This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
I am trying to configure a Tomcat 6.0.13 server with client authentication (corporate CA and each user has PKI certs installed into their browser). I have built a default keystore in the user's directory where the Tomcat server is running and installed the server cert there. I have installed a global keystore in the Java 5 JRE into which I have loaded the trusted chain.
When I start tomcat the log gets filled with repeated SEVER messages as follows:
Socket Accept Failed java.net.SocketException:SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled. at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150) at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310) at java.lang.Thread.run(Thread.java.595)
You need to pased your server.xml on the Connector section where you configure SSL.
My guess is that you have the key name not matching what you added to your keystore.
If you cont to have problem, print the output of how you add your keys and created your keystore will get you faster answers.
Joined: Jul 09, 2008
indeed you are on to the solution.
I moved my server cert from the truststore to the default keystore I then modified the connector to have the key alias and key password Then things began to work correctly.
One oddity was observed; I noticed that after shutting down Tomcat, it takes a while before the ports it configured are truly released. If tomcat is restarted before the ports are cleared other errors crop up. So to make sure a clean server is obtained use netstat -a | grep <configured port> checking all the ports tomcat cares about. When they are all released start the server with the current changes.
I’ve looked at a lot of different solutions, and in my humble opinion Aspose is the way to go. Here’s the link: http://aspose.com