We have some problems with SSO (single sign-on) authentication. We use JASIG CAS and our implementation is not working. It alerts "You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS." But we added the certificate to Tomcat server.xml.
Our settings in server.xml:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keyAlias="myalias"
keystoreFile="C:\Program Files\Java\jdk1.8.0_65\bin\ssoServer.jks"
keystorePass="12345678" />
If you did add the cert, then why are you going over localhost and 8080?
I have created my REST API in Java and it is working fine with HTTP. But to secure transport I have made some changes in the server.xml file in Eclipse.
First I created a self-signed certificate and a password for it and put that information in the server.xml file like below (all done on Windows 7):
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="E:\\SSL\\Certificate.pfx" keystorePass="Certificate123" />
But still I am not able to connect to the web server with HTTPS.
Can anyone tell me what I am doing wrong here?
It looks like you're using Apache Tomcat and it also looks like you have created a keystore in the PKCS12 format.
Try adding the keystoreType="PKCS12" attribute to the connector element.
You can find additional details here.
I've deployed a number of SSL configurations, including both Tomcat (cacerts + keytool) and IIS (Windows Certificate Store + netsh http sslcert) so I'm familiar with these procedures.
Has anyone come up with a way to point Tomcat's SSL connector to a Windows Store (i.e. configuration, extension, plugin, etc.)? Just looking to centralize management of SSL deployments to one store, vs. having multiple stores.
According to the answer on "SSL enabling in Tomcat Windows server" you can specify the keystore type as "Windows-My" in the connector configuration in server.xml; it worked for me on Tomcat 8.0.22 as well.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keyAlias="<alias of the cert>"
keystoreFile=""
keystorePass=""
keystoreType="Windows-My"
clientAuth="false"
sslProtocol="TLS"
keepAliveTimeout="200000" />
keystoreFile and keystorePass have to be set to empty strings; see my comment at bz.apache.org "BUG 56021".
If not set, they will default to values that cause trouble.
keyAlias should be either the friendly name (if it has one) or the common name of the certificate.
It seems not possible. From the Tomcat 8 documentation https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html:
Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores.
The Windows Store would require a specific connector similar to the 'WINDOWS-MY' of JSSE.
There is no reference in the documentation to any plugin or connector for the Windows Certificate Store.
While Dmitry's solution works on Tomcat 8.0, from Tomcat 8.5 onward there is a small caveat: you need to explicitly set JSSE as SSLImplementation. Hence the configuration becomes (considering also the new structure introduced in Tomcat 8.5):
<Connector port="8443"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
scheme="https" secure="true" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreType="Windows-MY"
certificateKeystoreFile=""
certificateKeyAlias="tomcat" />
</SSLHostConfig>
</Connector>
Alternatively, one can also set useOpenSSL="false" on the AprLifecycleListener.
I am trying to host my service with HTTP and HTTPS. I have hosted it on HTTP, and on HTTPS using a keystore generated with the KeyStore tool.
Both of these worked.
Now I am trying to host with an x509 certificate and I am getting "webpage is not available". I think the issue is in configuring x509. Let me know my mistake.
Working setting, keystore:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:\apache server for hosting\keystore"
keystorePass="pass#word1" />
Not working setting, x509 certificate:
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" SSLEngine="on"
SSLCertificateFile="C:\apache server for hosting\JavaWebserviceCert.cer"
SSLCertificateKeyFile="C:\apache server for hosting\JavaServicePrivateKey.pfx"
SSLVerifyClient="require" SSLVerifyDepth="10" />
Regards
I've got a problem setting up my Tomcat on Linux for secure connections. My servlets work fine for normal HTTP requests, but when changing the server.xml file to the HTTPS configuration, the servlet is only addressable through the internal IP. I created a .keystore file in my home directory. The fact that the HTTPS connection (after accepting the certificate) works within the internal network makes me believe it is a router-related problem (I opened and forwarded port 8443 on my router).
Thanks for any help!
Server.xml:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443"/>
...
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/user/.keystore"
keystorePass="password" />
I have an application that runs on a secure channel, and I want to configure a secure port. I am adding the following connector to my Tomcat server.xml file:
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" secure="true"
clientAuth="false" />
It connects to the server when I hit
https://localhost.com:8443
in the browser, but I never get a response back; it stays connecting to the server forever.
I would really appreciate any help on this.
Thanks.
It is because your configuration is not complete. Take a look at this tutorial:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
It has to look more like this:
<Connector
protocol="HTTP/1.1"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Without SSLEnabled="true" there will be no encryption.
I found the issue was due to a web service that my application depends upon being down; that is why requests were stuck forever.
However, the above configuration for configuring a fake secure port worked for me.
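The threads above keep hitting the same handful of connector mistakes: `secure`/`scheme` set without `SSLEnabled="true"`, a `.pfx` keystore without `keystoreType="PKCS12"`, `Windows-My` without the empty `keystoreFile`/`keystorePass` (or, on Tomcat 8.5+, without the explicit JSSE `sslImplementationName`), and APR/OpenSSL attributes mixed into a JSSE connector. The following is an added example, not code from any of the posters or from Tomcat: a small checker that parses a server.xml and reports those conditions for every TLS connector; the rules encode the advice given in the answers above, the attribute sets and the sample server.xml are constructed for the demonstration, and Tomcat 8.5's `<SSLHostConfig><Certificate>` attributes are folded onto the connector by stripping their `certificate` prefix.

```python
import xml.etree.ElementTree as ET

JSSE_IMPL = "org.apache.tomcat.util.net.jsse.JSSEImplementation"
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias", "sslProtocol", "clientAuth"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLEngine", "SSLVerifyClient", "SSLVerifyDepth"}

def effective_attrs(conn):
    """Connector attrs merged with Tomcat 8.5+ <Certificate> attrs (certificateKeystoreType -> keystoreType)."""
    attrs = dict(conn.attrib)
    for cert in conn.iter("Certificate"):
        for key, val in cert.attrib.items():
            if key.startswith("certificate"):
                key = key[len("certificate"):]
                key = key[0].lower() + key[1:]
            attrs.setdefault(key, val)  # Connector-level attributes win if both are present
    return attrs

def lint_connectors(server_xml):
    """Return one finding string per TLS connector mistake discussed in the threads above."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a, port = effective_attrs(conn), conn.get("port", "?")
        if a.get("scheme") != "https" and a.get("secure") != "true" and a.get("SSLEnabled") != "true":
            continue  # plain HTTP connector, nothing to check
        legacy = conn.find("SSLHostConfig") is None  # Tomcat <= 8.0 attribute layout
        if a.get("SSLEnabled") != "true":
            findings.append(f'port {port}: scheme/secure set but SSLEnabled is not "true"; no TLS handshake will occur')
        ks_type = a.get("keystoreType", "JKS")
        if a.get("keystoreFile", "").lower().endswith((".pfx", ".p12")) and ks_type.upper() != "PKCS12":
            findings.append(f'port {port}: keystoreFile looks like PKCS#12 but keystoreType is {ks_type}; set keystoreType="PKCS12"')
        if ks_type.upper() == "WINDOWS-MY":
            if a.get("keystoreFile") != "" or (legacy and a.get("keystorePass") != ""):
                findings.append(f'port {port}: Windows-My needs keystoreFile="" (and keystorePass="" on Tomcat 8.0) set explicitly')
            if not legacy and a.get("sslImplementationName") != JSSE_IMPL:
                findings.append(f'port {port}: Windows-My under SSLHostConfig needs sslImplementationName="{JSSE_IMPL}"')
        apr, jsse = a.keys() & APR_ATTRS, a.keys() & JSSE_ATTRS
        if apr and jsse:
            findings.append(f"port {port}: APR/OpenSSL attributes {sorted(apr)} mixed with JSSE attributes {sorted(jsse)}")
    return findings

# Constructed sample mirroring the broken configs in the threads above; not a real deployment.
SAMPLE_SERVER_XML = r"""<Server><Service>
<Connector port="8443" protocol="HTTP/1.1" maxThreads="150" secure="true" clientAuth="false"/>
<Connector port="8444" SSLEnabled="true" scheme="https" keystoreFile="E:\SSL\Certificate.pfx" keystorePass="EXAMPLE"/>
<Connector port="8445" SSLEnabled="true" scheme="https" secure="true"><SSLHostConfig>
  <Certificate certificateKeystoreType="Windows-MY" certificateKeystoreFile="" certificateKeyAlias="tomcat"/>
</SSLHostConfig></Connector>
<Connector port="8446" SSLEnabled="true" scheme="https" sslProtocol="TLS" SSLEngine="on" SSLCertificateFile="C:\certs\site.cer"/>
</Service></Server>"""
```

Running `lint_connectors(SAMPLE_SERVER_XML)` yields four findings, one per sample connector; a clean legacy Windows-My connector with both empty strings set produces none.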