> -----Original Message-----
> From: Jeffrey D. Fisher [mailto:jeff.fisher12...@cox.net]
> Sent: Tuesday, March 19, 2013 9:34 AM
> To: 'Tomcat Users List'; mgai...@hotmail.com
> Subject: RE: SSL Best Practices
> 
> Yes, I do have a CA-issued certificate with a chain to a trusted CA.
> I've imported it to the keystore.  I am close to a solution.  When I
> attempt to open the default Apache web page using "https:" I get an
> error page that says that the server cannot open the page.  It opens
> with "http:" just fine.
> I have configured the normal ports i.e. "80" and "443" to redirect to
> "8443".  The reason for this is that the users having to include the
> port numbers (8080 or 8443) would not be acceptable.  They need only
> enter the DNS name into the browser and DNS does the rest.

This is a little overkill.  Set up the "443" connector as the SSL connector and 
dump the "8443" connector as unneeded.
The "80" connector should redirect to "443". 
And make sure that you are not using the APR, aka "native", library. Either 
comment out the listener for it, or remove the lib file from the bin directory, 
or both (best).
As others have suggested, make sure you mark the 443 connector as 
secure="true", and verify the other settings.
Here are the connectors I use for all my servers.

    <Connector address="[IP_ADDRESS]" port="80" maxHttpHeaderSize="8192"
               maxThreads="50" enableLookups="false" redirectPort="443"
               acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true"
               compression="off" />
    <Connector address="[IP_ADDRESS]" port="443" maxHttpHeaderSize="8192"
               maxThreads="150" enableLookups="false" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true"
               compression="off"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="path"
               SSLCertificateKeyFile="path"
               SSLCertificateChainFile="path"
               SSLPassword="password" />

Note this is for Tomcat 6 using the native lib.  You'll have to replace the 
last 4 lines with the properties for the Java keystore, and there are probably 
some other changes needed for Tomcat 7.

> 
> I am missing something in the configuration of SERVER.XML, WEB.XML or
> both to get the server to answer to an https connection.  I cannot find
> what it is that I have not done or I have missed!
> 
> Any input would be appreciated.
> 
> Best...

There are web.xml tags -- security-constraint tree -- that also govern *when* 
to switch to using the SSL port.
Jeff
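An added illustration (not from either poster) of the two pieces the reply refers to: a Java-keystore (JSSE) replacement for the four native-library attributes, and the web.xml security-constraint that decides when Tomcat redirects a request onto the TLS port. The keystore path, password and alias are placeholders; the port-80 connector's redirectPort="443" is what keeps ":8443" out of the URLs users see.

```xml
<!-- server.xml (Tomcat 6/7 JSSE connector; APR/native listener not loaded) -->

<!-- Plain connector: its only job is to send secured resources to 443.
     redirectPort must name the real TLS port, not 8443. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- TLS connector. scheme/secure make request.isSecure() report correctly;
     the SSLCertificate* attributes of the native connector are replaced by
     keystore attributes. Values below are placeholders. -->
<Connector port="443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" connectionTimeout="20000"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/to/keystore.jks"
           keystorePass="PLACEHOLDER_PASSWORD"
           keyAlias="tomcat" />

<!-- web.xml: a request for anything under /* arriving on port 80 is
     answered with a redirect to https://<host>/... on 443. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two checks worth doing before blaming server.xml: `keytool -list -v -keystore keystore.jks` should show the CA-issued certificate and its chain under the same alias as the private key (a "Certificate chain length" greater than 1 for a chained CA), and on Unix binding to 80 and 443 needs root or a helper such as jsvc or authbind, so a connector that silently fails to bind looks exactly like "the server cannot open the page". Tomcat's catalina.out will log the bind or keystore failure at startup.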

