• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

SSL Question

 
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
My website has the format of "mysite.com" (no special HOST name).

Trying to understand what type of SSL certificate I need for Tomcat 8 from namecheap.com.

I would want to SSL-secure both my website and Tomcat.

Now, since they're both the same domain, as in:

WEBSITE: mysite.com

TOMCAT: mysite.com:8080/webapp1, ....

Do I just need a single regular (non multi-site, non wildcard) certificate I install in two places (one copy of the cert files for Website, the other copy of the cert files (the same cert files) for Tomcat?

I don't want to pay for a multi-site SSL or a wild-card SSL if not necessary.

Thanks very much in advance.

- mike

P.S. Suggestions on a good certificate to use from namecheap.com would also be appreciated.
 
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The cert format for Apache and the cert format for Tomcat are different. You can convert between them, but it's a pain.

More commonly, just get a cert and install it in Apache, use Apache as a reverse proxy to Tomcat (port 8009), and then Tomcat doesn't need SSL set up as long as both Tomcat and Apache are on the same secured LAN (or the same machine).
 
Sheriff
Posts: 22781
131
Eclipse IDE Spring VI Editor Chrome Java Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I agree with Tim. SSL on Tomcat is usually only required if Tomcat is directly accessible to the outside world. If you put Apache in front of it using mod_ajp, SSL is not even used. If you put Apache in front of it using mod_proxy, having SSL will only add unnecessary slowness.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Tim Holloway wrote:The cert format for Apache and the cert format for Tomcat are different. You can convert between them, but it's a pain.

More commonly, just get a cert and install it in Apache, use Apache as a reverse proxy to Tomcat (port 8009), and then Tomcat doesn't need SSL set up as long as both Tomcat and Apache are on the same secured LAN (or the same machine).



Thanks Tim.

By Apache, in my case, it's Mac OS Server.

Are there instructions for doing a "reverse" proxy to Tomcat from Apache? I have no idea how to do that.

If there aren't step-by-step instructions, I'm probably better off trying to get the cert files that Tomcat can understand (same cert as Apache) and just slog though it.

I think NameCheap will send you different cert file formats if you need them.

Thanks,

- mike
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Rob Spoor wrote:I agree with Tim. SSL on Tomcat is usually only required if Tomcat is directly accessible to the outside world. If you put Apache in front of it using mod_ajp, SSL is not even used. If you put Apache in front of it using mod_proxy, having SSL will only add unnecessary slowness.



If I have a website like: mysite.com:8080/website1  (this works now)

That site is available to the outside world directly, right?

I'm not an Apache guru. Thus I'm confused by your posting and I don't know enough about Apache on Mac OS Server to do what you're suggesting ("mod_proxy", for example) without step by step instructions, video, or whatever.

I did find this link:  https://stackoverflow.com/questions/25179628/apache-as-front-to-tomcat-with-proxy-with-mod-proxy-ajp-on-mavericks-mac#25236787

So, it sounds like I just need a certificate for the Mac OS Server and then mess around with this proxy stuff but no separate cert config is necessary.

Thanks,

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I don't know what the standard HTTP server for MacOS is, although Apache is popular on all OS's. I use Nginx these days, since it's easier to configure and supposed to be less overhead.

Port 8080 is only visible to the outside world if your firewall permits it. SSL (https) direct to Tomcat is conventionally configured to port 8443, and like all TCP/IP ports, also requires firewall permission.

However, if you are running both Apache/IIS/Nginx or whatever for non-J2EE webapps and Tomcat, it's simpler to let your front-end webapp server (Apache or whatever) handle ALL web requests, both http and https. That allows you to run Tomcat apps without the "8080" or "8443".

To get Apache to reverse-proxy for Tomcat, you'd use either mod_jk or mod_proxy. I prefer mod_proxy, but a lot of people here are using mod_jk. Either one works.

You can get certs for free from letsenrypt.org, but they expire every 3 months. It's fairly easy to keep them renewed, though.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
MacOS Server uses Apache.

So, once I get the reverse proxy working, I wouldn't need to do a port reference at all.

So, https://mysite.com:8080/tomcatwebapp

becomes

https://mysite.com/tomcatwebapp

Correct?

There are lots of settings, virtual hosts, and other nasty configuration items that will probably cause me problems, but I'll give it a try.  For example, I'm not sure if I need to have an explicit VirtualHost for each web app or how I do the reverse proxy to specify port 80 for Tomcat requests mapped to the Apache SSL ports, etc. Seemingly very complicated initially.

---

Since my domain name is already with namecheap.com, it'll probably be simpler to get the cert from them. $9.99/year for the cheapest.

