- used keytool to set up a 2048-bit keystore with a self-signed certificate
- generated the CSR and sent it to the CA
- imported the return from the CA along with the root and chain
I have had no luck configuring the Connector for port 8443 with the above software.
I attempted to use the Tomcat 6/7 syntax to associate the Connector with the keystore, with no luck. In the docs, it states that 8.5 will use the old syntax and build an SSLHostConfig stanza in the background:
The password given in the Connector is the same as that defined for both the keystore and the self signed certificate. Using the above I either get a hang forever on access to 8443 or the server returns keystore tampered with or bad password.
I've also tried the above but using protocol="org.apache.coyote.http11.Http11NioProtocol" (Nio and Nio2)
Example error message:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
java.lang.IllegalArgumentException: java.io.IOException: Keystore was tampered with, or password was incorrect
... with the same results (hang or password error).
I've tried all sorts of combinations of entries/attributes of the SSLHostConfig object with no joy. It either just throws Java errors at startup or hangs on access ( no password errors here as I don't even think it is attempting to hit the keystore ).
Can anyone here suggest a route to get 8443 up on Tomcat 8.5 w/Java 8 on CentOS 6?
I've tried the default/delivered server.xml ( 8.5.4 ) but it doesn't work either, just hangs on access.
nmap -p 8443 --script ssl-* <localhost>
Also just hangs forever.
I'd be interested to hear of others who have done either of the following:
1) successfully subscribed to the user mailing list for Tomcat: firstname.lastname@example.org
2) successfully got SSL working on Tomcat 8.5 w/Java 8 (via any SSL protocol)
I may be overly conservative, but I still haven't gained complete trust in the open-source JDKs when used with J2EE. For a long time they weren't fully functional. So I use one of the commercial (Sun/Oracle) or IBM (J9) JDKs when running J2EE servers.
If you are trying to run an APR build, I'm not sure if the usual advice I give applies. Frankly, APR is primarily about performance, and I sneer at "giving 110%" because if you're running that close to the limit, you've already forfeited your ability to handle things when it all really goes pear-shaped. In short, I run the vanilla Tomcat and resort to less expensive ways to keep my performance up.
Here's my port 8443 Connector:
And yes, I did "borrow" my keystore from a Tomcat 6 server. This particular stanza is lifted from a Tomcat 7 server, but as far as I recall, Tomcat 8 is similar.
The important things to note are that I made sure that this connector wasn't commented out (since it's disabled in the sample server.xml) and that I added my cert according to the docs at tomcat.apache.org. The cert alias name is "tomcat", as per the docs.
When using a signed cert, it's important to add each cert in the chain in order, so that when you add a downstream cert, it can already find its upstream cert. Also make sure that what you added is, in fact, a cert and not a key; the keystore list function will tell you about that.
Normally when starting Tomcat, if port 8443 is mis-configured, the SSL port will not be opened but Tomcat will start anyway, netstat will not show port 8443, but the Tomcat log (catalina.out) will complain. When a client attempts to connect via port 8443, the request will fail and an error message will probably be displayed in the browser window. SSL should not hang even if it fails.
"privilege" comes from the Latin words for "private" and "law" (legal) and dates to feudal times. To "claim privilege" meant that you were above the laws that applied to the common people.
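For reference, here is a Tomcat 8.5 port 8443 Connector in the SSLHostConfig form the docs describe, followed by the legacy Tomcat 6/7 attribute form that 8.5 still accepts. This is an added example, not the stanza from the post above; the keystore path, password and alias are placeholder assumptions to be replaced with your own, and only one of the two Connectors should be active in server.xml at a time.

```xml
<!-- Tomcat 8.5 HTTPS connector, SSLHostConfig syntax.
     Placeholders (assumed): conf/tomcat.jks, changeit, alias "tomcat". -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <!-- Restrict to TLS 1.2; the 8.5 default already excludes SSLv3. -->
    <SSLHostConfig protocols="TLSv1.2">
        <!-- certificateKeystorePassword is the *keystore* password.
             If the private key inside was given a different password,
             add certificateKeyPassword as well; a mismatch here is what
             produces "Keystore was tampered with, or password was incorrect".
             certificateKeyAlias must match the alias reported by
             keytool -list -keystore conf/tomcat.jks (entry type PrivateKeyEntry,
             not trustedCertEntry). -->
        <Certificate certificateKeystoreFile="conf/tomcat.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Equivalent legacy (Tomcat 6/7 style) attributes. Tomcat 8.5 accepts these
     and builds the SSLHostConfig/Certificate pair from them at startup.
     Do not enable both Connectors on the same port. -->
<!--
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/tomcat.jks"
           keystorePass="changeit"
           keyAlias="tomcat" />
-->
```

After starting Tomcat, confirm the port is actually bound (netstat -tlnp | grep 8443) before testing with a client; if it is absent, the cause is in catalina.out, not in the client.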