
tomcat ssl

 
marius tanislav
Greenhorn
Hi,
I wish to configure HTTPS on Tomcat. I have done as below:
keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/pki/keystore; the keystore password, as well as the tomcat key password, is changeit.
In server.xml:
<Connector
    protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/etc/pki/keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>

<Host name="www.test.com" appBase="webapps"
unpackWARs="true" autoDeploy="true">
</Host>

I do not have the libtcnative library in lib.

Then I try https://www.test.com:8443/ and I am not able to connect.
Thanks,
marius
 
Tim Holloway
Saloon Keeper
Welcome to the JavaRanch, Marius!

Have you used the "netstat" program to see if port 8443 has been opened for listening? If so, will your firewall permit traffic through port 8443?
 
marius tanislav
Greenhorn
Hi Tim,

I ran iptables -F, so the firewall is fine.
netstat -tulp output is:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 1461/sshd
tcp 0 0 localhost:ipp *:* LISTEN 1345/cupsd
tcp 0 0 localhost:smtp *:* LISTEN 1601/master
tcp 0 0 *:ssh *:* LISTEN 1461/sshd
tcp 0 0 localhost:ipp *:* LISTEN 1345/cupsd
tcp 0 0 localhost:mxi *:* LISTEN 2111/java
tcp 0 0 *:8009 *:* LISTEN 2111/java
tcp 0 0 *:webcache *:* LISTEN 2111/java
udp 0 0 *:bootpc *:* 1340/dhclient
udp 0 0 *:ipp *:* 1345/cupsd


So no port 8443 is open. How will I be able to open it? Is the rest of what I have done correct? Thanks.
marius
 
Tim Holloway
Saloon Keeper
It's better to run netstat with the "-n" option turned on. First of all, because it's faster, secondly, because we can see the true port number. The symbolic port (service) is determined by looking up the number in a file which may or may not accurately reflect the true usage of that port.

I see Tomcat's control port: 8009. But I don't see Tomcat's stock HTTP port (8080). I can't tell if it's open, but being identified as something else, or if it's not open at all.

A good place to look for error messages for stuff like this is the Tomcat localhost log file. Sometimes stuff goes there instead of to the Tomcat catalina.out log.
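As an added example (not code from the original thread), here is a small Python parser for the numeric `netstat -tulpn` output Tim asks for. It classifies each listening socket by exposure, using the two listings marius posts later in the thread as constructed sample input: in the first, Tomcat's PID holds 8443, 8009 and 8080 on every interface (`:::` is the IPv6 wildcard, which on a default Linux dual-stack socket also accepts IPv4) and 8005 on loopback only; in the second, taken after the reinstall, 8443 is absent. The `audit` function flags the missing TLS port and, as a reviewer would, the AJP connector bound to all interfaces; the note that 8005 is Tomcat's shutdown port is standard Tomcat knowledge, not something the thread states.

```python
"""Classify listening sockets from `netstat -tulpn` output.

Added example for this thread; not code from the original posts. The two
listings below are constructed copies of the ones marius posted.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the listing in which Tomcat (PID 2207) has opened 8443.
LISTING_WITH_8443 = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1504/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1355/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1613/master
tcp 0 0 :::22 :::* LISTEN 1504/sshd
tcp 0 0 ::1:631 :::* LISTEN 1355/cupsd
tcp 0 0 :::8443 :::* LISTEN 2207/java
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN 2207/java
tcp 0 0 :::8009 :::* LISTEN 2207/java
tcp 0 0 :::8080 :::* LISTEN 2207/java
udp 0 0 0.0.0.0:68 0.0.0.0:* 1349/dhclient
udp 0 0 0.0.0.0:631 0.0.0.0:* 1355/cupsd
"""

# Constructed sample: the listing after the reinstall, where 8443 is missing.
LISTING_WITHOUT_8443 = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1459/sshd
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN 2104/java
tcp 0 0 :::8009 :::* LISTEN 2104/java
tcp 0 0 :::8080 :::* LISTEN 2104/java
udp 0 0 0.0.0.0:68 0.0.0.0:* 1339/dhclient
"""

LOOPBACK = {"127.0.0.1", "::1", "::ffff:127.0.0.1"}
WILDCARD = {"0.0.0.0", "::"}   # '::' on a default Linux dual-stack socket takes IPv4 too


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int
    program: str

    @property
    def exposure(self) -> str:
        if self.address in LOOPBACK:
            return "loopback-only"
        if self.address in WILDCARD:
            return "all-interfaces"
        return "specific-address"


def parse_netstat(text: str) -> list[Listener]:
    """Parse the data rows of `netstat -tulpn`; header rows are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # TCP rows carry a State column and only LISTEN sockets matter here;
        # UDP rows have no state, so every bound UDP socket is reported.
        if f[0].startswith("tcp") and "LISTEN" not in f:
            continue
        # The port follows the last ':'; IPv6 addresses contain ':' themselves.
        address, _, port = f[3].rpartition(":")
        pid, _, program = f[-1].partition("/")   # '-' when netstat is not run as root
        out.append(Listener(f[0], address, int(port), int(pid) if pid.isdigit() else -1, program))
    return out


def ports_of(listeners: list[Listener], program: str = "java") -> dict[int, str]:
    """Port -> exposure for every socket owned by the given program."""
    return {l.port: l.exposure for l in listeners if l.program == program}


def audit(text: str, tls_port: int = 8443) -> list[str]:
    """Findings a reviewer would raise on a Tomcat host's listing."""
    ports = ports_of(parse_netstat(text))
    findings = []
    if tls_port not in ports:
        findings.append(f"{tls_port} not listening: check the Connector and catalina.out")
    # 8005 is Tomcat's shutdown port: anything that can connect can stop the server.
    if ports.get(8005) not in (None, "loopback-only"):
        findings.append("shutdown port 8005 is reachable from the network")
    # AJP trusts its peer by default; keep it off the network unless a front-end
    # web server needs it, and then bind it to that interface only.
    if ports.get(8009) == "all-interfaces":
        findings.append('AJP 8009 bound to all interfaces; set address="127.0.0.1" or remove the connector')
    return findings
```

Feed it `netstat -tulpn` output captured on the host (as root, so the PID/Program column is populated) and compare the `java` entry against the Connectors in server.xml; a port that is configured but absent here is the cue to read the startup log rather than the firewall.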
 
marius tanislav
Greenhorn
Hi Tim,
The output of netstat -tulpn:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1504/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1355/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1613/master
tcp 0 0 :::22 :::* LISTEN 1504/sshd
tcp 0 0 ::1:631 :::* LISTEN 1355/cupsd
tcp 0 0 :::8443 :::* LISTEN 2207/java
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN 2207/java
tcp 0 0 :::8009 :::* LISTEN 2207/java
tcp 0 0 :::8080 :::* LISTEN 2207/java
udp 0 0 0.0.0.0:68 0.0.0.0:* 1349/dhclient
udp 0 0 0.0.0.0:631 0.0.0.0:* 1355/cupsd

So Tomcat listens on 8443, 8009 and 8080.
When I try to connect from a browser, like https://www.vucni.com:8446, the error is "Issuer certificate is invalid" (error code: sec_error_ca_cert_invalid).
The output of ls -l keynew:
-rw-r--r--. 1 root root 2181 Apr 23 10:10 /root/keynew

curl -LI https://www.vucni.com:8443/ gives:

curl (77) problem with SSL CA cert (path? access right?)

catalina.out
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'KeystorePassword' to 'changeit' did not find a matching property.
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version: Apache Tomcat/7.0.59
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built: Jan 28 2015 15:51:10 UTC
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number: 7.0.59.0
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name: Linux
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version: 2.6.32-504.el6.i686
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture: i386
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home: /jdk1.7.0_79/jre
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version: 1.7.0_79-b15
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Vendor: Oracle Corporation
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_BASE: /root/apache-tomcat-7.0.59
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_HOME: /root/apache-tomcat-7.0.59
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.config.file=/root/apache-tomcat-7.0.59/conf/logging.properties
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.endorsed.dirs=/root/apache-tomcat-7.0.59/endorsed
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.base=/root/apache-tomcat-7.0.59
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.home=/root/apache-tomcat-7.0.59
Apr 24, 2015 9:03:50 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.io.tmpdir=/root/apache-tomcat-7.0.59/temp
Apr 24, 2015 9:03:50 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/i386:/lib:/usr/lib
Apr 24, 2015 9:03:51 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Apr 24, 2015 9:03:51 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Apr 24, 2015 9:03:52 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Apr 24, 2015 9:03:52 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3976 ms
Apr 24, 2015 9:03:52 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Apr 24, 2015 9:03:52 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.59
Apr 24, 2015 9:03:52 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /root/apache-tomcat-7.0.59/u/ROOT
Apr 24, 2015 9:03:54 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /root/apache-tomcat-7.0.59/u/ROOT has finished in 1,932 ms
Apr 24, 2015 9:03:54 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /root/apache-tomcat-7.0.59/webapps/ROOT
Apr 24, 2015 9:03:55 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /root/apache-tomcat-7.0.59/webapps/ROOT has finished in 507 ms
Apr 24, 2015 9:03:55 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /root/apache-tomcat-7.0.59/webapps/examples
Apr 24, 2015 9:03:57 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /root/apache-tomcat-7.0.59/webapps/examples has finished in 2,083 ms
Apr 24, 2015 9:03:57 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /root/apache-tomcat-7.0.59/webapps/docs
Apr 24, 2015 9:03:57 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /root/apache-tomcat-7.0.59/webapps/docs has finished in 243 ms
Apr 24, 2015 9:03:57 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /root/apache-tomcat-7.0.59/webapps/host-manager
Apr 24, 2015 9:03:58 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /root/apache-tomcat-7.0.59/webapps/host-manager has finished in 325 ms
Apr 24, 2015 9:03:58 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /root/apache-tomcat-7.0.59/webapps/manager
Apr 24, 2015 9:03:58 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /root/apache-tomcat-7.0.59/webapps/manager has finished in 324 ms
Apr 24, 2015 9:03:58 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Apr 24, 2015 9:03:58 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Apr 24, 2015 9:03:58 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Apr 24, 2015 9:03:58 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 5856 ms

localhost.log

Apr 24, 2015 9:03:57 AM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Apr 24, 2015 9:03:57 AM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Apr 24, 2015 9:03:57 AM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: attributeAdded('org.apache.jasper.compiler.TldLocationsCache', 'org.apache.jasper.compiler.TldLocationsCache@cd634')

thanks,
marius
 
Tim Holloway
Saloon Keeper
Ah yes, I've seen that one before.

Try using the keytool to list what you've got stored in the keystore. Make SURE that you're referencing a CERT and not a cert-request or other non-cert entity (I think I've forgotten the proper name).

Also make sure that you have the full certificate chain properly stored. Your own personal cert may need a higher-level cert to vouch for it, and that one in turn may need an even higher-level one until you get to the level of the certs that were built into your browser. You should have received instructions on how to install them, if needed.

Clicking on the "lock" icon in your URL navigation control in Firefox may get you a display of the security credential environment. Probably other browsers have similar diagnostic abilities as well, but I know Firefox does.
 
marius tanislav
Greenhorn
Hi Tim.

wget https://www.vucni.com:8443

--2015-04-25 06:48:24-- https://www.vucni.com:8443/
Resolving www.vucni.com... 192.168.77.139
Connecting to www.vucni.com|192.168.77.139|:8443... connected.
ERROR: cannot verify www.vucni.com’s certificate, issued by “/C=o/ST=o/L=o/O=o/OU=o/CN=www.vucni.com”:
Self-signed certificate encountered.
To connect to www.vucni.com insecurely, use ‘--no-check-certificate’.

So the connection is made, but the error tells me that I have a self-signed certificate.
Fine; in this case, will HTTPS on 8443 not work? I saw many articles where they write that HTTPS on 8443 should work.
MUST I have a signed certificate from a CA?


The other question is when I create:
keytool -genkey -alias tomcat -keyalg RSA
What is your first and last name: HERE IF I WRITE "mt" AND NOT WWW.VUCNI.COM, when I perform wget like below,
I have the error: ERROR: certificate common name “mt” doesn't match requested host name “www.vucni.com”.

So at "what is your last and first name?" what should I write?

wget https://www.vucni.com:8443
--2015-04-25 06:52:51-- https://www.vucni.com:8443/
Resolving www.vucni.com... 192.168.77.139
Connecting to www.vucni.com|192.168.77.139|:8443... connected.
ERROR: cannot verify www.vucni.com’s certificate, issued by “/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=mt”:
Self-signed certificate encountered.
ERROR: certificate common name “mt” doesn't match requested host name “www.vucni.com”.
To connect to www.vucni.com insecurely, use ‘--no-check-certificate’.

The output of keytool -list -v keystore:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Apr 25, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.vucni.com, OU=o, O=o, L=o, ST=o, C=o
Issuer: CN=www.vucni.com, OU=o, O=o, L=o, ST=o, C=o
Serial number: 6a3d3daa
Valid from: Sat Apr 25 06:29:43 PDT 2015 until: Fri Jul 24 06:29:43 PDT 2015
Certificate fingerprints:
MD5: 3D:E9:67:A1:12:96:26:D7:BC:E0:36:55:58:5D:81:62
SHA1: 5A:8D:22:45:64:59:48:43:ED:61:7E:AF:8D:23:8B:B9:D2:80:4E:F4
SHA256: BC:C8:37:C9:E0:12:F1:1F:E9:BC:81:11:C1:5C:6F:E3:65:11:77:31:24:B8:05:01:84:0D:09:0C:D2:93:F6:52
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9C A7 63 CE 70 9A 7F EF B2 5E 96 84 55 76 FF 85 ..c.p....^..Uv..
0010: 71 78 DF C7 qx..
]
]

*******************************************
*******************************************

thanks,
marius
 
Tim Holloway
Saloon Keeper
There's nothing wrong with using a self-signed certificate. Some tools may require assurance that you're willing to accept https responses that haven't been vouched for by "respectable" authorities, but in the case of a browser client, that's usually just a matter of responding to a security alert dialog.

I'm pretty sure that your problem is that you've got a PrivateKeyEntry instead of a proper certificate in your keystore. Your original cert might not have been in Tomcat-friendly form (Tomcat's cert format and Apache's are different). There's a nice GUI utility that can do conversions between the different formats, though, if you don't have the proper one.

One thing to note is that there are 2 components to SSL/TLS. The public cert and the private key. In Tomcat, the private key is pretty much inaccessible, whereas in Apache httpd, they're actually 2 distinct files in most configurations.

Forgive me for not having a cookbook solution, but I have to slog through this stuff myself every time I install a cert and I've never bothered to record the details.
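The two errors wget reported in the previous post are the checks any TLS client makes before trusting a server: is the issuer trusted (a self-signed certificate, where Owner and Issuer are identical and the chain length is 1, is accepted only by a client that already has that certificate in its trust store), does the name match the requested host, and is the certificate within its validity window. The listing also shows what a JSSE connector reads from the keystore: a PrivateKeyEntry, that is, the private key stored together with its certificate chain under the alias the connector uses. The following added example (not code from the thread or from keytool) parses `keytool -list -v` output, runs those checks for a hostname, and builds the `keytool -genkeypair` command line that produces an entry whose CN is the hostname and that also carries a Subject Alternative Name, which is what current browsers match on (the "first and last name" prompt is the CN). The first listing is a constructed copy of marius's; the second, CA-issued listing and the argument values in `keytool_genkeypair` (key size, validity, `O=`) are assumptions for illustration.

```python
"""Check a keystore entry the way a TLS client checks the served certificate.

Added example for this thread; not code from the original posts or from keytool.
"""
from __future__ import annotations
import re
from datetime import datetime

# Constructed copy of the `keytool -list -v` entry posted in the thread
# (the SubjectKeyIdentifier dump is omitted; nothing below reads it).
SELF_SIGNED_LISTING = """\
Keystore type: JKS
Your keystore contains 1 entry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.vucni.com, OU=o, O=o, L=o, ST=o, C=o
Issuer: CN=www.vucni.com, OU=o, O=o, L=o, ST=o, C=o
Valid from: Sat Apr 25 06:29:43 PDT 2015 until: Fri Jul 24 06:29:43 PDT 2015
Signature algorithm name: SHA256withRSA
"""

# Constructed, hypothetical listing of a CA-issued entry that carries a SAN.
CA_SIGNED_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.vucni.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Valid from: Sat Apr 25 00:00:00 PDT 2015 until: Mon Apr 25 00:00:00 PDT 2016
Signature algorithm name: SHA256withRSA
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.vucni.com
  DNSName: *.vucni.com
]
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

POSTED = datetime(2015, 4, 25, 12, 0)   # constructed "now": the day the listing was posted


def _field(block: str, name: str) -> str | None:
    m = re.search(rf"^{re.escape(name)}: (.*)$", block, re.M)
    return m.group(1).strip() if m else None


def _cn(dn: str | None) -> str | None:
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn or "")
    return m.group(1).strip() if m else None


def _when(text: str) -> datetime:
    """'Sat Apr 25 06:29:43 PDT 2015' -> naive datetime; the zone name is dropped
    because strptime only understands the local zone's abbreviations."""
    m = re.match(r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})", text.strip())
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")


def parse_entries(listing: str) -> list[dict]:
    """One dict per alias; certificate fields are taken from the leaf, Certificate[1]."""
    entries = []
    for block in re.split(r"^(?=Alias name: )", listing, flags=re.M)[1:]:
        leaf = block.split("Certificate[2]:")[0]
        start, _, end = (_field(leaf, "Valid from") or "").partition(" until: ")
        entries.append({
            "alias": _field(block, "Alias name"),
            "type": _field(block, "Entry type"),
            "chain_length": int(_field(block, "Certificate chain length") or 0),
            "owner": _field(leaf, "Owner"),
            "issuer": _field(leaf, "Issuer"),
            "not_before": _when(start) if start else None,
            "not_after": _when(end) if end else None,
            "sigalg": _field(leaf, "Signature algorithm name"),
            "san": re.findall(r"DNSName: (\S+)", leaf),
        })
    return entries


def _san_matches(hostname: str, names: list[str]) -> bool:
    """Exact match, or a '*.example' wildcard covering exactly one label."""
    return any(n == hostname or (n.startswith("*.") and hostname.count(".") == n.count(".")
               and hostname.endswith(n[1:])) for n in names)


def check_server_entry(e: dict, hostname: str, now: datetime) -> list[str]:
    """The verdicts wget or a browser would give for this entry served for `hostname`."""
    findings = []
    if e["type"] != "PrivateKeyEntry":
        findings.append("entry holds no private key; a server connector needs a PrivateKeyEntry")
    if e["owner"] == e["issuer"] and e["chain_length"] <= 1:
        findings.append("self-signed: rejected unless the client has this certificate in its trust store")
    if not e["san"]:
        if _cn(e["owner"]) != hostname:   # legacy clients fall back to the CN
            findings.append(f"CN {_cn(e['owner'])!r} does not match requested host name {hostname!r}")
        findings.append("no SubjectAlternativeName extension; current browsers ignore the CN and reject it")
    elif not _san_matches(hostname, e["san"]):
        findings.append(f"no SubjectAlternativeName entry matches {hostname!r}")
    if e["not_before"] and not e["not_before"] <= now <= e["not_after"]:
        findings.append(f"outside validity window {e['not_before']:%Y-%m-%d} to {e['not_after']:%Y-%m-%d}")
    if e["sigalg"] and e["sigalg"].upper().startswith(("MD5", "SHA1")):
        findings.append(f"weak signature algorithm {e['sigalg']}")
    return findings


def keytool_genkeypair(hostname: str, keystore: str, alias: str = "tomcat",
                       org: str = "Example", validity_days: int = 365) -> list[str]:
    """argv that answers the 'first and last name' prompt with the host name and adds a
    matching SAN. Key size, validity and O= are assumptions; keytool prompts for passwords."""
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
            "-sigalg", "SHA256withRSA", "-validity", str(validity_days),
            "-dname", f"CN={hostname}, O={org}", "-ext", f"SAN=dns:{hostname}",
            "-keystore", keystore]
```

Running the checks against the posted entry for `www.vucni.com` yields exactly the two complaints wget made (self-signed, and nothing for a SAN-aware client to match); running them against a name other than the CN adds the mismatch error from the second wget run. A self-signed entry is fine for a test box as long as the clients import that one certificate; nothing else changes when a CA-issued chain is imported under the same alias.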
 
marius tanislav
Greenhorn
Hi Tim,
I wish to close this thread, but first just one thing.
I installed Tomcat again and netstat -tulpn shows that Tomcat does not listen on port 8443. How could I start port 8443 with Tomcat?


Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1459/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1342/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1568/master
tcp 0 0 :::22 :::* LISTEN 1459/sshd
tcp 0 0 ::1:631 :::* LISTEN 1342/cupsd
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN 2104/java
tcp 0 0 :::8009 :::* LISTEN 2104/java
tcp 0 0 :::8080 :::* LISTEN 2104/java
udp 0 0 0.0.0.0:68 0.0.0.0:* 1339/dhclient
udp 0 0 0.0.0.0:631 0.0.0.0:* 1342/cupsd


<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLCertificateFile="/root/apache-tomcat-7.0.61/cert.pem"
SSLCertificateKeyFile="/root/apache-tomcat-7.0.61/key.pem"
SSLPassword="ousor11" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
</Host>

I think after I uncomment the connector on 8443 and restart Tomcat, I should see port 8443 open, but I am not able to see it. Why?
Thanks,
marius
 
Tim Holloway
Saloon Keeper
As long as you have a Connector defined (and not commented out!) for port 8443, then Tomcat should open and listen on port 8443. If it does not, there should be a log message telling you why.

Incidentally, I had to update a Tomcat cert just yesterday. I'm not going to be buying certs from that vendor anymore - they brag about their outstanding support, but if you're not hosting on their servers, then all they do is point you to someone else's outdated web pages and send lists of certs that don't reflect the actual certs they sent. And since they use multiple intermediate cert layers, it's not a fun experience.

But so much for whinging about poor service from well-known vendors - what you wanted to know was how to install your cert.

The tool I have found useful for this kind of stuff has changed names several times, but these days, it seems to be named "portecle" and can be found at sourceforge.net. It may be launched directly from your web browser using the "jnlp" feature of Java. It's a stand-alone GUI app and you can use it to import certs and view their chains. It also converts. I was given certs in X509 format, but the Tomcat keystore wants jks, and this app handles that automatically.
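Tim's advice to read the log for a connector that never opens is the right one, and the logs already quoted in this thread contain the two clues. `Initializing ProtocolHandler ["http-bio-8443"]` names the implementation Tomcat chose for the port (bio, nio or apr), which answers the question of which connector type is in play without any extra command; and `AprLifecycleListener ... was not found` means the native library is absent, so in Tomcat 7 `protocol="HTTP/1.1"` falls back to the Java BIO connector and only JSSE attributes (`keystoreFile`, `keystorePass`, `keyAlias`, `clientAuth`, ...) are read. The OpenSSL-style attributes (`SSLCertificateFile`, `SSLCertificateKeyFile`, `SSLPassword`) belong to the APR connector and are ignored by a JSSE one, which then falls back to `${user.home}/.keystore` with the password `changeit`; if that file does not exist the connector fails to initialize and the port never opens, and the log says so. An attribute Tomcat does not recognise at all is reported the way the earlier catalina.out reported `KeystorePassword`. The following added example (not code from the thread or from Tomcat) lints the SSL connectors in a server.xml for exactly those mismatches; the three fragments are constructed, the first modelled on the connector in the previous post with a placeholder password, and the attribute tables are a subset of what Tomcat 7 accepts.

```python
"""Lint the SSL connectors in a Tomcat 7 server.xml for JSSE/APR mismatches.

Added example for this thread; not Tomcat's code. The attribute tables are a
subset of what Tomcat 7 accepts, so 'not recognised' is a hint, not proof.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias", "keyPass",
              "truststoreFile", "truststorePass", "sslProtocol", "ciphers", "clientAuth"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLPassword",
             "SSLCertificateChainFile", "SSLCACertificateFile", "SSLProtocol",
             "SSLCipherSuite", "SSLVerifyClient"}
COMMON_ATTRS = {"port", "protocol", "SSLEnabled", "scheme", "secure", "maxThreads",
                "connectionTimeout", "redirectPort", "address", "executor", "URIEncoding"}


def implementation(protocol: str | None, native_present: bool) -> str:
    """Which stack a Tomcat 7 connector ends up on: 'jsse' (Java BIO/NIO) or 'apr'."""
    p = protocol or "HTTP/1.1"
    if p == "HTTP/1.1":                      # auto-switch: APR only if libtcnative loaded
        return "apr" if native_present else "jsse"
    if p.endswith("Http11AprProtocol"):
        return "apr"
    if p.endswith(("Http11Protocol", "Http11NioProtocol")):
        return "jsse"
    return "unknown"


def lint_connectors(server_xml: str, native_present: bool) -> list[str]:
    """Findings for every SSLEnabled Connector in the given server.xml text."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port, attrs = c.get("port", "?"), set(c.attrib)
        impl = implementation(c.get("protocol"), native_present)
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'{port}: SSLEnabled connector should also set scheme="https" secure="true"')
        if impl == "jsse":
            if attrs & APR_ATTRS:
                findings.append(f"{port}: JSSE connector ignores OpenSSL-style attributes {sorted(attrs & APR_ATTRS)}")
            if "keystoreFile" not in attrs:
                findings.append(f"{port}: no keystoreFile; Tomcat falls back to ${{user.home}}/.keystore, password changeit")
        elif impl == "apr":
            if not native_present:
                findings.append(f"{port}: APR protocol requested but the native library was not found")
            if attrs & JSSE_ATTRS:
                findings.append(f"{port}: APR connector ignores JSSE attributes {sorted(attrs & JSSE_ATTRS)}")
            if not {"SSLCertificateFile", "SSLCertificateKeyFile"} <= attrs:
                findings.append(f"{port}: APR connector needs SSLCertificateFile and SSLCertificateKeyFile")
        for a in sorted(attrs - JSSE_ATTRS - APR_ATTRS - COMMON_ATTRS):
            findings.append(f"{port}: attribute {a!r} is not recognised (Tomcat logs 'did not find a matching property')")
    return findings


# Constructed sample modelled on the connector in the thread's later post: the
# Java BIO protocol with OpenSSL-style attributes and no keystore, plus the
# mis-cased attribute the earlier catalina.out warned about. Password is a placeholder.
BROKEN = """<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             SSLCertificateFile="/root/apache-tomcat-7.0.61/cert.pem"
             SSLCertificateKeyFile="/root/apache-tomcat-7.0.61/key.pem"
             SSLPassword="placeholder" KeystorePassword="changeit"/>
</Service>"""

# Same connector, configured the way the Java (JSSE) implementation expects.
FIXED_JSSE = """<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/etc/pki/keystore" keystorePass="changeit" keyAlias="tomcat"/>
</Service>"""

# The APR/native form, valid only when libtcnative is actually loaded.
FIXED_APR = """<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             SSLCertificateFile="/etc/pki/cert.pem" SSLCertificateKeyFile="/etc/pki/key.pem"
             SSLCertificateChainFile="/etc/pki/chain.pem"/>
</Service>"""
```

Run it on the real file with `lint_connectors(open("conf/server.xml").read(), native_present=False)` when the log shows the native library was not found, or `True` when it shows it loaded; the `BROKEN` fragment produces three findings, the two corrected fragments none on their matching stack. The PEM certificate and key belong in the APR form only; for the JSSE form they have to be imported into the keystore under the alias named by `keyAlias`.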
 
marius tanislav
Greenhorn
Before closing this thread, just something.
In server.xml, how do I know what kind of connector (JSSE or APR) I should configure? I mean, what command should I use to see it?
I created a JKS keystore with keytool -genkey -alias "name" -keyalg RSA and I used it within the connector as on the first page of this thread. Should I use instead a PEM format of keystore?
Thanks,
marius
 
Tim Holloway
Saloon Keeper
APR promises more throughput out of Tomcat, especially for the non-Java aspects such as static asset services. However it requires doing a custom Tomcat build, and nobody has ever posted stats demonstrating why it's better to add the extra cost of doing all that to the support budget. So I've never bothered using it. As a rule, I figure that if Tomcat is running that close to the wire, I should be looking at other ways of tuning Tomcat.

Tomcat requires a JKS keystore, not X509. I'm fairly sure that its internal routines are hard-wired to use that format. It's a nuisance, since that means Apache HTTP and Apache Tomcat use 2 different encodings, but there are some tools that can make the conversion less painful.
 
marius tanislav
Greenhorn
I do not see the solved button.
 
Tim Holloway
Saloon Keeper
The "solved" button should be a little checkmark button right below the bottom message in the thread (lower left).
 