Hi i have configured SSL in tomcat 5.5, server.xml entry is as below.
**
<Connector port="6922" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/home/mrsx/cert/keystore.keystore"
keystorePass="XXXX"
truststoreFile="/home/mrsx/cert/keystore.keystore"
truststorePass="XXXXX" clientAuth="true" sslProtocol="TLS" />
**
When CLient is trying to access application, application is throwing exception because of "javax.servlet.request.X509Certificate" parameter in request is NULL.
i have created a keystore and imported CA certs to the keystore.. Can any one please tell me why i am Getting NULL certificates. I have not imported any client certificates in keystore.
Based on what you have given above, the SSLEnabled="true" statement is missing.
If that does not help, try adding ssl debugging on the client side and you should be able to obtain some more details.
As #Krroae27 pointed out, you have enabled two way SSL/TLS:
clientAuth="true"
Only do this if you expect clients to provide credentials using certificates. If you are going to do this you usually need to setup a Realm configuration like tomcat-users.xml that will map client certificates to a local principal.
Related
testing server uses centos 7 and tomcat 9
originally, testing server tomcat use http, this tomcat contains 4 web apps: a.war, b.war, c.war and d.war, it works fine and its server.xml looks like:
<Connector
port="80"
protocol="HTTP/1.1"
connectionTimeout="60000"
keepAliveTimeout="15000"
maxKeepAliveRequests="-1"
maxThreads="1000"
minSpareThreads="200"
maxSpareThreads="300"
minProcessors="100"
maxProcessors="900"
acceptCount="1000"
enableLookups="false"
executor="tomcatThreadPool"
maxPostSize="-1"
compression="on"
compressionMinSize="1024"
redirectPort="443" />
then i tried to use https with self signed ssl via keytool:
<Connector
port="443"
protocol="HTTP/1.1"
minSpareThreads="5"
maxSpareThreads="75"
enableLookups="true"
disableUploadTimeout="true"
acceptCount="100"
maxThreads="200"
maxPostSize="-1"
scheme="https"
secure="true"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/opt/test.keystore"
keystorePass="123456"/>
however, after login, my webapp always shows loading:
I checked the log and found that there was an exception nullpointerexception because request.getParameter('key') returns null(actually both request.getParameterMap() and request.getParameterNames() return empty), but from the browser network, this parameter has been sent.
sometimes there is no any error in the log, but my webapp still always shows loading.
for #1 above, when login success, a.war will send requests to b.war, c.war and d.war, the request parameters includes an array(has 85 items and each item contains 7 fields) and key.
if i remove the array from the request parameter, only keep the request parameter key, then there is no always shows loading in https.
after checked the tomcat documents, i tried to change protocol for https connector.
If i changed the protocol from HTTP/1.1 to org.apache.coyote.http11.Http11Nio2Protocol, then there is no any problem in https, and i can send the request parameter array too.
so i don't understand:
send request parameter array(has 85 items and each item contains 7 fields) and key in https with protocol HTTP/1.1 sometimes will cause request.getParameterMap(), request.getParameterNames() return empty and request.getParameter('key') return null
why if i remove request parameter array in https with protocol HTTP/1.1, then it works fine.
why there is no any problem in http with protocol HTTP/1.1
why using org.apache.coyote.http11.Http11Nio2Protocol in https can solve my problems.
I have an application which is hosted on AWS instance and we used elastic load balancer with AWS SSL certificate. We used tomcat server. As we used AWS SSL certificate we have not configured 443 port on tomcat. Now we want to implement two way SSL certificate. I have searched for the same but most of the information is saying use SSLEnable=true in tomcat's server.xml but this will not work in my case. Can someone please help me in this situation to implement Two way SSL.
