Hi Klaus,
Hi Franck, Tomcat still complains that the keystore was tampered with or the
password was incorrect.
I am not sure about the password. For all the questions, I gave my own
and always the same one. Was that correct?
Yes, use your own password. 'changeit' is only an example which is
mainly used for tests.
Don't give up!
-- Franck
Klaus
Franck Borel wrote:
Sorry to disturb you again, but the entries in my server.xml do
not seem to be the problem.
*At present, Tomcat states that my .keystore was tampered with or my
password was incorrect.*
But I did everything over and over again, and correctly!
My trouble is that there are lots of descriptions of how to produce
keys and certificates. One describes the signing of a key, another
describes how to write a keystore. But none of them really fit
together. Is there any step-by-step document for the full process?
I found a script which looks like this:
------------------------------------------------------------------------------------------
openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
To get the keystore, I added:
java/bin/keytool -import -keystore /root/.keystore -file server.crt -alias wt24ca
------------------------------------------------------------------------------------------
Do I need the keystore, or can I go with server.key and server.crt?
Please help, I am going around and around ...
Klaus
OK, Klaus. I think the problem is that Tomcat doesn't accept your
OpenSSL .crt. Tomcat only works with JKS or PKCS12 (--> OpenSSL)
format keystores, and there are some limitations on the support for
PKCS12. So, try this:
1) keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/bin/.keystore
   --> creates the key
2) keytool -export -alias tomcat -file tomcat-server.crt -keystore /opt/tomcat/bin/.keystore
   --> creates the certificate and signs it with your key
3) keytool -import -file tomcat-server.crt -keystore /opt/tomcat/conf/cacerts
   --> creates a keystore cacerts and adds your certificate
Now, edit your server.xml:
<Connector port="443"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           acceptCount="100"
           debug="0"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/.keystore"
           keystorePass="secret"
           truststoreFile="conf/cacerts"/>
This should work.
-- Franck
Franck Borel wrote:
Hi Klaus,
Hi Franck,
thank you for your hint. But I am not sure which parameter is
which file.
To make things clear, here is my procedure:
------------------------------------------------------------------------
openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095
openssl genrsa -out ./key.pem 512
openssl req -new -key ./key.pem -out ./req.pem -days 1095
openssl ca -in ./req.pem -out ./cert.pem -days 1095
chown -R root:root ./cert
chmod -R 700 ./cert
Then I cleaned cert.pem by hand (took out the text before
"-----BEGIN CERTIFICATE-----").
The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca
----------------------------------------------------------------------
Setting up SSL is described so differently in different documents
that it is hard to be sure what to do. The above I extracted
from several descriptions.
Could you please tell me which file from the above is used in
server.xml?
You mixed two different tools (OpenSSL and Java keytool).
I don't know if this works. Anyway, here is an example of the
Connector element with your values:
<Connector port="443"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           acceptCount="100"
           debug="0"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"/>
Don't forget to edit your /webapps/web.xml:
<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
-- Franck
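Added example for this thread, not a script posted by Klaus or Franck: the "PKCS12 (--> OpenSSL)" route Franck mentions, done with OpenSSL alone. It generates a key and self-signed certificate, packs both into one PKCS12 keystore (so the private key ends up in the store, which a plain "keytool -import" of a .crt never does), checks that the store password actually opens the file before it goes into keystorePass, and prints the matching Connector. The function names, the output directory, the password, port 8443 and the CN "localhost" are assumptions for illustration; keystoreType="PKCS12" is the documented Connector attribute for a non-JKS store.

```shell
#!/bin/sh
# Added example for this thread, not code from Klaus or Franck.
# Builds a PKCS12 keystore for Tomcat with OpenSSL only, verifies the
# store password, and prints the Connector that goes with it.
# Function names, paths, port, CN and password are assumed values.

# Create key.pem, cert.pem and keystore.p12 in directory $1, protected
# with password $2; $3 is the certificate CN (default localhost).
# Prints the keystore path on success.
make_pkcs12_keystore() {
  dir=$1; pw=$2; cn=${3:-localhost}
  # Private key and self-signed certificate in one step. -nodes leaves the
  # PEM key unencrypted; it is deleted again once it is inside the PKCS12.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  # Pack key and certificate into one entry under the alias "tomcat".
  # Unlike "keytool -import -file cert.pem", this keeps the private key.
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -name tomcat -out "$dir/keystore.p12" -passout "pass:$pw" 2>/dev/null || return 1
  rm -f "$dir/key.pem"
  printf '%s\n' "$dir/keystore.p12"
}

# Exit 0 if password $2 opens keystore $1, non-zero otherwise. A wrong
# password fails the PKCS12 MAC check, which is the condition behind the
# "keystore was tampered with, or password was incorrect" message above.
check_keystore_password() {
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

# Print the Connector for keystore $1 and password $2. keystoreType tells
# Tomcat the file is PKCS12 instead of the default JKS.
tomcat_connector() {
  cat <<EOF
<Connector port="8443" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="$1" keystoreType="PKCS12" keystorePass="$2"/>
EOF
}

# Usage: sh keystore.sh /opt/tomcat/conf s3cret
if [ $# -eq 2 ]; then
  ks=$(make_pkcs12_keystore "$1" "$2") || exit 1
  check_keystore_password "$ks" "$2" || { echo "password check failed" >&2; exit 1; }
  tomcat_connector "$ks" "$2"
fi
```

The point of check_keystore_password is to separate the two causes in the error message: if the store opens with the password you intend to put in keystorePass, the file is intact and any remaining failure is a path or configuration problem, not a password one. The same check with Java tooling is "keytool -list -keystore keystore.p12 -storetype PKCS12".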
------------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
====================================================================
Dipl.-Hyd. Franck Borel Universitaetsbibliothek Freiburg
EMail: [EMAIL PROTECTED] EDV-Dezernat
Tel. : +49-761 / 203-3908 Werthmannplatz 2 | Postfach 1629
Fax : +49-761 / 203-3987 79098 Freiburg | 79016 Freiburg