Thanks Tim!

 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Technically, you still have a port reference, but the default port for http is 80 and the default port for https is 443. DNS cannot return port numbers, only IP addresses, so when you address a server listening on a non-default port for the protocol (like Tomcat's http port 8080) you have to put that number in the URL explicitly. That information is used by the client app to know what port to send to.

You can front Tomcat apps by assigning them to virtualhosts or you can remap a URL path to be proxied to Tomcat (or both at once). As long as you have Apache's configuration set up correctly, Tomcat will not know the difference between http://tomcat.myhost.com and http://www.myhost.com/tomcat as proxies.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim.

- mike
 
Marshal
Posts: 4491
572
VSCode Eclipse IDE TypeScript Redhat MicroProfile Quarkus Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Tim Holloway wrote:DNS cannot return port numbers, only IP addresses, so when you address a server listening on a non-default port for the protocol (like Tomcat's http port 8080) you have to put that number in the URL explicitly.


Technically, DNS can return port numbers using SRV resource records

    _http._tcp           SRV   0 10 8080 mysite.example.org.
    _https._tcp          SRV   0 10 8443 mysite.example.org.
    mysite.example.org.  A     10.10.0.34


but since this is not included in the HTTP RFCs, no will browser support it.

Proposals for SRV support for HTTP go back to the year 2000, but have never been incorporated in to the evolving HTTP RFCs apparently because of the concern that performing an extra lookup for SRV records would slow down the responsiveness of the browser.

 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
While I appreciate all the technical replies, what I really need are step by step examples. I'm a Java dev not a network admin.

I found a site that has some information on how to front Tomcat with Apache:

https://stackoverflow.com/questions/25179628/apache-as-front-to-tomcat-with-proxy-with-mod-proxy-ajp-on-mavericks-mac#25236787

This is about the right level, but I'm sure I'll have problems and will post back.

Thanks to all.

- mike
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
OK, made some changes, and, as expected, not quite there...

In the httpd_server_app.conf

I added this section in the httpd_server_app.conf file:



---

From server.xml in Tomcat 8 CONF directory, it already appears that the 8009 redirector is already uncommented:

<!-- Define an AJP 1.3 Connector on port 8009 -->
   <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

---

So, trying to do a URL like this: https://www.mysite.com:8080/  assuming everything above is correct, I'm still getting a "Secure Connection Failed" message.
   Error code: SSL_ERROR_RX_RECORD_TOO_LONG

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

--

The URL http://mysite.com:8080/index.html still works, but not the https.

---

Suggestions?

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Your URL told your client (browser) to contect the server using the https protocol (SSL). However, Tomcat's default assignment usage for port 8080 is http, not https. It's like speaking greek to a person who can only understand latin. That's what that message actually means.

You wouldn't user either port 8080 or 8443 if you used Apache reverse proxy. Instead, you'd map designated virtualhost/URL patterns to forward to Tomcat port 8009 (the ajp port). For SSL, the virtualhost would listen on "*:443" (or something like that) for https requests. And the virtualhost would have to define the SSL cert and key files (as well as general configuration of mod_ssl) in order to properly decypt incoming traffic.

Side note to Ron - DNS isn't the only way to find a webserver's address. Most OS's stack multiple resolvers. So even if DNS itself did return a port, that wouldn't help with the servers that, for example, I have defined in /etc/hosts file.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
OK, so using this link and the information in it...

https://stackoverflow.com/questions/25179628/apache-as-front-to-tomcat-with-proxy-with-mod-proxy-ajp-on-mavericks-mac#25236787

What would be a working VirtualHost config and a URL that works?

I'm having trouble decoding your higher-level-than-I'm-ready-for replies.

BTW, I though the whole idea of using the reverse proxy was to avoid the SSL configuration in the first place. I don't see at the moment how this approach is any better than a manual Tomcat SSL configuration.

Thanks,

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
No, the point of using a reverse proxy isn't to avoid using SSL. It's to to allow ALL incoming SSL (https) requests to be able to come in via a single (SSL) port: port 443, which is the default ("well-known" in IETF specification terms) for https, just as port 80 is the default port for http. As I said earlier, only one app in a server may listen on a given port ID, and Apache is listening on ports 80 and 443, so it has to forward (proxy) anything that's intended to be handled by Tomcat.

The reverse proxy is the mechanism that allows incoming SSL requests that are aimed at the Tomcat backend server to be forwarded from Apache (which is what the client connected to) to Tomcat's port 8009. By doing this, you avoid having to set up a separate SSL mechanism in Tomcat itself.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
OK, but again I don't see any real advantage here over configuring Tomcat separately with a certificate. Putting Apache in the mix just seems to make things more difficult.

