I configured Tomcat 7 for SSL. I generated the keystore like this:
keytool -genkey -alias tomcat -keyalg RSA
In server.xml, I have
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="/Users/xxxxx/.keystore" keystorePass="changeit" />
If I run Tomcat directly, $TOMCAT_HOME/bin/startup.sh, when I access https://localhost:8443 from Chrome I at least get the untrusted-certificate warning, etc.
However, if I start Tomcat from Eclipse, it keeps getting this error:
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I even added the ciphers to the Connector, but still the same error:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tim" keystoreFile="/Users/z0029mb/.keystore" keystorePass="changeit"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
JAVA_HOME is jdk1.8.0_101 for both Eclipse and Tomcat, running on OS X. So why does the Eclipse Tomcat plugin interfere with Tomcat starting up in a way that makes Tomcat behave differently?
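An added example (not code from the question above or from Tomcat): a small audit of the SSL connectors in a server.xml like the one posted. It parses each Connector with ElementTree and reports what a reviewer would check before trusting the listener: RC4 and other weak suites in the ciphers list, suites without forward secrecy, a missing keystoreFile (Tomcat then falls back to .keystore in the home of the user running it, which is one reason an IDE-launched Tomcat can behave differently from a shell-launched one), SSLv3 via sslProtocol, and a keystore password kept in the file. The severity labels and the cipher policy are assumptions of this example.

```python
"""Audit the SSL connectors in a Tomcat / JBoss Web server.xml.

Added example (not code from the question above or from Tomcat).
It parses every <Connector SSLEnabled="true"> with ElementTree and
reports what a reviewer checks before trusting the listener: RC4 and
other weak suites, suites without forward secrecy, a missing keystore,
SSLv3 and a keystore password kept in the file.  Severity labels and
the cipher policy are assumptions of this example.
"""
import xml.etree.ElementTree as ET

# RC4 is prohibited by RFC 7465; NULL/anon/EXPORT/DES suites are weaker still.
WEAK_MARKERS = ("RC4", "_NULL_", "_anon_", "EXPORT", "DES_")
# Static RSA key exchange: a leaked server key decrypts recorded traffic.
NO_PFS_PREFIXES = ("TLS_RSA_WITH_", "SSL_RSA_WITH_")


def parse_ciphers(value):
    """Split a 'ciphers' attribute; the newlines and spaces that appear
    inside the attribute value in the question are tolerated."""
    return [c.strip() for c in value.split(",") if c.strip()]


def audit_connector(conn):
    """Return (severity, message) findings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP/AJP connector: nothing TLS to check
    port = conn.get("port", "?")
    if not conn.get("keystoreFile"):
        # Tomcat's JSSE default is .keystore in the home of the user running it.
        findings.append(("warn", f"port {port}: no keystoreFile, JSSE falls back to ~/.keystore"))
    if conn.get("keystorePass"):
        findings.append(("info", f"port {port}: keystorePass is stored in server.xml, restrict file permissions"))
    proto = conn.get("sslProtocol", "TLS")
    if proto.upper().startswith("SSL"):
        findings.append(("high", f"port {port}: sslProtocol={proto} enables SSLv3"))
    for suite in parse_ciphers(conn.get("ciphers", "")):
        if any(m in suite for m in WEAK_MARKERS):
            findings.append(("high", f"port {port}: weak cipher suite {suite}"))
        elif suite.startswith(NO_PFS_PREFIXES):
            findings.append(("low", f"port {port}: no forward secrecy: {suite}"))
    if conn.get("clientAuth", "false").lower() == "true" and not conn.get("truststoreFile"):
        findings.append(("warn", f"port {port}: clientAuth=true without truststoreFile, the default JVM truststore is used"))
    return findings


def audit_server_xml(xml_text):
    """Audit every Connector in a server.xml document string."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


# Constructed sample: the connector from the question, with a shortened
# cipher list, wrapped in the Server/Service structure server.xml has.
SAMPLE = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
  keystoreFile="/Users/xxxxx/.keystore" keystorePass="changeit"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
  TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""

if __name__ == "__main__":
    for severity, message in audit_server_xml(SAMPLE):
        print(f"[{severity}] {message}")
```

Run it against the real conf/server.xml and against the copy Eclipse keeps under its Servers project; a finding that appears in one and not the other is the first place to look when the two launches behave differently.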
If you use the SHA-1 hash function, you might have to re-key the certificate from your Certificate Authority (CA) to use SHA-2. This is because SHA-1 is potentially insecure.
1) Generate a CSR (Certificate Signing Request)
2) Submit CSR to your CA
3) After your CA issues the certificate files, download and install them based on your server type and CA's instructions.
Using the ServiceBindingManager referencing the "sample-bindings.xml" configuration in the /conf/jboss-service.xml:
<mbean code="org.jboss.services.binding.ServiceBindingManager"
name="jboss.system:service=ServiceBindingManager">
<attribute name="ServerName">myserver</attribute>
<attribute name="StoreURL">${jboss.home.url}/docs/examples/binding-manager/sample-bindings.xml</attribute>
<attribute name="StoreFactoryClassName">
org.jboss.services.binding.XMLServicesStoreFactory
</attribute>
</mbean>
1) Having enabled the ServiceBindingManager does it mean the "server.xml" ports are overwritten by the sample-bindings.xml defined ports?
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,text/css,text/plain"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" server="server1" />
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="250" scheme="https" secure="true"
maxHttpHeaderSize="8192"
emptySessionPath="true"
address="${jboss.bind.address}"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="xx"
truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
truststorePass="xx"
clientAuth="false" sslProtocol="TLS" server="server1" />
2) If the server.xml ports are not relevant any more, how can the TLS server certificate still be used?
After some googling, it does look like the sample-bindings.xml ports will override the port-related settings in server.xml; this is mainly used for running multiple instances of JBoss on the same server/machine. On the SSL certificate, if the keystores appear to be no longer found, you can add them as program arguments either in the JAVA_OPTS section of run.conf (I'm assuming you're using an older version of JBoss) or you can add them to the command line or script you use to start JBoss, for example:
/home/jboss/jboss-eap-5.1/jboss-as/bin/./run.sh -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.trustStore=server.keystore -Djavax.net.ssl.trustStorePassword=xx -Djavax.net.ssl.keyStorePassword=xx > /dev/null 2>&1 &
Note, you'd need the correct paths to the files.
We use the same keystore/truststore program arguments at work on many Jboss instances.
I want my app to use some third-party APIs over SSL.
Step 1: I created a key in my home directory: keytool -genkey -alias tomcat -keypass mypassword -keystore TestKeyStore.keystore -storepass mypassword -keyalg RSA -validity 360 -keysize 2048
Step 2: I added a connector in server.xml from Eclipse:
<Connector port="8443" SSLEnabled="true" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="true"
disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/media/prashant/important/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/conf/TestKeyStore.keystore"
keystorePass="mypassword" />
When I restart the project, Tomcat takes too long to start and shows nothing at the end. I tried increasing the startup time as well, but it still did not help. Any idea what I am missing?
Please give more information. But I would check whether you have allowed port 8443 in your firewall. To check that it's allowed (if it's a Linux machine), run telnet 8443. If you connect, it's allowed. Otherwise, details from the logs will help further.
I am maintaining a servlet application previously developed in Eclipse Helios. I have the servlet instance WAR file and it runs fine in my Tomcat 7.0 on Windows, and I receive the correct web responses in SoapUI. It runs with SSL encryption and the URL in SoapUI states:
https://localhost:8443/ProjectName/etc/etc
But after retrieving the original code from SVN into Eclipse Helios, I can get it to start okay running through the imported Tomcat, but it does not seem to start using SSL in Eclipse Helios, and the URL in the Eclipse tab states:
http://localhost:8000/ProjectName/etc/etc
And so when I attempt to run a web request in SoapUI it reacts like the servlet instance is not running. What am I doing wrong?
This solution is supplied for Mac; you can follow the same strategy for Windows as well.
Step 1) Generate the certificate with java keytool utility by navigating to bin folder of java installation directory
LM-MAA-22004958:etc rkala$ cd /Applications/corona-java-1.1.0/jdk-7u45-macosx-x64/Contents/Home/bin
LM-MAA-22004958:bin rkala$ keytool -genkey -alias myappcert -keyalg RSA -keystore myapp.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: localhost.xyz.com
What is the name of your organizational unit?
[Unknown]: my
What is the name of your organization?
[Unknown]: my
What is the name of your City or Locality?
[Unknown]: my
What is the name of your State or Province?
[Unknown]: my
What is the two-letter country code for this unit?
[Unknown]: my
Is CN=localhost.xyz.com, OU=my, O=my, L=my, ST=my, C=my correct?
[no]: yes
Enter key password for <myappcert>
(RETURN if same as keystore password):
Step 2): Copy the generated myapp.keystore file to tomcat /conf directory
LM-MAA-22004958:bin rkala$ mv myapp.keystore /Users/rkala/Downloads/apache-tomcat-7.0.93/conf
LM-MAA-22004958:bin rkala$ cd /Users/rkala/Downloads/apache-tomcat-7.0.93/bin
LM-MAA-22004958:bin rkala$ ./startup.sh
Using CATALINA_BASE: /Users/rkala/Downloads/apache-tomcat-7.0.93
Using CATALINA_HOME: /Users/rkala/Downloads/apache-tomcat-7.0.93
Using CATALINA_TMPDIR: /Users/rkala/Downloads/apache-tomcat-7.0.93/temp
Using JRE_HOME: /Applications/corona-java-1.1.0/jdk-7u45-macosx-x64/Contents/Home
Using CLASSPATH: /Users/rkala/Downloads/apache-tomcat-7.0.93/bin/bootstrap.jar:/Users/rkala/Downloads/apache-tomcat-7.0.93/bin/tomcat-juli.jar
Hit the browser with the URL https://localhost:8443 and you are good to go.
Step 3) Modify both server.xml files with the same config provided below:
1. Tomcat server.xml -> Path: /Users/rkala/Downloads/apache-tomcat-7.0.93/conf/server.xml
2. Under the Eclipse workspace Servers folder, modify the server.xml there as well.
Add the TLS config below this section of commented code. I used port 8443 for HTTPS.
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector
SSLEnabled="true"
clientAuth="false"
keyAlias="myappcert"
keystoreFile="/Users/rkala/Downloads/apache-tomcat-7.0.93/conf/myapp.keystore"
keystorePass="password which you supplied while generating the certificate using keytool"
maxThreads="200"
port="8443"
scheme="https"
secure="true"
sslProtocol="TLS"
/>
Step 4) Catalina policy permission:
Modify the catalina.policy file located in the /conf folder of the Tomcat installation directory.
Search for the keyword below (grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar") and replace all of that block with the single line mentioned below:
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
Step 5) Modify the eclipse.ini file, add the entries below, and then restart Eclipse.
-vmargs
-Djavax.net.ssl.trustStore=/Users/rkala/Downloads/apache-tomcat-7.0.93/conf/myapp.keystore
-Djavax.net.ssl.trustStorePassword=password which you supplied at step 1
Now you should be able to launch the application and access it via HTTPS.
I assume you are referring to running tomcat from within Eclipse. By default the server instances managed by Eclipse (projects in their own right) each have their own separate copies of the tomcat config files (server.xml, context.xml, tomcat-users.xml etc) based on the locally installed runtime version selected at creation. So if the SSL connector is not enabled within that configuration then it won't be started. This allows you to have more than one tomcat instance running at the same time, each with a different config.
To edit the configuration for an Eclipse managed tomcat instance, look for Servers in the project explorer, open your instance and edit the server.xml to uncomment the SSL connector tag which will look something like:
<Connector SSLEnabled="true" clientAuth="false" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
You may also need to create a keystore for tomcat if you haven't already - see the docs for more info: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html.
Restart tomcat from within Eclipse and try the secure address. Hope that helps.
I deleted the server in Eclipse and add it again and now everything appears to be working. Thanks to all who viewed and inputted.
I'm trying to authenticate through CAS+LDAP in a JBoss app. The config is like this:
Server 1: JBoss 6.10. CAS is deployed here.
Server 1: LDAP using OpenDS.
Server 2: JBoss with the app to log into.
I've configured both JBoss instances to use SSL correctly, and CAS successfully reads and authenticates against the LDAP.
When I get to (through HTTPS) server1:8443/app/ I'm redirected to server2:8443/cas/ and the login screen is displayed. I log in with a valid user from the LDAP, but when the flow gets back to the app I'm always getting this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
I've read it's a certificate problem and, as it is a dev environment, I'm trying a self-signed certificate. So I did this:
Generate the self-signed certificate on Server1 with:
keytool -genkey -alias jbosskey -keypass password -keyalg RSA -keystore server.keystore
Get the certificate of the Server1 with:
keytool -export -alias jbosskey -keypass password -file server.crt -keystore server.keystore
Copy server.crt to Server2 and import it into the truststore of JBoss:
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\server.truststore
This gets me the exception. So I also imported it into the cacerts of the JVM:
keytool -import -alias server1 -file server.crt -keystore C:\dev\jdk160_18\jre\lib\security\cacerts
Not working, so I tried to add the certificate to the keystore of the Jboss at Server2.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\keystore.jks
The Server1 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="password" sslProtocol = "TLS"
/>
The Server2 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="C:\dev\jboss-6.1.0.Final\keystore.jks"
keystorePass="password"
truststoreFile="C:\dev\jboss-6.1.0.Final\server.truststore"
truststorePass="password"
sslProtocol = "TLS" />
I've been stuck on this for a couple of days and don't know if I'm missing something. Did I miss something important with keytool?
Thanks in advance.
I am trying to run my application in JBoss 7, migrating from JBoss 4. In JBoss 4 we changed server.xml to configure keystoreFile, keystorePass, etc. Can anyone tell me where to make these changes in JBoss 7?
The server.xml equivalent in JBoss 7 is standalone/configuration/standalone.xml for a standalone installation and domain.xml for a domain-aware one.
I'm not sure where those options are or how you're supposed to configure it in Jboss 7, but start with standalone.xml file first.
Edit the file standalone/configuration/standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
<connector name="http" scheme="http" protocol="HTTP/1.1" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost" />
<alias name="example.com" />
</virtual-server>
</subsystem>
Replace the connector tag with the following one:
<connector name="https" scheme="https" protocol="HTTP/1.1" secure="true" socket-binding="https" ssl="your certificate name"/>
You should avoid touching the config XMLs yourself.
Rather, leave it to the domain controller and host controller,
and configure your server through the means mentioned here:
JBoss AS 7 JMX Console
Update:
For manual configuration, try the Web UI - http://localhost:9990/.
For automated configuration, try CLI scripts.
To develop and debug CLI commands, try jboss-cli.sh --gui.
But if you really must, it's in standalone/configuration/standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.0" ...>
The schema is here: http://www.jboss.org/schema/jbossas/jboss-as-web_1_2.xsd
(or later versions).
Recommended way to change the AS 7 model is anyway by means of the Command Line Interface.
For example, you can set the socket binding port of the HTTP port to 8090 with :
/socket-binding-group=standard-sockets/socket-binding=http:write-attribute(name="port", value="8090")
JBoss EAP 7 uses the Undertow web server and configures it via the undertow subsystem (which replaces the web subsystem used in previous versions). SSL/TLS setup using the CLI is described in Setting up an SSL/TLS for Applications. If you would like to directly modify the standalone.xml file, the instructions can be translated to:
1) Add and configure an HTTPS security realm: under /server/management/security-realms add an HTTPS security-realm element, for example
<security-realm name="HTTPSRealm">
<server-identities>
<ssl>
<keystore path="/path/to/your/keystore/myKeystore.jks"
keystore-password="myKeystorePassword"
alias="mySSLKeyPairAlias"
key-password="mySSLKeyPairPassword" />
</ssl>
</server-identities>
</security-realm>
2) Update the undertow subsystem to use the HTTPS security realm: under /server/profile find the Undertow subsystem element (e.g. <subsystem xmlns="urn:jboss:domain:undertow:3.1">). It has a server child element to which you add an https-listener element referencing your HTTPSRealm created in step 1 above, for example
<https-listener name="default-ssl" socket-binding="https" security-realm="HTTPSRealm" />
More details can be found at these related links:
Security Realms
Security Realm Detailed Configuration
https-listener Attributes
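An added example (not code from the answer above or from JBoss) that mechanises the mapping the answer describes, and also covers the migration question above it: it reads an old-style Tomcat / JBoss Web Connector and emits the two EAP 7 fragments, a security-realm holding the keystore under server-identities/ssl and an undertow https-listener that references it. The keystore and listener element and attribute names are the ones shown in the answer; the realm and listener names are defaults of this example, and the truststore (authentication/truststore) and verify-client mapping for clientAuth follows the EAP 7 security-realm schema rather than anything shown in the answer.

```python
"""Translate a Tomcat / JBoss Web <Connector SSLEnabled="true"> into the
two EAP 7 fragments described in the answer above: a security-realm with
a keystore under server-identities/ssl, and an undertow https-listener
that references it.  Added example, not code from the answer or from
JBoss.  Realm and listener names are defaults of this example; the
truststore and verify-client mapping follows the EAP 7 security-realm
schema, not the answer.
"""
import xml.etree.ElementTree as ET


def connector_to_eap7(connector_xml, realm_name="HTTPSRealm", listener_name="default-ssl"):
    """Return (security_realm, https_listener) Elements for one Connector."""
    conn = ET.fromstring(connector_xml)
    if conn.get("SSLEnabled", "false").lower() != "true":
        raise ValueError("not an SSL connector")
    if not conn.get("keystoreFile"):
        raise ValueError("keystoreFile is required: the realm keystore needs an explicit path")

    realm = ET.Element("security-realm", name=realm_name)
    ssl = ET.SubElement(ET.SubElement(realm, "server-identities"), "ssl")
    keystore = ET.SubElement(ssl, "keystore", path=conn.get("keystoreFile"))
    if conn.get("keystorePass"):
        keystore.set("keystore-password", conn.get("keystorePass"))
    if conn.get("keyAlias"):
        keystore.set("alias", conn.get("keyAlias"))
    # Tomcat's keyPass defaults to keystorePass, so only emit key-password
    # when the connector set it explicitly.
    if conn.get("keyPass"):
        keystore.set("key-password", conn.get("keyPass"))

    # Client-certificate trust lives under <authentication> in the realm
    # (EAP 7 security-realm schema; not shown in the answer above).
    if conn.get("truststoreFile"):
        auth = ET.SubElement(realm, "authentication")
        trust = ET.SubElement(auth, "truststore", path=conn.get("truststoreFile"))
        if conn.get("truststorePass"):
            trust.set("keystore-password", conn.get("truststorePass"))

    listener = ET.Element("https-listener", name=listener_name)
    listener.set("socket-binding", "https")
    listener.set("security-realm", realm_name)
    if conn.get("clientAuth", "false").lower() == "true":
        listener.set("verify-client", "REQUIRED")  # assumed mapping of clientAuth=true
    return realm, listener


def to_xml(elem):
    """Serialise a fragment for pasting into standalone.xml."""
    return ET.tostring(elem, encoding="unicode")


# Constructed sample: the Server2 connector from the CAS question further
# up this page.
SERVER2_CONNECTOR = """<Connector protocol="HTTP/1.1" SSLEnabled="true"
  port="8443" address="${jboss.bind.address}"
  scheme="https" secure="true" clientAuth="false"
  keystoreFile="C:\\dev\\jboss-6.1.0.Final\\keystore.jks"
  keystorePass="password"
  truststoreFile="C:\\dev\\jboss-6.1.0.Final\\server.truststore"
  truststorePass="password"
  sslProtocol="TLS"/>"""

if __name__ == "__main__":
    realm, listener = connector_to_eap7(SERVER2_CONNECTOR)
    print(to_xml(realm))
    print(to_xml(listener))
```

The realm fragment goes under /server/management/security-realms and the listener inside the undertow subsystem's server element, as the answer says; note that this carries the plaintext keystore password across unchanged, so treat the resulting standalone.xml with the same file permissions as the old server.xml.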