John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: Peter Kreuser [mailto:l...@kreuser.name]
Sent: Wednesday, September 27, 2017 3:43 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

John,

> On 27.09.2017 at 18:08, John Ellis <john.el...@lsgsolutions.com> wrote:
>
> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: l...@kreuser.name [mailto:l...@kreuser.name]
> Sent: Tuesday, September 26, 2017 3:26 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
>
> John,
>
>> On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
>>
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
>> what Jira and/or Confluence would use, so I did that and it worked fine on
>> the http port of 8080. I then edited the server.xml file again for the SSL port
>> and got the same result as before; it never gets to a webpage login using the
>> secure port of 8443, but I can still get the webpage on port 8080. When I
>> look at the Tomcat 8 Catalina log file I see several lines where it says
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
>> googling that error and found a couple of posts saying to change from JKS to
>> JCEKS, but when I ran the commands I didn't have JKS in the command; only RSA
>> for the algorithm. Can someone provide me with the proper keytool commands
>> that I need to use to create an SSL certificate for Tomcat?
>>
>> John Ellis
>> 405.285.2500 office
>
> We’re talking about Tomcat 8.5; 8.0 is EOLed, so it may not make sense to ride
> a dead horse, and SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName="localhost">
>   <SSLHostConfig
>       hostName="localhost"
>       honorCipherOrder="true"
>       certificateVerification="none"
>       protocols="TLSv1.2"
>       ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate
>         certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>         certificateKeystorePassword="changeit"
>         certificateKeyAlias="tomcat"
>         type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>
> I use openssl to create the certs (as let’s encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that’s not necessary to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own CA and a signing process to make this work in all browsers
>
> # Verify server cert
> openssl x509 -in server.crt -text -noout
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
>
> Hope this helps for a start.
>
> Regards
>
> Peter
>
> Peter, I have never seen entries in the "</SSLHostConfig>" part of the
> server.xml file. Does that have to be in there for SSL to work in Tomcat?

That's the way you define one Connector on one port with different certificates in TC 8.5 and 9.0. I guess that's one of the important new features!

> Peter, I ran the keytool commands again to create all new keystore files,
> submitted & got back a certificate from Cacert.org and here is how my
> server.xml file looks now; at least the main parts that I have edited, based
> on what yours looks like-
>
> <!--Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="150" SSLEnabled="true">
>       <SSLHostConfig>
>           hostName="localhost"
>           honorCipherOrder="true"
>           certificateVerification="none"
>           ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>           <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
>                        certificateKeystorePassword="lsg4ora"
>                        certificateKeyAlias="tomcat"
>                        type="RSA" />
>       </SSLHostConfig>
>     </Connector> -->
>
> <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
>      This connector uses the APR/native implementation which always uses
>      OpenSSL for TLS.
>      Either JSSE or OpenSSL style configuration may be used. OpenSSL style
>      configuration is used below.
> -->
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            scheme="https" secure="true" SSLEnabled="true"
>            SSLCertificateFile="/home/tomcat9.0.0.M26/apache-tomcat-9.0.0.M26/conf/tomcat.pem"
>            SSLCertificateKeyFile="/home/tomcat9.0.0.M26/apache-tomcat-9.0.0.M26/conf/tomcat"
>            SSLPassword="lsg4ora"
>            SSLCertificateChainFile="/home/tomcat9.0.0.M26/apache-tomcat-9.0.0.M26/conf/root.pem"
>            keyAlias="tomcat"
>            SSLProtocol="TLSv1" />
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
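The thread shows two ways of configuring TLS on a Tomcat Connector: the legacy attribute-only style (SSLProtocol, SSLCertificateFile and friends directly on <Connector>) and the Tomcat 8.5/9.0 <SSLHostConfig> style (protocols and ciphers on <SSLHostConfig>, the keystore under <Certificate>). The following script is an added example, not code from the thread or from the Tomcat project; it audits a <Connector> fragment for the settings the thread touches on: a deprecated protocol version (the final config above pins SSLProtocol="TLSv1"), an unpinned protocols list, cipher suites without forward secrecy in the OpenSSL-style list, and a well-known keystore password. The two XML samples are constructed for the example and only loosely modelled on the configs in the thread; the sets of weak protocol names and well-known passwords are assumptions of this example, not lists taken from Tomcat.

```python
"""Audit the TLS settings of a Tomcat <Connector> element (added example)."""
import xml.etree.ElementTree as ET

# Assumption of this example: protocol names Tomcat accepts that a current
# deployment should no longer offer.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Assumption of this example: passwords that ship in docs and tutorials.
WELL_KNOWN_PASSWORDS = {"changeit", "password", "tomcat"}

# Constructed sample: legacy attribute-only style (APR/OpenSSL attributes).
LEGACY_CONNECTOR = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="/path/to/tomcat.pem"
    SSLCertificateKeyFile="/path/to/tomcat.key"
    SSLPassword="EXAMPLE-PASSWORD"
    SSLProtocol="TLSv1" />"""

# Constructed sample: Tomcat 8.5/9.0 SSLHostConfig style with an explicit protocol pin.
MODERN_CONNECTOR = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="localhost">
  <SSLHostConfig hostName="localhost" honorCipherOrder="true"
      certificateVerification="none" protocols="TLSv1.2"
      ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA">
    <Certificate certificateKeystoreFile="conf/ssl/jssecacerts"
        certificateKeystorePassword="changeit"
        certificateKeyAlias="tomcat" type="RSA" />
  </SSLHostConfig>
</Connector>"""


def _split_protocols(value):
    # Tomcat takes a comma-separated list; names may carry a leading + or -.
    return [p.strip().lstrip("+-") for p in value.split(",") if p.strip()]


def _check_protocol_list(value, where, findings):
    names = _split_protocols(value)
    if "all" in names:
        findings.append(f"{where}: protocol set 'all' is not pinned; state the versions explicitly")
    for name in names:
        if name in WEAK_PROTOCOLS:
            findings.append(f"{where}: deprecated protocol {name} enabled")


def _check_ciphers(value, where, findings):
    # OpenSSL-syntax list: suites whose key exchange is not ECDHE or DHE give
    # no forward secrecy, so a leaked server key exposes recorded sessions.
    for suite in value.split(":"):
        if not suite or suite.startswith("!"):
            continue
        if not (suite.startswith("ECDHE-") or suite.startswith("DHE-")):
            findings.append(f"{where}: cipher suite {suite} lacks forward secrecy")


def audit_connector(xml_text):
    """Return a list of human-readable findings for one <Connector> fragment."""
    conn = ET.fromstring(xml_text)
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element")
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return ["Connector: SSLEnabled is not true; this is a plaintext listener"]
    if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
        findings.append('Connector: scheme="https" and secure="true" should both be set on a TLS connector')

    # Legacy style: SSLProtocol (APR/OpenSSL) or sslProtocol (old JSSE) on the Connector.
    for attr in ("SSLProtocol", "sslProtocol"):
        if conn.get(attr) is not None:
            _check_protocol_list(conn.get(attr), f"Connector@{attr}", findings)
    if conn.get("SSLPassword") in WELL_KNOWN_PASSWORDS:
        findings.append("Connector@SSLPassword: well-known default password")

    # Tomcat 8.5/9.0 style: one SSLHostConfig per virtual host.
    for host in conn.findall("SSLHostConfig"):
        where = f"SSLHostConfig[{host.get('hostName', '_default_')}]"
        if host.get("protocols") is None:
            findings.append(f"{where}: protocols not set; Tomcat's default is 'all'")
        else:
            _check_protocol_list(host.get("protocols"), f"{where}@protocols", findings)
        if host.get("ciphers"):
            _check_ciphers(host.get("ciphers"), f"{where}@ciphers", findings)
        for cert in host.findall("Certificate"):
            if cert.get("certificateKeystorePassword") in WELL_KNOWN_PASSWORDS:
                alias = cert.get("certificateKeyAlias")
                findings.append(f"{where}/Certificate[{alias}]: keystore password is a well-known default")
    return findings


if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_CONNECTOR), ("modern", MODERN_CONNECTOR)):
        print(f"== {label} ==")
        for finding in audit_connector(sample) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see both samples audited, or feed it the <Connector> element cut out of a real server.xml. The audit is deliberately attribute-level: it does not confirm that the keystore holds a PrivateKeyEntry under the named alias, which is what the "Cannot store non-PrivateKeys" error in the thread is about; that check still needs keytool -list -v against the actual keystore file.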