And, I can't find a single resource that describes in any detail what you're saying at this explanatory-only level.

There are separate instructions for Tomcat SSL

I'll just get another $9.99 cert and use those I guess.

Thanks Tim.

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If you are running ONLY Tomcat, then technically a reverse proxy through Apache is not needed and you'd only need a Tomcat (keystore) friendly SSL cert. However, since ports 80 and 443 are privileged ports (as are all ports lower than 4096), the only way that Tomcat could use them directly would be to run Tomcat as a privileged user (which is a security risk). The alternative is to require users to include non-privileged ports IDs (8080 and 8443), which isn't considered especially friendly. Apache has a trick that allows it to run most of its logic as an unprivileged user, which is why it can safely use ports 80 and 443.

Many shops, are running a mix of applications, not just J2EE ones, so Apache as the primary web face is a good option. I'm using ngnix these days, but it's operating almost exclusively as a reverse proxy and not hosting any webapps itself. For example:

http://www.mousetech.com is routed to a Docker instance running Apache on a VM and my own apps and static resources. This used to be a full VM itself, but I downsized it, since it never needed that many resources.
http://blog.mousetech.com is routed to a different Docker instance that runs Apache with Wordpress.
https://nexus.mousetech.com is routed to a dedicated Tomcat server in a Docker VM running the Nexus Maven repository.
https://jenkins.mousetech.com is routed to a different Tomcat server/Docker instance running the Jenkins build management system.
https://nagios.mousetech.com is routed to an Apache server on the same hardware machine that Ngnix is running. But I don't believe that that particular URL is visible outside the mousetech LAN right now.

And various other servers and services also get proxied through the same Nginx server, all of them using ports 80 and 443 on 96.90.14.153 and 96.90.14.154 (mirror server). The routing to the backend servers is done according to URL virtualhost and URL definitions that I provision via Puppet.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim.

Please don't take this the wrong way, but there isn't anything here that helps me other than to understand high level concepts.

Moreover, there isn't, as I've searched, a single source that actually describes "HOW" to do what you're only speaking about in knowledgeable yet only conceptual terms.

As in...

1. Do this.
2. Do that.
3. Do this other thing in this file.
4. Reboot.
5. Viola.

Based on no available resources with working "how to set this stuff up", I'll abandon this effort for now.

Thanks,

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
For learning purposes or in-house encrypted stuff, getting an SSL cert for Tomcat is all you need. For something more professional, you'd be more likely to go the proxy route.

Just as a crude diagram:


A MacOS specific step-by-step for this can be found at https://gist.github.com/4np/5270037 which references Andy Hunt's blog for how to obtain and install an SSL cert into Apache.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim.  I really appreciate that link.

I'm now trying to understand keystores since web services like SparkJava use them for encryption.

Not sure if I can just import a certificate into a keystore or what.

Madness! ;)

I'll get to write code again one of these days...

Thanks again!

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
A keystore is a database containing security information. It's a general concept, not just something for Tomcat.

A keystore contains both public certs and private keys. Because the certificate is sent out to anyone requiring SSL, the private key has to be available inside the server system to match it. That may not be the best explanation, but you should be able to google something better if you want to.

A keystore also defines a chain of trust. Anyone could send out a cert and have it used for encryption, but the cert also certifies that the server is really who you think it is. That is, you go to www.microsoft.com and no one has secretly re-routed you to www.virus.com. So every cert has a parent cert that verifies that that cert is legitimate. The chain extends back up until you reach a well-known root certificate. The root certificates are pre-stored in your keystore and in the client systems so that they can be matched up.

So when you register for a cert, you'll typically receive a cert, a keyfile, and at least one parent cert. Parent certs have to be added to the keystore in sequence, because the keystore won't accept a cert unless there's a parent in the keystore that will vouch for it. Actually, I think you generate the keyfile and the certificate authority generates the cert based on that, but my memory is a bit hazy there.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Back to my specific example...I did not use the keytool to generate the CSR at all. I got the certificate independently and want to "import" that certficiate into my keystore.

Using the portecle utility, I created a keystore and imported the CRT file into it. Looks OK and is listed in there now.

However, using JavaSpark with this syntax:



Gives me a server error.

Not sure why.

Thanks,

- mike


 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The CSR is a Certificate Signing Request. When you generate a certificate, you then send it to your chosen Certificate Authority (CA) and they digitally sign it which links it to their Chain of Trust.

