Hi Andre

I installed a new download of tomcat 9, established one application with
php/java bridge (need php and java access). Set the SSL port to an unused
port, 443, and ran my app whose only output is an H1 message.  This time I
get the expected error from Chrome with the red warning about bad
certificate.  However, the redirect went to
https://localhost/Financial/index.php - i.e. NO port number and of course
drilling down couldn't find my app which is at port 443, I believe.

Progress, but still no cigar.

The tomcat logs only showed a 302:

0:0:0:0:0:0:0:1 - - [27/Sep/2017:05:08:12 -0400] "GET /Financials/index.php?XDEBUG_SESSION_START=netbeans-xdebug HTTP/1.1" 302 -

Don't know what my next step should be - any suggestions?  Your help to
this point has been great.  I greatly appreciate the help you are giving me.

Also, I'm sure you have seen, another user, John Ellis, is having somewhat
similar problems.


Don

On Mon, Sep 25, 2017 at 10:26 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

> On 25.09.2017 15:57, Don Flinn wrote:
>
>> Andre,
>>
>> I've attached the output from netstat -a.  I see 8080 listening, but not
>> 8443.  I've also attached the screen shot of the result of running my
>> "protected" application in Tomcat.
>>
>
> This list removes most attachments, so we did not get the screenshot.
> You have to post it to dropbox or so, for us to have a look.
>
> But you should definitely look in the tomcat logfiles (in the subdirectory
> inventively named "logs"), to see why it did not open port 8443 when
> supposedly told to do so.
>
>> As I mentioned, when I have Norton Security and it shuts down Windows
>> firewall and runs its own firewall.
>>
>
> Yes, but if port 8443 is not open and listening, that's a secondary
> consideration now. The first is why tomcat does not open that port.
>
> P.S. There are additional options to netstat, which will also print the
> name of the process which "owns" that port. Makes it easier to scan the
> list, because it will say "tomcat" next to the ones opened by tomcat.
>
>
>> Don
>>
>> On Sun, Sep 24, 2017 at 5:52 PM, André Warnier (tomcat) <a...@ice-sa.com>
>> wrote:
>>
>>     On 24.09.2017 16:08, Don Flinn wrote:
>>
>>         Andre,
>>
>>         I apologize for not giving all my information. As you perceived, I'm
>>         running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As
>>         you suggested, using netstat and telnet I found that port 8443 is not
>>         open. Looking further Windows firewall is controlled by Norton
>>         security.  I am now trying to find out how to open ports in Norton
>>         security using the Norton blog.
>>
>>         Thank you for your help.  As is obvious, I'm a newbie in low level
>>         admin work.  I'm hoping that when I get port 8443 open things will
>>         work.  I'll let you know.
>>
>>     Maybe wait just a second more, before you go digging in the firewall.
>>     You say that you found out that "the port is not open".
>>     That is not the same thing as
>>     - the port /is/ open
>>     - but it cannot be connected to
>>     If netstat shows the port open and listening, but you cannot connect to
>>     it with telnet, it is probably a firewall issue.
>>     But if the port is not open, then it is a tomcat issue.
>>     Provided that you configured tomcat properly, the port should be open,
>>     firewall or no firewall. (A firewall can only block access by a client,
>>     to a server port that is open. It cannot prevent a server process from
>>     opening that port for listening.)
>>     If it isn't open, the tomcat logs should tell you why.
>>
>>
>>
>>
>>
>>         Don
>>
>>
>>
>>         On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat)
>>         <a...@ice-sa.com> wrote:
>>
>>             On 24.09.2017 02:36, Don Flinn wrote:
>>
>>                 I'm trying to use a self signed certificate generated in
>>                 keytool.  When I run the application Chrome, Firefox and
>>                 Internet Explorer using localhost:8080/<myapp> all the
>>                 browsers do a redirect to localhost:8443 and then return
>>                 This site can’t be reached. *Localhost* refused to connect.
>>                 There is no red lined out protocol in any of the browsers.
>>                 All the Tomcat logs show no errors or warnings.  I can access
>>                 applications that are not protected and tomcat itself.
>>
>>
>>             I would suggest that you first re-read what you wrote above,
>>             line by line, and reflect quietly on what each line is telling
>>             you.
>>
>>             1) you say "localhost". That means that you are using a browser
>>             as client, on the same machine as the one which is running the
>>             server.
>>             2) you also say that one of the browsers is IE.
>>             3) (1) and (2) together imply that the host is a Windows server
>>             (and the client also of course).
>>             4) you are not saying which version of Tomcat you are using,
>>             neither which version of Java, neither which version of Windows.
>>             That makes helping you more complicated and time-consuming, and
>>             delays any help, because now we have to ask you, and you have to
>>             respond.
>>             5) "refused to connect" : before any kind of SSL dialog can even
>>             take place, the browser must be able to establish a TCP
>>             connection to the host:port in question.
>>             "refused to connect" seems to indicate that this is not the case.
>>             6) the logs do not show anything : that would seem to
>>             corroborate (5) : tomcat does not even see this connection. iow,
>>             there is no connection.
>>
>>             There are several possible reasons for this.
>>             a) Tomcat never opens the port 8443 for listening on it.
>>             That can be checked, with tomcat running, with the "netstat"
>>             utility program, included in Windows. With the proper arguments
>>             (which I will leave to you as an exercise)(but "netstat -h" will
>>             help), netstat will show you on which ports tomcat is listening
>>             locally.  If this does not include a ":8443" port, then it is not
>>             listening on that port, and certainly the logs of tomcat will
>>             tell you why.
>>             b) tomcat does listen on port 8443, but something else is
>>             blocking access to that port.
>>             Then you probably have to check your local firewall settings (or
>>             whatever else in whatever version of Windows may be blocking
>>             connections to a port).
>>
>>             Another quick way to check if tomcat (or anything) is listening
>>             on port 8443 (and/or something is blocking it) would be, in a
>>             command window, to run the following command :
>>             telnet localhost 8443
>>             (also with tomcat running)
>>             If it also tells you "no connection", then (a) or (b) above
>>             would be confirmed.
>>             If it connects, then you may get another message, due to the
>>             fact that it expects an SSL connection. (If it did not expect an
>>             SSL connection, you'd just get a blank page until you type
>>             something else).
>>             Obviously, access to tomcat's port 8080 is fine, so you can
>>             compare the responses above with what happens when you
>>             substitute 8080 for 8443.
>>
>>             Once the above is really cleared up, then it may be worth
>>             looking at the rest of the information which you sent below.
>>
>>                 If I set <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>                 to NONE everything works with localhost:8080.
>>
>>                 My SSL files in tomcat -
>>
>>                 *server.xml -*
>>
>>                 <Connector
>>                 protocol="org.apache.coyote.http11.Http11NioProtocol"
>>                 scheme="https"
>>                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>                 SSLEnabled="true" acceptCount="100" clientAuth="false"
>>                 disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>>                 port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>>                 secure="true" sslProtocol="TLS" clientAuth="false" />
>>
>>                 *web.xml -*
>>
>>                 <security-constraint>
>>                        <web-resource-collection>
>>                            <web-resource-name>Financials</web-resource-name>
>>                            <url-pattern>/*</url-pattern>
>>                        </web-resource-collection>
>>                        <user-data-constraint>
>>                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>                        </user-data-constraint>
>>                 </security-constraint>
>>
>>                 *the output from my keystore  list -*
>>
>>                 C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe" -list  -v -keystore c:/temp/mkeystore2.jks
>>                 Enter keystore password:
>>
>>                 Keystore type: JKS
>>                 Keystore provider: SUN
>>
>>                 Your keystore contains 1 entry
>>
>>                 Alias name: tomcat
>>                 Creation date: Sep 23, 2017
>>                 Entry type: PrivateKeyEntry
>>                 Certificate chain length: 1
>>                 Certificate[1]:
>>                 Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>>                 Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>>                 Serial number: 6b5fe428
>>                 Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
>>                 Certificate fingerprints:
>>                             MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
>>                             SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
>>                             SHA256: 4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
>>                             Signature algorithm name: SHA256withRSA
>>                             Version: 3
>>
>>                 Extensions:
>>
>>                 #1: ObjectId: 2.5.29.14 Criticality=false
>>                 SubjectKeyIdentifier [
>>                 KeyIdentifier [
>>                 0000: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n..
>>                 0010: BE 6F 4A 49                                        .oJI
>>                 ]
>>                 ]
>>
>>                 What am I doing wrong?  I want to get a self-signed keystore
>>                 working before I purchase a commercial certificate.
>>
>>                 Don
>>
>>
>>
>>             ---------------------------------------------------------------------
>>             To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>             For additional commands, e-mail: users-h...@tomcat.apache.org
>
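
The three states distinguished in this thread (nothing listening on the port, a listener that cannot be reached, and a listener that does or does not speak TLS) can be told apart in one pass. The following is an added example, not part of the original messages; the function name `probe` and its result labels are assumptions made for illustration, and certificate verification is switched off only because the certificate discussed here is self-signed.

```python
import socket
import ssl


def probe(host, port, timeout=3.0):
    """Return 'refused', 'timeout', 'unreachable', 'open-no-tls' or 'tls:<version>'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The OS answered with a reset: usually no process is listening
        # (case "a" in the thread, so read the Tomcat logs).
        return "refused"
    except socket.timeout:
        # No answer at all: usually something is dropping the packets
        # (case "b" in the thread, so look at the firewall).
        return "timeout"
    except OSError:
        return "unreachable"

    # TCP works. Now attempt the TLS handshake a browser would start.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: the certificate
    ctx.verify_mode = ssl.CERT_NONE  # in the thread is self-signed
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls:" + str(tls.version())
    except (ssl.SSLError, OSError):
        # A process is listening but does not complete a TLS handshake
        # (for example a plain HTTP connector).
        return "open-no-tls"
    finally:
        sock.close()


if __name__ == "__main__":
    # Ports mentioned in the thread; host and timeout are assumptions.
    for port in (8080, 8443, 443):
        print(port, probe("localhost", port, timeout=2.0))
```

A `refused` result on the HTTPS port while 8080 reports `open-no-tls` points at the connector never having started, which is the situation the netstat output in this thread showed.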
