SSL in Tomcat 8: server & client JKS + client public cer - java

I've followed this guide to set up my Tomcat 8 instance with an SSL layer, producing client and server keystores and a self-signed public client certificate.
The issue is, I guess, that I don't really know how to configure Tomcat's Connector...
Here is my current server.xml file (unnecessary comments removed):
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<GlobalNamingResources>
<Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector connectionTimeout="40000" port="9090" protocol="HTTP/1.1" redirectPort="8443"/>
<!-- I've also tried using these ones: -->
<!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" /> -->
<!--<Connector clientAuth="true" port="8443" minSpareThreads="5"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\keys/server.jks" keystoreType="JKS" keystorePass="triple1327"
truststoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\keys/server.jks" truststoreType="JKS" truststorePass="triple1327"
sslProtocol="TLS" />-->
<!-- Don't work on tomcat8:
maxSpareThreads="75"
SSLVerifyClient="require"
SSLEngine="on"
SSLVerifyDepth="2"
-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\keys\server.jks" keystoreType="JKS" keystorePass="triple1327"
truststoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\keys\server.jks" truststoreType="JKS" truststorePass="triple1327"
/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine defaultHost="localhost" name="Catalina">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
<Context path="/rutas" docBase="C:\Users\IN006\cavwebapp" reloadable="true" crossContext="false">
</Context>
</Host>
</Engine>
</Service>
</Server>
Using this, I've tried to access the Tomcat welcome page:
localhost:8443
https://localhost
https://localhost:8443
But none of them worked...
Any tip?
Thank you!
EDIT
Solution:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/tomcat7/server.jks"
keystorePass="changeit" />
I've been able to access it through https://localhost:8443

Your question lacks important details such as Tomcat's log and the structure of your keystore. For example, a key placed in the keystore can itself be password protected. The port you want to use may already be occupied, etc. There are many things that can go wrong.
In general, I can advise you to keep things as simple as you can.
Try this snippet:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/tomcat7/server.jks"
keystorePass="changeit" />

Related

Stopping and starting a service present in server.xml using tomcat manager application/api (Single tomcat instance)

I have multiple services defined in server.xml and below is the one which I need to restart (stop and start again) using the Tomcat manager application/API.
<Service name="myService">
<Executor name="myExecutorPool" namePrefix="my-http-pool"
maxThreads="10" minSpareThreads="1"/>
<Connector
port="8701" protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true"
executor="myExecutorPool"
maxSavePostSize="-1"
scheme="https" secure="true"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100"
sslEnabledProtocols="${sslEnabledProtocolsMediumSecurity}" server=" "
allowUnsafeLegacyRenegotiation="false"
clientAuth="want"
bindOnInit="false"
URIEncoding="UTF-8"
useBodyEncodingForURI="true"
keystoreType="PKCS11"
keyAlias="server"
trustManagerClassName="com.example.com.myproj.cert.RestTrustManager"
sendReasonPhrase="true"
sslImplementationName="com.example.com.myproj.cert.MyProjImplementation"
ciphers="${tls.ciphers}"
/>
<Engine name="myEngine" defaultHost="localhost">
<Valve className="org.apache.catalina.valves.MethodsValve" methodsSupported="GET,POST,PUT,DELETE,HEAD" />
<Host name="localhost" appBase="mywebapp"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="" docBase="../webapps/ROOT" >
<Valve className="org.apache.catalina.valves.RedirectValve" sendToApp="/myapp/" />
</Context>
</Host>
</Engine>
</Service>
When I do curl -username:password http://localhost:8080/manager/text/list , I don't see the above service listed. I assume this means that the service is not running as a separate service but is contained inside the app server.
So I won't be able to do something like http://localhost:8080/manager/text/reload?path=/myService.
Can you please help here: how do I stop/start (restart) this particular service using the Tomcat manager app?
If JMX can be used here, can you please provide any links/resources describing how to do that?

tomcat ssl redirect loop

My application uses SSL in Tomcat and runs fine when I use port 8080: when I access http://localhost:8080, it redirects to https://localhost:8443.
But when I use a non-8080 port (8081, 8082, etc.) and access http://localhost:8081 (or http://localhost:8082, etc.), it goes into an infinite redirect loop to http://localhost:8081 (or http://localhost:8082, etc.)
Here is my server.xml with 8080:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector SSLEnabled="true" clientAuth="false" keyAlias="key" keystoreFile="webapps/ROOT/META-INF/my.keystore" keystorePass="pass" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>
And here is my server.xml with 8081:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8081" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector SSLEnabled="true" clientAuth="false" keyAlias="key" keystoreFile="webapps/ROOT/META-INF/my.keystore" keystorePass="pass" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>
Can anyone help me?
I'm using Tomcat 6.
Another thing to try is to forcibly enable HTTPS for all the apps in the default web.xml (it should be in the tomcat/conf folder next to server.xml),
by adding the following to it:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: the below applies to Tomcat instances with APR enabled (i.e. most Linux-based installations), but as the OP is running a Windows-based Tomcat with the APR connector already disabled (or not available), it does not apply to him.
Not sure why you get a redirect loop, but an apparent problem with your configuration is that you have the APR (native) SSL connector enabled, which does not really work with "keystoreFile", so you should be getting error messages like this in your logs:
java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
and SSL should not function for you at all, regardless of the port number used.
And the easiest way to fix it is to comment out the APR listener:
<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
to make Tomcat use JSSE connector implementation instead.
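As an added example that is not code from this thread or from Tomcat itself: a small Python linter that reads a server.xml and flags the connector mistakes discussed in this answer and in the first question. It reports an APR listener with SSLEngine="on" paired with a JSSE keystoreFile (the "SSLCertificateFile must be defined" failure above), an SSLEnabled connector with no keystore, a TLS connector not marked scheme="https" secure="true", clientAuth="true" without a truststoreFile (Tomcat then validates client certificates against the JVM's default cacerts rather than your self-signed client certificate), store passwords in clear text, and an HTTP/AJP connector whose redirectPort no TLS connector listens on. The sample server.xml is constructed, modelled on the first question's, and the finding codes are invented here.

```python
"""Lint a Tomcat 8 server.xml for the TLS connector mistakes discussed in this thread.

Added example, not code from the thread or from Tomcat. The finding codes are invented
here; the checks follow the behaviour documented for the Tomcat 8 HTTP connector.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the questioner's server.xml: the APR listener has
# SSLEngine="on" while the TLS connector is configured JSSE-style with a JKS keystore,
# clientAuth="true" has no truststoreFile, and the AJP connector redirects to a port
# that no TLS connector listens on.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="9090" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="conf/server.jks" keystoreType="JKS" keystorePass="triple1327"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8444"/>
  </Service>
</Server>
"""


def _flag(value, true_word="true"):
    """Case-insensitive test for boolean-ish Tomcat attributes ("true"/"false", "on"/"off")."""
    return (value or "").strip().lower() == true_word


def apr_ssl_engine_on(root):
    """True if AprLifecycleListener is declared with SSLEngine="on" (OpenSSL-backed TLS)."""
    return any(
        listener.get("className", "").endswith("AprLifecycleListener")
        and _flag(listener.get("SSLEngine"), "on")
        for listener in root.iter("Listener")
    )


def lint_server_xml(xml_text):
    """Return a list of (code, port, message) findings for every Connector in xml_text."""
    root = ET.fromstring(xml_text)
    apr = apr_ssl_engine_on(root)
    connectors = list(root.iter("Connector"))
    tls_ports = {c.get("port") for c in connectors if _flag(c.get("SSLEnabled"))}
    findings = []
    for c in connectors:
        port = c.get("port", "?")
        if not _flag(c.get("SSLEnabled")):
            # Plain HTTP/AJP connector: its redirectPort must be a port a TLS connector owns.
            rp = c.get("redirectPort")
            if rp and rp not in tls_ports:
                findings.append(("REDIRECT_TO_NON_TLS_PORT", port,
                                 f"redirectPort={rp} is not the port of any SSLEnabled connector"))
            continue
        if apr and c.get("keystoreFile") and not c.get("SSLCertificateFile"):
            # The APR/OpenSSL connector wants SSLCertificateFile/SSLCertificateKeyFile (PEM);
            # keystoreFile is a JSSE attribute, so the TLS port never comes up.
            findings.append(("APR_JSSE_MISMATCH", port,
                             "AprLifecycleListener SSLEngine=\"on\" with a JSSE keystoreFile: "
                             "comment out the listener or use SSLCertificateFile/SSLCertificateKeyFile"))
        if not apr and not c.get("keystoreFile"):
            findings.append(("NO_KEYSTORE", port,
                             "SSLEnabled without keystoreFile: Tomcat falls back to ~/.keystore "
                             "with password \"changeit\""))
        if not (c.get("scheme") == "https" and _flag(c.get("secure"))):
            findings.append(("NOT_MARKED_SECURE", port,
                             "set scheme=\"https\" secure=\"true\" so request.isSecure() is true "
                             "and the application sees the request as HTTPS"))
        if _flag(c.get("clientAuth")) and not c.get("truststoreFile"):
            findings.append(("CLIENT_AUTH_DEFAULT_TRUST", port,
                             "clientAuth=\"true\" without truststoreFile: client certificates are "
                             "validated against the JVM default truststore (cacerts), not your client cert"))
        if c.get("keystorePass") or c.get("truststorePass"):
            findings.append(("PLAINTEXT_STORE_PASS", port,
                             "keystore/truststore password is in clear text in server.xml; "
                             "restrict the file's permissions and keep it out of version control"))
    return findings


if __name__ == "__main__":
    for code, port, message in lint_server_xml(SAMPLE_SERVER_XML):
        print(f"[{code}] port {port}: {message}")
```

Feed it the contents of $CATALINA_BASE/conf/server.xml. What it cannot tell you is whether the JKS itself is sound (right alias, private key present, the client's public certificate actually imported into the truststore), so pair it with keytool -list -v -keystore server.jks and read catalina.out after the connector starts.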

Tomcat ssl port not redirected automatically

I enabled both the non-SSL (8440) connector and the SSL (8445) connector in server.xml; whenever I start the server it redirects me to "http://localhost:8445/", but I gave this port to the SSL connector.
When I try to access http://localhost:8440, it allows me to enter the application (it must redirect to the SSL port, as I gave the redirect port).
Everything works fine if I remove the non-SSL connector.
Tomcat version: Tomcat 5.0.28
Thanks in advance.
My server.xml entries
<Connector port="8440" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8445" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
connectionTimeout="20000" debug="0" disableUploadTimeout="true"
emptySessionPath="true" enableLookups="false" maxThreads="150"
minSpareThreads="25" name="SSL" port="8445" scheme="https"
secure="true" sslProtocol="TLS"/>
server.xml file
<!-- Test entry for demonstration purposes -->
<Environment name="simpleValue" type="java.lang.Integer" value="30"/>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users -->
<Resource auth="Container" description="User database that can be updated and saved" name="UserDatabase" type="org.apache.catalina.UserDatabase">
</Resource>
<ResourceParams name="UserDatabase">
<parameter>
<name>factory</name>
<value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
</parameter>
<parameter>
<name>pathname</name>
<value>conf/tomcat-users.xml</value>
</parameter>
</ResourceParams>
<Connector acceptCount="100" connectionTimeout="20000" debug="3" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="WebServer" port="8440" redirectPort="8445"/>
<Engine debug="0" defaultHost="localhost" name="Catalina">
<Realm allRolesMode="strictAuthOnly" appName="myapp" className="com.authentication.CustomJAASRealm" roleClassNames="com.authentication.RolePrincipal" userClassNames="com.authentication.UserPrincipal">
</Realm>
<Host appBase="webapps" autoDeploy="false" debug="0" name="localhost" unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%u %U %S &quot;%{Referer}i&quot; %a %A %m %t %D %b %s &quot;%{User-Agent}i&quot;" prefix="access_log." resolveHosts="false" rotatable="false" suffix="txt"/>
<Logger className="org.apache.catalina.logger.FileLogger" directory="logs" prefix="localhost_log." suffix=".txt" timestamp="true"/>
<Context debug="0" docBase="${home}/webapps" path=""/>
<Context appBase="webapps" debug="0" docBase="${home}/help/" path="/help" reloadable="true"/>
</Host>
</Engine>
Please always read the documentation; it helps you learn. You can check it HERE.
Go to your $TOMCAT_HOME/conf/server.xml and change redirect port:
<Connector port="8080"
enableLookups="false"
redirectPort="8440" />
<Connector port="8440" protocol="HTTP/
enableLookups="false"
redirectPort="8445" />
Cheers!!

Tomcat server.xml SSLEnable issue

Here I'm having a problem with the server.xml configuration on Tomcat (8.0.9).
My Tomcat works when SSLEnabled="false", but otherwise it
gives "This webpage is not available" or "SSL Connection error".
To get additional information I checked the log file, but
it doesn't show any exception or error.
Below is the main part of my server.xml file:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
URIEncoding="UTF-8"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/home/tomcat_home/conf/some.jks"
keystorePass="somePW"
SSLEnabled="true"
clientAuth="false"
sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
minSpareThreads="5"
maxSpareThreads="75"
enableLookups="true"
disableUploadTimeout="true"
acceptCount="100"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>
Please give me your kind advice.
You need to run https on port 8443. Change the connectors to this and change the password to fit your keystore:
<Connector port="8080" connectionTimeout="20000" protocol="HTTP/1.1" redirectPort="8443" />
<Connector port="8443" keystorePass="changeit" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

Configuring tomcat https for specific service

I have one web application in which one specific service needs to go through secure HTTPS, and all other services should be HTTP. I did:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${user.home}/keystore/keystore.jks" keystorePass="test"
truststoreFile="${user.home}/keystore/keystore.jks" truststorePass="test"
truststoreType="JKS" disableUploadTimeout="true"
enableLookups="true" maxHttpHeaderSize="8192"
maxSpareThreads="75" minSpareThreads="25"
clientAuth="true" sslProtocol="TLS" />
but it expects every service to be HTTPS. Is there a way I can configure Tomcat to fulfill my requirement?
You can run both HTTP and HTTPS on the same server; just add another connector for HTTP.
<Connector port="80" protocol="HTTP/1.1"
maxThreads="150"
disableUploadTimeout="true"
enableLookups="true" maxHttpHeaderSize="8192"
maxSpareThreads="75" minSpareThreads="25" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${user.home}/keystore/keystore.jks" keystorePass="test"
truststoreFile="${user.home}/keystore/keystore.jks" truststorePass="test"
truststoreType="JKS" disableUploadTimeout="true"
enableLookups="true" maxHttpHeaderSize="8192"
maxSpareThreads="75" minSpareThreads="25"
clientAuth="true" sslProtocol="TLS" />
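The web.xml security constraint quoted in the redirect-loop answer earlier on this page and the "one specific service over HTTPS" question above are two sides of the same mechanism: a plain HTTP connector only redirects a request to its redirectPort when a <security-constraint> with <transport-guarantee>CONFIDENTIAL matches it, and narrowing the <url-pattern> from /* to the secure service's path is what makes only that service HTTPS while the rest stays on the HTTP connector. The Python below is an added example, not code from the thread or from Tomcat: it models that decision against a constructed web.xml. The context path /rutas, the host names, port 8443 and the /services/payment/* and *.secure patterns are assumptions made for the example; the pattern kinds (exact, path prefix, extension) are the ones the Servlet specification uses for security constraints.

```python
"""Model how Tomcat decides to redirect a plain-HTTP request to the connector's redirectPort.

Added example, not code from the thread or from Tomcat. Tomcat redirects only when a
<security-constraint> whose <transport-guarantee> is CONFIDENTIAL (or INTEGRAL) matches
the request; with no such constraint, an HTTP connector serves everything in clear text.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml (assumption): only the payment service and *.secure resources are
# forced onto HTTPS; everything else in the context stays on HTTP.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Payment service</web-resource-name>
      <url-pattern>/services/payment/*</url-pattern>
      <url-pattern>*.secure</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def pattern_matches(pattern, path):
    """Servlet-style url-pattern match: exact, path prefix "/x/*", or extension "*.ext"."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def confidential_patterns(web_xml):
    """Collect the url-patterns of every constraint that demands a protected transport."""
    root = ET.fromstring(web_xml)
    patterns = []
    # {*} ignores the web-app namespace so the same code works with and without xmlns.
    for sc in root.iterfind(".//{*}security-constraint"):
        guarantee = sc.findtext(".//{*}transport-guarantee", default="NONE").strip()
        if guarantee in ("CONFIDENTIAL", "INTEGRAL"):
            patterns.extend(p.text.strip() for p in sc.iterfind(".//{*}url-pattern"))
    return patterns


def https_redirect(web_xml, request_uri, host, context_path="", redirect_port=443,
                   is_secure=False, query=None):
    """Return the https:// URL Tomcat would redirect to, or None if the request is served as-is.

    request_uri is the full path including the context; url-patterns are matched against
    the part after context_path, as the container does. A request that already arrived on
    the secure connector (is_secure=True) is never redirected.
    """
    if is_secure:
        return None
    if context_path and not request_uri.startswith(context_path):
        return None
    in_context = request_uri[len(context_path):] or "/"
    if not any(pattern_matches(p, in_context) for p in confidential_patterns(web_xml)):
        return None
    port = "" if redirect_port == 443 else f":{redirect_port}"
    url = f"https://{host}{port}{request_uri}"
    return url + (f"?{query}" if query else "")


if __name__ == "__main__":
    for uri in ("/rutas/services/payment/charge", "/rutas/services/catalog", "/rutas/report.secure"):
        print(uri, "->", https_redirect(SAMPLE_WEB_XML, uri, "localhost",
                                        context_path="/rutas", redirect_port=8443))
```

Replace the url-patterns with /* and every request is bounced to the TLS port, which is the "force HTTPS for all apps" snippet from the earlier answer; leave the constraint out entirely and nothing is redirected, no matter what redirectPort says, which is why an HTTP connector can "allow me to enter the application" as the Tomcat 5 question describes.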