You can also self-sing a certificate, but since there is no Chain of Trust, visitors will be asked by their web client whether they want to trust your site when they visit it.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Tim,

Maybe this posting is getting too long at this point, but I already, independently (not using Java keytool) got a certificate (generated a CSR, etc.).

To wit..

I have the .CRT and related files already. I did not generate the CSR using the Java keytool.

I have imported the CRT file into the Java Keystore I created. (I can view it, etc.)

I have moved that keystore on the server where "mysite.com" exists.

I have the code in the webservice (spark Java) that should be able to access the keystore:



I get a Server Error in response with this URL:

https://mysite.com:4567/secureHello

--

I also tried adding the keystorefilename (third parameter above) and the "thePassword" again (fourth parameter), but made no difference.

Also posted a message on StackOverflow, but it doesn't seem anyone understands the problem or maybe Java Spark isn't that popular (no responses). Dunno.

Do you see any problems with what I posted here in this specific context?

-- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I don't know anything about Java Spark, but if you want to use SSL with Tomcat URL requests, then you have to configure the keystore in Tomcat's server.xml file. The application code would not access the keystore. The SSL is handled by Tomcat automatically, and Tomcat SSL logic needs the keystore for its security database because that's what Tomcat was coded to use.

How you generate your certs and keyfiles doesn't matter. What does matter is that they are in the form that Tomcat can use in a place that Tomcat can use (keystore) and that their linkages are correct.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
JavaSpark is totally removed from Tomcat, but OK, I have sent the developers an email.

---

Regarding Tomcat...

I made the following changes to the server.xml (Tomcat conf folder).



But when I try to connect to the server, on say:

https://mysite.com:8443

It's asking for a login and password.

Do you see any issues with my server.xml changes?

Thanks Tim.

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You have 2 separate Connector elements defined as using port 8443. Only one Connector may own a port. The way I read what you provided is that you should comment or remove that first 8443 Connector, since the important stuff is all defined on the second Connector.

In Tomcat, if a port cannot be acquired, Tomcat will simply not configure it but it will continue on bringing up as much of the rest of Tomcat as it can. So it's very important to look at the localhost and catalina.out logs when you have problems.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
That's a good catch.

So now, I just have:
 

Your suggestion about checking the logs is always something I forget to do. So much good info there!

OK, so hopefully this extra info will be useful so you can help me spot the problem.

BOTH these ports (8009, 8443) are failing since they are "already in use".

After I start Tomcat, only "lsof | grep 8009" (like NetStat in Windows) shows an active java Listener. 8443 is nowhere to be seen in the ports list (before or after tomcat loading).

---

Here's the confusing catalina.out (why the heck are these ports 'already in use'?):


I'm guessing these problems are culprits?

What would you look at at this point?

Thanks,

 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In Linux, the command "netstat -lnp" will identify the processes and their ports. Since 8080 and 8443 are not commonly used, you probably have another copy of Tomcat running.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Tim Holloway wrote:In Linux, the command "netstat -lnp" will identify the processes and their ports. Since 8080 and 8443 are not commonly used, you probably have another copy of Tomcat running.



No, there's only one copy of Tomcat on this machine. And, on Mac, it doesn't have an auto-start like Windows.

However, after rebooting, now only port 8443 is reporting 'already in use'.

netstat | grep 8443


and

lsof  | grep 8443

return nothing before/after Tomcat loaded.

--

In the server.xml configuration above, there are two places where 8443 is shown. I'm assuming you don't believe this is the problem, correct?

Thanks Tim.

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
No, that definitely WOULD be a problem. Only one app in the OS can own given a port. Only one Connector in Tomcat can own a given port. Multiple attempts to gain that port will cause the second and subsequent attempts to fail. First come is the one and only winner.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Tim Holloway wrote:No, that definitely WOULD be a problem. Only one app in the OS can own given a port. Only one Connector in Tomcat can own a given port. Multiple attempts to gain that port will cause the second and subsequent attempts to fail. First come is the one and only winner.



But, this is what's in the documentation:

<Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              redirectPort="8443" />
.
.
.          
               
<!-- ** ADDED ** july 11, 2017 -->              
 <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
      <Connector
         protocol="org.apache.coyote.http11.Http11NioProtocol"
            port="8443" maxThreads="200"
            scheme="https" secure="true" SSLEnabled="true"
            keystoreFile="/path_to_keystore_directory/keystore.jks" keystorePass="thePassword"
            keystoreType="JKS"

In any case, I changed the port in the lower one to 9443 and the reference to 8443->9443 in the upper one.

Now, I don't get any in use errors.

I think it's back to the problem with the keystore.

No idea.

Thanks,

- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think something got garbled there. At one point, you had 2 different connectors with 'port="8443"'. That doesn't work. A "redirectPort="8443" is not the same thing, though.