This is how i've setup it,
(server.xml)
<Connector
port="8081"
protocol="HTTP/1.1"
proxyPort="443"
scheme="https"
secure="true"
proxyName="mydomain.com"
connectionTimeout="50000"
URIEncoding="UTF-8"
redirectPort="8443" />
I have configured Tomcat Server (apache-tomcat-9.0.1) with self-signed certificate. On this added required configuration on server.xml, and copied .jks file on conf folder.
Create Self Signed Certificate
Configure Tomcat with SSL Stuff
HTTPS Works on browser as expected.
disableSSL Verification while making HttpsURLConnection call to fetch an REST API
Certificate Exception Stuff
Disable Certificate Exception
It works ! -
On Server.xml -= only 8443 port configured.
On Web Application Security Constraint Configured:
<security-constraint>
<web-resource-collection>
<web-resource-name>OVS</web-resource-name>
<!-- all URLs are protected -->
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<!-- redirect all requests to HTTPS -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Tomcat Server starts without showing any exception on anywhere.
But SSL/TLS communication not happening with Tomcat Server on using self-signed certificate ? . Wireshark captured the packets , expected to see TLS Packets or SSL Handshake But nothing, Only TCP Packets.
Why SSL Handshake not happening ?, Its like because Its verifying only SSL server certificate ? ( as Client Authentication is false )
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="150"
port="8443" keyAlias="london" keystoreFile="conf/londonkey.jks" keystorePass="sumit123"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Have you ever tested after configuring the self-signed certificate etc stuff to see If SSL/TLS Communication take place ?
Edit
AS Far as I know that to have SSL Communication between two network entity say A and B, both must have their own private key and public certificate, but on above we have configured only Server with Certificate and Private Key stuff nothing with Client ?, Please correct ?
I have checked various example : posts , but all talking about the generating the key and only configuring the Tomcat Server. For Test, Its talking like browser would be showing certificate exception , accept that exception and all would be set, No Where I found discussion about the actual TLS/SSL handshaking for which we actually configuring the Tomcat Server.
No, ssl cert in tomcat is not enough if non browser
Clients
Do two way ssl:
Import the cert of tomcat on client side and import
Client ‘s cert in tomcat
This way u can achieve 2way ssl
You just have to either create proper ssl context
or override javax.ssl.* which includes keystore
Keystore password and key password if any
That’s it
I have been trying to run my java spring project in HTTPS mode in my localhost.
The project works perfectly in HTTP but form some features, i need it to run in HTTPS
i have changed the default port to 8443 in the server.xml in tomcat. When i run the spring project, its URL shows https://localhost:8443 instead of localhost:8080 but the page does not load. It says page not found.
Please help me resolve this issue.
You need to set up a Connector that listens on port 8443 and a SSL certificate (keystore file in the example below, set the location as you see fit):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${user.home}/keystore" keystorePass="tomcat" keyAlias="tomcat"/>
You can buy a SSL certificate or locally sign it yourself (although you’ll get a browser exception that will ask manual confirmation to accept it). To do the latter you can use Java’s keytool.
I am doing following settings in server.xml in tomcat 6.0.26 and my url is opening with the following message "Server's certificate is not trusted","The site's security certificate is not trusted!" in chrome and "This Connection is Untrusted" in firefox .
<Connector port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/home/hcl/10.10.105.76.crt"
SSLCertificateKeyFile="/home/hcl/keystore.jks"
SSLCertificateChainFile="/home/hcl/ThawteServerCA.pem"
SSLPassword="changeitssl"
keystoreFile="/home/hcl/keystore.jks" keystorePass="changeitssl"
keyAlias="10.10.105.76"
socketFactory="org.apache.tomcat.net.SSLSocketFactory"
clientAuth="false" SSLProtocol="TLS"/>
How do i make SSL site using self signed and trusted certificates ?
What are the proper steps to create SSL enabled website in java-tomcat-jboss without prompting any certificate message ?
Basically you cannot make a self-signed SSL-certificate that is deemed trusted.
You can get free SSL-certificates though, that are trusted.
You can get one at: http://cert.startcom.org