
[Update - Success] Adding SSL certificate to Server.xml

 
Marty Finn
Greenhorn
Posts: 7
Preface: I know nothing about web servers, as you will soon understand, but still I am the one that has to get this done. I am walking into this blind.

I am trying to update our Server.xml as per these instructions. But our Server.xml file doesn't have this section to uncomment. I will post our Server.xml below.

___________________________________________
Open the server.xml file.
After uncommenting the SSL/TLS connector from server.xml, locate the following text section:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
Add the "keystoreFile" and "keystorePass" directives:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/full/path/to/tomcat.keystore" keystorePass="changeit" />
Restart Tomcat.
________________________________________________




Any help really appreciated. I am totally lost. I have been reading at apache.tomcat.org and have tried to paste some examples in but then Tomcat Service won't start.

[ August 27, 2007: Message edited by: Marty Finn ]
 
Rene Larsen
Ranch Hand
Posts: 1179
You can read about the configuration here: SSL Configuration HOW-TO

It looks like an easy job: just take the section that should have been uncommented from the documentation (see above) and copy/paste it into server.xml below <Service name="Catalina">
 
Marty Finn
Greenhorn
Posts: 7
Yes I did read that yesterday and tried to paste that in right where you mentioned but afterwards the Tomcat service would not load.
 
Rene Larsen
Ranch Hand
Posts: 1179
Which version of Tomcat do you have 4.0.x or 4.1.x?

Your first post shows a description for 4.0.x (<Factory className="or...), but your server.xml is from a Tomcat v4.1.x to v6.x
 
Marty Finn
Greenhorn
Posts: 7
5.0 I think..
 
Ben Souther
Sheriff
Posts: 13411
With 5, you don't need the <factory ..> tag.
You only need to enter the keystoreFile and keystorePass attributes.

 
Marty Finn
Greenhorn
Posts: 7
Thank you. Am I supposed to close this with </Connector>? When I do, the service won't start. When I don't, it starts but https:// to the site does not work.

How can I tell if I have the .java components running that are needed to facilitate this?

-Sorry for being a total noob
 
Ben Souther
Sheriff
Posts: 13411
It's an XML document so each tag has to be closed.
The example above has no body and doesn't need a separate closing tag.

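The self-closing connector the reply above describes, as an added example that is not part of the original thread or of Tomcat's own files. It is the attribute set of the HTTPS connector that ships commented out in a Tomcat 5.x server.xml, built as one `<Connector ... />` element, with the two checks a practitioner wants before restarting the service: that the edited file is still well-formed XML (an unclosed `<Connector ...>`, or a self-closing element followed by an extra `</Connector>`, is exactly what makes Tomcat refuse to start), and that no other active connector is already bound to the same port. The function names, the `keystore_type` parameter and the minimal sample server.xml are all assumptions constructed for the example; `keystoreType="PKCS12"` is the setting that goes with a keystore produced by the `openssl pkcs12 -export` route, JKS being Tomcat's default.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def https_connector(keystore_file, keystore_pass, port=8443,
                    keystore_type="JKS", client_auth=False):
    """Build the Tomcat 5.x HTTPS <Connector> as one self-closing element.

    keystore_file must point at the keystore that holds BOTH the private key
    (alias "tomcat") and the imported CA chain; certificates imported into a
    different keystore are never presented to clients.
    """
    attrs = {
        "port": str(port),
        "maxThreads": "150",
        "minSpareThreads": "25",
        "maxSpareThreads": "75",
        "enableLookups": "false",
        "disableUploadTimeout": "true",
        "acceptCount": "100",
        "scheme": "https",
        "secure": "true",
        "clientAuth": "true" if client_auth else "false",
        "sslProtocol": "TLS",
        "keystoreFile": keystore_file,
        # Cleartext secret in server.xml: restrict the file's permissions.
        "keystorePass": keystore_pass,
    }
    if keystore_type.upper() != "JKS":
        # JKS is Tomcat's default; a keystore made with `openssl pkcs12` needs this.
        attrs["keystoreType"] = keystore_type
    body = " ".join(f"{k}={quoteattr(v)}" for k, v in attrs.items())
    return f"<Connector {body} />"


def well_formed(xml_text):
    """Does the text parse as XML? Tomcat's startup parser applies the same
    test, so a fragment that fails here is a 'service won't start'."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def connectors_on_port(server_xml, port):
    """Active (not commented-out) <Connector> elements bound to port."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector") if c.get("port") == str(port)]


def add_connector(server_xml, connector, service="Catalina"):
    """Insert the connector directly below <Service name="..."> (where the
    HOW-TO says it goes), refusing duplicate ports and malformed results."""
    port = ET.fromstring(connector).get("port")
    if connectors_on_port(server_xml, port):
        raise ValueError(f"a Connector on port {port} is already active; edit it instead")
    marker = f"<Service name={quoteattr(service)}>"
    start = server_xml.index(marker) + len(marker)
    updated = server_xml[:start] + "\n\n    " + connector + "\n" + server_xml[start:]
    if not well_formed(updated):
        raise ValueError("result is not well-formed XML; Tomcat would not start")
    return updated


# Constructed, stripped-down server.xml standing in for the poster's file.
# The 8443 connector is commented out, as it ships.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" enableLookups="false" redirectPort="8443" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
    <Connector port="8443" scheme="https" secure="true" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    conn = https_connector("C:/Tomcat5/conf/tomcat.keystore", "changeit")
    print(add_connector(SAMPLE_SERVER_XML, conn))
```

Run it on a copy of the real server.xml rather than the sample, and keep the commented-out 8443 block or delete it; the duplicate check only counts connectors the parser actually sees.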
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Marty Finn:

How can I tell if I have the .java components running that are needed to facilitate this?


If you have a valid certificate, all you need to do is tell Tomcat where it is and it should work. You don't need any .java components.
 
Marty Finn
Greenhorn
Posts: 7
Thanks again.
I feel like I am getting closer. This is what I have in my server.xml.

I have tried to put the tomcat.keystore in different locations. Can it be copied from where it was created by the keytool commands? The certificate we got from GoDaddy.com had 2 options for creating the .keystore file.
Use the following OpenSSL command to combine the ca bundle (gd_bundle.crt) and your SSL certificate:

openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit
OR
Installing Root and Intermediate Certificates
Root:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt

First intermediate (gd_cross_intermediate.crt):
keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt

Second intermediate (gd_intermediate.crt):
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
I chose the second option because "OPENSSL" was an invalid command.

Anyway, this is the error I now get in the stdout.log


Thanks Again
[ August 27, 2007: Message edited by: Marty Finn ]
 
Marty Finn
Greenhorn
Posts: 7
OK thanks for all the help. I was importing the certificates into the wrong .keystore file.

When I now go to https://localhost:8443 I am prompted about the certificate and our webpage loads. However, from outside, just going to https://ourwebsite.com gives "page cannot be displayed" but plain http:// works.

Any ideas on my next step?
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Marty Finn:
OK thanks for all the help. I was importing the certificates into the wrong .keystore file.

When I now go to https://localhost:8443 I am prompted about the certificate and our webpage loads. However, from outside, just going to https://ourwebsite.com gives "page cannot be displayed" but plain http:// works.

Any ideas on my next step?


Congrats on the keystore file.
TIP: Document what you did. You won't remember this stuff a year from now when you need to do it again.


If Tomcat is serving up your pages under SSL from within your network or on the local machine, it's working.
Check your firewall settings and/or your port forwarding to make sure that 8443 is both open to the outside world and pointing to the correct machine.
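The firewall and port-forwarding check from the reply above, as an added example that is not part of the original thread. One detail worth holding onto: `https://ourwebsite.com` with no port means 443, while the connector in this thread listens on 8443, so the probe has to be run against whichever port the public URL actually reaches (forward 443 to 8443 if the URL is to stay port-less). The probe works outside-in: TCP first (a refusal or a timeout is a firewall, forwarding or not-listening problem, not a certificate one), then a verified TLS handshake, then an unverified one to capture the certificate the server really presents. A result of `tls-untrusted` with "unable to get local issuer certificate" is what you see when the intermediates were imported into a keystore other than the one holding the private key. `probe_https`, the helper names and the local plain-HTTP listener used to exercise it are assumptions constructed for the example.

```python
import socket
import ssl
import sys
import threading


def probe_https(host, port, timeout=5.0):
    """Classify what answers at host:port, in the order an operator needs:
    TCP reachability, then a verified TLS handshake, then an unverified
    handshake to see which certificate is actually presented."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"status": "refused",
                "hint": "host reached, nothing accepting: wrong machine, wrong port, or Tomcat not listening"}
    except (socket.timeout, TimeoutError):
        return {"status": "timeout",
                "hint": "no answer at all: firewall drop or missing port forward"}
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}

    # Phase 2: handshake with full chain and hostname verification.
    # wrap_socket closes the socket itself if the handshake fails.
    verified = ssl.create_default_context()
    try:
        with verified.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert["subject"])
            return {"status": "tls-trusted", "protocol": tls.version(), "subject": subject}
    except ssl.SSLCertVerificationError as exc:
        reason = getattr(exc, "verify_message", str(exc))
    except ssl.SSLError as exc:
        return {"status": "not-tls", "detail": exc.reason or str(exc),
                "hint": "a plain-HTTP or other non-TLS listener answered on this port"}
    except OSError as exc:
        return {"status": "not-tls", "detail": str(exc)}

    # Phase 3: verification failed; reconnect without it to grab the leaf cert
    # so it can be inspected (e.g. with `openssl x509 -noout -text`).
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        with unverified.wrap_socket(raw, server_hostname=host) as tls:
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
            return {"status": "tls-untrusted", "reason": reason,
                    "protocol": tls.version(), "leaf_cert_pem": pem}
    except OSError as exc:
        return {"status": "tls-untrusted", "reason": reason, "detail": str(exc)}


def unused_port():
    """A local port nothing listens on (constructed for the demo: bind to 0, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_plain_http_listener():
    """Constructed stand-in for a plain-HTTP port such as Tomcat's 8080: it
    answers the first connection with HTTP bytes instead of a TLS handshake."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    conn.recv(4096)          # swallow the ClientHello
                except OSError:
                    pass
                conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_https(host, port))
```

Run it from a machine outside the network (`python probe.py ourwebsite.com 443`, then `8443`): a `timeout` or `refused` on the public port with `tls-trusted` on `localhost:8443` is the firewall or forwarding case the reply describes, not a Tomcat problem.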
 