
SSL configuration Tomcat 8.5, Java 8, openssl 1.0.1e: can't make it work  RSS feed

 
Kevin Brand
Greenhorn
Posts: 1
Hello group,

Hoping for some help getting the SSL 8443 port to accept https connections.  Have the following setup:

CentOS: 2.6.32-220.el6.i686
Java: 1.8.0-openjdk-1.8.0.91-3.b14.el6_8.i386
OpenSSL: 1.0.1e-48.el6_8.1
Tomcat: 8.5.4
Apr-devel: 1.5.2

o used keytool to setup a 2048 bit keystore with self-signed certificate
o generated the CSR and sent to CA
o imported the return from the CA along with root and chain

I have had no luck configuring the Connector for port 8443 with the above software. 

I attempted to use the Tomcat 6/7 syntax to associate the Connector to the keystore with no luck.  In the docs, it states that 8.5 will use the old syntax and build an SSLHostConfig stanza in the background:

Old syntax:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
        maxThreads="200" compression="on"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/opt/tomcat/.keystore" keyAlias="tomcat" keystorePass="changeit" />

The password given in the Connector is the same as that defined for both the keystore and the self-signed certificate.  Using the above I either get a hang forever on access to 8443 or the server returns "keystore tampered with or bad password".

I've also tried the above but using protocol="org.apache.coyote.http11.Http11NioProtocol"  -- Nio, and Nio2

Example error message:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
java.lang.IllegalArgumentException: java.io.IOException: Keystore was tampered with, or password was incorrect

.. with the same results ( hang or password error ).

New syntax:
I've tried all sorts of combinations of entries/attributes  of the SSLHostConfig object with no joy.  It either just throws Java errors at startup or hangs on access ( no password errors here as I don't even think it is attempting to hit the keystore ).

Can anyone here suggest a route to get 8443 up on Tomcat 8.5 w/Java 8 on CentOS 6?

I've tried the default/delivered server.xml ( 8.5.4 ) but it doesn't work either, just hangs on access. 

nmap -p 8443 --script ssl-* <localhost>

Also just hangs forever.

I'd be interested to hear of others who have done either of the following:

1) successfully subscribed to the user mailing list for Tomcat: users@tomcat.apache.org
2) successfully got SSL working on Tomcat 8.5 w/Java 8 ( via any SSL protocol )


thanks,

-klb
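For comparison with the old-syntax Connector above, here is the same port-8443 Connector written in the Tomcat 8.5 SSLHostConfig form. This is an added example, not the poster's or Tomcat's own server.xml: the keystore path, alias and password are the values from the post, and the NIO (JSSE, no APR/OpenSSL) protocol is assumed.

```xml
<!-- Added example: Tomcat 8.5 SSLHostConfig form of the 8443 Connector.
     Keystore path/alias/password are taken from the post; NIO is assumed. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" compression="on"
           scheme="https" secure="true" SSLEnabled="true">
    <!-- protocols restricts the TLS versions offered; TLSv1.2 is available on Java 8 -->
    <SSLHostConfig protocols="TLSv1.2">
        <!-- certificateKeyPassword defaults to certificateKeystorePassword, so it is
             omitted here because keystore and key share the same password -->
        <Certificate certificateKeystoreFile="/opt/tomcat/.keystore"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

With the NIO connector the "Keystore was tampered with, or password was incorrect" message comes from Java's own keystore loader, so if it persists the keystore can be checked outside Tomcat with keytool -list -keystore /opt/tomcat/.keystore -storepass changeit.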

 
Tim Holloway
Bartender
Posts: 18531
Welcome to the JavaRanch, Kevin!

I may be overly conservative, but I still haven't gained complete trust in the open-source JDKs when used with J2EE. For a long time they weren't fully functional. So I use one of the commercial (Sun/Oracle) or IBM (J9) JDKs when running J2EE servers.

If you are trying to run an APR build, I'm not sure if the usual advice I give applies. Frankly, APR is primarily about performance, and I sneer at "giving 110%", because if you're running that close to the limit, you've already forfeited your ability to handle things when it all really goes pear-shaped. In short, I run the vanilla Tomcat and resort to less expensive ways to keep my performance up.

Here's my port 8443 Connector:


And yes, I did "borrow" my keystore from a Tomcat 6 server. This particular stanza is lifted from a Tomcat 7 server, but as far as I recall, Tomcat 8 is similar.

The important things to note are that I made sure that this connector wasn't commented out (since it's disabled in the sample server.xml) and that I added my cert according to the docs at tomcat.apache.org. The cert alias name is "tomcat", as per the docs.

When using a signed cert, it's important to add each cert in the chain in order, so that when you add a downstream cert, it can already find its upstream cert. And make sure that what you added is, in fact, a cert and not a key - the keystore list function will tell you about that.

Normally when starting Tomcat, if port 8443 is mis-configured, the SSL port will not be opened, but Tomcat will start anyway: netstat will not show port 8443, but the Tomcat log (catalina.out) will complain. When a client attempts to connect via port 8443, the request will fail and an error message will probably be displayed in the browser window. SSL should not hang even if it fails.
 
Don't get me started about those stupid light bulbs.