I want that my app should use some third party APIs with ssl .
Step 1 : I created key at my home directory keytool -genkey -alias tomcat -keypass mypassword -keystore TestKeyStore.keystore -storepass mypassword -keyalg RSA -validity 360 -keysize 2048
Step 2 :I added connector in server.xml from eclipse
<Connector port="8443" SSLEnabled="true" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="true"
disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/media/prashant/important/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/conf/TestKeyStore.keystore"
keystorePass="mypassword" />
When I restart project tomcat Is taking to long time to start and it show nothing at the end . I tried to increase startup time also still not help me. Any idea what I am missing?
Please give more information. But i would check if you have allowed port 8443 in your firewall. To check its allowed, (if its a Linux machine) run telnet 8443. You will connect, meaning its allowed. Otherwise, details from logs will help further
Related
I'm configuring keycloak as an SP which is connecting to a PingFederate IDP.
I'd like to import the IDP's certificate file into keycloack so that the trust will succeed.
How do I import a crt file into keycloak?
This has been documented in the keycloak's site.
https://www.keycloak.org/docs/3.3/server_installation/topics/network/outgoing.html
keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
The truststore is configured within the standalone.xml, standalone-ha.xml, or domain.xml file in your distribution. The location of this file depends on your operating mode.
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file" value="path to your .jks file containing public certificates"/>
<property name="password" value="password"/>
<property name="hostname-verification-policy" value="WILDCARD"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
New link: https://www.keycloak.org/server/outgoinghttp#_outgoing_https_request_truststore
Keycloak looks to be built on top of the WildFly app server, which is a Java server. Haven't tried it, but I expect you just need to use keytool and import the crt into the Java trust store:
keytool -v -import -file file.crt -alias idp -keystore <whatever keystore your Java process is using>
Keystore default location will depend on OS/java location, but once you do that and (perhaps) restart the Java process you should be good to go.
Navigate to the location of your keycloak.jks trust store (keycloak_install_dir/standalone/configuration)
Then import the .crt into that store using:
sudo keytool -v -importcert -file <your_cert>.crt -alias <whatever_alias_you_want> -keystore keycloak.jks -storepass <the_pw_for_keycloak.jks>
I'm using Jboss application server, i wanted to secure the management interface so i did the following
Creating a keystore with the keytool:
keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -validity 7360 -keystore server.keystore -keypass mypassword -storepass mypassword -dname "cn=Server Administrator,o=Acme,c=GB"
In standalone
<security-realm name="ManagementRealm">
....
<server-identities>
<ssl>
<keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey"/>
</ssl>
</server-identities>
</security-realm>
Also :
<management-interfaces>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding https="management-https"/>
</http-interface>
</management-interfaces>
And :
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
Now i have to to type https://ip#:9993 to access to the management interface so how can i have automatic redirect from http to https (without adding https to the ip#)
Thanks !
You can just access IP:9443. It will automatically redirect to https.
I configured Tomcat 7 for SSL. I generate the keystore like this
keytool -genkey -alias tomcat -keyalg RSA
in the server.xml, i have
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="/Users/xxxxx/.keystore" keystorePass="changeit" />
If I run tomcat directly, $TOMCAT_HOME/bin/startup.sh, when I access https://localhost:8443 from Chrome, at least i got the warning of untrusted certificate, etc...
However, if I start Tomcat from Eclipse, it keep getting this error
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I even added the ciphers to the Connector, but still same error
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tim" keystoreFile="/Users/z0029mb/.keystore" keystorePass="changeit"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
JAVA_HOME is jdk1.8.0_101, for both Eclipse and Tomcat, running on OS X. So why does Eclipse Tomcat plugin interfere anything with Tomcat starting up that make Tomcat behave differently?
If you use SHA-1 hash function, you might have to re-key the certificate from your Certificate Authority (CA) to use SHA-2. This is because SHA-1 is potentially unsecure.
1) Generate a CSR (Certificate Signing Request)
2) Submit CSR to your CA
3) After your CA issues the certificate files, download and install them based on your server type and CA's instructions.
I am maintaining a servlet application previously developed in Eclipse Helios. I have the servlet instance war file and it runs fine in my Tomcat 7.0 on windows and I receive the correct web responses in SoapUI. It runs with SSL encryption and the url in SoapUI states;
https://localhost:8443/ProjectName/etc/etc
But after retrieving the original code from SVN into Eclipse Helios, I can get it to start okay running through the imported Tomcat but it does not seem to start using SSL in Eclipse Helios and the URL in the Eclipse tab states;
http://localhost:8000/ProjectName/etc/etc
And so when I attempt to run a web request in SoapUI it reacts like the servlet instance is not running. What am I doing wrong?
This solution is supplied for MAC, can follow the same strategy for windows as well.
Step 1) Generate the certificate with java keytool utility by navigating to bin folder of java installation directory
LM-MAA-22004958:etc rkala$ cd /Applications/corona-java-1.1.0/jdk-7u45-macosx-x64/Contents/Home/bin
LM-MAA-22004958:bin rkala$ keytool -genkey -alias myappcert -keyalg RSA -keystore myapp.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: localhost.xyz.com
What is the name of your organizational unit?
[Unknown]: my
What is the name of your organization?
[Unknown]: my
What is the name of your City or Locality?
[Unknown]: my
What is the name of your State or Province?
[Unknown]: my
What is the two-letter country code for this unit?
[Unknown]: my
Is CN=localhost.xyz.com, OU=my, O=my, L=my, ST=my, C=my correct?
[no]: yes
Enter key password for <myappcert>
(RETURN if same as keystore password):
Step 2): Copy the generated myapp.keystore file to tomcat /conf directory
LM-MAA-22004958:bin rkala$ mv myapp.keystore /Users/rkala/Downloads/apache-tomcat-7.0.93/conf
LM-MAA-22004958:bin rkala$ cd /Users/rkala/Downloads/apache-tomcat-7.0.93/bin
LM-MAA-22004958:bin rkala$ ./startup.sh
Using CATALINA_BASE: /Users/rkala/Downloads/apache-tomcat-7.0.93
Using CATALINA_HOME: /Users/rkala/Downloads/apache-tomcat-7.0.93
Using CATALINA_TMPDIR: /Users/rkala/Downloads/apache-tomcat-7.0.93/temp
Using JRE_HOME: /Applications/corona-java-1.1.0/jdk-7u45-macosx-x64/Contents/Home
Using CLASSPATH: /Users/rkala/Downloads/apache-tomcat-7.0.93/bin/bootstrap.jar:/Users/rkala/Downloads/apache-tomcat-7.0.93/bin/tomcat-juli.jar
Hit the browser with url https://localhost:8443 and you are good to go
Step 3) Modify both server.xml with the same config provided below
1.Tomcat server.xml -> Path: /Users/rkala/Downloads/apache-tomcat-7.0.93/conf/server.xml
2.Under eclipse workspace server folder,modify the server.xml here as well
Add the tls config below this section of commented code. I used port 8443 for https
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector
SSLEnabled="true"
clientAuth="false"
keyAlias="myappcert"
keystoreFile="/Users/rkala/Downloads/apache-tomcat-7.0.93/conf/myapp.keystore"
keystorePass="password which you supplied while generating the certificate using keytool"
maxThreads="200"
port="8443"
scheme="https"
secure="true"
sslProtocol="TLS"
/>
Step 4) Catalina policy permission:
Modify the catalina.policy file located in /conf folder of tomcat installation directory
Search for below keyword(grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar) and replace all the code with single line as mentioned below
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
Step 5) Modify the eclipse.ini file and add the below entries and then restart the eclipse.
-vmargs
-Djavax.net.ssl.trustStore=/Users/rkala/Downloads/apache-tomcat-7.0.93/conf/myapp.keystore
-Djavax.net.ssl.trustStorePassword=password which you supplied at step 1
Now you should be able to launch the application and will be able to access it via https
I assume you are referring to running tomcat from within Eclipse. By default the server instances managed by Eclipse (projects in their own right) each have their own separate copies of the tomcat config files (server.xml, context.xml, tomcat-users.xml etc) based on the locally installed runtime version selected at creation. So if the SSL connector is not enabled within that configuration then it won't be started. This allows you to have more than one tomcat instance running at the same time, each with a different config.
To edit the configuration for an Eclipse managed tomcat instance, look for Servers in the project explorer, open your instance and edit the server.xml to uncomment the SSL connector tag which will look something like:
<Connector SSLEnabled="true" clientAuth="false" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
You may also need to create a keystore for tomcat if you haven't already - see the docs for more info: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html.
Restart tomcat from within Eclipse and try the secure address. Hope that helps.
I deleted the server in Eclipse and add it again and now everything appears to be working. Thanks to all who viewed and inputted.
I'm trying to authenticate through CAS+LDAP in a Jboss app. The config is like this:
Server 1: Jboss 6.10. Cas is deployed here.
Server 1: LDAP using OpenDS.
Server 2: Jboss whith the app to login into.
I've configured both jboss to use SSL correctly and the CAS succesfyuly reads and authenticates against the LDAP.
When I get to (through https) server1:8443/app/ i'm redirected to server2:8443/cas/ and the login screen is displayed. I login with a valid user on the LDAP but when the flow gets back to the app i'm always getting this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
I've read its a certificate problem and, as it is a dev enviroment i'm trying the self-signed certificate. So I did this:
Gen the self signed in Server1 with
keytool -genkey -alias jbosskey -keypass password -keyalg RSA -keystore server.keystore
Get the certificate of the Server1 with:
keytool -export -alias jbosskey -keypass password -file server.crt -keystore server.keystore
Copy the server.crt to Server2 and import it to the truststore of Jboss.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\server.truststore
This gets me the eception. So I also imported to the cacerts of the JVM.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jdk160_18\jre\lib\security\cacerts
Not working, so I tried to add the certificate to the keystore of the Jboss at Server2.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\keystore.jks
The Server1 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="password" sslProtocol = "TLS"
/>
The Server2 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="C:\dev\jboss-6.1.0.Final\keystore.jks"
keystorePass="password"
truststoreFile="C:\dev\jboss-6.1.0.Final\server.truststore"
truststorePass="password"
sslProtocol = "TLS" />
I've been stuck on this for a couple of days and don't know if i'm missing something. Did I missed something important with the keytool?
Thanks in advance.