When I changed https for secure connection in server.xml of tomcat 7.0
<Connector
clientAuth="false" port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="test.cer"
SSLCertificateKeyFile="test.key"
SSLCACertificateFile="CertPath.txt"
SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>
I've an error when running tomcat from IDE
Caused by: java.io.FileNotFoundException: C:\Documents and Settings\User.keystore (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
but there is no error by running tomcat 7.0/bin/tomcat7.exe.
What wrong in these two? Please explain me! Thanks.
I think you need a .key-store file.
<Connector port=”443” maxHttpHeaderSize=”8192″
maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″
enableLookups=”false” disableUploadTimeout=”true”
acceptCount=”100″ scheme=”https” secure=”true”
**keystoreFile=”/home/Raja/Desktop/Tomcat5/mycert.jks”**
clientAuth=”false” sslProtocol=”TLS>
check your server.xml file and also refer this link might be useful to you.
I think you need to create a new key store file and that you can generate by executing this command.
%JAVA_HOME%\bin>keytool.exe -genkey -alias tomcat -keyalg RSA
and for more clarity see this link Tomcat SSL problems. I think this can help you to have better understanding of your problem.
Related
I have a Java web application running on a Debian virtual machine on GCE.
I'm not sure whether this is relevant (i dont think it is, just in case) - i'm using Vaadin 8 in this system, and thus any HTTP calls to it are handled by a Vaadin servlet.
For SSL certification, i ran the openssl commands in self-signed SSL certificate on GCE -- 'SSL certificate could not be parsed' to get CA authorization and generate SSL certification myself. So by this, I'm certifying my SSL by first being a certified authority.
After the commands in self-signed SSL certificate on GCE -- 'SSL certificate could not be parsed', i followed the instructions at https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html and did the following:
ran the following two commands without error:
keytool -genkey -alias myalias -keyalg RSA
openssl pkcs12 -export -in mySite.com.pem -inkey mySite.com.key -out mycert.p12 -name myalias -CAfile msite.CA.pem -caname root -chain
The second command generated mycert.p12 in the directory.
I then configured server.xml. Following are all the configuration tags there are now in server.xml.
<Service name="Catalina">
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/root/.keystore" keystorePass="myPasswd"
clientAuth="false" sslProtocol="TLS"/>
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
…
</Service>
Replaced this with the server.xml in conf directory of Tomcat. Restarted Tomcat. Called my application in Firefox - still seeing the SSL warning:
As far as i can see, this didn't work because
I'm missing something on the configuration of the certificate on Tomcat -- not sure i did things right on server.xml. i didnt do anything elsewhere on Tomcat.
I did all the configuration right, but Firefox isn't accepting SSL signed by a not-known authority.
I'm not sure (2) can be. the blogs i read tell that generating the .pem file connects it to publicized CA-s and should be OK(?)
Any help would be appreciated. this been eating my time for days - i dont know much about SSL or any security matters -- dont even know where to go from here!
Note: seen Installing SSL certificate on JBoss among some other useful discussions.
//----------------
EDIT:
pls also note; I see no errors on catalina.out.
//----------------
EDIT-2:
i'm getting the security warning above (the screenshot image) when I call by http://.. in Firefox. the call https://.. is giving the following error:
I have Tocmat 8 installed on redhat 7
Everything works fine, the problem when I run my project, I just got this error:
Caused by: java.security.KeyStoreException: Could not load keystore
file.
conf/server.xml
<Connector port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https"
secure="true"
keystoreFile="/usr/share/tomcat8.5/8.5.23/conf/.keystore"
keystorePass="*****"
clientAuth="false" sslProtocol="TLS" />
I tried this command:
keytool -list -v -keystore ../conf/.keystore
and everything is OK, the problem is just when I run my application, I found in the log file localhost.2017-10-11.log a keystore exception.
Any help !
I am working on spring web app using maven. I am trying to make localhost a secure connection.I am using tomcat server. I used this link for creating my own CA and added it to JVM.
This is what I added in pom.xml.
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
<configuration>
<path>/security</path>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" keystoreFile="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.71.x86_64/jre/lib/security/cacerts.jks" keystorePass="security"
clientAuth="false" sslProtocol="TLS" />
</configuration>
</plugin>
I went to the link:https://localhost:8443 . But no app is running on that port. Could someone please help?
Go to sever.xml and add following xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="{path}/mycer.cert" keystorePass="{password}"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
first you want to create one CA certificate
you can use java key tool for certificate creation
store that certificate on your server .
add connector config with in your tomcat server.xml
you should provide certificate path and password that given
restart server
if any problem for restarting comment stack trace
http://www.mkyong.com/tomcat/how-to-configure-tomcat-to-support-ssl-or-https/
You need to add a connector in servlet.xml file.
<Connector
protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Replace the keystore file path and the password with the ones you have.
Refer https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
I tried to configure SSL certificate for Tomcat 7(7.0.61) which I installed on Azure Windows VM.
Https does not work and there are no errors in Tomcat logs. I use Digicert certificate which gave me .jks keystore file. VM has its own DNS: myVm.cloudapp.net I registered my own domain NNN.today at one.com and make redirection from NNN.today to myVm.cloudapp.net.
When created certificate I used NNN.today. I configured endpoints for my VM (http for port 80 and SSL for port 443). APR listener is commented out in server.xml.
Here is my server.xml config:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
sslProtocol="TLS" keyAlias="server"
keystoreFile="${catalina.base}/conf/app_farewell_today.jks" keystorePass="my_password" keystoreType="JKS"
truststoreFile="${catalina.base}/conf/app_farewell_today.jks" truststorePass="my_password" truststoreType="JKS"/>
What am I doing wrong? Any help appreciated!
The VM's firewall should be configured to listen to this ports as well and the public endpoint configuration should map to the proper internal ports as well.
I have problem where google chrome is showing:
The site uses SSL, but Google Chrome has detected either high-risk insecure content on the page or problems with the site’s certificate. Don’t enter sensitive information on this page. Invalid certificate or other serious https issues could indicate that someone is attempting to tamper with your connection to the site.
message which shows up as crossed with red https sign.
How should I configure tomcat to get rid of the message shown in detail on the below picture?
I found this link but can't make out from it how to fix this:
http://code.google.com/p/chromium/issues/detail?id=72716
Also there is mention of OpenSSL problem with APR (what would be the OpenSSL alternative?):
http://tomcat.apache.org/security-native.html
I have GeoTrust Business ID certificate which is more than adequate for the site and should be secure enough. So I believe this some issue with either Tomcat or Java.
Working configuration in server.xml:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="16384"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
scheme="https"
secure="true"
SSLEnabled="true"
sslProtocol="TLS"
clientAuth="false"
keystoreFile="/usr/share/tomcat6/conf/tomcat.keystore" keystorePass="somepass"
/>
is giving me the error on the picture:
UPDATE - Going native
`<Connector port="443"`
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxHttpHeaderSize="16384"
maxThreads="150"
enableLookups="false"
acceptCount="100"
disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
scheme="https"
secure="true"
SSLEnabled="true"
SSLCertificateFile="/tomcat/conf/cert.crt"
SSLCertificateKeyFile="/tomcat/conf/key.pem"
SSLCACertificateFile="/tomcat/conf/rootandintermidiate.crt"
clientAuth="optional"
/>
This seemed to do the trick!
According to:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
"The APR connector uses different
attributes for SSL keys and
certificates."
The examples they give is (JSSE):
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
For JSSE and then APR:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="optional" SSLProtocol="TLSv1"/>
The first thing I noticed was SSLProtocol is different (attribute and its value) and it doesn't use keystoreFile. This appears to be because:
"If the installation uses APR - i.e.
you have installed the Tomcat native
library - then it will use the APR SSL
implementation."
The attributes in your example relate to the JSSE implementation, so I'm assuming the issue relates to the use of the NIO protocol and / or APR. Change your Connector to use the attributes designed solely for APR and remove the JSSE ones (or vice versa).