Re: SSL

Wed, 23 Mar 2011 11:59:57 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joseph,

On 3/23/2011 9:48 AM, Joseph Walters wrote:
> The non-secure port (using port 8022) works fine. Tomcat listens on 
> the secure port (set as port 7019). When connecting using 
> https://domain.name:7019 a certificate warning is presented (not
> issued by a trusted Certificate authority) then I get an 'Unable to
> display screen' error.

I've never seen that error before. What software says "Unable to display
screen"?

> Also perplexing is the certificate (when viewing details through
> Mozilla Firefox) is that the certificate is always being displayed
> from the IBM default.kdb *SYSTEM keystore.

How are you determining that?

> This is ultimately Ok because that is where the client will be
> placing their signed certificate but it is often not what is
> specified for the connector.

So, it's okay but not okay?

> algorithm="IbmIseriesX509"

The Tomcat documentation says to use "IbmX509". Are you sure that
"IbmIseriesX509" is the right value, here?

> sslProtocol="SSL"

Stuck in SSL land, eh? :(

Your first sample configuration does not include a "keystoreFile"
setting. That is unlikely to work out for you.

>            keystoreFile="/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB"
>            keystorePass="xxxxxxxx" />  

The default keystoreType is "JKS". Is this a "JKS" store?

>            keystoreFile="/home/User/.keystore2"         
>            keystorePass="changeit" />  

Is *this* a JKS store?

> I have also tried changing the sslProtocal between "SSL" and "TLS"

If the problem is the keystore, then the sslProtocol value will not be
the problem.

> I am seeing the following errors in Catalina.out:
> 
> keymanager: Exception in X509KeyManagerImpl initialization 
> 
> java.security.KeyStoreException: Keystore type is invalid  

This will happen if you have the wrong keystore password, the wrong
keystore type, or an invalid keystore type. Which of the above
configurations was active when you got that exception? What was the full
error message, including stack trace?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2KQuUACgkQ9CaO5/Lv0PDsCQCgoNf26Fa23VAbs+wKgHSu9tpj
/1UAoLD8p1Nicf4UnkCjZNrfEHkhSB+C
=KGsy
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
  • SSL Joseph Walters
    • Re: SSL Christopher Schultz

Reply via email to