Win a copy of Functional Reactive Programming this week in the Other Languages forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

configuring Tomcat for SSL

 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Dear All,
I have created a Keystore that contains the self signed certificate and the private key.
then I have configured the Server.XML :

what else I have to do that I can see the HTTPS ?
what is the next steps?
Thank you so much...
 
Carey Evans
Ranch Hand
Posts: 225
Debian Eclipse IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you’re not using the default JKS keystore type, you will need to tell Tomcat. Look in the documentation for keystoreType, or put your keys in a JKS keystore instead.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Carey Evans wrote:If you’re not using the default JKS keystore type, you will need to tell Tomcat. Look in the documentation for keystoreType, or put your keys in a JKS keystore instead.


I am using JCE to create a PKCS12 keystore format that contain my selfsinged certificate + private key
 
Carey Evans
Ranch Hand
Posts: 225
Debian Eclipse IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hossein arabi wrote:I am using JCE to create a PKCS12 keystore format that contain my selfsinged certificate + private key

Since you've chosen not to use a JKS keystore, you need to configure Tomcat to tell it what kind of keystore you are using.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
thanks....
I had mention the type of the certificate in server.xml:


and now the problem is that I cannot open the https with browser except with netscape browser and it makes me confuse...
1. the question is that how I can view the https from IE because I am gonna use that browser( when I use .jks format for keystore everything goes well but since I have to use client certificate it should be .pfx format)
and tomcat is running well...(
thank you so much :P
 
Carey Evans
Ranch Hand
Posts: 225
Debian Eclipse IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If it works with JKS, why can't you use that? The JCA Reference Guide explains that PKCS #12 doesn't support trusted certificates yet, which JKS does, so this may be the problem. You can still use PKCS #12 for the client key, and JKS for the server key and trusted client certificate.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
so it means that the format can be different?
I can use jks for the server and PFX (pkcs12) for the client?

and one more question is that is it for the client authentication also I need to create key store or just the certificate is enough?
thanks....
 
Carey Evans
Ranch Hand
Posts: 225
Debian Eclipse IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Well, you would use JKS for Java code, and PFX to supply a key for the browser to import into its own keystore, which is different for Internet Explorer and Firefox.

If you're using SSL to authenticate the client, it needs a private key, which can be exported to and imported from a PFX file. If you're using a password to authenticate the client, and only using SSL to authenticate the server, all the client needs is the server certificate.
 
hossein arabi
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I wanna use mutual authentication...so both server and client authentication is needed...
till now I could manage to do the server authentication...
the only thing left is the client authentication which I don have any clue that :
1. how to request the client certificate from server
2. is it just a client certificate or is a keystore that contains the client cert+private key?
thanks for guiding me ....
 
Carey Evans
Ranch Hand
Posts: 225
Debian Eclipse IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
For mutual authentication, each end needs its own private key in its keystore, and a certificate from the other end in its truststore; this certificate could be from the other key, or a CA which has signed it. Tomcat makes the truststore the same as the keystore by default, which can be confusing. You also need to configure Tomcat to ask for the other end’s certificate with the clientAuth setting.

Java 6 also doesn't support a PKCS #12 (PFX or P12) file for the truststore, only JKS or JCEKS.

The browser can get the remote certificate into its trusted certificates from a .CER file. Its private key can be imported from a PKCS #12 file, or it can generate one itself and get it signed online by a CA. You can run your own CA using EJBCA, or one that comes with your OS.

Note that you don’t need to issue the certificates for the browsers yourself. If your users get their client certificates from Brand X CA, you can add Brand X CA’s root certificate to your server’s trust store to accept the client certificates.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic