Daniel,

On 9/16/20 09:37, Daniel Skiles wrote:
> In case anyone finds this thread in a search engine in a few years, I
> was able to get this to work. Here are some notes if you are using
> JSSE.
>
> * The operation is addSslHostConfig on the ProtocolHandler MBean.
> * You must have org.apache.tomcat:tomcat-coyote on your classpath.
> * You must create both an SSLHostConfig and SSLHostConfigCertificate
>   object.
> * Use the SSLHostConfigCertificate constructor that takes the
>   SSLHostConfig as an argument.
> * You must call addCertificate(...) on SSLHostConfig after configuring
>   both objects, before calling the operation.

Glad you got it working.

Exposing an addSslHostConfig() method via JMX which takes a large
number of String (or other) values would surely be convenient for you,
but kind of a pain in the neck to support alongside the existing
mechanisms.

-chris

> On Mon, Sep 14, 2020 at 9:22 AM Daniel Skiles <dski...@docfinity.com> wrote:
>
>>> Did you try it?
>>
>> I've been unable to try it through JConsole or Visual VM. JConsole
>> throws an error indicating that it can't load the remote class, and
>> Visual VM disables the method. It looks like it takes a complex
>> object, and I do not have enough experience with Tomcat, or MBeans in
>> general, to even know what to start googling to find a solution to
>> that.
>>
>> Is it something I can do programmatically, and pull Tomcat classes
>> onto my local classpath to get around that issue?
>>
>> On Mon, Sep 14, 2020 at 9:08 AM Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>
>>> Daniel,
>>>
>>> On 9/11/20 17:06, Daniel Skiles wrote:
>>>> I've gotten my _default_ SNI SSLHostConfig working. Thank you for
>>>> the help.
>>>
>>> Excellent.
>>>
>>>>>> Perhaps that method could have a better name, like
>>>>>> reinitializeSSLHostConfigs. "reload" implies that it re-reads the
>>>>>> server.xml which is not the case. At least the documentation
>>>>>> should probably be better.
>>>>
>>>> If the server.xml isn't actually read during the
>>>> reloadSslHostConfigs operation, is there a way to add an
>>>> SSLHostConfig at runtime? I see addSslHostConfig on
>>>> ProtocolHandler, but I'm not certain that it will do what I think
>>>> it will do.
>>>
>>> Did you try it?
>>>
>>> -chris
>>>
>>>> On Fri, Sep 11, 2020 at 9:52 AM Daniel Skiles
>>>> <dski...@docfinity.com> wrote:
>>>>
>>>>>> In your case, where did you rediscover reloadSslHostConfigs?
>>>>>
>>>>> To be honest, I wandered around in the JMX console until I found
>>>>> something that looked promising.
>>>>>
>>>>>> You'll want to "set" the value of the attribute
>>>>>> "certificateKeyAlias".
>>>>>
>>>>> Thank you for your help. I'll give that a try.
>>>>>
>>>>> On Fri, Sep 11, 2020 at 9:44 AM Christopher Schultz
>>>>> <ch...@christopherschultz.net> wrote:
>>>>>
>>>>>> Daniel,
>>>>>>
>>>>>> On 9/10/20 16:39, Daniel Skiles wrote:
>>>>>>>> Also note that calling reloadSslHostConfigs does NOT re-read
>>>>>>>> server.xml. It re-initializes the existing in-memory
>>>>>>>> configuration. If you want to e.g. change the key alias,
>>>>>>>> you'll have to make a JMX call to update the alias and THEN
>>>>>>>> call reloadSslHostConfigs.
>>>>>>>
>>>>>>> *THAT* is probably my problem.
>>>>>>
>>>>>> Perhaps that method could have a better name, like
>>>>>> reinitializeSSLHostConfigs. "reload" implies that it re-reads the
>>>>>> server.xml which is not the case. At least the documentation
>>>>>> should probably be better.
>>>>>>
>>>>>> In your case, where did you rediscover reloadSslHostConfigs?
>>>>>>
>>>>>>> Do you know which MBean and operation that is?
>>>>>>
>>>>>> It's this (you'll have to interpolate a bit of this to fit your
>>>>>> environment):
>>>>>>
>>>>>> Catalina:type=SSLHostConfigCertificate,ThreadPool="https-[cryptoimpl]-[ioimpl]-[addr]-[port]",Host="[host]",name=[cert-type]
>>>>>>
>>>>>> My test one was:
>>>>>>
>>>>>> Catalina:type=SSLHostConfigCertificate,ThreadPool="https-jsse-nio-127.0.0.1-12345",Host="_default_",name=EC
>>>>>>
>>>>>> Attach to Tomcat using VisualVM or your JMX browser of choice and
>>>>>> have a look at what's there. You'll want to "set" the value of
>>>>>> the attribute "certificateKeyAlias", then call
>>>>>> reloadSslHostConfigs.
>>>>>>
>>>>>> -chris
>>>>>>
>>>>>>> On Thu, Sep 10, 2020 at 4:00 PM Christopher Schultz
>>>>>>> <ch...@christopherschultz.net> wrote:
>>>>>>>
>>>>>>>> Daniel,
>>>>>>>>
>>>>>>>> On 9/10/20 13:33, Daniel Skiles wrote:
>>>>>>>>> In this case, I didn't remove every certificate, but I did
>>>>>>>>> remove the certificate that was originally being referenced
>>>>>>>>> after adding a new certificate under a new alias.
>>>>>>>>>
>>>>>>>>> Original Keystore: Alias A
>>>>>>>>> Server.xml _default_ SSLHostConfig points to Alias A
>>>>>>>>>
>>>>>>>>> After Modification: Alias B
>>>>>>>>> Server.xml _default_ SSLHostConfig points to Alias B
>>>>>>>>>
>>>>>>>>> <Call reloadSslHostConfigs here>
>>>>>>>>> <Receive error>
>>>>>>>>>
>>>>>>>>> If that's not supported, I'll see if I can keep the aliases
>>>>>>>>> stable somehow. If there is a way to do it, I'd be
>>>>>>>>> interested in hearing what it is.
>>>>>>>>
>>>>>>>> What are the real alias names? If you don't specify the key
>>>>>>>> alias, Tomcat will use the first private key it finds in the
>>>>>>>> file (which is essentially random, as Java keystores do not
>>>>>>>> guarantee any kind of read-ordering).
>>>>>>>>
>>>>>>>> What does your <Certificate> look like in server.xml?
>>>>>>>>
>>>>>>>> Can you also post the actual error and complete stack trace
>>>>>>>> you get?
>>>>>>>>
>>>>>>>> If you change the key's alias, you'll need to change the
>>>>>>>> alias listed in the <Certificate> unless you are using the
>>>>>>>> default first-key behavior.
>>>>>>>>
>>>>>>>> Also note that calling reloadSslHostConfigs does NOT re-read
>>>>>>>> server.xml. It re-initializes the existing in-memory
>>>>>>>> configuration. If you want to e.g. change the key alias,
>>>>>>>> you'll have to make a JMX call to update the alias and THEN
>>>>>>>> call reloadSslHostConfigs.
>>>>>>>>
>>>>>>>> -chris
>>>>>>>>
>>>>>>>>> On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz
>>>>>>>>> <ch...@christopherschultz.net> wrote:
>>>>>>>>>
>>>>>>>>>> Daniel,
>>>>>>>>>>
>>>>>>>>>> On 9/10/20 09:09, Daniel Skiles wrote:
>>>>>>>>>>> Is it possible to change the keystore alias of the
>>>>>>>>>>> _default_ SSLHostConfig's certificate while tomcat is
>>>>>>>>>>> running?
>>>>>>>>>>>
>>>>>>>>>>> At present, I'm trying to move the _default_ certificate
>>>>>>>>>>> from one certificate in my keystore, to another. I modify
>>>>>>>>>>> the server.xml, then I call the reloadSslHostConfigs MBean
>>>>>>>>>>> operation. The operation throws an error that boils down
>>>>>>>>>>> to a jsse.alias_no_key_entry error that comes back from
>>>>>>>>>>> the JVM.
>>>>>>>>>>>
>>>>>>>>>>> Is this a technical limitation on SNI/SSLHostConfig, or am
>>>>>>>>>>> I missing something here?
>>>>>>>>>>
>>>>>>>>>> Did you remove all server certificates from your keystore
>>>>>>>>>> and then try to bounce the connector? That's not going to
>>>>>>>>>> work because the connector requires a server key and
>>>>>>>>>> certificate.
>>>>>>>>>>
>>>>>>>>>> Instead of "moving" the cert, consider copying the
>>>>>>>>>> certificate instead.
>>>>>>>>>>
>>>>>>>>>> -chris
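The two runtime changes discussed in this thread (repointing the _default_ certificate at a different keystore alias via the SSLHostConfigCertificate MBean followed by reloadSslHostConfigs, and adding a whole new SSLHostConfig through the ProtocolHandler's addSslHostConfig operation, following Daniel's checklist), as one added JMX client example. This is not code from the thread or from the Tomcat project. It assumes a Tomcat 9 JSSE NIO HTTPS connector bound to 127.0.0.1:12345 (Chris's test ObjectName), a JMX remote port of 9010, the ProtocolHandler ObjectName pattern `Catalina:type=ProtocolHandler,port=...,address="..."`, and a PKCS12 keystore path, alias and password; all of those values are constructed for the example, and the jar version of tomcat-coyote on the client must match the server.

```java
import java.util.Collections;

import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// org.apache.tomcat:tomcat-coyote must be on the client classpath so the
// SSLHostConfig / SSLHostConfigCertificate objects can be serialised over JMX.
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

/*
 * Added example, not from the thread or from Tomcat itself.
 * Assumed (constructed) environment: HTTPS connector on 127.0.0.1:12345,
 * JMX remote on localhost:9010. Adjust both ObjectNames to what your JMX
 * browser actually shows.
 */
public class TomcatSslHostConfigJmx {

    // Assumed ProtocolHandler MBean name for that connector.
    static final String PROTOCOL_HANDLER =
            "Catalina:type=ProtocolHandler,port=12345,address=\"127.0.0.1\"";

    // Certificate MBean name in the pattern Chris posted in the thread.
    static final String DEFAULT_EC_CERT =
            "Catalina:type=SSLHostConfigCertificate,"
            + "ThreadPool=\"https-jsse-nio-127.0.0.1-12345\","
            + "Host=\"_default_\",name=EC";

    /** Case 1: point the existing _default_ certificate at another alias. */
    static void switchDefaultAlias(MBeanServerConnection mbs, String newAlias)
            throws Exception {
        ObjectName cert = new ObjectName(DEFAULT_EC_CERT);
        // Step 1: change the in-memory attribute (server.xml is NOT re-read).
        mbs.setAttribute(cert, new Attribute("certificateKeyAlias", newAlias));
        // Step 2: re-initialise the SSL contexts from the in-memory config.
        mbs.invoke(new ObjectName(PROTOCOL_HANDLER), "reloadSslHostConfigs",
                null, null);
    }

    /** Case 2: add a new SNI host configuration at runtime. */
    static void addSniHost(MBeanServerConnection mbs, String hostName,
            String keystorePath, String keystorePassword, String alias)
            throws Exception {
        SSLHostConfig host = new SSLHostConfig();
        host.setHostName(hostName);

        // Constructor that takes the parent SSLHostConfig, as noted in the thread.
        SSLHostConfigCertificate cert = new SSLHostConfigCertificate(
                host, SSLHostConfigCertificate.Type.UNDEFINED);
        cert.setCertificateKeystoreFile(keystorePath);
        cert.setCertificateKeystorePassword(keystorePassword);
        cert.setCertificateKeyAlias(alias);

        // Attach only after both objects are configured, and before the call.
        host.addCertificate(cert);

        mbs.invoke(new ObjectName(PROTOCOL_HANDLER), "addSslHostConfig",
                new Object[] { host },
                new String[] { SSLHostConfig.class.getName() });
    }

    public static void main(String[] args) throws Exception {
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi");
        // Empty environment: assumes a localhost-only JMX port; see note below.
        try (JMXConnector jmxc =
                JMXConnectorFactory.connect(url, Collections.emptyMap())) {
            MBeanServerConnection mbs = jmxc.getMBeanServerConnection();
            switchDefaultAlias(mbs, "aliasB");
            addSniHost(mbs, "www.example.com", "/etc/tomcat/example.p12",
                    "changeit", "example");
        }
    }
}
```

Two practitioner caveats. First, the alias you set must already exist as a private-key entry in the keystore the connector loaded, otherwise reloadSslHostConfigs fails with the jsse.alias_no_key_entry error from earlier in the thread; copy the new entry in before switching, as Chris suggested. Second, the SSLHostConfigCertificate you send carries the keystore password, and any MBean that can invoke addSslHostConfig can change what the server presents to clients, so the JMX port this talks to must never be reachable unauthenticated off the box: bind it to localhost or put it behind com.sun.management.jmxremote.authenticate and SSL, and pass real credentials in the connect() environment instead of the empty map used here.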

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
