Kaushal,

please check the new configuration method with SSLHostConfig - yours is 
probably from an older version, right? In the working version you already use 
it. 

see my (redacted) config:

 <Connector port="8443"
            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
            allowTrace="false"
            maxThreads="150"
            SSLEnabled="true"
            compression="off"
            scheme="https"
            server="Apache Tomcat"
            secure="true"
            defaultSSLHostConfigName="example.com" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
    <!-- optional SSLHostConfig attribute (an XML comment is not allowed inside a start tag):
         certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl" -->
    <SSLHostConfig
              hostName="example.com"
              honorCipherOrder="true"
              protocols="+TLSv1.2,+TLSv1.3"
              certificateVerification="required"
              truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
              truststorePassword="changeit"
              ciphers="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
       <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
                    certificateKeystorePassword="changeit"
                    certificateKeyAlias="tomcat"
                    type="RSA" />
    </SSLHostConfig>
 </Connector>


Hope this helps

Peter
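
A check for the difference between the two configurations in this thread, written as an added example (not code from the thread or from Tomcat): it parses a server.xml and flags what Kaushal's catalina.out reports, Connector-level TLS attributes that Tomcat 10 refuses to set and a missing SSLHostConfig for defaultSSLHostConfigName, and then whether the matching SSLHostConfig actually requests a client certificate and against which truststore. The sample server.xml and its passwords are constructed.

```python
import xml.etree.ElementTree as ET

# Tomcat 8.5-era Connector-level TLS attributes: Tomcat 10 logs "failed to set property" for them.
LEGACY_ATTRS = {"clientAuth", "sslProtocol", "keystoreFile", "keystorePass",
                "keyAlias", "truststoreFile", "truststorePass", "ciphers"}
# certificateVerification values under which Tomcat requests a client certificate.
CLIENT_CERT_MODES = {"required", "optional", "optionalnoca"}

# Constructed sample: a legacy-style connector next to an SSLHostConfig one.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="10443" protocol="HTTP/1.1" SSLEnabled="true"
             clientAuth="want" sslProtocol="TLS" keystorePass="redacted"
             keystoreFile="/opt/tomcat10/ssl/keystore.jks" truststorePass="redacted"
             truststoreFile="/opt/tomcat10/ssl/clienttrustore.jks" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             SSLEnabled="true" defaultSSLHostConfigName="example.com">
    <SSLHostConfig hostName="example.com" certificateVerification="required"
                   truststoreFile="${catalina.base}/conf/ssl/cacerts.jks" truststorePassword="changeit">
      <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
                   certificateKeystorePassword="changeit" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

def lint_tls_connectors(server_xml: str) -> list[str]:
    """Return one finding per problem in each SSLEnabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        legacy = sorted(a for a in conn.attrib if a in LEGACY_ATTRS)
        if legacy:
            findings.append(f"port {port}: legacy attributes {legacy} are ignored; "
                            "move them into <SSLHostConfig>")
        # At init Tomcat looks up the SSLHostConfig named by defaultSSLHostConfigName
        # (default "_default_") and fails with IllegalArgumentException if it is absent.
        wanted = conn.get("defaultSSLHostConfigName", "_default_")
        hosts = {h.get("hostName", "_default_"): h for h in conn.findall("SSLHostConfig")}
        if wanted not in hosts:
            findings.append(f"port {port}: no SSLHostConfig with hostName [{wanted}] "
                            "to match defaultSSLHostConfigName")
            continue
        mode = hosts[wanted].get("certificateVerification", "none").lower()
        if mode not in CLIENT_CERT_MODES:
            findings.append(f"port {port}: certificateVerification=[{mode}] never "
                            "requests a client certificate (one-way TLS only)")
        elif not hosts[wanted].get("truststoreFile"):
            findings.append(f"port {port}: client certs would be checked against the "
                            "JVM default truststore; set truststoreFile explicitly")
    return findings
```

Run against the real `$CATALINA_BASE/conf/server.xml` before restarting Tomcat; the first two findings are exactly the WARNING and SEVERE lines quoted in the thread.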


> Am 20.08.2023 um 05:47 schrieb Kaushal Shriyan <kaushalshri...@gmail.com>:
> 
> Hi,
> 
> I am attaching both server.xml for one way SSL and Two Way SSL 
> 
> One way SSL /opt/tomcat10/conf/server.xml -> 
> tomcat10serverworkingonewaytls.xml (working)
> Two way SSL /opt/tomcat10/conf/server.xml -> 
> tomcat10serverworkingtwowaytls.xml (Not working) 
> 
> Please comment. Thanks in advance.
> 
> Best Regards,
> 
> Kaushal
> 
> On Sun, Aug 20, 2023 at 6:48 AM Kaushal Shriyan <kaushalshri...@gmail.com> wrote:
>> 
>> 
>> On Thu, Aug 10, 2023 at 11:29 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
>>> Kaushal,
>>> 
>>> On 8/7/23 22:23, Kaushal Shriyan wrote:
>>> > Hi,
>>> > 
>>> > I have gone through 
>>> > https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html.
>>> > Is there a way to enable two way SSL (mutual) in Apache Tomcat 10 Version
>>> > 10.0.27?
>>> > 
>>> > Please guide me.
>>> > 
>>> > Thanks in Advance.
>>> 
>>> I see you have "gone through" the SSL Howto, but could you be specific 
>>> about what you have actually done? For example, what does your 
>>> <Connector> in server.xml look like, what does your web.xml look like, 
>>> and what files do you have on the disk?
>>> 
>>> -chris
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>> 
>> 
>> 
>> Hi Chris,
>> 
>> Apologies for the delay in replying. Thanks in advance. I am trying to 
>> enable Mutual two way SSL using tomcat 10.0.27 on Red Hat Enterprise Linux 
>> release 8.8 (Ootpa). Currently I am encountering the below issue. 
>> 
>> 20-Aug-2023 06:40:25.183 SEVERE [main] 
>> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
>> initialize component [Connector[HTTP/1.1-10443]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization 
>> failed 
>> 
>> Caused by: java.lang.IllegalArgumentException: No SSLHostConfig element was 
>> found with the hostName [_default_] to match the defaultSSLHostConfigName 
>> for the connector [https-openssl-nio-10443] 
>> 
>> #cat /etc/redhat-release
>> Red Hat Enterprise Linux release 8.8 (Ootpa)
>> # /opt/tomcat10/bin/version.sh
>> Using CATALINA_BASE:   /opt/tomcat10
>> Using CATALINA_HOME:   /opt/tomcat10
>> Using CATALINA_TMPDIR: /opt/tomcat10/temp
>> Using JRE_HOME:        /usr
>> Using CLASSPATH:       
>> /opt/tomcat10/bin/bootstrap.jar:/opt/tomcat10/bin/tomcat-juli.jar
>> Using CATALINA_OPTS:
>> Server version: Apache Tomcat/10.0.27
>> Server built:   Oct 3 2022 14:18:31 UTC
>> Server number:  10.0.27.0
>> OS Name:        Linux
>> OS Version:     4.18.0-477.15.1.el8_8.x86_64
>> Architecture:   amd64
>> JVM Version:    1.8.0_382-b05
>> JVM Vendor:     Red Hat, Inc.
>> #
>> 
>> #cat catalina.out
>> 20-Aug-2023 06:40:24.753 WARNING [main] 
>> org.apache.tomcat.util.digester.SetPropertiesRule.begin Match 
>> [Server/Service/Connector] failed to set property [clientAuth] to [want]
>> 20-Aug-2023 06:40:24.756 WARNING [main] 
>> org.apache.tomcat.util.digester.SetPropertiesRule.begin Match 
>> [Server/Service/Connector] failed to set property [sslProtocol] to [TLS]
>> 20-Aug-2023 06:40:24.756 WARNING [main] 
>> org.apache.tomcat.util.digester.SetPropertiesRule.begin Match 
>> [Server/Service/Connector] failed to set property [keystoreFile] to 
>> [/opt/tomcat10/ssl/keystore.jks]
>> 20-Aug-2023 06:40:24.756 WARNING [main] 
>> org.apache.tomcat.util.digester.SetPropertiesRule.begin Match 
>> [Server/Service/Connector] failed to set property [keystorePass] to [apigee]
>> 20-Aug-2023 06:40:24.757 WARNING [main] 
>> org.apache.tomcat.util.digester.SetPropertiesRule.begin Match 
>> [Server/Service/Connector] failed to set property [truststoreFile] to 
>> [/opt/tomcat10/ssl/clienttrustore.jks]
>> 20-Aug-2023 06:40:24.757 WARNING [main] 
>> org.apache.tomcat.util.digester.SetPropertiesRule.begin Match 
>> [Server/Service/Connector] failed to set property [truststorePass] to 
>> [apigee]
>> 20-Aug-2023 06:40:24.809 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Server version name:   
>> Apache Tomcat/10.0.27
>> 20-Aug-2023 06:40:24.809 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Server built:          
>> Oct 3 2022 14:18:31 UTC
>> 20-Aug-2023 06:40:24.809 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Server version number: 
>> 10.0.27.0
>> 20-Aug-2023 06:40:24.809 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log OS Name:               
>> Linux
>> 20-Aug-2023 06:40:24.810 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log OS Version:            
>> 4.18.0-477.15.1.el8_8.x86_64
>> 20-Aug-2023 06:40:24.810 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Architecture:          
>> amd64
>> 20-Aug-2023 06:40:24.810 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Java Home:             
>> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre
>> 20-Aug-2023 06:40:24.810 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           
>> 1.8.0_382-b05
>> 20-Aug-2023 06:40:24.810 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            
>> Red Hat, Inc.
>> 20-Aug-2023 06:40:24.810 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         
>> /opt/tomcat10
>> 20-Aug-2023 06:40:24.810 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         
>> /opt/tomcat10
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Djava.util.logging.config.file=/opt/tomcat10/conf/logging.properties
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Djdk.tls.ephemeralDHKeySize=2048
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Dignore.endorsed.dirs=
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Dcatalina.base=/opt/tomcat10
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Dcatalina.home=/opt/tomcat10
>> 20-Aug-2023 06:40:24.811 INFO [main] 
>> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
>> -Djava.io.tmpdir=/opt/tomcat10/temp
>> 20-Aug-2023 06:40:24.816 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache 
>> Tomcat Native library [1.2.35] using APR version [1.6.3].
>> 20-Aug-2023 06:40:24.817 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR 
>> capabilities: IPv6 [true], sendfile [true], accept filters [false], random 
>> [true], UDS [true].
>> 20-Aug-2023 06:40:24.819 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL 
>> successfully initialized [OpenSSL 1.1.1k  FIPS 25 Mar 2021]
>> 20-Aug-2023 06:40:25.161 INFO [main] org.apache.coyote.AbstractProtocol.init 
>> Initializing ProtocolHandler ["http-nio-8080"]
>> 20-Aug-2023 06:40:25.181 INFO [main] org.apache.coyote.AbstractProtocol.init 
>> Initializing ProtocolHandler ["https-openssl-nio-10443"]
>> 20-Aug-2023 06:40:25.183 SEVERE [main] 
>> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
>> initialize component [Connector[HTTP/1.1-10443]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization 
>> failed
>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1055)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at 
>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at 
>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
>> Caused by: java.lang.IllegalArgumentException: No SSLHostConfig element was 
>> found with the hostName [_default_] to match the defaultSSLHostConfigName 
>> for the connector [https-openssl-nio-10443]
>> at 
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:76)
>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:206)
>> at 
>> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1192)
>> at 
>> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1205)
>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:583)
>> at 
>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:79)
>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1052)
>> ... 13 more
>> 20-Aug-2023 06:40:25.184 INFO [main] 
>> org.apache.catalina.startup.Catalina.load Server initialization in [567] 
>> milliseconds
>> 20-Aug-2023 06:40:25.213 INFO [main] 
>> org.apache.catalina.core.StandardService.startInternal Starting service 
>> [Catalina]
>> 20-Aug-2023 06:40:25.213 INFO [main] 
>> org.apache.catalina.core.StandardEngine.startInternal Starting Servlet 
>> engine: [Apache Tomcat/10.0.27]
>> 20-Aug-2023 06:40:25.222 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
>> application directory [/opt/tomcat10/webapps/docs]
>> 20-Aug-2023 06:40:25.489 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
>> application directory [/opt/tomcat10/webapps/docs] has finished in [267] ms
>> 20-Aug-2023 06:40:25.490 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
>> application directory [/opt/tomcat10/webapps/examples]
>> 20-Aug-2023 06:40:25.677 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
>> application directory [/opt/tomcat10/webapps/examples] has finished in [186] 
>> ms
>> 20-Aug-2023 06:40:25.677 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
>> application directory [/opt/tomcat10/webapps/host-manager]
>> 20-Aug-2023 06:40:25.696 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
>> application directory [/opt/tomcat10/webapps/host-manager] has finished in 
>> [19] ms
>> 20-Aug-2023 06:40:25.696 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
>> application directory [/opt/tomcat10/webapps/ROOT]
>> 20-Aug-2023 06:40:25.707 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
>> application directory [/opt/tomcat10/webapps/ROOT] has finished in [11] ms
>> 20-Aug-2023 06:40:25.707 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
>> application directory [/opt/tomcat10/webapps/manager]
>> 20-Aug-2023 06:40:25.722 INFO [main] 
>> org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
>> application directory [/opt/tomcat10/webapps/manager] has finished in [15] ms
>> 20-Aug-2023 06:40:25.726 INFO [main] 
>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
>> ["http-nio-8080"]
>> 20-Aug-2023 06:40:25.745 INFO [main] 
>> org.apache.catalina.startup.Catalina.start Server startup in [561] 
>> milliseconds 
>> 
>> cat /opt/tomcat10/conf/server.xml
>> 
>>  <Connector port="10443" protocol="HTTP/1.1" SSLEnabled="true"
>>                 maxThreads="150" scheme="https" secure="true"
>>                 clientAuth="want" sslProtocol="TLS"
>>                 keystoreFile="/opt/tomcat10/ssl/keystore.jks"
>>                 keystorePass="apigee"
>>                 truststoreFile="/opt/tomcat10/ssl/clienttrustore.jks"
>>                 truststorePass="apigee" />
>> 
>> I am attaching the server.xml for your reference. Please comment. Thanks in 
>> advance.
>> 
>> Best Regards,
>> 
>> Kaushal
> <tomcat10serverworkingtwowaytls.xml><tomcat10serverworkingonewaytls.xml>
