How do I copy SSL certificate to another server?

 
Leonid Pavlov
Greenhorn
Posts: 3
Hello Tomcat pros!

I am new to Tomcat. Six months ago I configured Tomcat 9.0.22 on Linux with SSL (with the help of Google). Now the application should run on another Linux server. There I have already installed Tomcat 9.0.41 and edited the server.xml and web.xml files as on the old server. It works well with HTTP.
But I don't know whether it is possible to simply copy the certificate files from one server to another, and how to do this.
When I simply copy the certificate files from one server to another, I get the following errors in the log file while starting Tomcat:

22-Jan-2021 18:25:19.422 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
22-Jan-2021 18:25:20.146 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
22-Jan-2021 18:25:20.223 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8443"]
22-Jan-2021 18:25:20.225 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-443"]
22-Jan-2021 18:25:20.227 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:558)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
Caused by: java.net.SocketException: Permission denied
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Unknown Source)
at sun.nio.ch.Net.bind(Unknown Source)
at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source)
at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:228)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:211)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1159)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1172)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:592)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1039)
... 13 more
22-Jan-2021 18:25:20.229 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-0:0:0:0:0:0:0:1-8009"]
22-Jan-2021 18:25:20.231 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[AJP/1.3-8009]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:558)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
Caused by: java.net.SocketException: Protocol family unavailable
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Unknown Source)
at sun.nio.ch.Net.bind(Unknown Source)
at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source)
at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:228)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:211)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1159)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1172)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:592)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1039)
... 13 more

What is wrong here?

What is the reason for the following INFO message:
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]

The Tomcat log file on the old server (Tomcat 9.0.22) does not contain this message.
Do I get the Java exceptions because the Apache Tomcat Native library (which native library, what is the file name???) was not found on the java.library.path (and why is it not found)? Or do I get the Java exceptions because of wrong SSL certificates, which I simply copied from one server to another?

Is this a Tomcat 9.0.41 issue?

If it is not possible to simply copy the files from one server to another, then I would like to know how it is possible to copy the certificates to another server.
Or should I create the certificate request on the new server, send it to the certificate authority (GlobalSign) and so on?

Best regards and many thanks!
 
Tim Holloway
Saloon Keeper
Posts: 24287
Welcome to the Ranch, Leonid!

This looks like your problem:


Are you attempting to use SSL on port 443? Because if you are, Tomcat must be run as an administrator user. Which is not a secure thing to do. That's why the default https Connector uses port 8443.

Actually, I have found that the easiest way to work with SSL on Tomcat is not to do so. Instead I use a reverse proxy server such as Apache or Nginx and let the proxy server handle the SSL and use a proxy connector (such as Apache's mod_proxy) to talk to Tomcat using the coyote (ajp) protocol.

It's a lot easier to set up SSL for Apache or Nginx (or presumably IIS) and you can run port 443 without elevated security on Tomcat. The one thing that is a little troublesome is that Tomcat uses a different certificate format than these servers, but Tomcat's certs are messier anyhow.

 
Leonid Pavlov
Greenhorn
Posts: 3

Tim Holloway wrote: Welcome to the Ranch, Leonid!


Thank you, Tim!

Here are some entries from the configuration files:

server.xml:
========

<Service name="Catalina">

...

   <Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              redirectPort="443" />
   <Connector port="8443" protocol="HTTP/1.1"
              enableLookups="false"
              redirectPort="443" />

...

   <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" SSLEnabled="true"
              compression="on" scheme="https" secure="true"
              keystoreFile="/home/tomcat/dir/portalcert.p12"
              keystoreType="PKCS12"
              keystorePass="mypassword"
              SSLVerifyClient="none" SSLProtocol="TLSv1.2" />

...

   <Connector port="8009" protocol="AJP/1.3" address="::1" redirectPort="443" /> <!-- on the old server with tomcat 9.0.22: without address="::1" -->

web.xml:
======
On the bottom of file:

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>HTTPSOnly</web-resource-name>
           <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

</web-app>

Some clients of my application cannot use port 8443 in the URL, and some clients cannot use port 443 because of their organisation's firewall rules. Therefore the configuration must support both calls:
https://myportal.myorg.de:8443/app/f?p=101
and
https://myportal.myorg.de/app/f?p=101

I don't understand which file or directory causes the "permission denied" message in the Tomcat log file. But I have deleted all default Tomcat applications (such as manager, docs, ROOT, and so on) from the Tomcat webapps directory. Can these cause this problem?
On the old server these apps are deleted too, but this causes no problems in the log file...

Thank you very much!
 
Tim Holloway
Saloon Keeper
Posts: 24287
I see. There's your problem.

The operating system absolutely forbids any non-administrative user from listening on any port lower than 4096. That includes both ports 80 and 443. Tomcat cannot alter that. Servers such as Apache HTTP and Nginx deal with that by starting themselves up as administrative users and then downshifting to ordinary users once the ports are open. The mechanisms that they use to do that are not "write once/run anywhere", so Java apps such as Tomcat cannot do likewise.

There are 3 options I can suggest.

1. Run Tomcat under an administrative account. This is extremely dangerous, because if an attacker can take over Tomcat, the attacker then pwns the entire machine.

2. There is, I believe, some sort of auxiliary launcher available for Tomcat that can somehow kludge its way past the OS limitations on usable port numbers. I've never really studied it, though, and I don't know what operating systems it supports. As I said, the ability to shift user identities is not available in Java itself. I've not used it because it's limited to Tomcat and my site is more complex than that, which is why I prefer the third option:

3. Use a reverse proxy, which is the method I suggested earlier. This is the cleanest and most flexible solution because it can allow you to listen on as many different ports and URLs/IP addresses as you want, plus you can host both Java and non-Java (for example, Python and PHP) all under the same external connections.

Setting up a reverse proxy is not hard. I like Nginx myself because it is especially easy as well as being designed for high performance, but a lot of people use Apache, as did I before I discovered Nginx. IIS works well also, although I haven't touched IIS since the previous millennium. There are likely other servers less well known. The Squid proxy server supposedly can do this, and I use Squid for caching inbound data, although it's not as simple to configure as Nginx.
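A small configuration check for the two failure modes in this thread (the connectors in Leonid's server.xml above, and Tim's point that an unprivileged Tomcat cannot bind port 443), written as an added example for this page and not taken from the thread or from Tomcat itself. It parses a constructed copy of the posted connectors (the keystore password is a placeholder) and reports the privileged-port bind, the IPv6 literal on the AJP connector, and the clear-text keystore password; `audit_connectors`, `running_as_root` and `ipv6_available` are names assumed here.

```python
import xml.etree.ElementTree as ET

PRIVILEGED_PORT_LIMIT = 1024  # Linux: binding below this needs root or CAP_NET_BIND_SERVICE

# Constructed sample modelled on the server.xml connectors posted in the thread
# (the keystore password is a placeholder, not a real value).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
    <Connector port="8443" protocol="HTTP/1.1" enableLookups="false" redirectPort="443"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/tomcat/dir/portalcert.p12" keystoreType="PKCS12"
               keystorePass="PLACEHOLDER" SSLVerifyClient="none" SSLProtocol="TLSv1.2"/>
    <Connector port="8009" protocol="AJP/1.3" address="::1" redirectPort="443"/>
  </Service>
</Server>"""


def audit_connectors(server_xml, running_as_root=False, ipv6_available=True):
    """Return one finding per problem, in document order, as (port, message) tuples."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = int(conn.get("port", "0"))
        address = conn.get("address", "")
        if port < PRIVILEGED_PORT_LIMIT and not running_as_root:
            # The thread's 'java.net.SocketException: Permission denied' on port 443.
            findings.append((port, "privileged port: an unprivileged Tomcat cannot bind it; "
                                   "redirect 443->8443 with iptables or front it with a reverse proxy"))
        if address.count(":") >= 2 and not ipv6_available:
            # Literal IPv6 address on a host without an IPv6 stack:
            # the thread's 'Protocol family unavailable' on the AJP connector.
            findings.append((port, f"address={address!r} is IPv6 but IPv6 is not available"))
        if conn.get("SSLEnabled") == "true" and conn.get("keystorePass"):
            # The keystore password lives in server.xml, so that file must be readable
            # only by the Tomcat user and must not be copied around world-readable.
            findings.append((port, "keystorePass is stored in clear text in server.xml; "
                                   "restrict the file to the tomcat user (mode 0600)"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE_SERVER_XML, ipv6_available=False):
        print(f"port {port}: {msg}")
```

Run it against a real server.xml by reading the file into `audit_connectors`; the root and IPv6 flags describe the account Tomcat runs under and the host's network stack, which the script does not probe itself.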

 
Leonid Pavlov
Greenhorn
Posts: 3
Hello Tim,

thank you very much!
I have solved my problem with the following entries in iptables:

iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443

Best regards,

Leonid
 
Tim Holloway
Saloon Keeper
Posts: 24287
I forgot about that one! I don't know what Windows users would do to get that effect, though.
 