• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Liutauras Vilda
  • Jeanne Boyarsky
Sheriffs:
  • Junilu Lacar
  • Rob Spoor
  • Paul Clapham
Saloon Keepers:
  • Tim Holloway
  • Tim Moores
  • Jesse Silverman
  • Stephan van Hulst
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Piet Souris
  • Frits Walraven

configuring Tomcat for SSL

 
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Dear All,
I have created a Keystore that contains the self signed certificate and the private key.
then I have configured the Server.XML :

what else I have to do that I can see the HTTPS ?
what is the next steps?
Thank you so much...
 
Ranch Hand
Posts: 225
Eclipse IDE Debian Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If you’re not using the default JKS keystore type, you will need to tell Tomcat. Look in the documentation for keystoreType, or put your keys in a JKS keystore instead.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Carey Evans wrote:If you’re not using the default JKS keystore type, you will need to tell Tomcat. Look in the documentation for keystoreType, or put your keys in a JKS keystore instead.



I am using JCE to create a PKCS12 keystore format that contain my selfsinged certificate + private key
 
Carey Evans
Ranch Hand
Posts: 225
Eclipse IDE Debian Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

hossein arabi wrote:I am using JCE to create a PKCS12 keystore format that contain my selfsinged certificate + private key


Since you've chosen not to use a JKS keystore, you need to configure Tomcat to tell it what kind of keystore you are using.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
thanks....
I had mention the type of the certificate in server.xml:


and now the problem is that I cannot open the https with browser except with netscape browser and it makes me confuse...
1. the question is that how I can view the https from IE because I am gonna use that browser( when I use .jks format for keystore everything goes well but since I have to use client certificate it should be .pfx format)
and tomcat is running well...(
thank you so much :P
 
Carey Evans
Ranch Hand
Posts: 225
Eclipse IDE Debian Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If it works with JKS, why can't you use that? The JCA Reference Guide explains that PKCS #12 doesn't support trusted certificates yet, which JKS does, so this may be the problem. You can still use PKCS #12 for the client key, and JKS for the server key and trusted client certificate.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
so it means that the format can be different?
I can use jks for the server and PFX (pkcs12) for the client?

and one more question is that is it for the client authentication also I need to create key store or just the certificate is enough?
thanks....
 
Carey Evans
Ranch Hand
Posts: 225
Eclipse IDE Debian Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Well, you would use JKS for Java code, and PFX to supply a key for the browser to import into its own keystore, which is different for Internet Explorer and Firefox.

If you're using SSL to authenticate the client, it needs a private key, which can be exported to and imported from a PFX file. If you're using a password to authenticate the client, and only using SSL to authenticate the server, all the client needs is the server certificate.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I wanna use mutual authentication...so both server and client authentication is needed...
till now I could manage to do the server authentication...
the only thing left is the client authentication which I don have any clue that :
1. how to request the client certificate from server
2. is it just a client certificate or is a keystore that contains the client cert+private key?
thanks for guiding me ....
 
Carey Evans
Ranch Hand
Posts: 225
Eclipse IDE Debian Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
For mutual authentication, each end needs its own private key in its keystore, and a certificate from the other end in its truststore; this certificate could be from the other key, or a CA which has signed it. Tomcat makes the truststore the same as the keystore by default, which can be confusing. You also need to configure Tomcat to ask for the other end’s certificate with the clientAuth setting.

Java 6 also doesn't support a PKCS #12 (PFX or P12) file for the truststore, only JKS or JCEKS.

The browser can get the remote certificate into its trusted certificates from a .CER file. Its private key can be imported from a PKCS #12 file, or it can generate one itself and get it signed online by a CA. You can run your own CA using EJBCA, or one that comes with your OS.

Note that you don’t need to issue the certificates for the browsers yourself. If your users get their client certificates from Brand X CA, you can add Brand X CA’s root certificate to your server’s trust store to accept the client certificates.
 
reply
    Bookmark Topic Watch Topic
  • New Topic