Solved

SSL in Tomcat

Posted on 2014-01-21
Last Modified: 2014-01-29
Hi,

I have a servlet application developed on Java 1.6.0.29 and running on Tomcat 7, all on Windows.  I have followed many articles to set up SSL for the Servlet including Apache Tomcat's own documentation but I find it all quite ambiguous, with different server.xml parameters etc.  Below is the process I followed but the URL - https://localhost:8443/ doesn't work.  A certificate was set up for me by the company infrastructure team.

Please advise what I am doing wrong and how can I check if the SSL process is "working".

Thanks in advance

#############################################

Discovered that a separate keystore should be set up because any upgrades to Java will remove any certificates

Ensure path to Java bin is added to PATH environment variable, i.e. C:\"Program Files"\Java\jre6\bin.

Create a directory under the C:\ drive for the keystore, i.e. C:\Keys

Open a command window and navigate to the directory created in the step above

Initiate keytool application to create keystore;
      
We used an alias of portalintegration otherwise the alias default of mykey is used.  It is best to specify a relevant alias

keytool -genkey -alias portalintegration -keyalg RSA -keysize 2048 -keystore PortalIntegration.keystore <return>

The following questions were asked:

Enter keystore password: storePassword <return>

First and last name? - portallive1.ourDomainName.co.uk <return>

What is the name of your organizational unit? - Department Name<return>

What is the name of your organization? - Company Name <return>

What is the name of your City or Locality? - Paisley <return>

What is the name of your State or Province? - Renfrewshire <return>

What is the two-letter country code for this unit? - GB <return>
      

You will then be asked if the information is correct:
Is CN= portallive1.ourDomainName.co.uk, OU= Department Name, O= Company Name, L=Paisley, ST=Renfrewshire, C=GB correct?

If correct enter y or yes <return>

When you answer 'y' or 'yes' the password is then requested:
Enter key password for alias <portalintegration> (Will state "RETURN if same as keystore password") <return>

NOTE: If different password is used then make a note of it!!!

      At this point check that a keystore with relevant name is created in your directory, i.e.
      a file called PortalIntegration.keystore

Copy certificate received from our infrastructure team to relevant location, C:\Keys. Note: No bundle file.

Import certificate to keystore;

keytool -import -trustcacerts -alias portalCert -file certificatename.cer -keystore PortalIntegration.keystore <return>

Enter keystore password: storePassword<return>

Set up connector in server.xml file as below;

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="150" port="8443" keystoreFile="C:\Keys\ PortalIntegration.keystore" keystorePass="storePassword" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />

When I test Tomcat with URL: https://localhost:8443/ the output is that it cannot display the web page
Question by:ajfarroll

Expert Comment

by:Dave Howe
About all I can see wrong there is that there is a space between Keys\ and PortalIntegration.keystore.  It's also possible you don't have the issuing CA's key in your caroot, and that can cause a startup error too.

Any startup errors should be logged to catalina.<datestamp>.log in the logs dir - have you checked there for any errors?
Author Comment

by:ajfarroll
Hi Dave Howe,

Thanks for a prompt response.  Any time we have started Tomcat since applying the certificate there have been no errors in the catalina log at startup.  How do I check the issuing CA's key is in the caroot?

Thanks again

ajfarroll
Expert Comment

by:Dave Howe
well, that should be logged too if there is an error - however, easiest way to manipulate the java keystores on a windows host is the gui tool here

use the option tools -> keystore manager -> system CA store, password is changeit
Author Comment

by:ajfarroll
Thanks again Dave.

Is the link you sent in your last comment for the app named "keytool-iui"?  What exactly does it do.  I opened the link and clicked on "http://www.fuin.org/keytool-iui/keytool-iui.jnlp " but it stated something about being insecure and could put information at risk.  The trouble with that is that security of the servlet and the information it will transfer is the problem we are attempting to overcome.  The server running the servlet is running outside our firewall and my managers will not want information compromised.

I look forward to your feedback.  I am quite new to SSL you see.

ajfarroll
Expert Comment

by:Dave Howe
The tool is written in java and is an easy to use, gui version of the java keytool - you should preferably download the rarfile version, unzip it locally, and run it locally.  If your management has security concerns about random google code projects, you can instead use the command line java keytool - the default keystore location is <java home>/jre/lib/security/cacerts and you can use the command "keytool -list -v -keystore <keystore name>" to list all the certificates in that keystore (you can list the contents of your PortalIntegration.keystore file by the same method)

you can also use the command "netstat -nab" to list all the ports open on the system and what process owns them - useful if you want to see if tomcat actually opened the port - and for debug purposes, can shut down the tomcat service and use the catalina.bat file (with the argument "start") to open tomcat as a local process, so you can watch its console messages in realtime.
Author Comment

by:ajfarroll
Okay.  I will try that and get back to you with outcome.

Thanks again for all your assistance so far.
Expert Comment

by:Dave Howe
Happy to help :)

Oh, and as one perhaps obvious but easily overlooked element - by default, the config for the secure listener is commented out in the config by being bracketed by <!-- and -->

unless those are removed, the lines will have no effect, and hence the server will start cleanly but not actually start a secure listener.....
Author Comment

by:ajfarroll
Thanks again Dave Howe.  I will check this part out in the config files.  I have not been able to get near it today due to other projects but should be able to try it again tomorrow and let you know.

Regards

AJFarroll
Author Comment

by:ajfarroll
I have looked for the folder cacerts in the jre/lib directory and the security folder in jre/lib does not exist.  When I check the logs now, the catalina.log states the following;

SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to C:\.keystore (The system cannot find the file specified)
java.io.FileNotFoundException: C:\.keystore (The system cannot find the file specified)

There is no C:\.keystore file.  I created a keystore using the keytool and placed it in the folder C:\SSLKeys and adjusted the <Connector > tag in the server.xml file to use the keytool in C:\SSLKeys but Tomcat seems to insist that it needs a file called ".keystore" in C:\.

Do you know why this is happening please?

Thanks again

AJF
Expert Comment

by:Dave Howe
.keystore is the default filename. In order to override that (and you usually do want to do that) you need to add the keystoreFile= option, which I can see you have done already - so I am not sure why the connector is looking for a file you haven't told it to use.

the example given on the tomcat site looks like this:

<Connector
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

do you want to post your current connector setup (mask the keystorePass with xxx if required) for comparison?
Expert Comment

by:Dave Howe
I note that the documentation also says (however) -

The example above will throw an error if you have the APR and the Tomcat Native libraries in your path, as Tomcat will try to use the APR connector. The APR connector uses different attributes for SSL keys and certificates. An example of an APR configuration is: 

<Connector 
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt" 
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           clientAuth="optional" SSLProtocol="TLSv1"/>

I am not sure why this would be the case for yourself, but an option is to have a crt and pem file instead of the keystore, and try adding the SSLxxx options above?
Author Comment

by:ajfarroll
Hi.  Thanks again so much Dave.  This is my first project involving SSL.

My connector in server.xml is as follows;

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           KeyStoreFile="C:\SSLKeys\OrionSSL.keystore" KeyStorePass="********" />

Can I ask is it okay to just delete a previous keystore or is there a more thorough process?

Also, I found the following commands that I tried in the command prompt.  The commands run without error or output but haven't made any difference (unless I need to reboot the server).

set SSL_OPTS=Djavax.net.ssl.keystore=C:\SSLKeys\OrionSSL.keystore
set SSL_OPTS=Djavax.net.ssl.keystorepassword=********

I found these on this site;
http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html

Regards

AJFarroll
Accepted Solution

by:Dave Howe earned 500 total points
ah. I believe keystoreFile and keystorePass may be case sensitive - try adjusting the case to match what I have put here, and try again?
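The three misconfigurations traced through this thread (a stray space in the keystoreFile path, the SSL connector left inside <!-- -->, and keystoreFile/keystorePass spelled in the wrong case) share one symptom: Tomcat starts cleanly and simply never opens an HTTPS listener. The script below is an added example, not code from the thread or from Tomcat, that lints the HTTPS connectors in a server.xml for exactly those mistakes, plus the missing-keystore fallback and the APR auto-selection case quoted from the Tomcat docs earlier. SAMPLE_SERVER_XML is a constructed copy of the connectors posted in this thread, with the commented-out version and the wrong-case version both present.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET

# Attribute names as Tomcat's JSSE (BIO/NIO) HTTP connector spells them. The
# accepted answer found that KeyStoreFile/KeyStorePass were silently ignored,
# so the comparison below is case-sensitive.
JSSE_ATTRS = ("keystoreFile", "keystorePass", "sslProtocol", "clientAuth")
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"

# Constructed sample: the question's 8443 connector (with the stray space in the
# path) still wrapped in a comment, and the later-posted connector with the
# wrong-case attribute names active.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\Keys\ PortalIntegration.keystore" keystorePass="storePassword" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               KeyStoreFile="C:\SSLKeys\OrionSSL.keystore" KeyStorePass="********" />
  </Service>
</Server>
"""


def _is_ssl_connector(conn):
    return conn.get("SSLEnabled", "").lower() == "true" or conn.get("scheme") == "https"


def _path_has_stray_whitespace(path):
    # "C:\Keys\ PortalIntegration.keystore" splits into a component " PortalIntegration.keystore"
    return any(part != part.strip() for part in re.split(r"[\\/]", path))


def lint_server_xml(xml_text, check_files=True):
    """Return human-readable findings for the HTTPS connectors in a server.xml."""
    findings = []

    # ElementTree drops comments, so scan the raw text: a connector inside
    # <!-- --> parses without error but never opens a listener.
    for body in re.findall(r"<!--(.*?)-->", xml_text, flags=re.S):
        if re.search(r'<Connector\b[^>]*SSLEnabled\s*=\s*"true"', body, flags=re.I):
            findings.append("an SSLEnabled connector is inside an XML comment and is ignored")

    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if not _is_ssl_connector(conn):
            continue
        where = "connector on port %s" % conn.get("port", "?")
        by_lower = {name.lower(): name for name in conn.attrib}

        for expected in JSSE_ATTRS:
            actual = by_lower.get(expected.lower())
            if actual is not None and actual != expected:
                findings.append("%s: attribute '%s' must be spelled '%s' (case-sensitive)"
                                % (where, actual, expected))

        ks_attr = by_lower.get("keystorefile")
        if ks_attr is None:
            findings.append("%s: no keystoreFile, so Tomcat falls back to ${user.home}/.keystore" % where)
        else:
            ks_path = conn.get(ks_attr)
            if _path_has_stray_whitespace(ks_path):
                findings.append("%s: keystore path %r contains stray whitespace" % (where, ks_path))
            elif check_files and "${" not in ks_path and not os.path.isfile(ks_path):
                findings.append("%s: keystore file %r does not exist" % (where, ks_path))

        if conn.get("protocol", "HTTP/1.1") == "HTTP/1.1":
            findings.append('%s: protocol="HTTP/1.1" lets Tomcat pick the APR connector when the native '
                            'library is present, and APR uses SSLCertificateFile instead of keystoreFile; '
                            'pin protocol="%s"' % (where, NIO_PROTOCOL))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = lint_server_xml(fh.read())
    else:
        report = lint_server_xml(SAMPLE_SERVER_XML, check_files=False)
    print("\n".join(report) or "no findings")
```

Run it with the path to a real server.xml to also check that the keystore file exists; with no argument it lints the constructed sample and reports the commented-out connector, the two wrong-case attributes and the unpinned protocol. A clean result means the connector is at least being read as intended; whether the certificate it serves is the right one is a separate check.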
 

Author Comment

by:ajfarroll
Dave.  I was just about to reply.  I just discovered that about 20 minutes ago and I made the change.  It is now using the keystore I created in C:\SSLKeys\OrionSSL.keystore.  However, when I look at https://localhost:8443/ it is saying there is something wrong with the certificate.  Although if I click on "continue to the website" it does open up tomcat in https with port 8443.  Am I correct in saying this is the point where I import my certificate from the host server??

Regards

AJFarroll
Author Closing Comment

by:ajfarroll
This part got me further on, Dave, thanks a lot for all your assistance.  I imported the certificates and using WireShark packet inspection it appears to be encrypting the information

Regards

AJFarroll
Expert Comment

by:Dave Howe
odd that it says wrong cert; however, you can check that easily enough - just web browse to it and see what certificate it offers.

Wireshark is even better than that, because if you give it the secret key in PEM format, it will decode the encryption for you too ;)
Author Comment

by:ajfarroll
Thanks.  How do I web browse to see the certificate?

Regards

AJFarroll
Expert Comment

by:Dave Howe
https://<ip of server>:8443/ - you already did this.

However, if you do it in most browsers (such as firefox) there will be an opportunity to view the certificate sent, which you can compare to what you thought you had added :)

You need to ensure what you type in https://servernamehere:8443/ for "servernamehere" matches the CN in the certificate if you want the error to go away.
Author Comment

by:ajfarroll
Thanks again Dave.  I repeat this is my baptism of fire on SSL.

In Internet Explorer, as I mentioned if I enter "https://ourservernamehere:8443/" the web page states a message about "problem with certificate" and options for "Exit web site" and "Continue to website (Not recommended)".  If I select to continue to website, the Tomcat web page is displayed but the URL bar is red and at the end of the URL bar there is a small additional URL bar saying "certificate error".  If I click on certificate error a dialog appears stating "Untrusted certificate" with a link to "View Certificates".  If I click on View certificates a dialog appears named "Certificate" and shows the server domain name and a button to "Install certificate".  When I click on "Install Certificate" the certificate import wizard appears and shows options I am unsure of, i.e. "type of certificate" and "browse to install location" which shows directories that I assume are to do with the browser.

In Firefox, if I enter the URL "https://ourservernamehere:8443/", Firefox states "the connection is untrusted".  I expanded the option for "I understand the risks" and there is a button for "Add Exception".

Could you advise me on what way to handle this please?

Thanks for your patience and again it's my first SSL project and previously I came from a UNIX and Oracle role

Regards

AJFarroll
Expert Comment

by:Dave Howe
both are valid routes. if you use IE and view certificates, then on the very first page (general) should be "issued to:" which tells you what the browser would need to see as the ourservernamehere value before it didn't complain about the certificate.

in the firefox exception dialogue, there is  a "get certificate" then "view" option, and the view pulls up a similar dialogue with "Common Name (CN)" identifying the match field.
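The last few comments come down to one check: the host name typed into the URL must match a name in the certificate (the CN entered at keytool time, or a Subject Alternative Name), and the issuer must be one the browser trusts; otherwise IE's "certificate error" and Firefox's "connection is untrusted" appear. As an added example that is not part of the thread, the Python below implements that name comparison over the dict Python's ssl getpeercert() returns, using a constructed certificate that mirrors the DN from the question, and a probe() that connects to a host and port (assumed here to be localhost:8443) with full verification so the failure reason is reported rather than clicked past.

```python
import socket
import ssl
import sys

# Constructed certificate in the format ssl.SSLSocket.getpeercert() returns,
# carrying the DN entered at keytool time in the question. Not a real certificate.
CONSTRUCTED_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("stateOrProvinceName", "Renfrewshire"),),
        (("localityName", "Paisley"),),
        (("organizationName", "Company Name"),),
        (("organizationalUnitName", "Department Name"),),
        (("commonName", "portallive1.ourDomainName.co.uk"),),
    ),
}


def cert_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries first,
    falling back to the subject CN only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(hostname, pattern):
    """Case-insensitive exact match, or a leading '*.' wildcard that covers
    exactly one label (*.example.com matches a.example.com, not b.a.example.com)."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return hostname == pattern


def explain_mismatch(hostname, cert):
    """None when the URL host matches the certificate, otherwise a message
    listing the names the certificate actually carries."""
    names = cert_names(cert)
    if any(hostname_matches(hostname, name) for name in names):
        return None
    return "URL host %r is not among the certificate names %r" % (hostname, names)


def probe(host, port=8443, timeout=5.0):
    """Connect with full verification (issuer chain against the trust store,
    host name against the certificate) and report the outcome."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "version": tls.version(), "names": cert_names(cert)}
    except ssl.SSLError as exc:  # untrusted issuer or name mismatch: the browsers' "certificate error"
        return {"ok": False, "detail": str(exc)}
    except OSError as exc:  # nothing listening: the connector never started
        return {"ok": False, "detail": "no TLS listener on %s:%d (%s)" % (host, port, exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe(target))
```

With the constructed certificate, explain_mismatch("localhost", CONSTRUCTED_CERT) reports that localhost is not among the names, which is exactly why https://localhost:8443/ warned while the CN was portallive1.ourDomainName.co.uk. probe() uses the trust store Python was built against, so a certificate from an internal CA that the browser trusts may still fail here until that CA is added to the store the script sees.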
