I tried to configure an SSL certificate for Tomcat 7 (7.0.61), which I installed on an Azure Windows VM.
HTTPS does not work and there are no errors in the Tomcat logs. I use a DigiCert certificate, which gave me a .jks keystore file. The VM has its own DNS name: myVm.cloudapp.net. I registered my own domain NNN.today at one.com and made a redirection from NNN.today to myVm.cloudapp.net.
When creating the certificate I used NNN.today. I configured endpoints for my VM (HTTP for port 80 and SSL for port 443). The APR listener is commented out in server.xml.
Here is my server.xml config:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
sslProtocol="TLS" keyAlias="server"
keystoreFile="${catalina.base}/conf/app_farewell_today.jks" keystorePass="my_password" keystoreType="JKS"
truststoreFile="${catalina.base}/conf/app_farewell_today.jks" truststorePass="my_password" truststoreType="JKS"/>
What am I doing wrong? Any help appreciated!
The VM's firewall should be configured to allow these ports as well, and the public endpoint configuration should map to the proper internal ports.
Let's say my app is www.example.com.
When I put mydomain.com in the browser, it should redirect to https://www.example.com.
I have configured SSL already on my server.
If I put https://www.example.com, it always opens, but it does not redirect if I enter example.com.
Here is my connector:
<Connector port="8080" connectionTimeout="20000" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="file.jks" keystorePass="pass" />
My server is Tomcat 7 on a Linux box.
Your HTTP port is 8080 instead of the default 80. A URL without a port number defaults to port 80, hence http://www.example.com would go to http://www.example.com:80/.
I am trying to implement SSL for my application using JBoss. Below is the configuration in the server.xml file.
<Service name="jboss.web"
className="org.jboss.web.tomcat.tc5.StandardService">
<!-- A HTTP/1.1 Connector on port 80
<Connector port="80" address="${jboss.bind.address}"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/> -->
<!-- A AJP 1.3 Connector on port 8009 -->
<Connector port="8809" address="${jboss.bind.address}"
enableLookups="false" redirectPort="8443" debug="0"
protocol="AJP/1.3"/>
<!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
This configuration is working for 'https://localhost:8443' on the server but not with my domain, e.g. 'https://test-example.com:8443'.
Please test using this configuration, as I have added SSLEnabled="true", which is mandatory.
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
If localhost works but not the domain name, then it's probably because the ${jboss.bind.address} is 127.0.0.1. Verify that you're binding the server's IP and not the loopback.
I am working on a Spring web app using Maven. I am trying to make localhost a secure connection. I am using the Tomcat server. I used this link for creating my own CA and added it to the JVM.
This is what I added in pom.xml.
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
<configuration>
<path>/security</path>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" keystoreFile="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.71.x86_64/jre/lib/security/cacerts.jks" keystorePass="security"
clientAuth="false" sslProtocol="TLS" />
</configuration>
</plugin>
I went to https://localhost:8443, but no app is running on that port. Could someone please help?
Go to server.xml and add the following XML:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="{path}/mycer.cert" keystorePass="{password}"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
First you want to create a CA certificate.
You can use the Java keytool for certificate creation.
Store that certificate on your server.
Add the connector config within your Tomcat server.xml.
You should provide the certificate path and the password that was given.
Restart the server.
If there is any problem restarting, comment with the stack trace.
http://www.mkyong.com/tomcat/how-to-configure-tomcat-to-support-ssl-or-https/
You need to add a connector in the servlet.xml file.
<Connector
protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Replace the keystore file path and the password with the ones you have.
Refer to https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
I have two DNS entries for the same IP address, and I have two SSL keystores, one for each of them.
Can I mention both keystores in server.xml as shown below?
<Connector address="my_IP_Addres" port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
enableLookups="true" disableUploadTimeout="true"
keystoreFile="1st_keystore_file" keystorePass="1st_key_pass"
clientAuth="false" sslProtocol="SSL" />
<Connector address="my_IP_Addres" port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
enableLookups="true" disableUploadTimeout="true"
keystoreFile="2nd_keystore_file" keystorePass="2nd_key_pass"
clientAuth="false" sslProtocol="SSL" />
No, you cannot use several connectors for a single endpoint with Tomcat. HTTPS is HTTP over SSL. It means:
the client and server establish an SSL connection, using only IP:port pairs during the handshake procedure;
the client and server exchange HTTP messages over the established SSL connection.
The DNS entries (host->IP) in your case allow the client to resolve the server IP before the SSL handshake. But during the handshake hostnames are not used. This is why the server cannot determine which key/cert pair to use in this phase, and this is why only one key/cert pair can be provided.
See HTTPS limitations for more details.
I have a problem where Google Chrome is showing:
The site uses SSL, but Google Chrome has detected either high-risk insecure content on the page or problems with the site’s certificate. Don’t enter sensitive information on this page. Invalid certificate or other serious https issues could indicate that someone is attempting to tamper with your connection to the site.
This message shows up with a crossed-out red https sign.
How should I configure Tomcat to get rid of the message shown in detail in the picture below?
I found this link but can't make out from it how to fix this:
http://code.google.com/p/chromium/issues/detail?id=72716
Also there is mention of an OpenSSL problem with APR (what would be the OpenSSL alternative?):
http://tomcat.apache.org/security-native.html
I have a GeoTrust Business ID certificate, which is more than adequate for the site and should be secure enough. So I believe this is some issue with either Tomcat or Java.
Working configuration in server.xml:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="16384"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
scheme="https"
secure="true"
SSLEnabled="true"
sslProtocol="TLS"
clientAuth="false"
keystoreFile="/usr/share/tomcat6/conf/tomcat.keystore" keystorePass="somepass"
/>
is giving me the error in the picture:
UPDATE - Going native
<Connector port="443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxHttpHeaderSize="16384"
maxThreads="150"
enableLookups="false"
acceptCount="100"
disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
scheme="https"
secure="true"
SSLEnabled="true"
SSLCertificateFile="/tomcat/conf/cert.crt"
SSLCertificateKeyFile="/tomcat/conf/key.pem"
SSLCACertificateFile="/tomcat/conf/rootandintermidiate.crt"
clientAuth="optional"
/>
This seemed to do the trick!
According to:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
"The APR connector uses different attributes for SSL keys and certificates."
The examples they give are (JSSE):
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
For JSSE, and then APR:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="optional" SSLProtocol="TLSv1"/>
The first thing I noticed was that SSLProtocol is different (both the attribute and its value) and it doesn't use keystoreFile. This appears to be because:
"If the installation uses APR - i.e. you have installed the Tomcat native library - then it will use the APR SSL implementation."
The attributes in your example relate to the JSSE implementation, so I'm assuming the issue relates to the use of the NIO protocol and / or APR. Change your Connector to use the attributes designed solely for APR and remove the JSSE ones (or vice versa).
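As an added example (not code from any post in this thread), a small Python audit of the <Connector> elements in a server.xml fragment for the pitfalls raised above: a missing SSLEnabled="true" (the JBoss answer), a loopback bind address (the localhost-only answer), sslProtocol="SSL", two connectors on one address:port (the two-keystores question), JSSE and APR attributes mixed in one connector (the last answer), and an HTTP connector whose redirectPort has no HTTPS connector behind it (the redirect question). The sample XML is constructed for the demonstration; the attribute names are the Tomcat 6/7 ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Attribute names of the two SSL implementations a Tomcat 6/7 connector can use.
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "sslProtocol"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile", "SSLProtocol"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(xml_text):
    """Return (port, finding) pairs for the <Connector> elements in a server.xml fragment."""
    conns = list(ET.fromstring(xml_text).iter("Connector"))
    findings, endpoints, https_ports = [], set(), set()
    for c in conns:
        port, attrs = c.get("port", "?"), set(c.attrib)
        # Treat a connector as intended for TLS if it says so or carries any SSL attribute.
        if c.get("scheme") != "https" and not attrs & (JSSE_ATTRS | APR_ATTRS):
            continue
        https_ports.add(port)
        if c.get("SSLEnabled") != "true":
            findings.append((port, 'SSLEnabled="true" missing: connector serves plain HTTP'))
        if attrs & JSSE_ATTRS and attrs & APR_ATTRS:
            findings.append((port, "mixes JSSE (keystore*) and APR (SSLCertificate*) attributes"))
        if c.get("sslProtocol", "").upper() == "SSL":
            findings.append((port, 'sslProtocol="SSL" allows legacy SSL; use "TLS"'))
        if c.get("address") in LOOPBACK:
            findings.append((port, "bound to loopback: reachable only as localhost"))
        endpoint = (c.get("address", "*"), port)
        if endpoint in endpoints:
            findings.append((port, "second connector on same address:port; one keystore per endpoint"))
        endpoints.add(endpoint)
    for c in conns:  # a plain HTTP connector must redirect to a port that really speaks TLS
        target = c.get("redirectPort")
        if target and c.get("SSLEnabled") != "true" and target not in https_ports:
            findings.append((c.get("port", "?"), f"redirectPort={target} has no HTTPS connector"))
    return findings

# Constructed sample (not any poster's real server.xml) reproducing the thread's mistakes.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" address="127.0.0.1" scheme="https" secure="true" clientAuth="false"
             keystoreFile="conf/chap8.keystore" keystorePass="changeit" sslProtocol="TLS"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true" sslProtocol="SSL"
             keystoreFile="first.jks" keystorePass="changeit"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="second.jks" keystorePass="changeit" SSLCertificateFile="/tomcat/conf/cert.crt"/>
</Service>"""

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Run against a real server.xml by reading the file into audit_connectors; a clean configuration returns an empty list.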