Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Tomcat7 HTTPS on 12.1

  1. #1

    Default Tomcat7 HTTPS on 12.1

    Hi, I hope this is the right place to report an issue with Tomcat7 (published under Java project). Installation of 12.1 fresh from DVD is straightfoward, launch Firefox and use 1-Click install function to add Tomcat7 into repository, then start the service. It is painless and just work as expected. So I did test on http://localhost:8080, no issue then I move on enabling https by customizing server.xml, then use keytool to generate self-sign certs and restart tomcat7 service.

    For your ref, this is the keytool command I used and server.xml config.

    keytool -genkeypair -keyalg RSA -alias tomcat -keystore testkey -validity 999 -keysize 2048

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="200" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/usr/share/tomcat7/webapps/testkey"
    keystorePass="testme" />

    Looking at catalina.out, here's the error.

    Dec 27, 2011 9:26:29 AM org.apache.coyote.AbstractProtocol init
    SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
    java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:472)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:498)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:909)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:596)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
    Dec 27, 2011 9:26:29 AM org.apache.catalina.core.StandardService initInternal
    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:596)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:911)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
    Caused by: java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:472)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:498)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:909)
    ... 13 more

    Once I connect https://localhost:8443, my browser status keeps "connecting" and never get any respond from website. When I check local netstat port, 8443 is listening.

    tcp 1 0 :::8443 :::* LISTEN

    I tried to install twice fresh from DVD, still end up with same issue. Any thoughts here?

    Thank you and Happy New Year!

  2. #2
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Tomcat7 HTTPS on 12.1

    Sounds like you need to read this, particularly the part about the difference between JSSE and APR.

    Apache Tomcat 7 (7.0.23) - SSL Configuration HOW-TO

  3. #3

    Default Re: Tomcat7 HTTPS on 12.1

    Hmm, I am toying with Java SSL blocking and non-blocking config, both shows different result and I still can't connect via 8443.

    Server xml: <Connector protocol="org.apache.coyote.http11.Http11Protocol" ....>

    SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]

    Server xml: <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" .../>
    SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]

    Does anyone have the simplest server.xml config using JSSE? What's the default tomcat7 "package" downloaded from Opensuse come with? JSSE or APR?

    Cheers!

  4. #4
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Tomcat7 HTTPS on 12.1

    As the instructions state, Tomcat usually uses APR, so you should use regular cert files instead of keystores. You just need to export the cert in the keystore and follow the instructions for APR.

  5. #5

    Default Re: Tomcat7 HTTPS on 12.1

    Thanks Ken. The keystore cert "testkey"

    keystoreFile="/usr/share/tomcat7/webapps/testkey

    is generated from OpenSSL (not keytool) so it is definitely PKCS12 format but it doesn't work either. I just want to make sure my server.xml is correct, can you post yours for my reference?

  6. #6
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Tomcat7 HTTPS on 12.1

    I don't actually have a Tomcat 7 server. I only looked at your problem out of curiosity about what I would have to do if a paying customer asked me to set a Tomcat 7 server up. Sorry to disappoint you about that amount of help I can offer.

  7. #7

    Default Re: Tomcat7 HTTPS on 12.1

    Quote Originally Posted by ken_yap View Post
    I don't actually have a Tomcat 7 server. I only looked at your problem out of curiosity about what I would have to do if a paying customer asked me to set a Tomcat 7 server up. Sorry to disappoint you about that amount of help I can offer.
    I had the same problem so I don't want to make a new topic. I downloaded Tomcat7 to may /opt folder. It run well with default cofig in HTTP. However when a change to HTTPS, I got them same error like above. I tried a lot of way. I also checked with netstat command. There is a service running in TCP 8443 and when I connect https://localhost:8443 it show "Connected to localhost" but nothing happen. It waiting forever....
    Please help me because I don't know what is the essential problem? OpenSUSE? my config(very similar above)? or Tomcat7?
    It really make me confuse
    Thanks!

  8. #8

    Default Re: Tomcat7 HTTPS on 12.1

    Could you post the commands you used to generate certs, where you put
    them, the path of the keystore (that's how I setup HTTPS in Tomcat 7
    recently, anyway), and your server.xml configuration for 8443?

    Good luck.

  9. #9

    Default Re: Tomcat7 HTTPS on 12.1

    Quote Originally Posted by ab View Post
    Could you post the commands you used to generate certs, where you put
    them, the path of the keystore (that's how I setup HTTPS in Tomcat 7
    recently, anyway), and your server.xml configuration for 8443?

    Good luck.
    Thanks for your reply!
    This my command:
    Code:
     %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA \
      -keystore \home\bosua\caskey\casserver.keystore
    That's mean I put it a folder \home\bosua\caskey\ which named is casserver.keystore
    And this is my server.xml
    Code:
    <?xml version='1.0' encoding='utf-8'?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at
    
          http://www.apache.org/licenses/LICENSE-2.0
    
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <!-- Note:  A "Server" is not itself a "Container", so you may not
         define subcomponents such as "Valves" at this level.
         Documentation at /docs/config/server.html
     -->
    <Server port="8005" shutdown="SHUTDOWN">
      <!-- Security listener. Documentation at /docs/config/listeners.html
      <Listener className="org.apache.catalina.security.SecurityListener" />
      -->
      <!--APR library loader. Documentation at /docs/apr.html -->
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
      <Listener className="org.apache.catalina.core.JasperListener" />
      <!-- Prevent memory leaks due to use of particular java/javax APIs-->
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
    
