
Tomcat 8.5 SSL config different from Tomcat 7?

 
Quincy Schmidt
Greenhorn
Posts: 6
I upgraded our Tomcat on Windows 2012 from 7 to 8.5 and I am unable to get SSL/8443 working.

Tomcat works and our application works etc. with the basic server.xml config, but when I add in the SSL info the Tomcat service stops and throws an error. Is SSL configured differently in 8.5?

This is what I had in the Tomcat 7 server.xml and was working prior to the upgrade. I am trying it in the Tomcat 8.5 server.xml and Tomcat will not start.




Error:
2017-06-14 09:57:13 Commons Daemon procrun stdout initialized
09:57:14,280 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback.groovy]
09:57:14,280 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
09:57:14,280 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/E:/opt/Tomcat%208.5/bin/logback-config/logback.xml]
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.ContextNameAction - Setting logger context name as [TC]
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.LoggerContextListenerAction - Adding LoggerContextListener of type [ch.qos.logback.classic.jul.LevelChangePropagator] to the object stack
09:57:14,358 |-INFO in ch.qos.logback.classic.jul.LevelChangePropagator@7cbd213e - Propagating DEBUG level on Logger[ROOT] onto the JUL framework
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.LoggerContextListenerAction - Starting LoggerContextListener
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.JMXConfiguratorAction - begin
09:57:14,374 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - About to instantiate appender of type [ch.qos.logback.core.ConsoleAppender]
09:57:14,374 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - Naming appender as [STDOUT]
09:57:14,389 |-INFO in ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Assuming default type [ch.qos.logback.classic.encoder.PatternLayoutEncoder] for [encoder] property
09:57:14,421 |-INFO in ch.qos.logback.classic.joran.action.RootLoggerAction - Setting level of ROOT logger to INFO
09:57:14,421 |-INFO in ch.qos.logback.classic.jul.LevelChangePropagator@7cbd213e - Propagating INFO level on Logger[ROOT] onto the JUL framework
09:57:14,421 |-INFO in ch.qos.logback.core.joran.action.AppenderRefAction - Attaching appender named [STDOUT] to Logger[ROOT]
09:57:14,421 |-INFO in ch.qos.logback.classic.joran.action.ConfigurationAction - End of configuration.
09:57:14,421 |-INFO in ch.qos.logback.classic.joran.JoranConfigurator@1ee807c6 - Registering current configuration as safe fallback point
2017-06-14 09:57:14,421 TC WARN  [main] org.apache.tomcat.util.net.SSLHostConfig - The property [Certificate.certificateKeystoreFile] was set on the SSLHostConfig named [_default_] and is for connectors of type [JSSE] but the SSLHostConfig is being used with a connector of type [OPENSSL]
2017-06-14 09:57:14,436 TC WARN  [main] org.apache.tomcat.util.net.SSLHostConfig - The property [Certificate.certificateKeystorePassword] was set on the SSLHostConfig named [_default_] and is for connectors of type [JSSE] but the SSLHostConfig is being used with a connector of type [OPENSSL]
2017-06-14 09:57:14,436 TC WARN  [main] org.apache.tomcat.util.net.SSLHostConfig - The property [sslProtocol] was set on the SSLHostConfig named [_default_] and is for connectors of type [JSSE] but the SSLHostConfig is being used with a connector of type [OPENSSL]
2017-06-14 09:57:14,436 TC ERROR [main] org.apache.tomcat.util.digester.Digester - End event threw exception
java.lang.reflect.InvocationTargetException: null
 
Quincy Schmidt
Greenhorn
Posts: 6
I got the service to come up and I can bring up WSDL pages etc. now. Except it works with http and not https.

Do I need to configure the SSLHostConfig section? And can I put in the full path to the .jks file or does it need to be in the conf dir? (E:\keystore\key.jks)

 
Quincy Schmidt
Greenhorn
Posts: 6
From the log file:
 
Rob Spoor
Sheriff
Posts: 21021
  • Likes 1
Quincy Schmidt wrote: From the log file:

That means that something is already running on the same port (8443). Did you shut down any previous instance of Tomcat?

To find out what's running on that port you can run netstat -ban as Administrator (on Linux it's netstat -plan), then search for the port.
 
Quincy Schmidt
Greenhorn
Posts: 6
  • Likes 3
Rob Spoor wrote:
Quincy Schmidt wrote: From the log file:

That means that something is already running on the same port (8443). Did you shut down any previous instance of Tomcat?

To find out what's running on that port you can run netstat -ban as Administrator (on Linux it's netstat -plan), then search for the port.


Thank you for the reply!  I changed port 8080 to 8443 as a test. Having changed it back the bind error no longer comes up.




Finally got it figured out!

Tomcat7:
 


Tomcat8:

Not sure if this is needed or not, but after reading another forum post I commented out line 28: <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>

SSL Config:
  


 
Knute Snortum
Sheriff
Posts: 3837
Thanks for posting your solution.
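
The configuration difference behind the warnings in the first post, as an added example (not the poster's server.xml, whose snippets did not survive on this page). The keystore path is the one mentioned in the thread; the password placeholder, the `protocols` value and the `maxThreads` value are assumptions.

```xml
<!-- Added example: constructed for illustration, not taken from the thread. -->

<!-- Tomcat 7 style (shown commented out): JSSE keystore attributes sit
     directly on the Connector. In Tomcat 8.5, protocol="HTTP/1.1" selects
     the APR/native connector when the native library is loaded by
     AprLifecycleListener. That connector is of type OPENSSL, so the
     keystore attributes below trigger the SSLHostConfig warnings
     quoted in the first post.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="E:\keystore\key.jks"
           keystorePass="CHANGE_ME"/>
-->

<!-- Tomcat 8.5 style: name the NIO connector and the JSSE implementation
     explicitly so the Java keystore is read by JSSE, and move the TLS
     settings into SSLHostConfig / Certificate. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150">
  <!-- protocols restricts the TLS versions offered (assumed value) -->
  <SSLHostConfig protocols="TLSv1.2">
    <!-- An absolute path is accepted; a relative path is resolved
         against CATALINA_BASE. Password is a placeholder. -->
    <Certificate certificateKeystoreFile="E:\keystore\key.jks"
                 certificateKeystorePassword="CHANGE_ME"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

Port 8443 must not also be assigned to the plain HTTP connector, which is what produced the bind error discussed earlier in the thread.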
 
Mike London
Ranch Hand
Posts: 1412
Good discussion.

To get the certificate working, did you need to follow all these steps?

https://cas.hgtc.edu/docs/ssl-howto.html

Any of these particularly problematic?

I'm going to tackle the SSL in Tomcat issue this coming week once I figure out which cert to get.

Thanks,

- mike

 
Knute Snortum
Sheriff
Posts: 3837
That URL seems to be an out-of-date version of this:

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
 
Mike London
Ranch Hand
Posts: 1412
Knute Snortum wrote: That URL seems to be an out-of-date version of this:

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html


Thanks, will update my link, thank you.

If I get my certificate files for Apache, it looks like I skip to:

1. Modify the Tomcat config files, and
2. The Step: "Installing a Certificate from a Certificate Authority"

Thanks,

- Mike
 