Bill,

I have followed the recommendations in that document but did not succeed. So I have a set of self-generated (using OpenSSL) credentials. OpenSSL server and client work fine (connect) using these credentials with authentication both ways. Following the instructions in http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html I have done:

    openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile /etc/pki/tls/cacert.pem -caname root -chain

I have used the password changeit. Next I have edited server.xml to have these strings:

    <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
    <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
               keystoreFile="conf/mycert.p12" keystorePass="changeit"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

    <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
               keystoreFile="conf/mycert.p12" keystorePass="changeit"
               truststoreFile="conf/mycert.p12" truststorePass="changeit"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" />

Then I started the server and used Firefox trying to open https://localhost:8442 or https://localhost:8443 with no success (failed to connect page). The Catalina log file shows "java.io.exception: Invalid keystore format."

What have I done wrong?

Thanks,
Vadim.

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Bill Barker
Sent: Friday, December 04, 2009 7:25 PM
To: users@tomcat.apache.org
Subject: Re: JSSE question

"Vadim Letitchevski" <vletitchev...@teledyne.com> wrote in message news:e17da276f9a0c84fad22739de29c389005dafc3...@entmail01.tad.teledyne.com...
> I am confused. Can Tomcat use only a JKS keystore, or can it also use PEM
> or some other certificate storage?
>

In the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html), it shows how to use a PKCS12 keystore. At some point that should be updated to include an example for using a PKCS11 keystore.

The actual answer is that the JSSE Connector can use any keystore format that is supported by your Java vendor. In particular, with the Sun JVM, you can't use PEM (however the APR Connector does use PEM). However, it is usually pretty easy to convert PEM to PKCS12 (see the link above for an example).

>
> Thanks
> Vadim.
> (310)765-3812
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
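A note on diagnosing the "Invalid keystore format" error discussed in this thread: the JSSE connector loads the keystore as JKS unless keystoreType is set, and the JKS loader rejects any file whose first four bytes are not its 0xFEEDFEED magic, so a PKCS12 file referenced without keystoreType="PKCS12" fails exactly this way. The script below is an added example, not code from the thread or from Tomcat; it sniffs a keystore file's leading bytes (JKS/JCEKS magic, outer DER SEQUENCE for PKCS12, PEM armour) and reports which keystoreType the connector would need. The sample byte strings are constructed stand-ins for real files.

```python
# Identify a keystore file's on-disk format from its leading bytes and compare it
# with the keystoreType configured on a Tomcat JSSE connector.
# Illustrative code, standard library only; not part of Tomcat or of this thread.
import struct

JKS_MAGIC = 0xFEEDFEED    # sun.security.provider.JavaKeyStore
JCEKS_MAGIC = 0xCECECECE  # com.sun.crypto.provider.JceKeyStore


def der_total_length(data: bytes):
    """Total length of the outer DER element if data starts with a well-formed
    SEQUENCE header, else None (PKCS12 files are one outer SEQUENCE)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_keystore_type(data: bytes) -> str:
    """Return 'JKS', 'JCEKS', 'PKCS12', 'PEM' or 'unknown' for the given file bytes."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    total = der_total_length(data)
    # A truncated or padded file will not match its own declared DER length.
    if total is not None and total == len(data):
        return "PKCS12"
    return "unknown"


def check_connector(data: bytes, configured_type: str = "JKS") -> str:
    """Compare the configured keystoreType (Tomcat's default is JKS when the
    attribute is absent) with the format the file actually has."""
    actual = detect_keystore_type(data)
    if actual not in ("JKS", "JCEKS", "PKCS12"):
        return f"file looks like {actual}; the JSSE connector cannot load it, convert it to PKCS12 first"
    if actual == configured_type.upper():
        return "ok"
    return f'file looks like {actual} but keystoreType={configured_type}; set keystoreType="{actual}"'


# Constructed sample inputs (headers only; not real keystores).
SAMPLE_JKS = struct.pack(">II", JKS_MAGIC, 2) + b"\x00\x00\x00\x00"
SAMPLE_P12 = b"\x30\x82" + struct.pack(">H", 300) + bytes(300)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
```

Run against the real conf/mycert.p12 with `check_connector(open(path, "rb").read())` to see whether the default JKS assumption is what the connector is tripping over.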