Solved

SSL in Tomcat

Posted on 2014-01-21
Last Modified: 2014-01-29
Hi,

I have a servlet application developed on Java 1.6.0.29 and running on Tomcat 7, all on Windows.  I have followed many articles to set up SSL for the servlet, including Apache Tomcat's own documentation, but I find it all quite ambiguous, with different server.xml parameters etc.  Below is the process I followed, but the URL https://localhost:8443/ doesn't work.  A certificate was set up for me by the company infrastructure team.

Please advise what I am doing wrong and how can I check if the SSL process is "working".

Thanks in advance

#############################################

Discovered that a separate keystore should be set up because any upgrades to Java will remove any certificates

Ensure path to Java bin is added to PATH environment variable, i.e. C:\"Program Files"\Java\jre6\bin.

Create a directory under the C:\ drive for the keystore, i.e. C:\Keys

Open a command window and navigate to the directory created in the step above

Initiate keytool application to create keystore;
      
We used an alias of portalintegration otherwise the alias default of mykey is used.  It is best to specify a relevant alias

keytool -genkey -alias portalintegration -keyalg RSA -keysize 2048 -keystore PortalIntegration.keystore <return>

The following questions were asked:

Enter keystore password: storePassword <return>

First and last name? - portallive1.ourDomainName.co.uk <return>

What is the name of your organizational unit? - Department Name<return>

What is the name of your organization? - Company Name <return>

What is the name of your City or Locality? - Paisley <return>

What is the name of your State or Province? - Renfrewshire <return>

What is the two-letter country code for this unit? - GB <return>
      

You will then be asked if the information is correct:
Is CN= portallive1.ourDomainName.co.uk, OU= Department Name, O= Company Name, L=Paisley, ST=Renfrewshire, C=GB correct?

If correct enter y or yes <return>

When you answer 'y' or 'yes' the password is then requested:
Enter key password for alias <portalintegration> (will state "RETURN if same as keystore password") <return>

NOTE: If different password is used then make a note of it!!!

At this point check that a keystore with the relevant name is created in your directory, i.e. a file called PortalIntegration.keystore

Copy certificate received from our infrastructure team to relevant location, C:\Keys. Note: No bundle file.

Import certificate to keystore;

keytool -import -trustcacerts -alias portalCert -file certificatename.cer -keystore PortalIntegration.keystore <return>

Enter keystore password: storePassword<return>

Set up connector in server.xml file as below;

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="150" port="8443" keystoreFile="C:\Keys\ PortalIntegration.keystore" keystorePass="storePassword" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />

When I test Tomcat with URL: https://localhost:8443/ the output is that it cannot display the web page
Question by:ajfarroll
20 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39797202
About all I can see wrong there is that there is a space between Keys\ and PortalIntegration.keystore.  It's also possible you don't have the issuing CA's key in your caroot, and that can cause a startup error too.

Any startup errors should be logged to catalina.<datestamp>.log in the logs dir - have you checked there for any errors?
 

Author Comment

by:ajfarroll
ID: 39797252
Hi Dave Howe,

Thanks for a prompt response.  Any time we have started Tomcat since applying the certificate there have been no errors in the catalina log at startup.  How do I check the issuing CA's key is in the caroot?

Thanks again

ajfarroll
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39797273
Well, that should be logged too if there is an error.  However, the easiest way to manipulate the Java keystores on a Windows host is the GUI tool here.

Use the option Tools -> Keystore Manager -> System CA store; the password is changeit.

Author Comment

by:ajfarroll
ID: 39797368
Thanks again Dave.

Is the link you sent in your last comment for the app named "keytool-iui"?  What exactly does it do?  I opened the link and clicked on "http://www.fuin.org/keytool-iui/keytool-iui.jnlp", but it stated something about being insecure and could put information at risk.  The trouble with that is that security of the servlet and the information it will transfer is the problem we are attempting to overcome.  The server running the servlet is running outside our firewall and my managers will not want information compromised.

I look forward to your feedback.  I am quite new to SSL you see.

ajfarroll
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39797388
The tool is written in Java and is an easy-to-use GUI version of the Java keytool; you should preferably download the rar file version, unzip it locally, and run it locally.  If your management has security concerns about random Google Code projects, you can instead use the command-line Java keytool: the default keystore location is <java home>/jre/lib/security/cacerts and you can use the command "keytool -list -v -keystore <keystore name>" to list all the certificates in that keystore (you can list the contents of your PortalIntegration.keystore file by the same method).

You can also use the command "netstat -nab" to list all the ports open on the system and what process owns them, which is useful if you want to see if Tomcat actually opened the port.  For debug purposes, you can shut down the Tomcat service and use the catalina.bat file (with the argument "start") to open Tomcat as a local process, so you can watch its console messages in real time.
 

Author Comment

by:ajfarroll
ID: 39797553
Okay.  I will try that and get back to you with outcome.

Thanks again for all your assistance so far.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39798258
Happy to help :)

Oh, and as one perhaps obvious but easily overlooked element: by default, the config for the secure listener is commented out in the config by being bracketed by <!-- and -->.

Unless those are removed, the lines will have no effect, and hence the server will start cleanly but not actually start a secure listener...
 

Author Comment

by:ajfarroll
ID: 39800359
Thanks again Dave Howe.  I will check this part out in the config files.  I have not been able to get near it today due to other projects but should be able to try it again tomorrow and let you know.

Regards

AJFarroll
 

Author Comment

by:ajfarroll
ID: 39811723
I have looked for the folder cacerts in the jre/lib directory and the security folder in jre/lib does not exist.  When I check the logs now, the catalina.log states the following;

SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to C:\.keystore (The system cannot find the file specified)
java.io.FileNotFoundException: C:\.keystore (The system cannot find the file specified)

There is no C:\.keystore file.  I created a keystore using the keytool and placed it in the folder C:\SSLKeys and adjusted the <Connector > tag in the server.xml file to use the keytool in C:\SSLKeys but Tomcat seems to insist that it needs a file called ".keystore" in C:\.

Do you know why this is happening please?

Thanks again

AJF
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39811750
.keystore is the default filename. In order to override that (and you usually do want to do that) you need to add the keystoreFile= option, which I can see you have done already - so I am not sure why the connector is looking for a file you haven't told it to use.

The example given on the Tomcat site looks like this:

<Connector
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Do you want to post your current connector setup (mask the keystorePass with xxx if required) for comparison?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39811756
I note that the documentation also says (however) -

The example above will throw an error if you have the APR and the Tomcat Native libraries in your path, as Tomcat will try to use the APR connector. The APR connector uses different attributes for SSL keys and certificates. An example of an APR configuration is: 

<Connector 
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt" 
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           clientAuth="optional" SSLProtocol="TLSv1"/>


I am not sure why this would be the case for yourself, but an option is to have a crt and pem file instead of the keystore, and try adding the SSLxxx options above?
 

Author Comment

by:ajfarroll
ID: 39811805
Hi.  Thanks again so much Dave.  This is my first project involving SSL.

My connector in server.xml is as follows;

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
      
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS" KeyStoreFile="C:\SSLKeys\OrionSSL.keystore" KeyStorePass="********" />

Can I ask is it okay to just delete a previous keystore or is there a more thorough process?

Also, I found the following commands, which I tried in the command prompt.  The commands run without error or output but haven't made any difference (unless I need to reboot the server).

set SSL_OPTS=Djavax.net.ssl.keystore=C:\SSLKeys\OrionSSL.keystore
set SSL_OPTS=Djavax.net.ssl.keystorepassword=********

I found these on this site;
http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html

Regards

AJFarroll
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39812300
Ah. I believe keystoreFile and keystorePass may be case sensitive - try adjusting the case to match what I have put here, and try again?
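The server.xml pitfalls raised across this thread (the stray space in the keystore path, the connector left inside <!-- -->, and the case-sensitive keystoreFile/keystorePass attribute names) can be checked mechanically. The following is an added Python example, not code from the thread or from Tomcat; the embedded server.xml is constructed to combine those mistakes.

```python
"""Lint the SSL <Connector> of a Tomcat 7 server.xml for the problems raised in
this thread: a connector left inside <!-- -->, mis-cased keystoreFile /
keystorePass attributes, and whitespace in the keystore path.
Added example for this thread, not the Tomcat project's own code."""
import re
import xml.etree.ElementTree as ET

# Attribute names as the Tomcat 7 JSSE connector expects them (case-sensitive).
EXPECTED_CASE = {n.lower(): n for n in
                 ("keystoreFile", "keystorePass", "SSLEnabled", "sslProtocol", "clientAuth")}

def lint_server_xml(text):
    """Return a list of findings (strings) for the given server.xml text."""
    findings = []
    # ElementTree discards comments, so a connector wrapped in <!-- --> simply
    # vanishes from the parsed tree: look for that on the raw text first.
    for comment in re.findall(r"<!--(.*?)-->", text, flags=re.S):
        if re.search(r"<Connector\b[^>]*SSLEnabled", comment, flags=re.I):
            findings.append("an SSLEnabled connector is commented out and will be ignored")
    root = ET.fromstring(text)
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors and not findings:
        findings.append("no SSLEnabled connector found")
    for conn in ssl_connectors:
        port = conn.get("port", "?")
        for name in conn.attrib:
            want = EXPECTED_CASE.get(name.lower())
            if want and name != want:
                findings.append(f"port {port}: attribute {name!r} must be spelled {want!r}")
        path = conn.get("keystoreFile")
        if path is None:
            if not any(n.lower() == "keystorefile" for n in conn.attrib):
                findings.append(f"port {port}: no keystoreFile, Tomcat will look for ${{user.home}}/.keystore")
        elif re.search(r"\s", path):
            findings.append(f"port {port}: keystoreFile {path!r} contains whitespace")
    return findings

# Constructed sample combining the mistakes seen in the thread.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <!--
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="C:\\Keys\\ PortalIntegration.keystore" keystorePass="storePassword" />
  -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             KeyStoreFile="C:\\SSLKeys\\OrionSSL.keystore" KeyStorePass="********" />
</Service></Server>"""

if __name__ == "__main__":
    for finding in lint_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a real file with `lint_server_xml(open(path).read())`; a connector that passes these checks can still fail for the reasons Dave lists above (missing issuing CA, APR attributes), so the catalina log remains the authority.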
 

Author Comment

by:ajfarroll
ID: 39812321
Dave.  I was just about to reply.  I just discovered that about 20 minutes ago and I made the change.  It is now using the keystore I created in C:\SSLKeys\OrionSSL.keystore.  However, when I look at https://localhost:8443/ it is saying there is something wrong with the certificate.  Although if I click on "continue to the website" it does open up Tomcat in https with port 8443.  Am I correct in saying this is the point where I import my certificate from the host server?

Regards

AJFarroll
 

Author Closing Comment

by:ajfarroll
ID: 39817217
This part got me further on, Dave, thanks a lot for all your assistance.  I imported the certificates and, using Wireshark packet inspection, it appears to be encrypting the information.

Regards

AJFarroll
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39817641
Odd that it says wrong cert; however, you can check that easily enough - just web browse to it and see what certificate it offers.

Wireshark is even better than that, because if you give it the secret key in PEM format, it will decode the encryption for you too ;)
 

Author Comment

by:ajfarroll
ID: 39818084
Thanks.  How do I web browse to see the certificate?

Regards

AJFarroll
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39818096
https://<ip of server>:8443/ - you already did this.

However, if you do it in most browsers (such as firefox) there will be an opportunity to view the certificate sent, which you can compare to what you thought you had added :)

You need to ensure what you type in https://servernamehere:8443/ for "servernamehere" matches the CN in the certificate if you want the error to go away.
 

Author Comment

by:ajfarroll
ID: 39818180
Thanks again Dave.  I repeat this is my baptism of fire on SSL.

In Internet Explorer, as I mentioned, if I enter "https://ourservernamehere:8443/" the web page states a message about "problem with certificate" and options for "Exit web site" and "Continue to website (Not recommended)".  If I select to continue to website, the Tomcat web page is displayed but the URL bar is red and at the end of the URL bar there is a small additional URL bar saying "certificate error".  If I click on certificate error a dialog appears stating "Untrusted certificate" with a link to "View Certificates".  If I click on View certificates a dialog appears named "Certificate" and shows the server domain name and a button to "Install certificate".  When I click on "Install Certificate" the certificate import wizard appears and shows options I am unsure of, i.e. "type of certificate" and "browse to install location" which shows directories that I assume are to do with the browser.

In Firefox, if I enter the URL "https://ourservernamehere:8443/", Firefox states "the connection is untrusted".  I expanded the option for "I understand the risks" and there is a button for "Add Exception".

Could you advise me on what way to handle this please?

Thanks for your patience, and again it's my first SSL project; I previously came from a UNIX and Oracle role.

Regards

AJFarroll
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39818309
Both are valid routes.  If you use IE and view certificates, then on the very first page (General) there should be "Issued to:", which tells you what the browser would need to see as the ourservernamehere value before it stops complaining about the certificate.

In the Firefox exception dialogue, there is a "Get Certificate" then "View" option, and the view pulls up a similar dialogue with "Common Name (CN)" identifying the match field.
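The two browser complaints in this thread are different things: an issuer the browser does not trust, and a name in the URL that does not match the certificate's CN (or its DNS subjectAltName entries, which take precedence when present). The added Python example below is not from the thread; `hostname_matches` works on the dict that `ssl.SSLSocket.getpeercert()` returns, and `probe_connector` assumes a reachable server and, for a self-signed or internal certificate, a PEM file exported from the keystore with `keytool -exportcert -rfc` passed as `cafile`.

```python
"""Separate 'untrusted issuer' from 'name mismatch' for a Tomcat SSL connector.
Added example for this thread, not code from it."""
import socket
import ssl

def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison with at most one leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        rest, parts = pattern[2:], hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == rest
    return pattern == hostname

def hostname_matches(cert, hostname):
    """cert is the dict returned by ssl.SSLSocket.getpeercert().  If the
    certificate carries DNS subjectAltName entries only those count; the
    Common Name (what the IE and Firefox dialogues show) is the fallback for
    certificates without a SAN, such as one made with plain keytool -genkey."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_dns_name_matches(n, hostname) for n in san)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(cn, hostname) for cn in cns)

def probe_connector(hostname, port=8443, cafile=None):
    """Connect like a browser would and report trust and name match separately.
    cafile: PEM to trust (assumed exported with keytool -exportcert -rfc);
    None means the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # name check is done by hostname_matches
    ctx.verify_mode = ssl.CERT_REQUIRED  # ...but the chain must still verify
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"trusted": True, "name_ok": hostname_matches(cert, hostname),
                        "cipher": tls.cipher()[0], "subject": cert.get("subject")}
    except ssl.SSLCertVerificationError as e:
        # Issuer not in the trust store, expired, etc.: the "untrusted" dialogue.
        return {"trusted": False, "name_ok": None, "error": e.verify_message}

if __name__ == "__main__":
    print(probe_connector("localhost"))  # typing localhost will not match a CN like portallive1.ourDomainName.co.uk
```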
