Tomcat 9.0.56 Windows - Assistance with using cert and key generated using MS AD Cert Server for internal use

2022-02-09 Thread paul.leo
All,

Could someone point me to a how-to for SSL configuration using a cert and key
generated using MS AD Cert Server for internal use?

I have attempted to follow examples in Tomcat docs, as well as examples
found through internet searches.

I have attempted various configurations using either
http11.Http11NioProtocol, or org.apache.coyote.http11.Http11AprProtocol
connectors.

I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.

I get a variety of different error messages.

I think we can be pretty agnostic about the particular approach.

Am happy to provide the configurations I've tried and the resulting error
messages.

I thought it might be better if I first was able to obtain an example.

It seems like it might be better than listing all configurations and errors.
But am happy to do that as well.

Best,

Paul Leo, Software Engineer
  paul@stgconsulting.com

RE: Tomcat 9.0.56 Windows - Assistance with using cert and key generated using MS AD Cert Server for internal use

2022-02-10 Thread paul.leo
Chris,
Appreciate your guidance.
Will post errors, if there are any.
Best
Paul

-Original Message-
From: Christopher Schultz  
Sent: Thursday, February 10, 2022 1:15 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.56 Windows - Assistance with using cert and key
generated using MS AD Cert Server for internal use

Paul,

On 2/9/22 13:41, paul@stgconsulting.com wrote:
> Could someone point me to a how to SSL configuration using cert and 
> key generated using MS AD Cert server for internal use?

Assuming that "MS AD Cert Server" generates normal X.509 certificates, it
shouldn't matter that you are using that particular tool.

What format is your certificate in once created? Note that you'll need both
the private key and the certificate. If MS AD Cert Server doesn't trust you
with the private keys, then you won't be able to use that tool.

> I have attempted to follow examples in Tomcat docs, as well as 
> examples found through internet searches.
> 
> I have attempted various configurations using either 
> http11.Http11NioProtocol, or 
> org.apache.coyote.http11.Http11AprProtocol
> connectors.

You shouldn't have to specify any specific connector. The defaults should be
enough.

> I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.
> 
> I get a variety of different error messages.
> 
> I think we can be pretty agnostic for particular approach.
> 
> Am happy to provide the configurations I've tried and the resulting 
> error messages.
> 
> I thought it might be better if I first was able to obtain an example.
> 
> It seems like it might be better than listing all configurations and 
> errors. But am happy to do that as well.

These commands should generate a key + certificate you should be able to use:

$ openssl ecparam -name prime256v1 -genkey -out server.key
$ openssl req -new -x509 -nodes -sha512 -key server.key -out server.crt -days 365

This will create an Elliptic-Curve key, unencrypted, and then generate a
self-signed certificate using that key. Enter whatever you want when OpenSSL
asks you all those questions, but the "CN" (or "Common Name") should be the
hostname of the server you are configuring. For a real site, you'll want to
make sure that the Subject Alternative Name (SAN) fields are specified
correctly so browsers don't complain (these days, CN is essentially ignored
and SAN is essentially required).

Anyhow, now you have two files. Configure your :

This should be enough to get you started.

If the above doesn't work, please post whatever errors you get.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



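The following script is an added example and is not Chris's or the Tomcat project's code. It reproduces the key and self-signed certificate generation described in his reply, but sets the Subject Alternative Name he says browsers now require, and then runs the two checks worth doing before handing the files to Tomcat: that the SAN lists the hostname, and that the private key actually belongs to the certificate (a mismatch is a common cause of connector start-up errors). The Connector fragment it prints uses the documented Tomcat 9 SSLHostConfig/Certificate syntax; the port 8443, the hostname tomcat.internal.example and the conf/ paths are placeholders. It assumes OpenSSL 1.1.1 or newer, since `req -addext` was added in that release.

```shell
#!/bin/sh
# Added example (not from the thread): EC key + self-signed cert with a SAN,
# followed by the checks a practitioner wants before wiring them into Tomcat.
# Assumes OpenSSL 1.1.1 or newer (for `req -addext`).
set -eu

# gen_server_cert HOST OUTDIR
# Writes OUTDIR/server.key (unencrypted prime256v1 EC key) and
# OUTDIR/server.crt (self-signed, SHA-512, 365 days, SAN = DNS:HOST).
gen_server_cert() {
  host="$1"
  dir="$2"
  mkdir -p "$dir"
  # -noout keeps the "EC PARAMETERS" block out of the key file, so the file
  # holds only the private key block.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
  # -subj and -addext replace the interactive questions; CN still set to the
  # hostname, and the SAN carries the same name for modern browsers.
  openssl req -new -x509 -nodes -sha512 -key "$dir/server.key" \
    -out "$dir/server.crt" -days 365 \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host"
}

# cert_has_san CRT HOST -> succeeds if the SAN extension lists DNS:HOST
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_matches_cert KEY CRT -> succeeds if both carry the same public key
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$key_pub" = "$crt_pub" ]
}

# connector_fragment KEYFILE CRTFILE -> prints a Tomcat 9 <Connector> using
# the two PEM files (documented SSLHostConfig/Certificate syntax; the port
# is a placeholder).
connector_fragment() {
  cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeyFile="$1" certificateFile="$2" type="EC" />
  </SSLHostConfig>
</Connector>
EOF
}

# Usage: sh gen-cert.sh tomcat.internal.example ./out
if [ "${1:-}" != "" ]; then
  out="${2:-.}"
  gen_server_cert "$1" "$out"
  cert_has_san "$out/server.crt" "$1" && echo "SAN ok"
  key_matches_cert "$out/server.key" "$out/server.crt" && echo "key matches cert"
  connector_fragment "conf/server.key" "conf/server.crt"
fi
```

Both check functions return a non-zero status on failure, so they can gate a deployment step. The same two checks apply unchanged to a key and certificate issued by an internal CA such as AD Certificate Services, once both are exported in PEM form; if the CA does not release the private key, there is nothing for `certificateKeyFile` to point at, which is the situation Chris warns about.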



How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
Hello all,

I've been tasked with researching options for running Tomcat 8.5.x as a Windows
service, but with a different user.

I need to know what the minimum rights for the user would be, and also how to pass
the user & password.  I think I see how to pass user and password.  I don't see
how to encrypt the password though.

Other options would be appreciated as well.

Best,

Paul



RE: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
After a quick meeting with the client this may be a moot point.
On this page:
https://tomcat.apache.org/tomcat-8.5-doc/windows-service-howto.html
I saw command line references (and as I'm reviewing, it's becoming more
clear that I'm not understanding use) for:

--User      User account used for running executable. It is used only
for StartMode java or exe and enables running applications as service under
account without LogonAsService privilege.
--Password  Password for user account set by --User parameter

It looks like this is when you install the service.
I was thinking that I would have to specify the password somewhere.  I don't
think that's the case.

Sorry to be a little misinformed.



-Original Message-
From: Mark Thomas  
Sent: Wednesday, June 22, 2022 10:33 AM
To: users@tomcat.apache.org
Subject: Re: How to configure Tomcat 8.5.x to run in with a different
windows service user, and what are minimum permissions

On 22/06/2022 17:02, paul@stgconsulting.com wrote:
> Hello all,
> 
> I been tasked with researching options for running Tomcat 8.5.x as a 
> windows service, but with a different user.
> 
> I need to know what minimum rights for user would be, and also how to 
> pass user & password.  I think I see how to pass user and password.  I 
> don't see how to encrypt password though.
> 
> Other options would be appreciated as well.

Any reason running as the default (assuming a recent Tomcat version)
LocalService isn't sufficiently secure?

The minimum permissions would depend on the app but off the top of my head
that will be at least:
- file permissions as documented in the security guide
- run as service
- network access

Exactly where are you looking to encrypt the password?

Mark



