I have a Java web application running on a Debian virtual machine on GCE.
I'm not sure whether this is relevant (I don't think it is, just in case): I'm using Vaadin 8 in this system, and thus any HTTP calls to it are handled by a Vaadin servlet.
For SSL certification, I ran the openssl commands in self-signed SSL certificate on GCE -- 'SSL certificate could not be parsed' to get CA authorization and generate the SSL certificate myself. So by this, I'm certifying my SSL by first being a certificate authority.
After the commands in self-signed SSL certificate on GCE -- 'SSL certificate could not be parsed', I followed the instructions at https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html and did the following:
I ran the following two commands without error:
keytool -genkey -alias myalias -keyalg RSA
openssl pkcs12 -export -in mySite.com.pem -inkey mySite.com.key -out mycert.p12 -name myalias -CAfile msite.CA.pem -caname root -chain
The second command generated mycert.p12 in the directory.
I then configured server.xml. The following are all the configuration tags now in server.xml.
<Service name="Catalina">
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/root/.keystore" keystorePass="myPasswd"
clientAuth="false" sslProtocol="TLS"/>
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
…
</Service>
I replaced the server.xml in Tomcat's conf directory with this, restarted Tomcat and called my application in Firefox. I'm still seeing the SSL warning:
As far as I can see, this didn't work because either
(1) I'm missing something in the configuration of the certificate on Tomcat -- I'm not sure I did things right in server.xml. I didn't do anything elsewhere on Tomcat; or
(2) I did all the configuration right, but Firefox isn't accepting SSL signed by an unknown authority.
I'm not sure (2) can be the case. The blogs I read say that generating the .pem file connects it to publicized CAs and should be OK(?)
Any help would be appreciated. This has been eating my time for days. I don't know much about SSL or any security matters and don't even know where to go from here!
Note: I've seen Installing SSL certificate on JBoss among some other useful discussions.
//----------------
EDIT:
Please also note: I see no errors in catalina.out.
//----------------
EDIT-2:
I'm getting the security warning above (the screenshot image) when I call by http://.. in Firefox. The call to https://.. is giving the following error:
I'm installing a JKS certificate on my Ubuntu Tomcat server. I've searched but still can't solve it. The browser can connect to Tomcat on 8080 but it's not transmitted over HTTPS.
I use the command keytool -importkeystore -srckeystore **.pfx -destkeystore **.jks -srcstoretype PKCS12 -deststoretype JKS to convert PFX to JKS format.
conf/server.xml is:
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/home/hel/key/my.jks"
keystorePass="***"
keyAlias="***"
clientAuth="false" sslProtocol="TLS" />
Added:
At the same time, I tried another configuration (but it outputs the same exceptions):
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/home/hel/key/***.pfx"
keystoreType="PKCS12"
keystorePass="***"
keyAlias="***"
clientAuth="false" sslProtocol="TLS" />
There are four files in the directory /home/hel/key: .key, .pem, .pfx, .jks.
Added:
I've changed certificateKeyAlias="***" to keyAlias="***", and the exceptions disappear. But port 8443 still can't be connected to and 8080 is not transmitted over HTTPS. How can I check it? netstat shows that ports 8080 and 8443 are really listening.
localhost.log
INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log SessionListener: contextDestroyed()
INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log ContextListener: contextDestroyed()
INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log ContextListener: contextInitialized()
INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log SessionListener: contextInitialized()
localhost_access_log.txt
"GET /Beer-v1/ HTTP/1.1" 304 -
"GET /Beer-v1/css/a.css HTTP/1.1" 304 -
catalina.log
NG tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Realm} Setting property 'digest' to 'MD5' did not find a matching property.
NG tomcat.util.digester.Digester.endElement No rules found matching 'Server/Service/Engine/Resource'.
Added:
I downloaded a clean copy of Tomcat 9 and added the code below to the original conf/server.xml. In catalina.out, java.security.UnrecoverableKeyException: Cannot recover key happens.
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000"
redirectPort="8443"
scheme="https"
secure="true"
SSLEnabled="true"
sslProtocol="TLS"
keystoreFile="conf/***.jks"
keystorePass="***"
keystoreType="JKS"
clientAuth="false"
/>
It seems Tomcat is not finding the private key of the certificate in the keystore.
Since you have not specified the attribute keyAlias in the Connector, Tomcat will try to load the first key found in the keystore. See the documentation of certificateKeyAlias:
The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used.
Check the keystore to see if the private key is present and what its alias is. You can list the entries with
keytool -list -v -keystore keystore.jks
Note: you can use the pkcs12 file directly by setting
keystoreType = "PKCS12"
UPDATED: Tomcat SSL configuration
This is the minimum configuration of Tomcat for an SSL connector (deprecated attributes) in conf/server.xml, using a self-signed certificate issued for 127.0.0.1 and copied into /conf
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000"
redirectPort="8443"
scheme="https"
secure="true"
SSLEnabled="true"
sslProtocol="TLS"
keystoreFile="conf/keystore.jks"
keystorePass="a1b2c3d4e5"
keystoreType="JKS"
clientAuth="false"
/>
I have tested it with a clean copy of Tomcat 9 and JRE 1.8, with the URL https://127.0.0.1:8443
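An added example, not code from the answer above or from Tomcat: a small Java inspector that does what the keytool -list step does, then goes one step further and opens each private key with the store password, which is exactly what Tomcat does when no separate key password is configured. A key that fails this step is the "Cannot recover key" case; a keystore with several keys is the case where keyAlias must be set. File path, password and type are command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystore-file> <store-password> [JKS|PKCS12]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);   // a wrong store password or wrong keystoreType fails here
        }

        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // trustedCertEntry: a certificate without its private key, e.g. an imported CA
                System.out.println("trustedCertEntry " + alias);
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                System.out.println("key entry " + alias + " has no certificate, not usable for TLS");
                continue;
            }
            keyEntries++;
            System.out.println("PrivateKeyEntry " + alias + " -> "
                    + ((X509Certificate) cert).getSubjectX500Principal());
            try {
                ks.getKey(alias, storePass);   // Tomcat uses keystorePass here unless keyPass is set
                System.out.println("  key opens with the store password");
            } catch (UnrecoverableKeyException e) {
                System.out.println("  key password differs from the store password: the 'Cannot recover key'"
                        + " case; set keyPass (certificateKeyPassword) or re-export with matching passwords");
            }
        }
        if (keyEntries == 0) {
            System.out.println("no private key entry: only certificates were imported, Tomcat cannot serve TLS");
        } else if (keyEntries > 1) {
            System.out.println(keyEntries + " private keys: set keyAlias so Tomcat picks the right one");
        }
    }
}
```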
This link helped me: java.security.UnrecoverableKeyException: Cannot recover key.
When converting PFX to JKS with the command keytool -importkeystore -srckeystore **.pfx -destkeystore **.jks -srcstoretype PKCS12 -deststoretype JKS, set the destination keystore password the same as the key password. And remember to put the .jks file in the right path; I think it was in the wrong place. As for a self-signed certificate, I find it isn't necessary to set the keystore password the same as the key password.
Thanks to pedrofb. You helped me so much.
I have two instances of Tomcat running on the same VM. One app in one Tomcat will call the other app in the second Tomcat. Each Tomcat is configured with its own set of ports in server.xml. Each one also has its own security key. Here is the snippet of server.xml.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" keystorePass="apple123" keystoreFile="/usr/myFirstKey" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
When the app in the first Tomcat makes a REST call to the second app in the second Tomcat with the URL "https://localhost:8444/dashboard", I get this error:
Exception in Sevlet is sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can someone show me how to fix it?
There's no reason to use HTTPS to communicate between two internal servers; just use HTTP and avoid all the trouble.
But if you insist on HTTPS, you need tomcat#1 to trust the certificate of tomcat#2:
Export the certificate of tomcat#2 from its keystore file
> keytool -exportcert -alias <alias> -file <XXX>.cer -keystore <keystore>.jks -storepass <password>
Import the certificate into the trust store of tomcat#1
> keytool -importcert -alias <alias> -file <XXX>.cer -keystore <truststore> -storepass changeit
The default trust store is JAVA_HOME/lib/security/cacerts; it might be better to make a copy of it and configure tomcat#1 to use the copy.
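The client side of that fix, as an added example that is not part of the answer above: the app in tomcat#1 builds its HTTPS connection from a dedicated trust store (the copy of cacerts into which tomcat#2's exported certificate was imported) instead of editing the JVM-wide cacerts or turning certificate checks off. The trust store path and its password are assumed; the URL is the one from the question.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class InternalHttpsClient {

    // Builds an SSLContext whose PKIX trust manager only knows the given trust store.
    static SSLContext contextFor(String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certificate, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://localhost:8444/dashboard";
        // assumed location of tomcat#1's private copy of cacerts plus tomcat#2's certificate
        String trustStore = args.length > 1 ? args[1] : "/usr/tomcat1/conf/truststore.jks";
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextFor(trustStore, pass).getSocketFactory());
        // Hostname verification stays on: tomcat#2's certificate must be issued for the host in the URL.
        try {
            System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
        } catch (SSLHandshakeException e) {
            // Same PKIX failure as in the question: tomcat#2's certificate is not in the trust store.
            System.out.println("handshake failed, peer certificate not trusted: " + e.getMessage());
        }
    }
}
```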
I am trying to configure one-way SSL with a self-signed certificate on jboss-as-7.1.1.Final.
I have created a keystore using the Java keytool.
The following is the command I used to generate the keystore:
keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950
The keystore was generated. I have also modified the standalone.xml file:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="password" certificate-key-file="D:\Projects\Fiserv\certificate\self signed\foo.keystore" protocol="TLSv1" verify-client="true"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
http works fine, but when I use https, I get the below error:
Certificate-based authentication failed
This server requires a certificate for authentication, and didn't accept the one sent by the browser. Your certificate may have expired, or the server may not trust its issuer. You can try again with a different certificate, if you have one, or you may have to obtain a valid certificate from elsewhere.
Error code: ERR_BAD_SSL_CLIENT_AUTH_CERT
You need to set verify-client="true" to false. You have now specified that the client must also present a certificate (i.e. mutual authentication). That's also what the error code says: ERR_BAD_SSL_CLIENT_AUTH_CERT
I have a Java application which I am running on a RHEL server. I want to enable SSL on Tomcat 7 on RHEL. I am following this tutorial.
I used this command to create a self-signed certificate.
keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore
But on opening https://localhost:8443/ I am not getting anything, and I am unable to configure Tomcat to support SSL or https.
A) Create a keystore file to store the server's private key and self-signed certificate by executing the following command:
keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat6/keystore
B) Uncomment the "SSL HTTP/1.1 Connector" entry in /etc/tomcat6/server.xml and modify as described in the Configuration section below (this is only an example, edit your own configuration and just uncomment it and provide the correct password).
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="want" SSLProtocol="TLS"
keystoreFile="conf/keystore"
truststoreFile="conf/keystore"
keystorePass="XXXXXX"
keystoreType="PKCS12"
ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
truststorePass="XXXXXXXXXXXXXXX" />
C) If you are using SELinux, you may need to relabel the newly created keystore file's context. See the RHEL SELinux guide for how to do that.
When I changed https for a secure connection in server.xml of Tomcat 7.0
<Connector
clientAuth="false" port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="test.cer"
SSLCertificateKeyFile="test.key"
SSLCACertificateFile="CertPath.txt"
SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>
I've got an error when running Tomcat from the IDE
Caused by: java.io.FileNotFoundException: C:\Documents and Settings\User.keystore (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
but there is no error when running tomcat 7.0/bin/tomcat7.exe.
What is wrong in these two? Please explain to me! Thanks.
I think you need a keystore file.
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/home/Raja/Desktop/Tomcat5/mycert.jks"
clientAuth="false" sslProtocol="TLS" />
Check your server.xml file and also refer to this link; it might be useful to you.
I think you need to create a new keystore file, and you can generate it by executing this command.
%JAVA_HOME%\bin>keytool.exe -genkey -alias tomcat -keyalg RSA
And for more clarity see this link Tomcat SSL problems. I think this can help you to have a better understanding of your problem.