      <!-- Global JNDI resources
           Documentation at /docs/jndi-resources-howto.html
      -->
      <GlobalNamingResources>
        <!-- Editable user database that can also be used by
             UserDatabaseRealm to authenticate users
        -->
        <Resource name="UserDatabase" auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                  pathname="conf/tomcat-users.xml" />
      </GlobalNamingResources>
    
      <!-- A "Service" is a collection of one or more "Connectors" that share
           a single "Container" Note:  A "Service" is not itself a "Container",
           so you may not define subcomponents such as "Valves" at this level.
           Documentation at /docs/config/service.html
       -->
      <Service name="Catalina">
    
        <!--The connectors can use a shared executor, you can define one or more named thread pools-->
        <!--
        <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
            maxThreads="150" minSpareThreads="4"/>
        -->
    
    
        <!-- A "Connector" represents an endpoint by which requests are received
             and responses are returned. Documentation at :
             Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
             Java AJP  Connector: /docs/config/ajp.html
             APR (HTTP/AJP) Connector: /docs/apr.html
             Define a non-SSL HTTP/1.1 Connector on port 8080
        -->
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
        <!-- A "Connector" using the shared thread pool
      
        <Connector executor="tomcatThreadPool"
                   port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
       -->
        <!-- Define a SSL HTTP/1.1 Connector on port 8443
             This connector uses the JSSE configuration, when using APR, the
             connector should be using the OpenSSL style configuration
             described in the APR documentation -->
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    
        maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" 
        keystoreFile="/home/bosua/caskey/casserver.keystore"
        keystorePass="changeit" 
        keystoreAlias="casserver"/>
      
    
        <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    
    
        <!-- An Engine represents the entry point (within Catalina) that processes
             every request.  The Engine implementation for Tomcat stand alone
             analyzes the HTTP headers included with the request, and passes them
             on to the appropriate Host (virtual host).
             Documentation at /docs/config/engine.html -->
    
        <!-- You should set jvmRoute to support load-balancing via AJP ie :
        <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
        -->
        <Engine name="Catalina" defaultHost="localhost">
    
          <!--For clustering, please take a look at documentation at:
              /docs/cluster-howto.html  (simple how to)
              /docs/config/cluster.html (reference documentation) -->
          <!--
          <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
          -->
    
          <!-- Use the LockOutRealm to prevent attempts to guess user passwords
               via a brute-force attack -->
          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <!-- This Realm uses the UserDatabase configured in the global JNDI
                 resources under the key "UserDatabase".  Any edits
                 that are performed against this UserDatabase are immediately
                 available for use by the Realm.  -->
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                   resourceName="UserDatabase"/>
          </Realm>
    
          <Host name="localhost"  appBase="webapps"
                unpackWARs="true" autoDeploy="true">
    
            <!-- SingleSignOn valve, share authentication between web applications
                 Documentation at: /docs/config/valve.html -->
            <!--
            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
            -->
    
            <!-- Access log processes all example.
                 Documentation at: /docs/config/valve.html
                 Note: The pattern used is equivalent to using pattern="common" -->
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="localhost_access_log." suffix=".txt"
                   pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    
          </Host>
        </Engine>
      </Service>
    </Server>
    I changed it to red color the XML element which I was modified.
    By the way, I do it follow this link Apache Tomcat 7 (7.0.41) - SSL Configuration HOW-TO

    Thank you again!

  10. #10

    Default Re: Tomcat7 HTTPS on 12.1

    > Thanks for your reply!
    > This my command:
    >
    > Code:
    > --------------------
    > %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA \
    > -keystore \home\bosua\caskey\casserver.keystore
    > --------------------


    Um.... what's the the backslashes? If you really used those, then this
    command almost certainly failed for a number of reasons. The environment
    variable looks wrong (should be $JAVA_HOME) and the path with escaped
    literal characters likely doesn't exist. Thank-you for using Code tags
    around things, though; that is a great practice.

    Try this command to see if a keystore actually exists where you think it
    does to list its contents:

    Code:
    ----------
    $JAVA_HOME/bin/keytool -list -keystore /home/bosua/caskey/casserver.keystore
    ----------

    > That's mean I put it a folder \home\bosua\caskey\ which named is
    > casserver.keystore


    Again, the incorrect use of escapes/backslashes does not instill
    confidence in the actions taken. Maybe it's just a typo, but we need to
    verify to avoid wild goose chases.


    > * <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    > maxThreads="150" scheme="https" secure="true"
    > clientAuth="false" sslProtocol="TLS"
    > keystoreFile="/home/bosua/caskey/casserver.keystore"
    > keystorePass="changeit"
    > keystoreAlias="casserver"/>*


    Here's mine, which is working:

    Code:
    ----------
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/home/user/apps/apache-tomcat-7.0.41/.keystore"
    keystorePass="secretHere"
    truststoreFile="/home/user/apps/apache-tomcat-7.0.41/.truststore"
    truststorePassword="changeit" />
    ----------

    This is a little more complex because I'm using both a keystore (for SSL
    certs including a private key) and a truststore (for things requiring a
    truststore), so ignore the truststore part. What I see different is a
    lack of keystoreAlias in my example, for whatever that's worth (I've never
    seen/used that before).

    From the server try the following command to test the 8443 port:

    Code:
    ----------
    openssl s_client -connect ip.addr.goes.here:8443 -showcerts </dev/null
    ----------

    Good luck.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •