Hi,
Hello. I'm setting up SSL. I have Tomcat 5.5.16. The error that I'm getting is that it can't locate my keystore file. I am using the keystoreFile attribute but it's still not working. Can anyone help?
A more detailed email explaining what you tried would be needed to be able to help you. Are you using Apache as a front-end? Because Apache could be used to handle the SSL stuff. Anyway, you will find below a working "four-step" process explaining how to implement not only SSL encryption but also client authentication using self-signed certificates. I don't have so much time, so I just copy-paste from my documentation, so change the various names according to your server.

As I said, adding support for SSL or TLS in Tomcat can be divided into four general steps:

1 - Setting up the CA

- Create /home/lams/openssl to hold the CA keys, server keys and (as we want to use SSL client authentication) the client keys.
- Create a private key and certificate request for our CA:
    openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
- Create the CA's self-signed certificate:
    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
- Import the CA certificate into the JDK certificate authorities keystore:
    $JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/lib/security/cacerts -file ca.pem -alias itcilo_ca
- Create a file to hold the CA's serial numbers. This file starts with the number "2":
    echo "02" > ca.srl

2 - Setting up the web server

- Create /etc/tomcat to contain both the keystore and the truststore files (the truststore is a keystore in which reside all the certificates with which a user can authenticate himself on the server).
- Create a keystore for the Tomcat server:
    $JAVA_HOME/bin/keytool -genkey -alias map-test -keyalg RSA -keysize 1024 -keystore /etc/tomcat/server-keystore2.jks -storetype JKS
- Create a certificate request for the web server:
    $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias map-test -file map-test.csr -keystore /etc/tomcat/server-keystore2.jks
  You need to edit the certificate request file slightly. Open it up in a text editor and amend the text which reads "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST".
- Have your CA sign your certificate request:
    openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in map-test.csr -out map-test.crt -days 365
- Import your CA certificate into your server keystore. This step is necessary because we want to use SSL client authentication:
    $JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore /etc/tomcat/server-keystore2.jks -trustcacerts -file ca.pem
- Import the signed server certificate into the server keystore:
    $JAVA_HOME/bin/keytool -import -alias map-test -keystore /etc/tomcat/server-keystore2.jks -trustcacerts -file map-test.crt
  You should see the message "Certificate reply was installed in keystore".

3 - Setting up the SSL client

- Create a client certificate request:
    openssl req -new -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key
- Have the CA sign the client certificate:
    openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in santiago.req -out santiago.pem -days 365
- Import the CA certificate into the truststore:
    $JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore /etc/tomcat/truststore-itcilo2.jks -trustcacerts -file ca.pem
- Import the client certificate into the truststore:
    $JAVA_HOME/bin/keytool -import -alias santiago -keystore /etc/tomcat/truststore-itcilo2.jks -trustcacerts -file santiago.pem
- Generate a PKCS12 file containing the client key and certificate:
    openssl pkcs12 -export -clcerts -in santiago.pem -inkey santiago.key -out santiago.p12 -name "virgilio_certificate"
- Import the PKCS12 file into the web browser to use as the client certificate and key (Tools - Internet Options - Contents - Certificates; verify by clicking "Advanced" that "Client Authentication" is checked).

4 - Configure Tomcat for SSL

The following lines must be added to server.xml. The clientAuth parameter must be set to true as we want Tomcat to require all SSL clients to present a client certificate in order to use this socket.

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!-- keystoreFile and truststoreFile must point at the stores created in steps 2 and 3 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="/etc/tomcat/server-keystore2.jks" keystorePass="password"
               truststoreFile="/etc/tomcat/truststore-itcilo2.jks" truststorePass="password" />

Regards,
Gaël
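Since the original question is a keystore that Tomcat cannot locate, the following shell script is added here as an example (it is not part of Gaël's reply nor of the Tomcat project). It pulls the keystoreFile and truststoreFile attributes out of a server.xml Connector, checks that each path exists and is readable by the user running the check (run it as the OS user that starts Tomcat, since a store readable only by root fails the same way as a missing one), and optionally confirms with keytool that the configured password opens the store. The server.xml fragment it builds under a temporary directory, and the file names in it, are constructed for the demonstration and are assumptions, not files from the original post.

```shell
#!/bin/sh
# Added example (not from the original reply): sanity-check the keystore and
# truststore paths that a Tomcat <Connector> in server.xml refers to, which is
# the usual cause of "cannot locate keystore" at startup.

# Print the value of one Connector attribute (e.g. keystoreFile) found in a
# server.xml; empty output means the attribute is not set at all.
connector_attr() {
    conf="$1"; attr="$2"
    grep -o "$attr=\"[^\"]*\"" "$conf" | head -n 1 | sed "s/^$attr=\"//; s/\"\$//"
}

# Check that every keystoreFile/truststoreFile path in the config exists and
# is readable. Returns 0 if all are fine, 1 if any is missing or unreadable.
check_tomcat_stores() {
    conf="$1"
    rc=0
    for attr in keystoreFile truststoreFile; do
        path=$(connector_attr "$conf" "$attr")
        if [ -z "$path" ]; then
            echo "$attr: not set in $conf (Tomcat falls back to \$HOME/.keystore for keystoreFile)"
            continue
        fi
        if [ -r "$path" ]; then
            echo "$attr: $path is present and readable by $(id -un)"
        else
            echo "$attr: $path is missing or not readable by $(id -un)"
            rc=1
        fi
    done
    return $rc
}

# Optional deeper check: confirm that the configured password actually opens
# the store (a wrong keystorePass is the other common startup failure).
# Skipped, returning 0, when keytool is not on the PATH.
check_store_password() {
    store="$1"; pass="$2"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping password check for $store"; return 0; }
    if keytool -list -keystore "$store" -storepass "$pass" >/dev/null 2>&1; then
        echo "$store: opens with the configured password"
    else
        echo "$store: keytool cannot open it with the configured password"
        return 1
    fi
}

# Demonstration on a constructed server.xml (assumed names, temporary paths):
# the keystore file exists, the truststore does not, so the check names the
# truststore and returns 1.
demo_dir=$(mktemp -d)
touch "$demo_dir/server-keystore2.jks"
cat > "$demo_dir/server.xml" <<EOF
<Connector port="8443" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="$demo_dir/server-keystore2.jks" keystorePass="password"
           truststoreFile="$demo_dir/truststore-itcilo2.jks" truststorePass="password" />
EOF
check_tomcat_stores "$demo_dir/server.xml" || echo "fix the paths above before starting Tomcat"
rm -rf "$demo_dir"
```

Run it against the real file with `check_tomcat_stores /path/to/conf/server.xml`; when the paths are fine but Tomcat still fails, `check_store_password /etc/tomcat/server-keystore2.jks password` separates a wrong password from a wrong path.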