I currently have Tomcat 7 server running a web service.
I've enabled 2-way SSL in server.xml
<Connector port="8443"
maxThreads="500"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="tomcat_keystore.jks"
keystorePass="*******"
truststoreFile="tomcat_truststore.jks"
truststorePass="*****"
clientAuth="true"
keyAlias="tomcat"
redirectPort="8080"
sslProtocol="TLS"/>
The direct connection to HTTPS web service works fine.
But when I call it through the Load Balancer, it is failing because current health check fails (so it thinks that web service is down).
If this health check passes, the Load balancer will simply forward the request to Tomcat server.
Current health check is just calling HTTPS GET method and expects a 200 OK.
I know I can get this resolved by installing the certs on the Load balancer but I don't want to do that because I just need to verify:
1) If the box is up and running
2) if the tomcat server is up and running
Is it possible to have another web service running at the same time on the same tomcat server which can be called by HTTP GET (no SSL)? which I can add it in the Load Balancer health check?
Yes, it is possible. But not on same port.
You have to configure another connector.
Related
I am creating spring rest service. I wanna secure it with https.
I know that using following solution:
http
.authorizeRequests()
.antMatchers("/secure/**").hasRole("ADMIN")
.anyRequest.hasRole("USER")
.and()
.requiresChannel()
.anyRequest().requiresSecure();
I can force using https. But I do not know what else I have to do. Should I configure something else in spring security or it is enough? I am using tomcat. Should I install certificate? If yes, is existing possibility to install "test certificate"? How it works?
I don't have enough rep to add a comment, so you'll probably need to provide more information to get the answer you really want.
First off, to enable HTTPS, you will need an SSL certificate. If you're just testing/developing, you can generate your own self-signed certificate and ignore certificate warnings from your browser. If however this is a public-facing server, you'll need a valid SSL certificate from a certificate authority like GoDaddy or similar. Generating an SSL cert is probably outside the scope of this question, and there are a lot of guides out there for this (I would post links, but don't have enough rep).
The config you have shown is a valid way to force your application server to only communicate over HTTPS, however, it is not sufficient to actually enable HTTPS for your Tomcat server.
Depending on your setup, you have a few different options for enabling HTTPS.
If you're using Spring Boot with an embedded Tomcat server, then you can enable SSL by setting the server.ssl.* properties of your application.properties file, for example:
server.port=8443
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret
server.ssl.key-password=another-secret
Where keystore.jks is the path to your Java keystore that holds your SSL certificate. See Spring Boot Docs for more info.
If you're using a standalone Tomcat server, you'll need to modify Tomcat's server.xml in $CATALINA_BASE/conf/server.xml and add an SSL connector. For example:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
This example is for Tomcat 7, but the process is similar for other Tomcat versions. See Tomcat SSL for more information.
If you are using a proxy/load balancer (like NGINX) you can add an SSL termination there. The proxy/load balancer then intercepts all HTTPS traffic and communicates over non-HTTPS connections to your application servers. This has the added bonus of not having to interfere with your application server to perform SSL-related maintenance like changing your certificate or config.
1/
Install the latest version of tomcat (8.0.28) and run it on java 8 (I'm using the 1.8.0_45 / 64-Bit version).
I'm running the Tomcat on a Windows 7 64-Bit
2/ Enable SSL on Tomcat:
Activate SSL by creating a keystore and uncommenting the https connector in the server.xml file, add
keystoreFile="" keystorePass=""
to the connector.
FYI: here is my connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="password"
keystoreFile="/path/to/my/keystore" />
3/ Install Fiddler (www.telerik.com/fiddler) or any other tool to sniff the traffic between your host and the server, the fiddler should run on your host. I did my screen shots with Fiddler.
4/
Go to tools/options/https and check "enable decrypt".
5/
Using Internet explorer 11 (chrome also works but as it compresses the websocket traffic it makes it harder to reach 8KB of data), access your tomcat remotely using https and open the example app at https://server:8443/examples/websocket/echo.xhtml
choose "Programmatic API", hit "Connect", then send a small test message
on fiddler, double click on the websocket session and look at the result in the websocket tab.
Now, try to send a large text of say 20KB, you'll see that the reply is split in frames of 8KB marked "Continuation". There should be a frame marked "Final" which is missing at this point.
Send another small message so that the missing frame is flushed.
Important:
If I connect to a Tomcat running locally on my host I do not reproduce this issue.
If I do not use SSL, I do not reproduce this issue.
Questions:
- why such behavior, did anyone experience the same thing ?
- how to properly troubleshoot this issue ?
- I tried to enable the Tomcat logging but nothing interesting in the logging: org.apache.tomcat.websocket.level = FINE
The issue is apparently OS related:
When Tomcat is on Windows 7 it does not work
When Tomcat is on Windows 10 it works
When Tomcat is on Windows Server 2012 R2 it works
In short this issue a combination of OS (some versions of windows) / SSL and WebSockets.
The "dirty" workaround I found for now is to send a last message to flush the buffer since I have access to the code of the server side.
please let me knwo if you faced such issue as this could be something related to the SSL handshake for some specific windows versions and I don't knwo how to trouble shoot that.
I would like to know if anybody has experience working with SSL and HTTPS on a Google Compute Engine (not GAE) instance. I have been unable to use HTTPS with my website: browsers and online test tools fail to connect to my server.
