What is difference between keystore/truststore in JAVA_OPTS and in the Connector?
Eg:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=<trustStorePath> \
-Djavax.net.ssl.trustStorePassword=<trustStorePassword> \
-Djavax.net.ssl.keyStorePassword=<keystorePassword> \
-Djavax.net.ssl.keyStore=<keystorePath> \
-Djavax.net.ssl.keyStoreType=JKS \
-Djavax.net.ssl.trustStoreType=JKS"
and
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true" clientAuth="false"
sslProtocol="TLS" keyAlias="server"
keystoreFile="/home/user_name/your_site_name.jks"
keystorePass="your_keystore_password" />
I would like to use the second approach. Can I get rid of the first (JAVA_OPTS) settings? Is there any advantage to using the first approach if the second one (connector with params) is available?
The first one sets the default SSLContext for the whole JVM, the second one only configures the SSLContext for the https SSL Connector, i.e. for clients connecting to your application via https.
The JAVA_OPTS settings seem redundant if you only use SSL for the https server. They remain useful if you want to add a trusted server certificate or a client key to set up SSL connections to another server over secure http, ldap, ftp etc.
I have a single AWS EC2 instance without a load balancer. I have an Apache Tomcat server running on it. How should I install an SSL certificate on the server for the website I am hosting there? I am running a Java Struts 2 application on the server.
All the options online are about using ACM with load balancer.
For Tomcat 8 I would do the following:
Copy your .p12 to /usr/java/latest/
Add the following to your server.xml file, ensuring that keystoreFile matches the path from the step above and that keystorePass corresponds to the cert:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2"
keystoreFile="/usr/java/latest/<your.p12>"
keystorePass="<add passwd here>" keystoreType="PKCS12"
connectionTimeout="20000" redirectPort="8443"
proxyPort="443" server="NunYa"
proxyName="<fqdn>" />
If you want to prevent unencrypted traffic, comment out the block in server.xml starting with <Connector port="8080" protocol="HTTP/1.1"
For more details see the references below.
References
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
You can use an nginx server to route the default 443 port to your Tomcat 8080 or 8443 port on the Amazon instance.
For that you need to buy an SSL certificate or get a free one with a 3-month duration via the "https://letsencrypt.org" website.
You can even configure nginx using an openssl certificate if you are going to use it for demo purposes.
I moved to a new server and I installed Oracle Linux operating system, and Oracle database on the machine.
Then, according to this tutorial, I installed Apache 7 and JDK 1.8.
But when I attempt to access it as ww.mysite.com it does not work.
But when I attempt to access it as ww.mysite.com:8080 I can access the site.
How can I change my site to work on ww.mysite.com?
My server.xml file below:
<Connector
port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,image/svg+xml,image/gif,image/jpeg,image/png,text/plain,application/xhtml+xml,application/javascript,application/json,text/javascript"
maxThreads="350"
threadPriority="java.lang.Thread.MAX_PRIORITY"
acceptCount="200"
/>
Change the port to 80 in the first line as below:
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,image/svg+xml,image/gif,image/jpeg,image/png,text/plain,application/xhtml+xml,application/javascript,application/json,text/javascript"
maxThreads="350"
threadPriority="java.lang.Thread.MAX_PRIORITY"
acceptCount="200"
/>
Good luck with your work,
You need to change port="8080" to port="80", because 80 is the HTTP standard port. When not on the standard port, you need to add the port to the calling URL. The same goes for HTTPS, where the standard port is 443.
Btw. don't forget to restart Tomcat after changing the server.xml ;-)
-- edit
Also you should take care of the firewall on the system you are working on, as well as possibly on your router. You need to open port 80 there for incoming requests. But you should make sure that nobody could hack your system/network.
For this most people use an Apache HTTPD in front of a Tomcat, for example to filter SQL injections etc.
-- edit
For the case that tomcat would not start, you might also have to check if some other thing on your system is already listening on port 80.
-- edit
Last but not least ports <= 1024 are privileged, so you need to run tomcat with these privileges.
After trying a lot of things, I found a solution.
With the command line in a Linux terminal I installed httpd:
sudo yum install httpd
Then I changed my port number from 80 to 8080 in server.xml:
<Connector
port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,image/svg+xml,image/gif,image/jpeg,image/png,text/plain,application/xhtml+xml,application/javascript,application/json,text/javascript"
maxThreads="350"
threadPriority="java.lang.Thread.MAX_PRIORITY"
acceptCount="200"
/>
In the Linux command line I changed my user to the tomcat user, which was created as in the link below for Apache Tomcat purposes.
https://oracle-base.com/articles/linux/apache-tomcat-7-installation-on-linux
Run Apache Tomcat:
./startup.sh
Change user to the main one and open the httpd.conf file:
/etc/httpd/conf/httpd.conf
Edit the file with the vi Linux command:
vi httpd.conf
Add this:
<VirtualHost *:80>
ServerName ww.mysite.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://ww.mysite.com:8080/
ProxyPassReverse / http://ww.mysite.com:8080/
ErrorLog logs/mysite.com-error_log
</VirtualHost>
I would like to know if anybody has experience working with SSL and HTTPS on a Google Compute Engine (not GAE) instance. I have been unable to use HTTPS with my website: browsers and online test tools fail to connect to my server.
My environment is ubuntu-1404-trusty-v20141212 and Tomcat 8.
Here's what I did:
I ticked "allow HTTP" and "allow HTTPS traffic" on the instance's network settings
Installed my $4 Comodo certs.
Used the as-is Connector configuration in server.xml with only the keystore and password added:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/ssl/private/tomcat.keystore"
keystorePass="password"
/>
I get the aforementioned error when I start my Tomcat and go to https://mysite.com:8443. Some diagnostics are:
Log catalina.out doesn't say anything severe.
Using netstat -ntlp | grep :8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8500/java
shows my Tomcat is listening on 8443.
Finally I created an AWS EC2 instance with the same environment and installed my SSL certificates. It immediately works without any tinkering with port and firewall.
Any advice on how to make SSL work on GCE is appreciated.
Figured it out myself. As suspected, this does have something to do with firewall.
When allowing HTTPS traffic in a GCE instance, the default port is 443 not 8443.
Either change the listening port or change the firewall rule here:
Google Developers Console -> Compute Engine -> Networks -> the name of the network the instance is associated with -> Firewall rules.
Several rules are listed, in my case I need to modify default-allow-https
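The diagnosis in the answer above ("netstat shows Tomcat listening, but browsers cannot connect") comes down to telling apart a port with nothing listening, a firewall that silently drops packets, and a listener that answers but does not speak TLS. This added example (not code from any of the posts) is a small Python probe that classifies exactly that; the two local endpoints it checks in self_check() are constructed for the demo, and the cafile parameter is an assumption for deployments with a private CA.

```python
"""Classify why https://host:port cannot be reached.

Added example, not from the original posts. It separates the cases the
thread above runs into: nothing listening on that port (connection
refused), a firewall silently dropping packets (timeout or no route),
a listener that answers but does not speak TLS (e.g. a plain HTTP
connector), a certificate the client does not trust, and success.
"""
import socket
import ssl
import threading

DEFAULT_TIMEOUT = 3.0


def probe_https(host, port, timeout=DEFAULT_TIMEOUT, cafile=None):
    """Return 'tls-ok', 'cert-untrusted', 'handshake-failed',
    'refused' or 'filtered' for host:port."""
    # cafile (assumed parameter) lets you trust a private CA; None uses
    # the system trust store, which is what browsers effectively do.
    context = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # A RST came back: the host is reachable but nothing listens here
        # (wrong connector port, Tomcat down, connector failed to start).
        return "refused"
    except OSError:
        # No answer at all (timeout, no route): typically a cloud firewall
        # rule that opens 443 while Tomcat actually listens on 8443.
        return "filtered"
    try:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.getpeercert()  # verified during the handshake
            return "tls-ok"
    except ssl.SSLCertVerificationError:
        return "cert-untrusted"
    except (ssl.SSLError, OSError):
        # Bytes arrived that are not a TLS ServerHello (a plain HTTP
        # connector, for instance), or the peer dropped the connection.
        return "handshake-failed"
    finally:
        raw.close()


def _free_port():
    """A 127.0.0.1 port with nothing listening (constructed for the demo)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def _serve_plain_http_once():
    """Start a throwaway listener that answers like an HTTP-only connector."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def handle():
        conn, _ = listener.accept()
        with conn, listener:
            conn.recv(4096)  # swallow the client's TLS ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")

    threading.Thread(target=handle, daemon=True).start()
    return listener.getsockname()[1]


def self_check():
    """Offline demonstration against two constructed local endpoints."""
    return {
        "closed_port": probe_https("127.0.0.1", _free_port()),
        "plain_http_port": probe_https("127.0.0.1", _serve_plain_http_once()),
    }


if __name__ == "__main__":
    print(self_check())
```

Run it against the public name and the port the Connector is bound to (8443 in the question): "filtered" points at the instance or network firewall rule, "refused" at the Tomcat side (port or connector), and "handshake-failed" at a plaintext connector answering on that port.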
I am using Tomcat 5.5, configured the keystore and added this connector inside the server.xml file:
<Connector port="443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>
But I am not sure why, when I type in https://localhost, the browser tells me "This program cannot display the webpage".
Did you check Tomcat's logs?
Perhaps the connector could not start up.
Perhaps Tomcat could not read or find the .keystore you configured.
Perhaps the .keystore has a password which Tomcat does not know about.
Perhaps another process is already bound to that port.
The logs will probably tell you exactly which of these is going on.
Possibly you have your browser configured to use a web proxy. In this case, make sure that localhost and 127.0.0.1 are exceptions to using this proxy under the browser's preferences or options. ALSO make sure that localhost is mapped to 127.0.0.1 in your /etc/hosts file, which on Windows is under \WINDOWS\system32\drivers\etc\hosts.
Try adding the port:
localhost:443
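The Tomcat 8 answer above (move the .p12 into a TLS connector, comment out the plaintext 8080 connector), the port-80 answer (privileged ports need extra rights) and this Tomcat 5.5 troubleshooting thread (a connector that may not find its keystore) all come down to what the Connector elements in server.xml say. This added example (not code from any of the posts) is a static audit of those elements in Python; the server.xml it checks is a constructed sample with placeholder keystore path and password, and the finding texts are my own wording.

```python
"""Static audit of the <Connector> elements in a Tomcat server.xml.

Added example, not from the original posts. It reports: a plaintext HTTP
connector left enabled next to the TLS one, a TLS connector without
keystoreFile (Tomcat then looks for ~/.keystore), an sslProtocol that is
not pinned to TLSv1.2 or newer, a redirectPort that no TLS connector
serves, and a privileged port (below 1024) that Tomcat cannot bind
without extra rights.
"""
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment; keystore path and password
# are placeholders.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2"
               keystoreFile="/usr/java/latest/PLACEHOLDER.p12"
               keystorePass="PLACEHOLDER" keystoreType="PKCS12" />
    <Connector port="443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" redirectPort="9443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

FIRST_UNPRIVILEGED_PORT = 1024
MODERN_SSL_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def _is_true(value):
    return (value or "").strip().lower() == "true"


def _is_tls(connector):
    # Tomcat 6+ marks TLS connectors with SSLEnabled; Tomcat 5.5 configs
    # (like the one in the question) only carry scheme="https".
    return _is_true(connector.get("SSLEnabled")) or connector.get("scheme", "").lower() == "https"


def audit_connectors(server_xml):
    """Return sorted (port, finding) pairs for the connectors in server_xml."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port", "").isdigit()]
    tls_ports = {int(c.get("port")) for c in connectors if _is_tls(c)}
    findings = []
    for c in connectors:
        port = int(c.get("port"))
        if port < FIRST_UNPRIVILEGED_PORT:
            findings.append((port, "privileged port: Tomcat needs extra rights to bind it, or front it with httpd/nginx"))
        redirect = c.get("redirectPort", "")
        if redirect.isdigit() and int(redirect) not in tls_ports:
            findings.append((port, "redirectPort %s is served by no TLS connector" % redirect))
        if c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # AJP carries requests from a fronting httpd, not from browsers
        if not _is_tls(c):
            findings.append((port, "plaintext HTTP connector still enabled"))
            continue
        if not c.get("keystoreFile"):
            findings.append((port, "TLS connector without keystoreFile (Tomcat falls back to ~/.keystore)"))
        proto = c.get("sslProtocol", "TLS")
        if proto not in MODERN_SSL_PROTOCOLS:
            findings.append((port, "sslProtocol=%s: pin TLSv1.2 or newer" % proto))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port %5d: %s" % (port, finding))
```

On the sample the 8443 connector from the Tomcat 8 answer passes cleanly, the 8080 connector is reported as plaintext, and the Tomcat 5.5-style 443 connector collects the privileged-port, missing-keystoreFile, unpinned-sslProtocol and dangling-redirectPort findings. Feed it your own server.xml with open(path).read() before looking in the logs.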