I have an application which is hosted on AWS instance and we used elastic load balancer with AWS SSL certificate. We used tomcat server. As we used AWS SSL certificate we have not configured 443 port on tomcat. Now we want to implement two way SSL certificate. I have searched for the same but most of the information is saying use SSLEnable=true in tomcat's server.xml but this will not work in my case. Can someone please help me in this situation to implement Two way SSL.
This is how i've setup it,
(server.xml)
<Connector
port="8081"
protocol="HTTP/1.1"
proxyPort="443"
scheme="https"
secure="true"
proxyName="mydomain.com"
connectionTimeout="50000"
URIEncoding="UTF-8"
redirectPort="8443" />
Related
I have a java web application that supplies a REST-API for which I want to implement client certificate authentication. I am using Tomcat 9 Web Server to deploy the application as a warfile.
I only want this validation for the REST API and not for other applications deployed on the same server or other requests (for example the user interface).
Requests without a certificate or without a valid certificate should therefore not be blocked by my Web Server so I can verify the client certificate in my application code.
If I do not configure Tomcat for client certification, I cannot retrieve the certificate within my application code.
I have tried to use the following configuration:
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keyAlias="tthserver" keystoreFile="C:\Temp\keystore\keystore.jks" keystorePass="PW"
truststoreFile="C:\Temp\keystore\truststore.jks" trustStorePass="PW"
clientAuth="want" sslProtocol="TLS" />
This however blocks requests with an invalid client certificate.
You will need to add the CLIENT-CERT login-configuration in the web.xml of the webapplication deployed in tomcat that needs client authentication. Other, web applications need not have this configuration, so when client access resources of other web application, the client authentication will not take place.
For more details you may refer to the link below: -
https://users.tomcat.apache.narkive.com/C1hxh39a/tomcat-and-client-certificates
I have configured Tomcat Server (apache-tomcat-9.0.1) with self-signed certificate. On this added required configuration on server.xml, and copied .jks file on conf folder.
Create Self Signed Certificate
Configure Tomcat with SSL Stuff
HTTPS Works on browser as expected.
disableSSL Verification while making HttpsURLConnection call to fetch an REST API
Certificate Exception Stuff
Disable Certificate Exception
It works ! -
On Server.xml -= only 8443 port configured.
On Web Application Security Constraint Configured:
<security-constraint>
<web-resource-collection>
<web-resource-name>OVS</web-resource-name>
<!-- all URLs are protected -->
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<!-- redirect all requests to HTTPS -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Tomcat Server starts without showing any exception on anywhere.
But SSL/TLS communication not happening with Tomcat Server on using self-signed certificate ? . Wireshark captured the packets , expected to see TLS Packets or SSL Handshake But nothing, Only TCP Packets.
Why SSL Handshake not happening ?, Its like because Its verifying only SSL server certificate ? ( as Client Authentication is false )
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="150"
port="8443" keyAlias="london" keystoreFile="conf/londonkey.jks" keystorePass="sumit123"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Have you ever tested after configuring the self-signed certificate etc stuff to see If SSL/TLS Communication take place ?
Edit
AS Far as I know that to have SSL Communication between two network entity say A and B, both must have their own private key and public certificate, but on above we have configured only Server with Certificate and Private Key stuff nothing with Client ?, Please correct ?
I have checked various example : posts , but all talking about the generating the key and only configuring the Tomcat Server. For Test, Its talking like browser would be showing certificate exception , accept that exception and all would be set, No Where I found discussion about the actual TLS/SSL handshaking for which we actually configuring the Tomcat Server.
No, ssl cert in tomcat is not enough if non browser
Clients
Do two way ssl:
Import the cert of tomcat on client side and import
Client ‘s cert in tomcat
This way u can achieve 2way ssl
You just have to either create proper ssl context
or override javax.ssl.* which includes keystore
Keystore password and key password if any
That’s it
I have been trying to run my java spring project in HTTPS mode in my localhost.
The project works perfectly in HTTP but form some features, i need it to run in HTTPS
i have changed the default port to 8443 in the server.xml in tomcat. When i run the spring project, its URL shows https://localhost:8443 instead of localhost:8080 but the page does not load. It says page not found.
Please help me resolve this issue.
You need to set up a Connector that listens on port 8443 and a SSL certificate (keystore file in the example below, set the location as you see fit):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${user.home}/keystore" keystorePass="tomcat" keyAlias="tomcat"/>
You can buy a SSL certificate or locally sign it yourself (although you’ll get a browser exception that will ask manual confirmation to accept it). To do the latter you can use Java’s keytool.
I'm having regarding a java web app running on apache.
One of the pages is invoking an applet which code is an external server.
The company responsible of the applet told us to use HTTPS when invoking the page showing the applet as we had problems when we invoked the page using HTTP.
The problem is that when I browse the page in HTTPS , I have an ssl_error_rx_record_too_long error.
The address I want to browse looks like :
https://www.myurl.com:8084/myWebApp/pageContainingApplet.jsp?parameter1=value1¶meter2=value2
I looked for the server.xml file under /conf and added this tag:
<Connector port="8084" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Still nothing
Error code: ssl_error_rx_record_too_long
This usually means the implementation of SSL on your server is not correct. The error is usually caused by a server side problem which the server administrator will need to investigate. Below are some things we recommend trying.
Ensure that port 443 is open and enabled on your server. This is the
standard port for https communications.
If SSL is using a non-standard port then FireFox 3 can sometimes give
this error. Ensure SSL is running on port 443.
If using Apache2 check that you are using port 443 for SSL. This can
be done by setting the ports.conf file as follows
Listen 80 Listen 443 https Make sure you do not have more than one
SSL certificate sharing the same IP. Please ensure that all SSL
certificates utilise their own dedicated IP.
If using Apache2 check your vhost config. Some users have reported
changing to default resolved the error.
Make sure that your SSL certificate is not expired
Try to specify the Cipher:
SSLCipherSuite
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:+SSLv3
Also check this : https://support.servertastic.com/error-code-ssl-error-rx-record-too-long/
Hi i have configured SSL in tomcat 5.5, server.xml entry is as below.
**
<Connector port="6922" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/home/mrsx/cert/keystore.keystore"
keystorePass="XXXX"
truststoreFile="/home/mrsx/cert/keystore.keystore"
truststorePass="XXXXX" clientAuth="true" sslProtocol="TLS" />
**
When CLient is trying to access application, application is throwing exception because of "javax.servlet.request.X509Certificate" parameter in request is NULL.
i have created a keystore and imported CA certs to the keystore.. Can any one please tell me why i am Getting NULL certificates. I have not imported any client certificates in keystore.
Based on what you have given above, the SSLEnabled="true" statement is missing.
If that does not help, try adding ssl debugging on the client side and you should be able to obtain some more details.
As #Krroae27 pointed out, you have enabled two way SSL/TLS:
clientAuth="true"
Only do this if you expect clients to provide credentials using certificates. If you are going to do this you usually need to setup a Realm configuration like tomcat-users.xml that will map client certificates to a local principal.