Ah, I am semi starting to understand now. I was able to use openssl to convert my pfx to a pem file, which is part of the battle. From what I have read in the docs, I needed a .crt file as well, for which I used the .txt file that the hosting co provided to me. It's nothing but a plain text PGP signature in a text file. So I navigated to https://(domain).com and lo and behold it works :).
Next few questions:

#1 - I have deployed an application that uses a realm and has a Login.jsp page. The Login.jsp is required and you cannot navigate anywhere in the application until you have logged in. How can I make the Login.jsp page fall under the SSL, then drop off after the authentication?

https://www.(domain.com)/company1/Login.jsp ~~> [successful authentication!] ~~> http://www.(domain.com)/company1/Main.jsp

(Kind of like how my gmail works)

#2 - Right now when I go to https://(domain).com/company1/ it drops the HTTPS. I don't want that. Any pointers?

Thanks again - Josh

On Tue, Aug 11, 2009 at 10:35 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Josh,
>
> On 8/11/2009 4:47 PM, Josh Gooding wrote:
> > ok back to the topic at hand here. I have removed httpd from my server,
> > installed APR, and have gotten my cert file from my hosting company. it is
> > in pfx format. Now I found some information on the net:
> >
> > http://tp.its.yale.edu/pipermail/cas/2005-July/001337.html
> >
> > It was saying that I can just use the pfx file with tomcat 5.5, so I put the
> > file in my $CATALINA_HOME directory just as a test, modified my server.xml
> > file to accept SSL:
> >
> > <Connector protocol="HTTP/1.1"
> >            port="443" maxThreads="200"
> >            scheme="https" secure="true" SSLEnabled="true"
> >            keystoreFile="C:/Program Files/[*****]/apache-tomcat-6.0.18/[*****].com.pfx"
> >            keystorePass="[*************]" keystoreType="pkcs12"
> >            clientAuth="false" sslProtocol="TLS" />
> >
> > and.... blamo I get these exceptions:
>
> Not surprising. Read the documentation for the APR connector:
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>
> Specifically, search for the term "certificate".
>
> First of all, your SSL configuration is completely wrong for use with
> APR. You don't use keystoreFile, keystorePass, and keystoreType. Even if
> you did, telling Java that the keystore is actually a PKCS12 keystore
> while providing it is a PFX-encoded SSL certificate should have tipped
> you off that something was amiss.
>
> If you were previously following the standard SSL documentation
> (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html), you should
> have seen this note at the top of the file:
>
> "
> IMPORTANT NOTE: This Howto refers to usage of JSSE. When using APR,
> Tomcat will use OpenSSL, which uses a different configuration.
> "
>
> What you want is SSLCertificateFile and friends. SSLCertificateFile is
> documented to only accept certificates in PEM format. Check out this
> page for some tricks to converting your certificate files using openssl:
> http://eoc.eu-eela.eu/doku.php?id=manipulate_your_certificate
>
> There is also a Java tool that can do things like this called Portecle
> (http://portecle.sourceforge.net/) if you don't have openssl handy.
>
> > and these to boot.... says it cannot bind to port 443 (or 8443 either)
> >
> > Aug 11, 2009 4:13:51 PM org.apache.coyote.http11.Http11AprProtocol start
> > SEVERE: Error starting endpoint
> > java.lang.Exception: Socket bind failed: [730048] Only one usage of each
> > socket address (protocol/network address/port) is normally permitted.
>
> Do you have multiple <Connector> elements specified? If so, check all
> the port numbers. If not, make sure that Tomcat isn't already running.
> If it's not, make sure Apache httpd isn't running :) Finally, make sure
> IIS isn't running or using those ports.
>
> > So it looks like I cannot use a pfx file with tomcat 6.0.18.
>
> You should be able to, just not with the APR connector because openssl
> doesn't grok PKCS12/PFX.
>
> > Am I able to use the pfx file with tomcat 6?
>
> Yes, just not with the APR connector.
>
> > The socket bind issue I have no clue, it
> > looks like something is already running on port 443, but that is
> > impossible.
>
> Really? Try running 'netstat' to find out who is bound to port 443 (or
> 8443).
>
> > I only have the tomcat server running, IIS is disabled and
> > httpd has been removed from the system completely. I also tried port 8443
> > but I am getting the same error message.
>
> netstat -a -b -n -o | find "443"
>
> (make sure you're an administrator or you'll get no output)
>
> Hope that helps,
> -chris
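The conversion Chris points at (PFX in, PEM certificate and key out for SSLCertificateFile and friends), as an added shell example that is not from the thread, from Josh, or from Tomcat itself. It assumes the openssl CLI is on the PATH; every file name and the password are hypothetical, and the last function shows the APR-style Connector attributes that replace the JSSE keystore ones in the quoted server.xml.

```shell
#!/bin/sh
# Added example, not from the thread: split a PKCS12/PFX bundle into the PEM
# certificate and key files the Tomcat APR connector reads, then check them.
# Assumes the openssl CLI is on PATH; all file names are hypothetical.

# pfx_to_pem <bundle.pfx> <pfx-password> <cert-out.pem> <key-out.pem>
pfx_to_pem() {
    # -clcerts keeps the server certificate only (no CA chain); -nokeys omits
    # the private key from this file.
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" \
        || return 1
    # -nodes writes the key unencrypted so APR/OpenSSL does not prompt for a
    # passphrase at startup; the subshell umask makes the key file owner-only.
    (umask 077 && openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        -out "$4") || return 1
}

# is_pem <file>: succeeds only if the file carries a PEM armor header. A PFX
# file is binary DER, so this catches the keystoreType="pkcs12" mix-up from
# the thread before Tomcat does.
is_pem() {
    grep -q -- '-----BEGIN ' "$1" 2>/dev/null
}

# cert_matches_key <cert.pem> <key.pem>: succeeds if the certificate's public
# key is exactly the one derived from the private key (both printed as
# SubjectPublicKeyInfo PEM and compared textually).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# apr_connector <cert.pem> <key.pem>: print the APR/OpenSSL <Connector> that
# replaces the keystoreFile/keystorePass/keystoreType JSSE attributes.
apr_connector() {
    cat <<EOF
<Connector protocol="HTTP/1.1" port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="$1"
           SSLCertificateKeyFile="$2" />
EOF
}
```

Run the two checks on the output files before restarting Tomcat; a failing cert_matches_key usually means the PFX held a chain and -clcerts picked a different certificate than the key belongs to.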