[Update - Success] Adding SSL certificate to Server.xml

Marty Finn
Greenhorn

Joined: Aug 24, 2007
Posts: 7
Preface: I know nothing about web servers as you will soon understand but still I am the one that has to get this done. I am walking into this blind.

I am trying to update our Server.xml as per these instructions. But our Server.xml file doesn't have this section to uncomment. I will post our Server.xml below.

___________________________________________
Open the server.xml file.
After uncommenting the SSL/TLS connector from server.xml, locate the following text section:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
Add the "keystoreFile" and "keystorePass" directives:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/full/path/to/tomcat.keystore" keystorePass="changeit" />
Restart Tomcat.
________________________________________________
Any help really appreciated. I am totally lost. I have been reading at apache.tomcat.org and have tried to paste some examples in but then Tomcat Service won't start.

[ August 27, 2007: Message edited by: Marty Finn ]
Rene Larsen
Ranch Hand

Joined: Oct 12, 2001
Posts: 1179

You can read about the configuration here SSL Configuration HOW-TO

It looks like an easy job: just take the section that should have been uncommented from the documentation (see above) and copy/paste it into server.xml below <Service name="Catalina">.


Regards, Rene Larsen
Marty Finn
Greenhorn

Joined: Aug 24, 2007
Posts: 7
Yes I did read that yesterday and tried to paste that in right where you mentioned but afterwards the Tomcat service would not load.
Rene Larsen
Ranch Hand

Joined: Oct 12, 2001
Posts: 1179

Which version of Tomcat do you have 4.0.x or 4.1.x?

Your first post shows a description for 4.0.x (<Factory className="or...), but your server.xml is from a Tomcat v4.1.x to v6.x.
Marty Finn
Greenhorn

Joined: Aug 24, 2007
Posts: 7
5.0 I think..
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

With 5, you don't need the <factory ..> tag.
You only need to enter the keystoreFile and keystorePass attributes.



Marty Finn
Greenhorn

Joined: Aug 24, 2007
Posts: 7
Thank you. Am I supposed to close this with </Connector>? When I do, the service won't start. When I don't, it starts but https:// to the site does not work.

How can I tell if I have the .java components running that are needed to facilitate this?

-Sorry for being a total noob
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

It's an XML document so each tag has to be closed.
The example above has no body and doesn't need a separate closing tag.
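
Putting Ben's answer together, as an added example that is not from the thread or the Tomcat docs: a complete Tomcat 5.x HTTPS connector for server.xml. The keystore path and password are placeholders for your own values.

```xml
<!-- Added example (not from the thread): Tomcat 5.x HTTPS connector.
     No <Factory> element, and no separate </Connector>: the element has
     no body, so it closes itself with "/>". Goes inside
     <Service name="Catalina">, next to the existing port 8080 connector.
     keystoreFile and keystorePass below are placeholders. -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/path/to/tomcat.keystore"
           keystorePass="changeit" />
```

The keystore must hold the server's private-key entry under the alias tomcat (the alias Tomcat looks up by default, and the one the keytool -genkey and openssl -name commands in this thread use), and keystorePass must be the password the keystore was created with.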

Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Marty Finn:

How can I tell if I have the .java components running that are needed to facilitate this?


If you have a valid certificate, all you need to do is tell Tomcat where it is and it should work. You don't need any .java components.
Marty Finn
Greenhorn

Joined: Aug 24, 2007
Posts: 7
Thanks again.
I feel like I am getting closer. This is what I have in my server.xml.

I have tried to put the tomcat.keystore in different locations. Can it be copied from where it was created by the keytool commands? The certificate we got from GoDaddy.com had 2 options for creating the .keystore file.
Use the following OpenSSL command to combine the ca bundle (gd_bundle.crt) and your SSL certificate:

openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit
OR
Installing Root and Intermediate Certificates
Root:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt

First intermediate (gd_cross_intermediate.crt):
keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt

Second intermediate (gd_intermediate.crt):
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
I chose the second option because "OPENSSL" was an invalid command.

Anyways this is the error I now get in the stdout.log


Thanks Again
[ August 27, 2007: Message edited by: Marty Finn ]
Marty Finn
Greenhorn

Joined: Aug 24, 2007
Posts: 7
OK thanks for all the help. I was importing the certificates into the wrong .keystore file.

When I now go to https://localhost:8443 I am prompted about the certificate and our webpage loads. However, from outside, just going to https://ourwebsite.com gives "page cannot be displayed", but plain http:// works.

Any ideas on my next step?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Marty Finn:
OK thanks for all the help. I was importing the certificates into the wrong .keystore file.

When I now go to https://localhost:8443 I am prompted about the certificate and our webpage loads. However, from outside, just going to https://ourwebsite.com gives "page cannot be displayed", but plain http:// works.

Any ideas on my next step?


Congrats on the keystore file.
TIP: Document what you did. You won't remember this stuff a year from now when you need to do it again.


If Tomcat is serving up your pages under SSL from within your network or on the local machine, it's working.
Check your firewall settings and/or your port forwarding to make sure that 8443 is both open to the outside world and pointing to the correct machine.