Hi Marek,

Thanks a lot for your reply. Actually I do not want to use the default keytool from the java/jre1.5.0_05/bin directory. I have configured OpenSSL on Win-XP by downloading Openssl-0.9.8d and tcnative-1.dll and running these commands:

openssl req -config openssl.cnf -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Can you please tell me what I need to do for Solaris?

Thanks,
Sandip
Marek Marcola <[EMAIL PROTECTED]> wrote:

Hello,

> I have configured openSSL on Win-XP successfully.
> Can anyone please tell me how to configure openSSL on Solaris. I am
> using tomcat 5.5 as server. (Since while configuring with windows there
> are some .dll files there which I cannot use in solaris.)

Tomcat does not use OpenSSL for encryption/SSL, but you may use OpenSSL to
sign the Tomcat certificate or create a PKCS12 store.
Some test work from Linux attached, hope this helps.

Best regards,
--
Marek Marcola


TOMCAT LINUX
------------

1) Keystore on FC5 for Tomcat: /usr/share/tomcat5/.keystore

2) Keystore creation for Tomcat:

# /usr/java/jre1.5.0_05/bin/keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA \
    -keystore /usr/share/tomcat5/.keystore
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  nx9010.malkom.pl
What is the name of your organizational unit?
  [Unknown]:  Malkom Admin
What is the name of your organization?
  [Unknown]:  Malkom
What is the name of your City or Locality?
  [Unknown]:  Warsaw
What is the name of your State or Province?
  [Unknown]:  Warsaw
What is the two-letter country code for this unit?
  [Unknown]:  PL
Is CN=nx9010.malkom.pl, OU=Malkom Admin, O=Malkom, L=Warsaw, ST=Warsaw, C=PL correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):

# /usr/java/jre1.5.0_05/bin/keytool -list -v -keystore /usr/share/tomcat5/.keystore
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 13, 2007
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=nx9010.malkom.pl, OU=Malkom Admin, O=Malkom, L=Warsaw, ST=Warsaw, C=PL
Issuer: CN=nx9010.malkom.pl, OU=Malkom Admin, O=Malkom, L=Warsaw, ST=Warsaw, C=PL
Serial number: 45a8e69f
Valid from: Sat Jan 13 15:03:11 CET 2007 until: Fri Apr 13 16:03:11 CEST 2007
Certificate fingerprints:
         MD5:  FD:5A:12:A4:54:F3:1D:BE:9E:16:AF:EF:32:C5:F9:50
         SHA1: 30:38:71:44:6A:C9:DE:0A:41:3A:4F:6D:55:36:08:DC:22:7B:4B:94

# /usr/java/jre1.5.0_05/bin/keytool -export -keystore /usr/share/tomcat5/.keystore \
    -alias tomcat -file /tmp/cert.der
# openssl asn1parse -in /tmp/cert.der -inform der
# openssl x509 -in /tmp/cert.der -inform der -text -noout

3) Add to /usr/bin/dtomcat5 line:

# Set standard commands for invoking Java.
JAVA_HOME=/usr/java/jre1.5.0_06

4) Activate Connector SSL in /etc/tomcat5/server.xml:

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/usr/share/tomcat5/.keystore"
           keystorePass="changeit"
           keystoreType="JKS"
           debug="255" />

5) Run Tomcat:

# service tomcat5 start
# ps -ef | grep java
tomcat    6689     1 79 15:09 ?        00:00:05 /usr/java/jre1.5.0_06/bin/java ...
# more /var/log/tomcat5/catalina.out
# openssl s_client -connect localhost:8443
subject=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=nx9010.malkom.pl
issuer=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=nx9010.malkom.pl
---
No client certificate CA names sent
---
SSL handshake has read 1143 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 45A8E83DD6B1FAF2FE1A4749C1DE61DEA5C85D3E3367D2A64419E0CB89245A74
    Session-ID-ctx:
    Master-Key: 9350D5341E4FB7DB9BFE2C4C915876FB3BC053D91485C5A586E39037EBCEB7CAAA63D27FD88E8E04C59A2812CE876248
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1168697405
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

6) With OpenSSL (version 1):

SSL Connector section in /etc/tomcat5/server.xml:

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/tmp/keystore.p12"
           keystorePass="changeit"
           keystoreType="PKCS12"
           debug="255" />

# openssl genrsa -des3 -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
...++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
# openssl req -new -x509 -key key.pem -out cert.pem -days 365
Enter pass phrase for key.pem:
Country Name (2 letter code) [GB]:PL
State or Province Name (full name) [Berkshire]:Warsaw
Locality Name (eg, city) [Newbury]:Warsaw
Organization Name (eg, company) [My Company Ltd]:Malkom1
Organizational Unit Name (eg, section) []:Malkom1 Admin
Common Name (eg, your name or your server's hostname) []:nx9010m.malkom.pl
Email Address []:
# openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name tomcat
Enter pass phrase for key.pem:
Enter Export Password:
Verifying - Enter Export Password:
# service tomcat5 stop
# service tomcat5 start
# openssl s_client -connect localhost:8443
subject=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom1/OU=Malkom1 Admin/CN=nx9010m.malkom.pl
issuer=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom1/OU=Malkom1 Admin/CN=nx9010m.malkom.pl
---
No client certificate CA names sent
---
SSL handshake has read 1380 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 45A8ECC3C4D599F123F366F90389782F9CB28FF6717FD8631558C62CF1C006E7
    Session-ID-ctx:
    Master-Key: AF05FCD32DC1F626C4EEED8E27AA5B401909AC0E3E3299FF1F5D426D0185DFA4477238B51364E17C2F3AAC2B0E2854DD
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1168698563
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

7) With OpenSSL (version 2):

# /usr/java/jre1.5.0_05/bin/keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA1withRSA \
    -keystore /usr/share/tomcat5/.keystore -file /tmp/certreq.csr
Enter keystore password:  changeit
# openssl ca -config openssl.cnf -in certreq.csr
# /usr/java/jre1.5.0_05/bin/keytool -import -alias root -keystore /usr/share/tomcat5/.keystore \
    -trustcacerts -file cacert.pem
Enter keystore password:  changeit
Owner: [EMAIL PROTECTED], CN=Malkom Certificate Authority, OU=Malkom CA, O=Malkom, L=Warsaw, ST=Warsaw, C=PL
Issuer: [EMAIL PROTECTED], CN=Malkom Certificate Authority, OU=Malkom CA, O=Malkom, L=Warsaw, ST=Warsaw, C=PL
Serial number: 8e9a987a73b72f2e
Valid from: Thu Nov 23 00:03:28 CET 2006 until: Sun Nov 20 00:03:28 CET 2016
Certificate fingerprints:
         MD5:  64:76:4D:41:21:2A:DE:61:4F:E8:EB:C2:EA:34:98:61
         SHA1: EC:ED:91:F8:5D:AB:38:50:80:04:F9:3D:D3:94:B3:62:C0:9D:8C:EA
Trust this certificate? [no]:  yes
Certificate was added to keystore
# /usr/java/jre1.5.0_05/bin/keytool -import -alias tomcat -keystore /usr/share/tomcat5/.keystore \
    -trustcacerts -file new_cert.pem
Enter keystore password:  changeit
Certificate reply was installed in keystore
# /usr/java/jre1.5.0_05/bin/keytool -list -keystore /usr/share/tomcat5/.keystore
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Jan 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 64:76:4D:41:21:2A:DE:61:4F:E8:EB:C2:EA:34:98:61
tomcat, Jan 13, 2007, keyEntry,
Certificate fingerprint (MD5): FC:FE:3E:E1:B7:CF:7A:E5:73:52:27:3E:0F:DE:42:F9
# openssl s_client -connect localhost:8443
subject=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=nx9010.malkom.pl
issuer=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom Certificate Authority/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 2554 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 45A8F19EB4CA05586F15E12B0380E026B0DFFAB2DF38A40E6880714E50CEC661
    Session-ID-ctx:
    Master-Key: A479C4D95491CE613AF5E5249209AE11238031092BCD0A8A08A58019A722C245DC8A2D668C698E3E17AB17F2BCBD103A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1168699806
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
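The OpenSSL-only route from step 6 of Marek's message, scripted end to end as an added example (not code from the thread): it builds the PKCS12 store that a `keystoreType="PKCS12"` connector reads, then checks that the stored certificate matches the private key and the expected CN, and that the certificate verifies once it is its own trust anchor (the same self-signed condition s_client reports as return code 18). The WORK, PASS and CN values are assumptions; it also uses 2048-bit RSA with SHA-256 instead of the 1024-bit key and default digest in the thread, and a non-interactive -subj instead of the prompts.

```shell
#!/bin/sh
# Added example (not from the thread): build Tomcat's PKCS12 keystore with
# OpenSSL alone, then verify it. WORK, PASS and CN are assumed values.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"            # must equal keystorePass in server.xml
CN="${CN:-nx9010m.malkom.pl}"       # hostname clients will connect to

# Step 6, non-interactive: key -> self-signed cert -> PKCS12 with alias "tomcat".
make_p12() {
  # 2048-bit RSA instead of the thread's 1024-bit; key stays encrypted on disk
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -key "$WORK/key.pem" -passin "pass:$PASS" \
    -out "$WORK/cert.pem" \
    -subj "/C=PL/ST=Warsaw/L=Warsaw/O=Malkom1/OU=Malkom1 Admin/CN=$CN"
  # -name tomcat is the alias the connector looks up; -passout protects the store
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" -passin "pass:$PASS" \
    -out "$WORK/keystore.p12" -name tomcat -passout "pass:$PASS"
}

# Returns 0 only if the store holds the right certificate for the right key.
check_p12() {
  # certificate as stored in the PKCS12 vs. the key file: public keys must match
  p12_pub=$(openssl pkcs12 -in "$WORK/keystore.p12" -nokeys \
              -passin "pass:$PASS" 2>/dev/null | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/key.pem" -passin "pass:$PASS" -pubout)
  [ "$p12_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
  # subject must carry the hostname (OpenSSL 1.0 and 1.1/3 format the CN differently)
  subj=$(openssl x509 -in "$WORK/cert.pem" -noout -subject)
  case "$subj" in
    *"CN=$CN"*|*"CN = $CN"*) ;;
    *) echo "unexpected subject: $subj" >&2; return 1 ;;
  esac
  # self-signed: fails against the system trust store (s_client "return code 18")
  # but passes once the certificate itself is supplied as the trust anchor
  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  make_p12
  check_p12
  echo "verified: $WORK/keystore.p12 (point keystoreFile at it)"
else
  echo "openssl not on PATH" >&2
fi
```

Point `keystoreFile` at the resulting `keystore.p12` with `keystoreType="PKCS12"`, exactly as in the step 6 connector.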