.

The presence or absence of ip6tables has nothing to do with whether any given server on the machine is listening on IPV6. Also, IPV6 and IPV4 are not mutually exclusive. A server can listen to both. Which is why I couldn't be certain of what I saw on my own netstat listing.

However, if your client is making an IPV6 request and the ip6tables firewall blocks it or the server isn't listening on IPV6, it will fail.

Likewise, if your client makes an IPV4 request and the server is only listening on IPV6, it will fail. This is a common case, since, as I said, some JVM versions would only listen to IPV6 by default and had to be conditioned via a command-line option to listen on IPV4.

You might try installing an Oracle Java 7 release and setting your Tomcat's JAVA_HOME to reference it. I haven't noticed any problems there.