Tomcat8 - How to configure ssl certificates for both https and two-way authentication


Tomcat8 - How to configure ssl certificates for both https and two-way authentication

Senthil Kumar

> Hello,
>
> I have configured ssl certificates for below requirements:
>
> 1. Tomcat server certificate configuration in 'server.xml' file to run tomcat server on port 443 and https
>
>  <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
>                maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
>                sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256" keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>                keystoreType="PKCS12" />
>
> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl authentication for the connection to MQ / Soap service servers.
>
> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=clienttruststore.jks -Djavax.net.ssl.trustStorePassword=changeit'
>
>
> But it looks like the service certificate configured (for the two-way ssl handshake with MQ and Soap service servers) in 'setenv.sh' file is overwriting the tomcat server ssl configuration configured in 'server.xml' and subsequently tomcat server is down for https and port 443.
>
> Can someone recommend suitable tomcat config to fix this issue? The tomcat config should support both https (port 443) and two-way ssl handshake with other servers.
>
> Thanks,
> Senthil

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

markt
On 08/08/17 21:03, [hidden email] wrote:


Tomcat version?



Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

Christopher Schultz-2
In reply to this post by Senthil Kumar

Senthil,

On 8/8/17 4:03 PM, [hidden email] wrote:


Regardless of the actual problem and solution, here, I would always
highly recommend that you use explicit configuration for your
<Connector> for your truststore as well as your keystore. Using system
properties is very heavy-handed and ends up applying the same trust
store to a whole variety of components, not just the <Connector>.

-chris
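Chris's advice about explicit <Connector> configuration, shown as an added example that is not from this thread and not the Tomcat project's own sample config: a Tomcat 8.0.x HTTPS connector that carries its own keystore and truststore, so the connector never depends on the javax.net.ssl.* system properties that setenv.sh sets for the outbound MQ/SOAP clients. The conf/ paths, the key alias "tomcat-hostname", the truststore file name and the cipher list are assumptions; the keystore file, password and PKCS12 type come from the original post.

```xml
<!-- server.xml (Tomcat 8.0.x): HTTPS connector with its OWN key material.
     Example config, not the poster's; paths, alias and truststore name are assumed. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" acceptCount="100" enableLookups="false"
           scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

           keystoreFile="${catalina.base}/conf/Tomcat.HostName.pfx"
           keystoreType="PKCS12"
           keystorePass="password"
           keyAlias="tomcat-hostname"

           clientAuth="false"
           truststoreFile="${catalina.base}/conf/servertruststore.jks"
           truststoreType="JKS"
           truststorePass="changeit" />
```

A few points on the attribute choices. Pinning protocol to the NIO implementation class matters: with protocol="HTTP/1.1" (the default in the poster's connector) Tomcat 8.0 switches to the APR/native connector if tcnative is present, and that connector ignores keystoreFile in favour of SSLCertificateFile, which is one way an HTTPS connector can fail to come up even though the keystore is correct. keystoreType="PKCS12" is supported directly by the JSSE connector, so the .pfx does not need converting to JKS. When a keystore holds more than one private key, keyAlias selects the one the connector serves with; the service certificate used for outbound two-way TLS can stay in its own ServiceCertificate.p12 and does not belong in the connector's keystore at all. The truststore on the connector is only consulted to validate client certificates when clientAuth is "true" or "want", but it is still worth setting explicitly: per the Tomcat 8.0 connector documentation, truststoreFile defaults to the value of the javax.net.ssl.trustStore system property, which is exactly the kind of implicit coupling between setenv.sh and the connector that Chris is warning about. The GCM cipher suites listed require Java 8; on Java 7 use the TLSv1.2 ECDHE CBC suites instead.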


Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

Senthil Kumar
In reply to this post by markt
Mark,

Tomcat version is 8.0.39.

I have to use both the server certificate (.pfx) and the service certificate as
keystores. Do I need to convert the PFX format certificate to JKS format? How do I
configure more than one private certificate in a keystore?

Senthil

On Wed, Aug 9, 2017 at 1:39 AM, Mark Thomas <[hidden email]> wrote:

> On 08/08/17 21:03, [hidden email] wrote:
> >
> >> Hello,
> >>
> >> I have configured ssl certificates for below requirements:
> >>
> >> 1. Tomcat server certificate configuration in 'server.xml' file to run
> tomcat server on port 443 and https
> >>
> >>  <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25"
> >>                maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true"
> >>                acceptCount="100" scheme="https" secure="true"
> SSLEnabled="true" clientAuth="false"
> >>                sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
> keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
> >>                keystoreType="PKCS12" />
> >>
> >> 2. Service certificate configuration in 'setenv.sh' file for the
> two-way ssl authentication for the connection to MQ / Soap service servers.
> >>
> >> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
> -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=clienttruststore.jks
> -Djavax.net.ssl.trustStorePassword=changeit'
> >>
> >>
> >> But It looks like the service certificate configured (for the two-way
> ssl handshake with MQ and Soap service servers) in 'setenv.sh' file is
> overwriting the tomcat server ssl configuration configured in 'server.xml'
> and subsequently tomcat server is down for https and port 443.
> >>
> >> Can someone recommend suitable tomcat config to fix this issue. The
> tomcat config should support both https (port 443) and two-ways ssl
> handshake with other servers.
>
> Tomcat version?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

markt
On 09/08/17 12:24, Senthil Kumar wrote:
> Mark,
>
> Tomcat version is 8.0.39.
>
> I have to use both the server certificate (.pfx) and the service certificate as
> keystores. Do I need to convert the PFX format certificate to JKS format? How do I
> configure more than one private certificate in a keystore?

The setenv.sh settings shouldn't interfere with the Tomcat connector but
to be sure I suggest the following:

- comment out the setenv.sh settings
- start Tomcat
- test https on port 443 and report any errors including those in the
  logs

Once port 443 is working then uncomment the settings in setenv and check
port 433 still works.

Mark
