Hi, We have a working tomcat 6 installation with a self-signed cert. We have received a certificate from Symantec (x509) and are trying to get it working in our tomcat 6 installation. So far, I’ve had no luck.
What I have done so far:

1) Followed instructions from https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=AR124

- downloaded primary & secondary intermediate CA from Symantec
- imported into a brand new keystore using

keytool -import -trustcacerts -alias primaryIntermediate -keystore geneKeystore -file primary_inter.cer
keytool -import -trustcacerts -alias secondaryIntermediate -keystore geneKeystore -file secondary_inter.cer

The keystore didn't exist prior to the first import above, but it seemed to create it ok and prompt for passwords.

- install the SSL cert from Symantec

keytool -import -trustcacerts -alias myalias -keystore geneKeystore -file ssl_cert.cer

- verify contents of keystore

keytool -list -v -keystore geneKeystore

The Symantec instructions say to ensure the alias for the SSL cert has an Entry Type of PrivateKeyEntry. Mine DOES NOT. Instructions say if it does not, to please import the certificate in the "Private Key" alias. I'm not sure what that means. I'm assuming it does not mean to import the cert using the alias of "PrivateKey", as I believe the alias has to match what was in the CSR??

It also says to ensure the Certificate chain length is 4. The Symantec example shows sample output of the above command with "Certificate chain length: 4" in the output, but I don't get that in mine. My keystore type is JKS and provider is SUN as in their example though. I do see four extensions listed under the 'myalias' alias; not sure if that would imply a chain length of four.

As you can already guess, I'm no SSL expert (or even tomcat expert for that matter). Since I wasn't sure what to do here I left this alone and moved on.
2) edit server.xml

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           keyAlias="myalias"
           keystoreFile="/usr/share/tomcat6/certs/gene/geneKeystore"
           keypass="mypassword" />

3) restart tomcat

- verified tomcat is running
- verified something listening on port 8443 (netstat -an |grep 8443)
- catalina.out contents below:

Jan 03, 2014 8:43:43 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: :/usr/share/tomcat6/lib:/usr/share/tomcat6/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'minSpareThreads' to '25' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:44 AM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Jan 03, 2014 8:43:44 AM org.apache.coyote.http11.Http11NioProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:44 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1217 ms
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardEngine start
...
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11NioProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:53 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Jan 03, 2014 8:43:53 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/49 config=null
Jan 03, 2014 8:43:53 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9583 ms

I'm not doing something correctly, but I'm not sure what that is. If anyone can point me in the right direction I would appreciate it.

Thanks,
Gene

PS: How does one search the archives of this list? When I browse the archive site I don't see a search field anywhere. So I've been googling without coming up with a solution. It is probably out there, but I don't know enough to recognize it :-(

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
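An added check, not part of Gene's post or the Symantec instructions: this Python script parses the output of `keytool -list -v` and reports why Tomcat could not serve TLS from a given keyAlias, namely an alias whose entry type is trustedCertEntry (the certificate was imported without the private key it was issued for) or whose certificate chain is shorter than expected. The listing it runs against is constructed to mirror the situation in the post; the alias name `myalias` and the expected chain length of 4 come from the post, the CN/O values are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `keytool -list -v` output (not from the original post): the server
# certificate was imported as a plain trusted cert, so the alias that Tomcat's
# keyAlias points at holds no private key and reports no chain length.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries

Alias name: primaryintermediate
Creation date: Jan 3, 2014
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
*******************************************

Alias name: myalias
Creation date: Jan 3, 2014
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example, C=US
Issuer: CN=Example Intermediate CA, O=Example, C=US
"""


def parse_keytool_list(text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each alias to (entry type, certificate chain length or None)."""
    entries = {}
    for block in text.split("Alias name: ")[1:]:
        alias = block.split("\n", 1)[0].strip().lower()  # keytool lowercases aliases
        etype = re.search(r"^Entry type: (\S+)", block, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", block, re.M)
        entries[alias] = (etype.group(1) if etype else "unknown",
                          int(chain.group(1)) if chain else None)
    return entries


def check_server_alias(text: str, alias: str, expected_chain: int = 4) -> List[str]:
    """Return the problems that would stop Tomcat using keyAlias=alias for TLS."""
    entries = parse_keytool_list(text)
    if alias.lower() not in entries:
        return [f"alias {alias!r} not present in keystore"]
    etype, chain = entries[alias.lower()]
    problems = []
    if etype != "PrivateKeyEntry":
        problems.append(f"{alias}: entry type {etype}, not PrivateKeyEntry "
                        "(certificate imported without its private key)")
    if chain is None or chain < expected_chain:
        problems.append(f"{alias}: chain length {chain}, expected {expected_chain}")
    return problems
```

Run it on the real listing with `check_server_alias(open("listing.txt").read(), "myalias")`; an empty list means the alias holds a key pair with the full chain, which is what the Symantec check is asking for.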