Hi Richard,
In your Server_modified.xml up the top you've got AprListener configured with SSLEngine=on. This means Tomcat expects the APR type of SSL configuration on a Connector. (see Tomcat SSL Howto for details) http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html In short - your config is using the wrong SSL type. Either: (a) Change the connector to use the SSL under APR type, you'll need to convert your key, certificate and CA certificates (including intermediate ones) to the Open SSL PEM type. (b) Or turn off the AprListener's SSLEngine option (simpler). The APR solution is supposed to be faster since it uses the native SSL libraries compiled specifically for your system. Best Regards, Brett From: Richard da Silva [mailto:roman_s...@yahoo.com] Sent: 26 October 2010 09:09 To: Tomcat Users List; Brett Delle Grazie Cc: darryl.le...@unsw.edu.au Subject: SSL Certificate : Unable to configure Tomcat "server.xml" Thanks for your response, Darryl But, the certificate is not the problem. The Tomcat Configuration is the issue (server.xml) Richard da Silva --- On Tue, 10/26/10, Darryl Lewis <darryl.le...@unsw.edu.au> wrote: From: Darryl Lewis <darryl.le...@unsw.edu.au> Subject: RE: SSL Certificate : Unable to configure Tomcat "server.xml" To: "Tomcat Users List" <users@tomcat.apache.org>, "brett.dellegra...@intact-is.com" <brett.dellegra...@intact-is.com> Date: Tuesday, October 26, 2010, 10:26 AM Here are my notes on importing a SSL certificate in case that is the problem. I had a lot of issues and errors when I first tried. (these were compiled from suggestions on this list) Importing SSL certificates Root AddTrustExternalCARoot.crt Intermediate CA UTNAddTrustServerCA.crt Intermediate CA PositiveSSLCA.crt domain/site certificate yourdomainname.crt Location of keystore: cp .keystore /usr/share/tomcat5/.keystore Notes: default keystore is .keystore in the CWD 1. Delete default tomcat cert keytool -delete -alias "tomcat" -keystore /path/to/keystore 2. Generate new key keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore /path/to/keystore Enter keystore password: (default is changeit) What is your first and last name [Unknown]: xx What is the name of your organizational unit? [Unknown]: xx What is the name of your organization? [Unknown]: xx What is the name of your City or Locality? [Unknown]: xx What is the name of your State or Province? [Unknown]: xx What is the two-letter country code for this unit? [Unknown]: xx Is CN=yourserver.com,OU=xx, O=xx, L=xx, ST=xx, C=xx correct? [no]: y Enter key password for <tomcat> (RETURN if same as keystore password): 3. create CSR keytool -certreq -keyalg RSA -alias tomcat -file ssl.csr -keystore /path/to/keystore use this csr to order SSL certificate 4. import the certificate back into the keystore keytool -import -alias tomcat -trustcacerts -file ssl.crt -keystore /path/to/keystore -----Original Message----- From: Richard da Silva [mailto:roman_s...@yahoo.com] Sent: Tuesday, 26 October 2010 5:25 PM To: brett.dellegra...@intact-is.com Cc: users@tomcat.apache.org Subject: Re: SSL Certificate : Unable to configure Tomcat "server.xml" (a) Exists in certificate store 'cacerts' (bad idea btw). Yes it does exist. But, I took your advice, and created a separate keystore. Then imported the certificate there (b) Exists with the exact label 'tomcat' Yes, it does >From what I have seen so far, the problem does not lie with the SSL certificate itself. It's with the Tomcat configuration (and that damn server.xml file). Richard da Silva --- On Mon, 10/25/10, Brett Delle Grazie <brett.dellegra...@intact-is.com> wrote: From: Brett Delle Grazie <brett.dellegra...@intact-is.com> Subject: Re: SSL Certificate : Unable to configure Tomcat "server.xml" To: "Richard da Silva" <roman_s...