My environment is ubuntu-1404-trusty-v20141212 and Tomcat 8.
Here's what I did:
I ticked "allow HTTP" and "allow HTTPS traffic" on the instance's network settings
Installed my $4 Comodo certs.
Used as-is Connector configuration on server.xml with only keystore and password added
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/ssl/private/tomcat.keystore"
keystorePass="password"
/>
I get the aforementioned error when I start my Tomcat and go to https://mysite.com:8443. Some diagnostics are:
Log catalina.out doesn't say anything severe.
Using netstat -ntlp |grep :8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8500/java shows my tomcat is listening at 8443
Finally I created an AWS EC2 instance with the same environment and installed my SSL certificates. It immediately works without any tinkering with port and firewall.
Any advice on how to make SSL work on GCE is appreciated.
Figured it out myself. As suspected, this does have something to do with firewall.
When allowing HTTPS traffic in a GCE instance, the default port is 443 not 8443.
Either change the listening port or change the firewall rule here:
Google Developers Console->Compute Engine->Networks->the network's
name the instance is associated with->Firewall rules.
Several rules are listed, in my case I need to modify default-allow-https
I'm running a java web app in Eclipse (Helios) using Tomcat 7. The server startups up successfully (duration indicated) however Eclipse's progress bar still spins saying that Tomcat is starting up. Eventually the timeout is reached and an error is thrown.
I believe Tomcat is fine as I've taken the command that it uses and ran it manually in the shell. Tomcat runs fine and I'm able to hit the web app at the expected URL. I can also hit it after it's started up and before the timeout occurs.
I've reinstalled Eclipse, I ran it with clean, I deleted/recreated the server. Nothing has worked. Anybody have any clues?
I had this issue, it seems that the Eclipse calls the application url after start up to make sure it is running.
A proxy client (pshione) had changed the system proxy so the eclipse could not call the start page and thinks that the application is not starting yet!!
I removed the proxy and it works fine now!
Edited:
This can also happen when you start your tomcat with SSL, but the ssl certification is not valid. When you make a call to and invalid SSL certification site, some browser confirm if you want to go one or not, but eclipse can not connect to your invalid ssl site! I suggest test your site with normal http instead of https.
This issue is related to a tomcat configured with HTTPS without a HTTP connector.
I had this SSL connector in server.xml and my tomcat in Eclipse is always showing Starting:
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
I suppose Eclipse uses a HTTP connection to the server to verify that instance of Tomcat is available.
I've solve this problem including an aditional HTTP connector redirecting to HTTPS in server.xml.
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
redirectPort="443"/>
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
With this change my tomcat in Eclipse starts properly showing Debugging state.
Some updates of Java cause problems with Eclipse's networking operation. Specifically, Eclipse tries to use IPv6 instead of IPv4 and sometimes fails. When Eclipse starts up Tomcat, one of the final steps that it does is tests the a debug call to Tomcat. This is likely to be the part that is hanging. Fortunately, the fix is very easy. We simply tell Eclipse to use IPv4 instead.
To do this, edit the eclipse.ini file (found in the Eclipse directory) and add the following to the end of the file on its own line:
-Djava.net.preferIPv4Stack=true
Restart Eclipse and you should be good to go.
I had the same issue, it was due to the connectors I had defined (I only had an AJP connector).
Adding an HTTP connector to Tomcat's server.xml solved the problem.
I've found the answer (just after posting here which, ironically, seems to be how to find answer's to one's own question.)
The answer was that the port was being used by another process. I should've known but upgraded several different packages will do this. But onto the symptoms:
Tomcat starts successfully. Able to hit the application before timeout.
Eclipse looks like it's unable to determine whether the server has started or stopped.
HTTP is currently running under the default of 8080. Unfortunately, my data store was listening at 8080 (my guess as I'm not particularly sure what it does with the port except that it's allocated for jmx). I'm guessing that Eclipse is unable to detect Tomcat at 8080.
I got this problem, it seems that my tomcat version was buggy (tomcat 7.0.23)
switch your tomcat version to another (i.e tomcat 7.0.14) it works for me.
good luck
This could happen if two servlets have been mapped to the same request URL, Tomcat will start up fine but eclipse won't be able to generate the correct web.xml file and therefore won't be able to publish the webApp.
Check your servlet mapping #WebServlet("\TheURLThatShouldInvokeThisServlet") make sure two servlets dont have the same "TheURLThatShouldInvokeThisServlet".
(putting it for the record!)
I am using tomcat 5.5 and configured keystore and added this connector inside server.xml file
<Connector port="443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true";
clientAuth="false" sslProtocol="TLS"/>
But I am not sure why when I type in https://locahost the browser tells me "This program cannot display the webpage".
Did you check Tomcat's logs?
Perhaps the connector could not start up.
Perhaps Tomcat could not read or find the .keystore you configured.
Perhaps the .keystore has a password which Tomcat does not know about.
Perhaps another process is already bound to that port.
The logs will probably tell you exactly which of these is going on.
Possibly you have your browser configured to use a web proxy. In this case, make sure that localhost and 127.0.0.1 are exceptions to using this proxy under the browser's preferences or options. ALSO make sure that localhost is mapped to 127.0.0.1 in your /etc/hosts file. Which in windows is under \WINDOWS\system32\drivers\etc\hosts.
Try to add the port
localhost :443