From: Samuli Seppänen [mailto:[EMAIL PROTECTED]
Subject: Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]
Tomcat SSL <Connector> entries accept the following parameters:
- keystorePass (password for the JKS (Java keystore))
- keypass (password for the key inside the JKS)
- keystoreFile (keystore location in the filesystem)
The problem with your analysis is that the keypass attribute is not in the
Tomcat doc, and you've misinterpreted the code. As currently implemented, the
keypass attribute is simply an internal alias for keystorePass, nothing else.
Yes, you're probably right, I didn't have time to really dig into the code.
Note the following from the SSL how-to:
"Finally, you will be prompted for the key password, which is the password
specifically for this Certificate (as opposed to any other Certificates stored in the
same keystore file). You MUST use the same password here as was used for the keystore
password itself."
"Note: your private key password and keystore password should be the same."
If you want things to work differently, submit an enhancement request
(preferably with a patch).
I've been aware of that, and I do understand the difference. My only
problem has been the requirement to use the default password "changeit".
As a sysadmin I'm against using a widely known default password for
anything, especially if it has anything to do with the Internet.
I have nothing against using the same password for the JKS _and_ for the
certificate, as long as the password is not "changeit". Anyways, please
tell me if my concerns are unfounded from a security perspective.
At least on 5.5.20 the "keystoreFile" parameter has
to be inserted straight into <Connector>, contrary to
what the Howto says.
Where else does the doc say the keystoreFile attribute can be specified? I
can't find anything other than a comment about its default location, which
seems to work fine.
Take a look at "Troubleshooting" section in
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
---
# When Tomcat starts up, I get an exception like
"java.io.FileNotFoundException: {some-directory}/{some-file} not found".
A likely explanation is that Tomcat cannot find the keystore file where
it is looking. By default, Tomcat expects the keystore file to be named
.keystore in the user home directory under which Tomcat is running
(which may or may not be the same as yours :-). If the keystore file is
anywhere else, you will need to add a keystoreFile attribute to the
<Factory> element in the Tomcat configuration file.
---
I'll verify this thing one more time to be sure and then file a
bug report and attach a patch.
Best regards,
Samuli
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
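As an added, constructed example (not code from the thread or from the Tomcat project), the Python below reads a Tomcat 5.5 server.xml and flags the three points the thread touches on: an HTTPS connector with no keystoreFile (Tomcat then looks for .keystore in the home directory of the user running it), a keystorePass left at the default "changeit" (or unset, which means the same), and a keypass that differs from keystorePass even though keypass is only an alias for it. The server.xml fragment, the file path and the passwords in it are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the mailing list post).
# Connector 8443 omits keystoreFile and uses the default password;
# connector 8444 sets keypass to something other than keystorePass.
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               keystorePass="changeit"/>
    <Connector port="8444" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/etc/tomcat5.5/tomcat.jks"
               keystorePass="sample-keystore-pw" keypass="other-value"/>
  </Service>
</Server>
"""

DEFAULT_KEYSTORE_PASS = "changeit"  # Tomcat's documented default


def audit_ssl_connectors(server_xml: str) -> list:
    """Return (port, message) findings for each HTTPS <Connector>."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        # Tomcat 5.5 marks SSL connectors with scheme="https"/secure="true"
        is_ssl = (attrs.get("secure", "").lower() == "true"
                  or attrs.get("scheme", "").lower() == "https")
        if not is_ssl:
            continue
        port = attrs.get("port", "?")
        keystore_pass = attrs.get("keystorePass")
        keypass = attrs.get("keypass")
        if "keystoreFile" not in attrs:
            findings.append((port, "no keystoreFile set; Tomcat falls back to "
                                   "~/.keystore of the user running Tomcat"))
        if (keystore_pass or DEFAULT_KEYSTORE_PASS) == DEFAULT_KEYSTORE_PASS:
            findings.append((port, 'keystorePass is the widely known default '
                                   '"changeit" (unset means the same)'))
        if keypass is not None and keystore_pass is not None \
                and keypass != keystore_pass:
            findings.append((port, "keypass differs from keystorePass, but "
                                   "keypass is only an alias for keystorePass"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {msg}")
```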