@yahoo.com> Cc: users@tomcat.apache.org Date: Monday, October 25, 2010, 12:33 PM Hi, I haven't read the rest of the thread (forgive me for that) so please ignore if I'm repeating someone else's advice. Can you manually confirm (via command line tool 'keytool') that the certificate: (a) Exists in certificate store 'cacerts' (bad idea btw). (b) Exists with the exact label 'tomcat' (might be case sensitive - I don't know). (c) Verify your private key is in 'cacerts' (really bad idea btw) - what happens when you upgrade Java? Do yourself a favour and use a separate keystore for private key + certificate. One other minor detail - I think I remember reading something about only using '/' form of slash in Tomcat configs regardless of OS. But can't remember where it was (somewhere in Tomcat docs I think). Regards, Brett On Sun, 2010-10-24 at 23:47 -0700, Richard da Silva wrote: > Hi guys, > > thanks for your responses. > > Nothing seems to work so far. > > As requested, I am sending the full outlines of my "Server.xml" file. > > The first file is the original "Server.xml" (I saved a copy of it, > naturally) > > The second file --- "server.xml_modified" ---- is the file which I > modified, and the one I am now trying to use in Tomcat. > > Any helpful tips would be greatly appreciated. > > Thanks. > > > > > Richard da Silva > > > > --- On Fri, 10/22/10, Richard da Silva <roman_s...@yahoo.com> wrote: > > From: Richard da Silva <roman_s...@yahoo.com> > Subject: SSL Certificate : Unable to configure Tomcat > "server.xml" > To: users@tomcat.apache.org > Date: Friday, October 22, 2010, 3:53 PM > > Hi all, > > I've been fighting with a very silly problem all day. > > I have an instance of Sun Identity Manager (IDM) running on a > Tomcat server. > > To be able to use some of its Resources features, we have had > to create and install SSL Certificates. > > Using some of the online documentation on the installation of > SSL Certificates, I was able to successfully copy the > Certificate to the keystore. (I did not create a new keystore. > Instead, I used the default keystore which comes with the JAVA > kit : "cacerts" ) > > Everything seemed to work fine, and I got the confirmation > message saying : "Certificate installed in keystore" > > The final stage involves configuring the Tomcat "server.xml" > file, to be able to allow SSL connection, and also to pinpoint > the location of the Keystore. > > First, I commented out the "Connector Port 8080" details. And > then, I modified the "Connector port 8443" as follows : > > > <Connector port="8443" maxHttpHeaderSize="8192" > maxThreads="150" minSpareThreads="25" maxSpareThreads="75" > enableLookups="false" disableUploadTimeout="true" > acceptCount="100" scheme="https" secure="true" > SSLEnabled="true" clientAuth="false" sslProtocol="TLS" > keyAlias="tomcat" > keystoreFile="C:\Program Files\Java\jdk1.6.0_21\jre\lib > \security\cacerts" keypass="my_password"/> > > > And, this is where my problems began. > > For some reason, I cannot get this to work. > > At first, I was using Tomcat version 6.0.21 > > I began to get several errors in my Tomcat window > > (a) only one usage allowed for each of the following : > port / protocol / maxThreads, > > etc, etc > > (b) System parameter "maxThreads"........no match found for > parameter; > System parameter "scheme"........no match found for > parameter; > System parameter "clientAuth"........no match found for > parameter; > > etc, etc > > > > I began to wonder if, maybe, there was something wrong with > the Tomcat version (6.0.21) > > Last year, I had successfully performed a similar procedure > (installed Certificate, modified Tomcat server.xml file, etc). > But, that version I used was : 6.0.18 > > So, I decided to try it. I downloaded an older version of > Tomcat (6.0.18), and repeated the process all over again. > > This time, there were none of the above-mentioned errors. But, > I got another error : > > Alias "tomcat" not found. > > So, I removed that line ----- keyAlias="tomcat" ---- and > re-started the server. > > This time, something else happened : when I start-up the > server, the Tomcat window goes haywire. I see phrases and > lines of data (output) flashing on the screen at the speed of > light. And, then, my computer hangs. I have to re-boot it, to > get it working again. > > I'm at a total loss. > > I have racked my brain for any and all possible causes. At > first, I thought that, maybe, I ought to have created a whole > NEW keystore (as it mentions in the online manual). But, since > I was able to successfully import my certificate into the > default "cacerts", I figured that was not the reason. > > And, besides, there is obviously something wrong with the > newer version of Tomcat, because the older version (which I am > now using), did not give me those earlier errors. > > But, I still do not know what I am doing wrong. > > Any help will be greatly appreciated. > > > Thanks. > > > > > Richard da Silva > > > > > ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________
