Tomcat 5.5 and SSL connector: keystore was tampered with

Tue, 29 Jan 2008 08:51:05 -0800 

Hi!
I migrated from Tomcat 5.0 to Tomcat 5.5. I had SSL working in Tomcat 5.0 with both a self-created certificate and a signed (trusted) certificate, both inside a Java keystore (JKS). 


Now, with Tomcat 5.5 the SSL connector refuses to start with the dreaded 
"keystore was tampered with" error. This only happens _if_ I change the 
keystore password to anything else than "changeit".



I already searched the mailinglist archives, Tomcat Wiki, Tomcat Howto's 
and Google. No definitive answers. Just lots of contradicting 
information. I also read the Tomcat 5.5 SSL HOWTO carefully so I'm 
positive I did miss anything.


Anyways, the process in a nutshell:

First I create a new Java keystore (JKS) with keytool, like this:

 keytool -genkey -alias tomcat -keyalg RSA -keystore /root/newkeystore


Next I move on to modifying the server.xml. No matter what I do, I can't 
get Tomcat to use the correct password. The 
"keystoreFile="/root/newkeystore" in the <Connector> statement works as 
it should (I straced Tomcat startup). The "keystorePass", however, does 
not work whether it's inside <Connector> or inside <Factory> (which is 
inside the <Connector>. The "keyAlias" entry  did not help either.



I can open my Java keystore just fine with keytool an with the defined 
password, so  it seems that Tomcat is just not using the password that's 
defined in server.xml and therefore reverts to default.



Does anyone have a functional Tomcat 5.5 SSL/https connector definition 
which I could use? Or does someone have an idea what's happening here? 
I'd be really happy if this thing gets sorted out!


Best regards to all,

Samuli

---

Btw. The Tomcat 5.5 SSL-Howto seems to have an error in it:


"If the keystore file is anywhere else, you will need to add a 
keystoreFile attribute to the <Factory>  element in the Tomcat 
configuration file."



I straced Tomcat startup and if the keystoreFile was defined in 
<Connector> element, strace showed that Tomcat was trying to open 
keystorefile from that location. Adding it to <Factory> did not work.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]























					Reply via email to