Hi again.
My server.xml:

  <Connector port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true" disableUploadTimeout="true"
             acceptCount="100" debug="0" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/home/user/.keystore" keystorePass="mypassword" /> -->

I run Tomcat as "user". I followed this guide: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Maybe my cert password is not the same as keystore?? I thought my keystore containing the cert was created with "keytool -genkey -alias tomcat -keyalg RSA" ??

Thanks everyone!!

On Wed, 2009-11-04 at 17:47 +0100, Ognjen Blagojevic wrote:
> Torleif wrote:
> > By "default place" I mean /home/user/.keystore
>
> /home/user/.keystore? That's strange. Is it maybe /home/tomcat/.keystore? Or do you have a user "user" on your system? Under what user did you create the .keystore file?
>
> > If I choose a different password and modify "server.xml" accordingly it does not work.
>
> Did you choose the same password for both keystore AND certificate, as pointed out in the Tomcat docs?
>
> > maybe I should use this command instead? ( "keytool -genkey -alias tomcat -keyalg RSA -keystore /home/user/.keystore -storepass mypassword" ) ??
>
> No, that is not the source of the problem.
>
> > I am ok with using "changeit" as password if this is no security risk. No one has access to my computer, but can they get access through https if they know the "changeit" password?
>
> Well, anyone could access your webapps (not the entire file system) regardless of the keystore password.
>
> > I also have a mailserver on the same ip "citadel" which uses "webcit" for webmail.
> >
> > The ports on my mailserver and Tomcat are different.
>
> Then you can use different certificates.
>
> Regards,
> Ognjen
>
> > Thanks again for all help!!
> > Torleif
> >
> >> Wed Nov 04 2009 10:28:22 CET from "Ognjen Blagojevic" <ogn...@etf.bg.ac.rs>
> >> Subject: Re: tomcat https
> >>
> >> Torleif wrote:
> >>
> >>> I am trying to set up tomcat to use https.
> >>> I used "keytool -genkey -alias tomcat -keyalg RSA"
> >>> If I use "changeit" as password for keystore everything works ok.
> >>> If I use a different password it does not work.
> >>> I have modified "server.xml" with keystorePass="newpassword"
> >>> My .keystore is located in default place.
> >>
> >> It could help if you tell us what Tomcat version, OS and version you are using and what is "default place".
> >>
> >> .keystore file should be in the home directory of the user running Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and Settings\ognjen\" on Windows XP.
> >>
> >> Also note: "Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. (Currently, the keytool prompt will tell you that pressing the ENTER key does this for you automatically.)" (tomcat SSL docs)
> >>
> >>> If I use "changeit" as password, will this be a security risk since this is a widely known password?
> >>
> >> The way I see it, the security risk is not too big. .keystore file will most probably have the same access rights as your server.xml where the keystore password is stored in cleartext. So, if the unauthorized user is able to access .keystore file it will also be able to access the server.xml, and read the keystore password.
> >>
> >> However, if your configuration, backup strategy, or anything else introduces the possibility for an unauthorized person to access only the .keystore file (and not server.xml) - or you are simply paranoid - you should change the default password.
> >>
> >>> Also I run a mailserver with https web interface.
> >>> Can I use a different https certificate in tomcat or must it be the same as my mailserver?
> >>
> >> It really depends on your configuration.
> >>
> >> Are both webmail and Tomcat on the same port? Do you run webmail application under Tomcat or not? Do you use httpd or not? Do you have more than one IP address available for the server?
> >>
> >> If you use two servers, two different IP addresses OR two different ports on the same IP address, you can have different certificates. In other cases, you can't.
> >>
> >> Regards,
> >> Ognjen
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
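An added audit script (not from the thread, the Tomcat docs or the Tomcat project) for the two points Ognjen makes about the keystore: it parses a server.xml, flags an https Connector still using the default "changeit" keystorePass, and flags a .keystore whose group/other permissions are wider than those of the server.xml that stores the password in cleartext. File names and the sample server.xml are constructed in a temporary directory.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"  # the widely known default discussed in the thread


def https_connectors(server_xml_path):
    """Yield (keystoreFile, keystorePass) for each Connector with scheme="https".
    Without keystoreFile, Tomcat uses ~/.keystore of the user it runs as."""
    for conn in ET.parse(server_xml_path).getroot().iter("Connector"):
        if conn.get("scheme") == "https":
            keystore = conn.get("keystoreFile") or os.path.expanduser("~/.keystore")
            yield keystore, conn.get("keystorePass", DEFAULT_PASSWORD)


def audit(server_xml_path):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    xml_mode = stat.S_IMODE(os.stat(server_xml_path).st_mode)
    for keystore, password in https_connectors(server_xml_path):
        if password == DEFAULT_PASSWORD:
            findings.append(f"{keystore}: keystorePass is the default '{DEFAULT_PASSWORD}'")
        if not os.path.exists(keystore):
            findings.append(f"{keystore}: keystore file not found")
            continue
        ks_mode = stat.S_IMODE(os.stat(keystore).st_mode)
        # group/other bits the keystore has but server.xml does not: the one case
        # where someone could read the keystore yet not the password in server.xml
        extra = ks_mode & ~xml_mode & (stat.S_IRWXG | stat.S_IRWXO)
        if extra:
            findings.append(f"{keystore}: mode {ks_mode:04o} is wider than "
                            f"server.xml mode {xml_mode:04o}")
    return findings


def demo():
    """Constructed sample (hypothetical paths in a temp dir): default password
    and a world-readable .keystore next to a 0600 server.xml."""
    tmp = tempfile.mkdtemp()
    keystore = os.path.join(tmp, ".keystore")
    open(keystore, "wb").close()
    os.chmod(keystore, 0o644)
    server_xml = os.path.join(tmp, "server.xml")
    with open(server_xml, "w") as f:
        f.write('<Server><Service><Connector port="8443" scheme="https" secure="true" '
                f'keystoreFile="{keystore}" keystorePass="changeit"/></Service></Server>')
    os.chmod(server_xml, 0o600)
    return audit(server_xml)
```

Running `demo()` on the constructed sample yields two findings; point `audit()` at a real server.xml to check a live Tomcat 5.5 install.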