Tomcat is made out of building blocks. The "Connector" block defines a unit that opens a TCP/IP port and listens on it. The other options customize that block. Internally, the Connector is actually a JavaBean and the attributes are bean properties that are set by digesting server.xml.

Tomcat's default Connectors and their usages are:

port 8080: http (unencrypted) URL request receiver
port 8443: https (SSL) URL request receiver
port 8009: ajp proxy request receiver
port 8005: command port receiver (allows Tomcat to be controlled by remote network commands)
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think I'm actually close. I'm using the documentation at this URL: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

So, I have a situation where the code inside Tomcat is looking for the keystore file in: /Users/mike/.keystore

Message: "Failed to load keystore type JKS with path /Users/mike/.keystore" ... (no such file or directory).

Yet, I have the keystore.jks file loaded with a full path (in another directory) in the connector definition in server.xml. That path doesn't seem to matter since Tomcat is looking elsewhere.

I tried copying my keystore.jks file to my /Users/mike folder and renaming it to .keystore, but then I get a message that the file has either been tampered with or has the wrong password.

So I have a keystore.jks.

How do I get from my keystore.jks the magic ".keystore" that Java/Tomcat want?

Thanks again Tim.

- mike


 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I recommend giving the absolute file pathname for the keystore file, although Tomcat will accept a relative path (despite the fact that J2EE doesn't define a "current directory"). The pathname you give MUST be the actual path of the keystore file. Tomcat will not assume a filename extension (such as ".jks")

One thing you need to be careful of is that the userid/password required to open the keystore database is NOT the same as the userid/password used to access a given entry. Tomcat's default keystore userid is "tomcat". Most of the rest of what you need to know is in the Tomcat SSL docs.

It's OK to move the location of the keystore. It's self-contained, so moving it won't be considered as "tampering".
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
As I said above, I had the full path to the keystore.jks file, but the error in the log was that there was a FileNotFoundException where Tomcat is looking in /Users/Mike/.keystore



There is no user id specified nor asked for whether I open the keystore manually using the "keytool" or specified above.

I can go to the /Users/Mike directory, and open the .keystore file there with the same password specified in the system.xml as shown above. No problem.

Yet, the error I get is:



So, what I'm experiencing error-wise, access-wise (no user name needed, etc.) doesn't match what you're saying at all.

Maybe I need to update Tomcat to a later version and see if that helps?

- mike

 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Update: Upgraded to Tomcat 8.5.

I now only have this new entry in the server.xml



And it is now using this full path to the keystore.jks file. No more errors where it's looking in the "/Users/mike/" folder for ".keystore".

No errors in the catalina.out or relevant errors in localhost after starting Tomcat.

--

Problem remains that when I go to https://mysite.com:9443 there is no connection.

The browser just keeps trying to connect (spinning progress wheel) until it says it can't connect to the site.

Really not sure what else to try at this point.

Any suggestions welcome, of course.

-- mike
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If it's spinning, you probably have a firewall problem. Use netstat to check, though.

Sorry about the "userid" thing. I was thinking of the "alias". There are 2 passwords, however. Common practice is to use the same password for both the keystore and the entry. The keytool encourages it.
 
Mike London
Bartender
Posts: 1971
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Right, I'm thinking the same thing.

I have 9443 open and 8009 open, but no joy.

Will keep working on this..

Thanks,

- mike
 
Mike London
Bartender
Posts: 1971
17
  • Likes 2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
PROBLEM SOLVED.

Posting back to explain what was wrong: two basic issues.


1. Keystore.jks file I was using was not correct. Though I had asked about the keystore file and whether it was OK to do the CSR separately (outside the keystore process) and then just import the certificate into it, nobody (anywhere) answered that question. Turns out, from my experience, no, it's not OK.

Steps:
* You create the private key in the keystore.
*Then, you create a CSR from that key.
*Upload that CSR and do the steps with the certificate vendor to get the certificate.
*Then, when it's ready, you download and import the certificate (chain) into the keystore. (For me that was the .p7b file)
*Then, you're done.

Once I re-did the keystore (extra strength coffee is a good idea), using the keystore "process" as the only way to generate the CSR and (in my case) regenerating the certificate, all worked as expected on the server.

------------------------------

2. The problem with getting to Tomcat Remotely on port 9433 turned out to be ... the VPN I was using. Once I disabled the VPN, Tomcat and port 9443 came flying into the browser. Certificate displayed the correct information.

------------------------------

Thanks for all the suggestions and patience with my numerous postings here.

I hope this information is useful to someone.

- mike
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic