SSL on Tomcat 6.0 - java

I've been trying all day to set Tomcat 6.0 up for SSL. I know it shouldn't be that hard. I've followed the Tomcat documentation for creating my own certificate and configuring the connectors in the server.xml file.
When I go to https://localhost:8443, (8443 is the port I defined in the connector) my certificate does not render on the screen, and my browser tells me that it was unable to make a secure connection to the server and that my client may not have the certificate.
My question is, why isn't my certificate rendering for the user to say "Trust" or "Not"?

There's full documentation in the SSL HOWTO for Tomcat 6. I don't know how far you've gone in setting up your SSL, so it's hard for me to help you.
Make sure that server.xml in APACHE_HOME/conf has both Connectors, for port 8080 and for port 8443, enabled.

Do you happen to have a tcnative-1.dll file in the apache-tomcat-6.xxx\bin\ folder?
If so, it will not work with your current <Connector/> configuration. Remove the file or rename its extension and restart the Tomcat server.
This is stated in the "Edit the Tomcat Configuration File" section of http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

I ended up figuring it out.
The issue was the protocol attribute in my Connector:
This is what I had: protocol="HTTP/1.1"
Now I have this: protocol="org.apache.coyote.http11.Http11Protocol"
The only issue now is that Chrome and IE won't run the site as HTTPS because I signed the certificate myself and am not a CA.

Related

Communication between Java apps on 2 different servers(app1 in jboss and app2-tomcat) with https SSL configuration

Earlier, when I kept both apps (app1 & app2) in the same (JBoss) server, I could call the APIs available in app1 from app2. [JBoss SSL configured with certificate]
Now my issue is: I moved only my app2 into a Tomcat server, without changing any code, and tried to connect to the APIs of app1. It is throwing a ClientProtocolException.
I came to know that the issue is with the SSL certificate, because app1 is SSL configured.
Is there any place where I have to configure my Tomcat server to trust app1 with the JBoss SSL certificate, or do I have to add the TrustManager SSL socket code in the Java program?
Please let me know the possible solution; I have been stuck.
You need to configure the Tomcat environment so that it knows there is a truststore to use.
This is done with -Djavax.net.ssl.trustStore=mykeystore, or by setting it in JAVA_OPTS.
For Linux this is done as follows:
export JAVA_OPTS=-Djavax.net.ssl.trustStore=mykeystore
before calling ./startup.sh

HTTPS - spring web security - how to make server secure

I am creating a Spring REST service. I want to secure it with HTTPS.
I know that using the following solution:
http
    .authorizeRequests()
        .antMatchers("/secure/**").hasRole("ADMIN")
        .anyRequest().hasRole("USER")
        .and()
    .requiresChannel()
        .anyRequest().requiresSecure();
I can force the use of HTTPS. But I do not know what else I have to do. Should I configure something else in Spring Security, or is that enough? I am using Tomcat. Should I install a certificate? If yes, is there a possibility to install a "test certificate"? How does it work?
I don't have enough rep to add a comment, so you'll probably need to provide more information to get the answer you really want.
First off, to enable HTTPS, you will need an SSL certificate. If you're just testing/developing, you can generate your own self-signed certificate and ignore certificate warnings from your browser. If however this is a public-facing server, you'll need a valid SSL certificate from a certificate authority like GoDaddy or similar. Generating an SSL cert is probably outside the scope of this question, and there are a lot of guides out there for this (I would post links, but don't have enough rep).
The config you have shown is a valid way to force your application server to only communicate over HTTPS, however, it is not sufficient to actually enable HTTPS for your Tomcat server.
Depending on your setup, you have a few different options for enabling HTTPS.
If you're using Spring Boot with an embedded Tomcat server, then you can enable SSL by setting the server.ssl.* properties of your application.properties file, for example:
server.port=8443
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret
server.ssl.key-password=another-secret
Where keystore.jks is the path to your Java keystore that holds your SSL certificate. See Spring Boot Docs for more info.
If you're using a standalone Tomcat server, you'll need to modify Tomcat's server.xml in $CATALINA_BASE/conf/server.xml and add an SSL connector. For example:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
This example is for Tomcat 7, but the process is similar for other Tomcat versions. See Tomcat SSL for more information.
If you are using a proxy/load balancer (like NGINX) you can add an SSL termination there. The proxy/load balancer then intercepts all HTTPS traffic and communicates over non-HTTPS connections to your application servers. This has the added bonus of not having to interfere with your application server to perform SSL-related maintenance like changing your certificate or config.
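The answer above leaves one gap between the Spring Security rule and the Tomcat setup: requiresSecure() does not refuse http:// requests outright, it answers them with a redirect to the HTTPS port (Spring Security's default port mapper sends 8080 to 8443 and 80 to 443), and that only works if something is actually listening on the plain port. With server.port=8443 the embedded Tomcat has a single TLS connector and nothing else. The configuration below is an added example, not code from the answer or from Spring; it assumes Spring Boot 3 with Spring Security 6, the server.ssl.* properties from the answer already in application.properties, and ports 8080/8443.

```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (assumed Spring Boot 3 / Spring Security 6; not from the original answer).
 *
 * The TLS connector on 8443 is created by Spring Boot from the server.ssl.* properties.
 * This class adds the two pieces the answer does not show: the channel rule that refuses
 * to serve over plain HTTP, and a second, HTTP-only connector on 8080 whose only purpose
 * is to receive http:// requests so that Spring Security can redirect them to https://.
 */
@Configuration
public class HttpsConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/secure/**").hasRole("ADMIN")
                .anyRequest().hasRole("USER"))
            // Any request with request.isSecure() == false is redirected to the HTTPS port
            // (PortMapper default: 8080 -> 8443, 80 -> 443) before authorization runs.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure());
        return http.build();
    }

    /** Registers the extra plain-HTTP connector next to the TLS connector Spring Boot builds. */
    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        tomcat.addAdditionalTomcatConnectors(httpToHttpsRedirectConnector(8080, 8443));
        return tomcat;
    }

    /** A connector that serves no content of its own: scheme http, not secure, redirecting to TLS. */
    static Connector httpToHttpsRedirectConnector(int httpPort, int httpsPort) {
        Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
        connector.setScheme("http");
        connector.setPort(httpPort);
        connector.setSecure(false);
        // Used by Tomcat for container-managed CONFIDENTIAL constraints; Spring Security's
        // own redirect is driven by its PortMapper, so keep the two port pairs consistent.
        connector.setRedirectPort(httpsPort);
        return connector;
    }
}
```

One caveat for the proxy/load-balancer option in the answer: when TLS is terminated at NGINX, Tomcat sees plain HTTP, request.isSecure() is false, and requiresSecure() redirects to https:// on every request, which the proxy again forwards as HTTP, so the browser loops. With Spring Boot, set server.forward-headers-strategy=native so Tomcat's RemoteIpValve marks requests carrying X-Forwarded-Proto: https as secure, and make sure only the proxy can set that header.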

Tomcat SSL and keystores

I am trying to set up SSL in Tomcat following the official documentation. I have some questions related to the keystores involved in this setup. There is a keystore at JRE/lib/security/cacerts and one configured in the Connector element of Tomcat's server.xml. Is the following assumption correct?
The keystore configured in server.xml is only used for SSL connections, and JRE/lib/security/cacerts is still used to trust connections made from server-side code, such as B2B web service calls.
That is correct. To be more specific, the KeyStore configured in server.xml is used for inbound SSL connections.
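Both the JAVA_OPTS answer in "Communication between Java apps on 2 different servers" above and this answer describe the same split: the server.xml keystore serves inbound connections, and outbound trust comes from the JVM's truststore. One consequence worth knowing before reaching for -Djavax.net.ssl.trustStore: that property replaces cacerts for the whole JVM, so every public CA stops being trusted unless it was also imported into the named file. The class below is an added example, not code from either answer: it loads an explicit truststore (the one the JBoss server certificate was imported into) and uses it for a single outbound call, leaving cacerts in place for everything else. The truststore path, its password, and the app1 URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original answers). Builds an SSLContext from an explicit
 * truststore and uses it for one outbound HTTPS call, instead of pointing the whole JVM
 * at that file with -Djavax.net.ssl.trustStore.
 *
 * Assumed: the app1 server certificate was imported with
 *   keytool -importcert -alias app1 -file app1.cer -keystore /etc/app2/app1-truststore.jks
 * and app1 answers at https://app1.internal:8443/api/status.
 */
public class PinnedTrustStoreClient {

    /** Loads a JKS truststore and returns an SSLContext whose only trust anchors are its entries. */
    public static SSLContext sslContextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            // The password only verifies the file's integrity; null skips that check.
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManager: the server side has clientAuth="false", so app2 presents no certificate.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Performs a GET against app1 over TLS using only the trust anchors in ctx. */
    public static int callApp1(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: the certificate must match app1.internal.
        // Replacing it with one that returns true would make the truststore pointless.
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFor("/etc/app2/app1-truststore.jks", "changeit".toCharArray());
        int status = callApp1("https://app1.internal:8443/api/status", ctx);
        System.out.println("app1 responded with HTTP " + status);
    }
}
```

If the self-signed certificate is replaced by one issued from an internal CA, import the CA certificate instead of the leaf, so a rotated server certificate does not break every client that pinned the old one.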

Setting the right truststore in JBoss 7

I want to send emails from a JBoss 7 application. The SMTP server needs a TLS connection with a self-signed certificate. If I try to send an email I get an SSLHandshakeException because the server certificate cannot be checked. To fix this I have added this: http://springinpractice.com/2012/04/29/fixing-pkix-path-building-issues-when-using-javamail-and-smtp/ (putting the SMTP server certificate into a Java truststore file)
My problem now is how to set the truststore file in JBoss 7.
I know that on Stack Overflow and on other forums there are several answers to that problem. But I didn't find the right one.
I have already tried the following:
adding JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/stewert.c-on/data/projects/keystore/devel.truststore -Djavax.net.ssl.trustStorePassword=123456" to:
jboss-as-7.1.1.Final/bin/standalone.conf
jboss-as-7.1.1.Final/bin/domain.conf
jboss-as-7.1.1.Final/bin/appclient.conf
adding <jsse keystore-password="123456" keystore-url="/home/stewert.c-on/data/projects/keystore/devel.keystore" truststore-password="123456" truststore-url="/home/stewert.c-on/data/projects/keystore/devel.truststore"/> to jboss-as-7.1.1.Final/standalone/configuration/standalone.xml
But if I check the system property at runtime with 'System.getProperty("javax.net.ssl.trustStore")' I get null in every case!
My environment:
Linux
JBoss 7.1
JDK 7
I'm starting JBoss inside of eclipse Juno
Anybody know what's going wrong? Where must I set the truststore?
Thanks,
Steffen
Someone asked on the JBoss forum "javax.net.ssl.trustStore - only way to specify client trust?", and the answer is basically "yes".
Their approach was to set that in a system-properties element in the server config XML, which seems like the best way to me too. Better than grubbing about in the run configuration files!
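As an added example (not from the answer or the JBoss forum thread), this is the system-properties element the answer refers to, placed where JBoss AS 7.1 expects it in standalone.xml, directly after the extensions element. The file path and password are the ones from the question; the surrounding element names follow the JBoss AS 7.1 schema.

```xml
<server xmlns="urn:jboss:domain:1.2">
    <extensions>
        <!-- existing extension entries stay as they are -->
    </extensions>
    <!-- Read by the server itself, so the values are visible to System.getProperty()
         no matter which launcher started the JVM. -->
    <system-properties>
        <property name="javax.net.ssl.trustStore"
                  value="/home/stewert.c-on/data/projects/keystore/devel.truststore"/>
        <property name="javax.net.ssl.trustStorePassword" value="123456"/>
    </system-properties>
    <!-- remainder of standalone.xml unchanged -->
</server>
```

This is why the JAVA_OPTS attempts in the question showed null at runtime: standalone.conf is only read by standalone.sh, so a launcher that starts the JVM directly, as an IDE launch configuration does, never sees anything placed there. The same property can be added to a running server with the CLI instead of editing the file: /system-property=javax.net.ssl.trustStore:add(value=/home/stewert.c-on/data/projects/keystore/devel.truststore). As with the JAVA_OPTS approach, this property replaces the JDK's cacerts for the whole server, so any public CA the application also needs must be imported into devel.truststore as well.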

Tomcat in Eclipse: It runs but time out during startup anyway

I'm running a Java web app in Eclipse (Helios) using Tomcat 7. The server starts up successfully (duration indicated); however, Eclipse's progress bar still spins saying that Tomcat is starting up. Eventually the timeout is reached and an error is thrown.
I believe Tomcat is fine, as I've taken the command that it uses and run it manually in the shell. Tomcat runs fine and I'm able to hit the web app at the expected URL. I can also hit it after it's started up and before the timeout occurs.
I've reinstalled Eclipse, I ran it with -clean, I deleted/recreated the server. Nothing has worked. Anybody have any clues?
I had this issue; it seems that Eclipse calls the application URL after startup to make sure it is running.
A proxy client (pshione) had changed the system proxy, so Eclipse could not call the start page and thought that the application was not started yet!!
I removed the proxy and it works fine now!
Edited:
This can also happen when you start your Tomcat with SSL but the SSL certificate is not valid. When you make a call to a site with an invalid SSL certificate, some browsers ask whether you want to go on or not, but Eclipse cannot connect to your invalid SSL site! I suggest testing your site with normal HTTP instead of HTTPS.
This issue is related to a Tomcat configured with HTTPS without an HTTP connector.
I had this SSL connector in server.xml and my Tomcat in Eclipse was always showing Starting:
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
I suppose Eclipse uses an HTTP connection to the server to verify that the instance of Tomcat is available.
I solved this problem by including an additional HTTP connector redirecting to HTTPS in server.xml.
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
redirectPort="443"/>
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
With this change my Tomcat in Eclipse starts properly, showing the Debugging state.
Some updates of Java cause problems with Eclipse's networking operation. Specifically, Eclipse tries to use IPv6 instead of IPv4 and sometimes fails. When Eclipse starts up Tomcat, one of the final steps it does is to test a debug call to Tomcat. This is likely to be the part that is hanging. Fortunately, the fix is very easy. We simply tell Eclipse to use IPv4 instead.
To do this, edit the eclipse.ini file (found in the Eclipse directory) and add the following to the end of the file on its own line:
-Djava.net.preferIPv4Stack=true
Restart Eclipse and you should be good to go.
I had the same issue, it was due to the connectors I had defined (I only had an AJP connector).
Adding an HTTP connector to Tomcat's server.xml solved the problem.
I've found the answer (just after posting here, which, ironically, seems to be how to find answers to one's own questions).
The answer was that the port was being used by another process. I should've known, but upgrading several different packages will do this. But on to the symptoms:
Tomcat starts successfully. Able to hit the application before the timeout.
Eclipse looks like it's unable to determine whether the server has started or stopped.
HTTP is currently running on the default of 8080. Unfortunately, my data store was listening on 8080 (my guess, as I'm not particularly sure what it does with the port except that it's allocated for JMX). I'm guessing that Eclipse is unable to detect Tomcat at 8080.
I got this problem; it seems that my Tomcat version was buggy (Tomcat 7.0.23).
Switch your Tomcat version to another (e.g. Tomcat 7.0.14); it works for me.
Good luck
This could happen if two servlets have been mapped to the same request URL: Tomcat will start up fine, but Eclipse won't be able to generate the correct web.xml file and therefore won't be able to publish the web app.
Check your servlet mapping @WebServlet("/TheURLThatShouldInvokeThisServlet") and make sure two servlets don't have the same "TheURLThatShouldInvokeThisServlet".
(Putting it here for the record!)
