2015-10-15 20:48 GMT+03:00 Beyer, Gregory L <gregory.be...@business.gatech.edu>:
> Hello,
>
> I'm trying to get my web app, which is otherwise running fine on port 80, to respond on SSL. Sorry if this is a resend. I only just started getting list messages, so my first may not have gone. I don't intend to bump.
>
> Scenario:
>
> The server in question is a Windows12 web application host running Tomcat 8.0.26. Running on Tomcat is a Java application which accepts port 80 connections from another host across the 'net. I have firewall rules configured to allow port 80 and 443 traffic between the servers. Port 80 is working fine. I'm not running IIS, only Tomcat.
>
> However, we don't want to have our data stream exposed as clear text over the internet; we need to use SSL.
>
> I have used %JAVA_HOME%\bin\keytool to generate a keystore and then have configured the Inbound SSL Settings in my app's config.properties file with the path to the keystore and the password. The # lines are variations on the path to the truststore that I have attempted unsuccessfully. I'm using the default certificate, below. Web clients will not be connecting, so we don't need a commercial certificate. This is a server-to-server web call.
>
> ##############################
> # Inbound SSL Settings
> ##############################
>
> org.apache.felix.https.enable=true
> org.osgi.service.http.port.secure=443
> org.apache.felix.https.keystore=E:\keystore\scilexcon
> #org.apache.felix.https.keystore=./keystore/scilexcon
> org.apache.felix.https.keystore.password=redacted
> org.apache.felix.https.keystore.key.password= redacted
> org.apache.felix.https.truststore=E:\keystore\scilexcon
> #org.apache.felix.https.truststore=C:\Program Files\Java\jre1.8.0_60\lib\security\cacerts
> #org.apache.felix.https.truststore=./keystore/scilexcon
> org.apache.felix.https.truststore.password= redacted
>

1) Is the above a *.properties file? If so, then '\' works as an escape symbol and must be doubled (\\). Usually people just use '/' instead; it usually works with Java.

> ./keystore/scilexcon

2) "." is the current directory when you start a program. It may be different depending on how you start it. (E.g. for Tomcat started explicitly via startup.bat vs. started as a service it may be different.)

> I've also configured the Java runtime of my application with the truststore path:
>
> -Djavax.net.ssl.trustStore=E:\keystore\scilexcon
>
> An http connect to my connect runtime is successful. http://<hostname>
> https://<hostname> times out
>
> Netstat -a reveals that port 443 is listening on <hostname>
>
> Documents I have used so far are one documenting the Inbound SSL connections of my app's config file, and the SSL documentation of Apache Tomcat: http://<hostname>:8080/docs/ssl-howto.html
>
> In my server.xml, I've unremmed the connector section and changed the connector port to 443:
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS" />
>
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
>
> I've looked through my logs, but don't find anything to indicate why it just clocks until timing out. Maybe I'm missing something?
>
> Having read the SSL howto, I don't think I've missed anything.

3) https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

Try connecting with a web browser or a standard tool (like wget, openssl client) to check that HTTPS works. Look into an access log. Take a series of thread dumps (for your client as well).

4) Is Java trusting your self-signed server certificate (so that it is able to connect to it)?

Old versions of Java (Java 6) use SSLv2Hello when initiating an HTTPS connection. That protocol is disabled by default in current versions of Tomcat.
https://wiki.apache.org/tomcat/Security/POODLE

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
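As an added illustration of point 1 above (this is not code from the thread, from Tomcat or from Felix): a small Python reimplementation of the escape rules java.util.Properties applies when loading a file, run over a constructed snippet modelled on the config quoted above (the password value is a placeholder). It shows the un-doubled backslashes in `E:\keystore\scilexcon` collapsing to `E:keystorescilexcon`, while the doubled and forward-slash forms survive.

```python
# Added example: minimal java.util.Properties-style loader (escape handling only).

def _unescape(s):
    """Apply java.util.Properties escape rules to a key or value."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s):
            n = s[i + 1]
            i += 2
            if n == 'u' and i + 4 <= len(s):          # \uXXXX
                out.append(chr(int(s[i:i + 4], 16)))
                i += 4
            else:
                # \t \n \r \f map to control chars; any other escaped char
                # (e.g. \k or \s in a Windows path) is kept without its backslash
                out.append({'t': '\t', 'n': '\n', 'r': '\r', 'f': '\f'}.get(n, n))
        else:
            out.append(c)
            i += 1
    return ''.join(out)

def _continues(line):
    """A line ending in an odd number of backslashes continues on the next line."""
    return (len(line) - len(line.rstrip('\\'))) % 2 == 1

def load_properties(text):
    """Parse text in java.util.Properties format into a dict."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        while _continues(line) and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].lstrip()
        i += 1
        if not line or line[0] in '#!':            # comment or blank line
            continue
        j = 0                                       # key ends at first unescaped = : or blank
        while j < len(line) and line[j] not in '=: \t':
            j += 2 if line[j] == '\\' else 1
        key, rest = line[:j], line[j:].lstrip(' \t')
        if rest[:1] in '=:':
            rest = rest[1:].lstrip(' \t')           # leading blanks in the value are dropped
        props[_unescape(key)] = _unescape(rest)
    return props

def demo():
    # Constructed snippet mirroring the thread's config; password is a placeholder.
    text = ("# Inbound SSL Settings\n"
            "org.apache.felix.https.keystore=E:\\keystore\\scilexcon\n"
            "org.apache.felix.https.truststore=E:\\\\keystore\\\\scilexcon\n"
            "org.apache.felix.https.keystore.password= redacted\n"
            "alt.keystore=E:/keystore/scilexcon\n")
    return load_properties(text)
```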