Thanks Brijesh,
The certificate that I am using is an RSA-based certificate. I tried listing the
RSA-based ciphers in the server.xml; however, it still gave me the same
error.
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/tmp/.keystore" keystorePass="changeit" enableLookups="false"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
clientAuth="false" sslProtocol="TLS" />
Any idea what else could be going wrong?
Thanks,
Siddhi
-----Original Message-----
From: Brijesh Deo [mailto:[email protected]]
Sent: Wednesday, March 06, 2013 12:25 PM
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates
-----Original Message-----
From: Siddhi Borkar [mailto:[email protected]]
Sent: 06 March 2013 12:15
To: [email protected]
Subject: Error configuring tomcat with ssl certificates
Hi,
I need help configuring tomcat 6 with ssl certificates. I have been provided
with the following
cacert.pem
prvkey.key
and sslcert.crt
I tried the following steps:
1) Generated a keystore using java keytool and the certificate file using
the following command.
keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore
2) Added the .pem file to the keystore
keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore
3) Start the tomcat server
4) After starting the server, the following error was seen in the logs.
Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
    at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
    at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
    at org.apache.catalina.connector.Connector.start(Connector.java:1107)
    at org.apache.catalina.core.StandardService.start(StandardService.java:531)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
    at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
    ... 15 more
Can someone help on this?
Thanks
Siddhi,
You might want to check your ciphers attribute value in the Connector
definition in server.xml file. Generally, the list of ciphers that you include
here are based upon the type of your certificate. If you have RSA based
certificate, you need to enlist RSA based ciphers (ones with _RSA in the cipher
suite name) and similarly for DSA based certificate you should have
corresponding cipher suites (ones with _DSS in the cipher suite names). Maybe
you have this mismatched and that is the problem.
The other way round would be to generate or use a certificate based upon the
cipher suites that you want or are supported in your ciphers attribute value.
Brijesh Deo
Dell | SonicWALL
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
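
An added example, not part of the thread and not Tomcat code: a Python check that applies the cipher-suite advice above and also looks at the keystore entry types. A new alias created with `keytool -import` is a trustedCertEntry with no private key, so JSSE has nothing to back any certificate-authenticated suite and raises the SSLException shown in the log. The Connector string, the keytool listings and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: Connector in the style of the thread, cipher list shortened,
# with one DSS suite added to show the mismatch case.
CONNECTOR = ('<Connector port="443" SSLEnabled="true" keystoreFile="/tmp/.keystore" '
             'ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,'
             'TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />')

# Constructed `keytool -list` output for a keystore filled only via `keytool -import`.
IMPORT_ONLY = """Your keystore contains 2 entries

root, Mar 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33
tomcatcert, Mar 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 44:55:66:77
"""
# Constructed: the same listing once the alias holds the private key and its chain.
WITH_KEY = IMPORT_ONLY.replace("tomcatcert, Mar 4, 2013, trustedCertEntry",
                               "tomcatcert, Mar 4, 2013, PrivateKeyEntry")

def suite_key_alg(name):
    """Key algorithm the server certificate must have for a JSSE suite name."""
    tokens = name.split("_WITH_")[0].split("_")   # e.g. ['TLS', 'DHE', 'RSA']
    if "anon" in tokens:
        return "none"
    if "ECDSA" in tokens or "ECDH" in tokens:     # fixed ECDH also needs an EC key
        return "EC"
    if "DSS" in tokens:
        return "DSA"
    return "RSA" if "RSA" in tokens else "unknown"

def key_entries(keytool_list):
    """Aliases that hold a private key; trustedCertEntry aliases cannot serve TLS."""
    rows = re.findall(r"^([^,\n]+), .*, (\w+),[ \t]*$", keytool_list, re.M)
    return [alias for alias, kind in rows if kind == "PrivateKeyEntry"]

def usable_suites(connector_xml, keytool_list, key_alg):
    """Suites from the ciphers attribute that the keystore can actually back."""
    if not key_entries(keytool_list):
        return []          # no private key: no certificate-authenticated suite works
    ciphers = ET.fromstring(connector_xml).get("ciphers", "")
    names = [s.strip() for s in ciphers.split(",") if s.strip()]
    return [n for n in names if suite_key_alg(n) == key_alg]

if __name__ == "__main__":
    for label, listing in (("import only", IMPORT_ONLY), ("with key", WITH_KEY)):
        print(label, key_entries(listing), usable_suites(CONNECTOR, listing, "RSA"))
```

The key algorithm is passed in because plain `keytool -list` output does not show it; `keytool -list -v` does.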