I am trying to set up SSL in Tomcat following the official documentation. I have some questions related to the keystores involved in this setup. There is a keystore at JRE/lib/security/cacerts and one configured in Tomcat server.xml's connector element. Is my following assumption correct?
The keystore configured in server.xml is only used for SSL connections, and JRE/lib/security/cacerts is still used to trust connections made from server-side code such as B2B web service calls.
That is correct. To be more specific, the KeyStore configured in server.xml is used for inbound SSL connections.
Earlier, when I kept both apps (app1 & app2) in the same (JBoss) server, I could call [communicate with] the APIs available in app1 from app2. [JBoss SSL configured with certificate]
Now my issue is: I moved only my app2 into the Tomcat server, without changing any code, and tried to connect to the APIs of app1. It is throwing a ClientProtocolException.
I came to know the issue is with the SSL certificate, because app1 is SSL configured.
Is there any place where I have to configure my Tomcat server to trust app1 with the JBoss SSL certificate, or do I have to add the TrustManager SSL socket code in the Java program?
Please let me know the possible solution; I have been stuck.
You need to configure the Tomcat environment to know that a certificate exists to use.
This is done with -Djavax.net.ssl.trustStore=mykeystore or setting it in JAVA_OPTS.
For Linux this is done as follow:
export JAVA_OPTS=-Djavax.net.ssl.trustStore=mykeystore
before calling ./startup.sh
I'm a web service client and I'm connecting to the web service through SSL.
It's a 2-way SSL and the producer has shared the certificate. I did run the InstallCert.java, got the alias and created a Keystore.
I'm using weblogic application server and I have placed my Keystore in it.
Now when I run it, I'm getting an error,
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException:
TrustManagerFactoryImpl is not initialized
Before this I could see that it is trying to load the identity certificate and the private key. But as per standards the producer isn't willing to share the private key with us.
Any suggestion on this would be of great help to me. Thanks.
I resolved it.
I added my .cer file to cacerts which is referred by the weblogic server (Using keytool import). In the keystores section, I kept the default option (Demo identity and Demo trust). In the SSL section, I went to advanced, click on the checkbox ("Use JSSE SSL").
It worked.
I had this issue connecting to a MySQL database that requires SSL to connect.
It turns out, for me, the driver version needed to be updated in order to properly handle the trust store configuration in the JDBC URL.
I built a web service application in JDeveloper 11.1.1.7 and deployed it on WebLogic 10.3.6 with all keystore and SSL configuration.
SSL Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That means it is one-way SSL. Correct me if that is wrong.]
SSL Listen Port Enabled: Checked
Keystore Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom keystores.
A sample client application has been created and everything seems to be fine; I mean the client cannot access the server application without specifying the trust store file location where the server certificate is stored and trusted at the client end.
By the server certificate I mean the same certificate that has been configured in the server Keystore Configuration.
For your information, the client application refers to the trust store as follows:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now, nothing is wrong. Next are the problem details:
For the purpose of testing, I tried to access the deployed web service application using SoapUI (open source software). What is confusing is that the request was sent, accepted at the server and proceeded without specifying anything for the server certificate or trust store location in the SoapUI project configuration!!
Why has the SOAP request been accepted from SoapUI without referring to the server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, it doesn't check whether the CN of the server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA-signed certificate. Most of the root and intermediate certificates of well-known CAs (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred an SSL error unless you imported the self-signed certificates into the truststore of the host where SoapUI is running.
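As an added illustration of the javax.net.ssl.trustStore setup discussed in the Tomcat and WebLogic questions above (this is example code, not from any post here): a JSSE client that loads its truststore explicitly in code rather than through JAVA_OPTS or System.setProperty(), lists which issuers it actually trusts, and keeps hostname verification on. The store path, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: outbound TLS client trusting a server from an explicit truststore.
// Path, password and URL below are hypothetical placeholders.
public class TrustStoreClient {

    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        // A keytool-created store (JKS or PKCS12) holding the server's CA or self-signed cert
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // init() must precede getTrustManagers(); in the other order the JDK throws
        // IllegalStateException: TrustManagerFactoryImpl is not initialized
        tmf.init(trust);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // Listing the anchors shows whether the server's signer is really trusted
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted issuer: " + ca.getSubjectX500Principal());
                }
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null KeyManagers: one-way TLS, the client presents no certificate of its own
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTrustStore("/path/to/truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://app1.example.com:8443/api/ping").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is kept on purpose: the certificate's CN/SAN must
        // match the URL host, a check that a lenient tool such as SoapUI may skip
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the server's signer is missing from the printed issuer list, the fix is to import it into that store (or into the JRE's cacerts) with keytool, not to disable the trust manager.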
Is there any way to configure an additional SSL listener port on an existing WebLogic server that uses a different keystore and truststore configuration from the "main" SSL port?
I don't think you can use multiple keystores for the same server. Even if you're using custom key/trust stores, you should be able to consolidate everything (using import/export for keytool/ikeyman).
Under the Server -> Protocols -> Channels tab, you can define an additional port using your SSL protocol of choice (t3s/https/iiops/ldaps) but your issue should be resolved by using the earlier suggestion alone.
I've been trying all day to set Tomcat 6.0 up for SSL. I know it shouldn't be that hard. I've followed the Tomcat documentation in creating my own certificate and configuring the connectors in the server.xml file.
When I go to https://localhost:8443, (8443 is the port I defined in the connector) my certificate does not render on the screen, and my browser tells me that it was unable to make a secure connection to the server and that my client may not have the certificate.
My question is, why isn't my certificate rendering for the user to say "Trust" or "Not"?
There's full documentation in the SSL How-To for Tomcat 6. I don't know how far you've gotten in setting up your SSL for me to help you.
Make sure that in server.xml in APACHE_HOME/conf has both Connector for port 8080 and 8443 enabled.
Do you happen to have a tcnative-1.dll file in apache-tomcat-6.xxx\bin\ folder?
If so, it will not work with your current <Connector/> configuration. Remove the file or rename the extension and restart the tomcat server again.
This is stated in "Edit the Tomcat Configuration File" section of http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
I ended up figuring it out.
The issue was regarding the protocol attribute in my Connector:
This is what I had: protocol="HTTP/1.1"
Now I have this: protocol="org.apache.coyote.http11.Http11Protocol"
The only issue now is that Chrome or IE won't run the site as HTTPS because I signed the certificate myself and am not a CA.