<td>Set this value to <code>true</code>
if you want Tomcat to require
all SSL clients to present a client Certificate in order to use
this socket. Set this value to <code>want</code> if you want Tomcat
to request a client Certificate, but not fail if one isn't presented.
</td>
</tr>
<tr>
<td>SSLEnabled</td>
<td>
Use this attribute to enable SSL traffic on a connector.
To turn on SSL handshake/encryption/decryption on a connector
set this value to <code>true</code>.
The default value is <code>false</code>.
When turning this value <code>true</code> you will want to set the
<code>scheme</code> and the <code>secure</code>
attributes as well
to pass the correct <code>request.getScheme()</code> and
<code>request.isSecure()</code> values to the servlets.
</td>
</tr>
<tr>
<td>keystoreFile</td>
<td>Add this attribute if the keystore file you created is not in
the default place that Tomcat expects (a file named
<code>.keystore</code> in the user home directory under
which Tomcat is running). You can specify an absolute pathname,
or a relative pathname that is resolved against the
<code>$CATALINA_BASE</code> environment variable.</td>
</tr>
<tr>
<td>keystorePass</td>
<td>Add this attribute if you used a different keystore (and Certificate)
password than the one Tomcat expects (<code>changeit</code>).</td>
</tr>
<tr>
<td>keystoreType</td>
<td>Add this attribute if using a keystore type other than
<code>JKS</code>.</td>
</tr>
<tr>
<td>sslProtocol</td>
<td>The encryption/decryption protocol to be used on this socket.
It is not recommended to change this value if you are using Sun's
JVM. It is reported that IBM's 1.4.1 implementation
of the TLS protocol is not compatible with some popular browsers.
In this case, use the value <code>SSL</code>.</td>
</tr>
<tr>
<td>ciphers</td>
<td>The comma separated list of encryption ciphers that this socket is
allowed to use. By default, any available cipher is allowed.</td>
</tr>
<tr>
<td>algorithm</td>
<td>The X509
algorithm to use. This defaults to the Sun
implementation (<code>SunX509</code>). For IBM JVMs you should use
the value <code>IbmX509</code>. For other vendors, consult the JVM
documentation for the correct value.
</td>
</tr>
<tr>
<td>truststoreFile</td>
<td>The TrustStore file to use to validate client certificates.</td>
</tr>
<tr>
<td>truststorePass</td>
<td>The password to access the TrustStore. This defaults to the value
of <code>keystorePass</code>.</td>
</tr>
<tr>
<td>truststoreType</td>
<td>Add this attribute if you are using a different format for the
TrustStore than you are using for the KeyStore.</td>
</tr>
<tr>
<td>keyAlias</td>
<td>Add this attribute if you have more than one key in the KeyStore.
If the attribute is not present the first key read in the KeyStore
will be used.</td>
</tr>
</table>
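<p>As an added example (it is not part of the HOW-TO), here is how the attributes
in the table above combine into <code>&lt;Connector&gt;</code> elements in
<code>server.xml</code>. The first connector serves ordinary HTTPS; the second
additionally requires a client certificate and validates it against a trust store
kept separate from the key store, so that adding a trusted CA never touches the
server's private key. The port numbers, file names and the <code>changeit</code>
passwords are placeholders; <code>port</code>, <code>protocol</code> and
<code>maxThreads</code> are standard connector attributes that the table does not
describe, and the <code>ciphers</code> names must be suites your JVM actually
supports (the table notes that leaving <code>ciphers</code> unset allows any
available cipher).</p>

```xml
<!-- Added example, not from the Tomcat HOW-TO: two HTTPS connectors.
     Port numbers, key/trust store paths and the "changeit" passwords are
     placeholders; port, protocol and maxThreads are standard connector
     attributes not covered by the attribute table. -->

<!-- 1. Plain HTTPS on 8443: server certificate only, default client handling. -->
<Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/tomcat.jks" keystorePass="changeit"
           keystoreType="JKS" keyAlias="tomcat"
           sslProtocol="TLS" />

<!-- 2. Mutual TLS on 8444: every client must present a certificate that
        chains to a CA in conf/trust.jks.  clientAuth="want" instead of
        "true" would request the certificate but let the handshake succeed
        without one, leaving the decision to the application. -->
<Connector port="8444" protocol="HTTP/1.1" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/tomcat.jks" keystorePass="changeit"
           keystoreType="JKS" keyAlias="tomcat"
           clientAuth="true"
           truststoreFile="conf/trust.jks" truststorePass="changeit"
           truststoreType="JKS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
           sslProtocol="TLS" />
```

<p>Note that <code>truststorePass</code> is written out even though it defaults to
<code>keystorePass</code>: once the two stores are separate files, giving them
the same password by accident is the kind of coupling that is easy to miss later.</p>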
<p>After completing these configuration changes, you must restart Tomcat as
you normally do, and you should be in business. You should be able to access
any web application supported by Tomcat via SSL. For example, try:</p>
<source>
https://localhost:8443
</source>
<p>and you should see the usual Tomcat splash page (unless you have modified
the ROOT web application). If this does not work, the following section
contains some troubleshooting tips.</p>
</subsection>
</section>
<section name="Installing a Certificate from a Certificate Authority">
<p>To obtain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com
or trustcenter.de) you should have read the previous section and then follow these instructions:</p>
<subsection name="Create a local Certificate Signing Request (CSR)">
<p>In order to obtain a Certificate from the Certificate Authority of your choice
you have to create a so called Certificate Signing Request (CSR). That CSR will be used
by the Certificate Authority to create a Certificate that will identify your website
as "secure". To create a CSR follow these steps:</p>
<ul>
<li>Create a local Certificate (as described in the previous section):
<source>keytool -genkey -alias tomcat -keyalg RSA \
-keystore &lt;your_keystore_filename&gt;</source>
Note: enter the fully qualified host name of your website (e.g. <code>www.myside.org</code>),
not a person's name, in the field "first and last name". It becomes the Common Name of
the Certificate, which clients compare against the host name they connect to; a
Certificate issued for any other name will not be accepted for your site.
</li>
<li>The CSR is then created with:
<source>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
-keystore &lt;your_keystore_filename&gt;</source>
</li>
</ul>
<p>Now you have a file called certreq.csr
that you can submit to the Certificate Authority (look at the
documentation of the Certificate Authority website on how to do this). In return you get a Certificate.</p>
</subsection>
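<p>The two <code>keytool</code> steps above, carried through to a usable keystore, as an
added example that is not part of the HOW-TO. Because a real Certificate Authority cannot be
scripted, a throwaway local CA (alias <code>ca</code>, keystore <code>ca.jks</code>) signs
the request with <code>keytool -gencert</code>. The script then goes beyond the steps above and
performs the import order described in the next subsection (the CA's certificate first,
then the issued certificate) and checks the outcome by listing alias <code>tomcat</code>,
which is also the quickest way to confirm that the alias named by <code>keyAlias</code>
exists at all. It assumes <code>keytool</code> from a JDK is on the <code>PATH</code>; the
host name <code>www.example.org</code>, the distinguished names and all file names are
assumptions, not values from the HOW-TO.</p>

```shell
#!/bin/sh
# Added example, not part of the Tomcat HOW-TO: the CSR steps above, carried
# through to an imported certificate.  A throwaway local CA (alias "ca",
# keystore ca.jks, signing with `keytool -gencert`) stands in for the real
# Certificate Authority so that everything runs offline.  The host name
# www.example.org, the DN values and all file names are assumptions.
set -eu

STOREPASS=changeit     # the password the HOW-TO's default connector expects
SERVER_DN='CN=www.example.org, OU=Web, O=Example, C=US'  # CN = site host name
CA_DN='CN=Example Test CA, O=Example, C=US'

# 1. Throwaway CA: self-signed key pair marked as a CA (critical BasicConstraints),
#    plus its exported certificate, which plays the CA's published "Chain/Root
#    Certificate".
make_ca() {
    dir=$1
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
        -dname "$CA_DN" -ext bc:c -keystore "$dir/ca.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
    keytool -exportcert -rfc -alias ca -keystore "$dir/ca.jks" \
        -storepass "$STOREPASS" -file "$dir/ca.pem" >/dev/null 2>&1
}

# 2. The HOW-TO's two steps: local key pair under alias "tomcat", then the CSR.
#    -dname replaces keytool's interactive "first and last name" prompts.
make_csr() {
    dir=$1
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 30 \
        -dname "$SERVER_DN" -keystore "$dir/tomcat.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
    keytool -certreq -alias tomcat -file "$dir/certreq.csr" \
        -keystore "$dir/tomcat.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# 3. What the CA does with certreq.csr: sign it, adding the SAN that browsers
#    match against the host name (the CN alone is no longer enough).
sign_csr() {
    dir=$1
    keytool -gencert -alias ca -keystore "$dir/ca.jks" -storepass "$STOREPASS" \
        -infile "$dir/certreq.csr" -outfile "$dir/tomcat.cer" -validity 30 \
        -ext san=dns:www.example.org >/dev/null 2>&1
}

# 4. Import in the order the HOW-TO prescribes: CA certificate first (alias
#    "root"), then the reply for "tomcat".  keytool rejects the reply unless it
#    can chain it to a certificate it already trusts, so swapping the order fails.
import_reply() {
    dir=$1
    keytool -importcert -noprompt -trustcacerts -alias root -file "$dir/ca.pem" \
        -keystore "$dir/tomcat.jks" -storepass "$STOREPASS" >/dev/null 2>&1
    keytool -importcert -noprompt -trustcacerts -alias tomcat -file "$dir/tomcat.cer" \
        -keystore "$dir/tomcat.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Check: before the import, alias "tomcat" holds one self-signed certificate;
# after a successful import it holds the chain server cert + CA cert (length 2).
# The same listing shows whether the alias named by keyAlias exists at all.
chain_length() {
    keystore=$1
    keytool -list -v -alias tomcat -keystore "$keystore" -storepass "$STOREPASS" \
        2>/dev/null | sed -n 's/^Certificate chain length: *//p'
}

run_demo() {
    dir=$1
    make_ca "$dir"
    make_csr "$dir"
    sign_csr "$dir"
    import_reply "$dir"
    chain_length "$dir/tomcat.jks"
}

if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    echo "certificate chain length for alias tomcat: $(run_demo "$work")"  # 2
else
    echo "keytool not found; install a JDK to run this example" >&2
fi
```

<p>With a commercial CA, steps 1 and 3 are replaced by uploading <code>certreq.csr</code>
and downloading the issued certificate and the CA's chain certificate; steps 2 and 4 and
the final check are the same. The resulting <code>tomcat.jks</code> is what
<code>keystoreFile</code>, <code>keystorePass</code> and <code>keyAlias</code> point at.</p>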
<subsection name="Importing the Certificate">
<p>Now that you have your Certificate you can import it into your local keystore.
First of all you have to import a so called Chain Certificate or Root Certificate into your keystore.
After that you can proceed with importing your Certificate.</p>
<ul>
<li>Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.</li>
</ul>
</subsection>
</section>
<section name="Troubleshooting">
<ul>
<li>
<blockquote>
<p><code>&lt;Factory&gt;</code>
element in the <a href="#Edit the Tomcat Configuration File">Tomcat
configuration file</a>.</p>
</blockquote>
</li>
<li>When Tomcat starts up, I get an exception like
"java.io.FileNotFoundException: Keystore was tampered with, or
password was incorrect".
<blockquote>
<p>Assuming that someone has not actually tampered with
your keystore file, the most likely cause is that Tomcat is using
a different password than the one you used when you created the
keystore file. To fix this, you can either go back and
<a href="#Prepare the Certificate Keystore">recreate the keystore
file</a>, or you can add or update the <code>keystorePass</code>
attribute on the <code>&lt;Connector&gt;</code> element in the
<a href="#Edit the Tomcat Configuration File">Tomcat configuration
file</a>. <strong>REMINDER</strong> - Passwords are case sensitive!</p>
</blockquote>
</li>
<li>When Tomcat starts up, I get an exception like
"java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
available certificate or key corresponds to the SSL cipher suites which are
enabled."
<blockquote>
<p>A likely explanation is that Tomcat cannot find the alias for the server
key within the specified keystore. Check that the correct
<code>keystoreFile</code> and <code>keyAlias</code>
are specified in the
<code>&lt;Connector&gt;</code> element in the
<a href="#Edit the Tomcat Configuration File">Tomcat configuration file</a>.
<strong>REMINDER</strong> - <code>keyAlias</code>
values may be case
sensitive!</p>
</blockquote>
</li>
</ul>
<p>If you are still having problems, a good source of information is the
<strong>TOMCAT-USER</strong> mailing list. You can find pointers to archives
of previous messages on this list, as well as subscription and unsubscription
information, at
<a href="http://tomcat.apache.org/lists.html">http://tomcat.apache.org/lists.html</a>.</p>
</section>
<section name="Miscellaneous Tips and Bits">
<p>To access the SSL session ID from the request, use:</p>
</section>

<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!DOCTYPE document [
  <!ENTITY project SYSTEM "project.xml">
]>
<document url="ssl-howto.html">
&project;
<properties>
<author email="ccain@apache.org">Christopher Cain</author>
<author email="yoavs@apache.org">Yoav Shapira</author>
<title>SSL Configuration HOW-TO</title>
</properties>
<body>
<section name="Quick Start">
<p><b>IMPORTANT NOTE: This Howto refers to usage of JSSE, that comes included
with jdk 1.5 and higher. When using APR, Tomcat will use OpenSSL, which uses
a different configuration.</b></p>
<blockquote><em>
<p>The description below uses the variable name $CATALINA_HOME to refer to the
directory into which you have installed Tomcat 6, and is the base directory
against which most relative paths are resolved. However, if you have configured
Tomcat 6 for multiple instances by setting a CATALINA_BASE directory, you should
use $CATALINA_BASE instead of $CATALINA_HOME for each of these references.</p>
</em></blockquote>
<p>To install and configure SSL support on Tomcat 6, you need to follow these
simple steps. For more information, read the rest of this HOW-TO.</p>
<ol>
<li>Create a certificate keystore by executing the following command:
<p>Windows:</p>
<source>
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
</source>
<p>Unix:</p>
<source>
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
</source>
<p>and specify a password value of "changeit".</p>
</li>
</ol>
</section>
</body>
</document>
Copyright 1998-2021 Alvin Alexander, alvinalexander.com
All Rights Reserved.