SSL :Certificates to JVM keystore?
Scott Battaglia
scott.battaglia at gmail.com
Tue Sep 26 13:41:07 EDT 2006
I generally use the default keystoreFile:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS" />
-Scott
On 9/26/06, kike velez <kike_velez at hotmail.com> wrote:
>
>
> Hello,
>
> I did this:
>
> %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
> %JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file server.crt
> %JAVA_HOME%\bin\keytool -import -file server.crt -alias tomcat -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
>
> with Tomcat configuration like this:
>
> <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
>            port="8443" minProcessors="5" maxProcessors="75"
>            enableLookups="true" disableUploadTimeout="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="%JAVA_HOME%/jre/lib/security/cacerts"
>            keystorePass="changeit"/>
>
> but when I start Tomcat, it is always in a loop with this error:
>
> ..........................................
>
> SSLException: No available certificate or key corresponds to the
> SSL cipher suites which are enabled.
>
> ...........................................
>
> I was looking for a solution but always with the same error.
>
> SOLUTION:
>
> I did this:
>
> %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keystore %JAVA_HOME%/jre/lib/security/cacerts
>
> that is, I created the certificate directly in the JVM keystore, and Tomcat
> starts without problems now.
>
> Does anybody know this issue?
>
> Thanks in advance
>
>
>
>
> >From: "kike velez" <kike_velez at hotmail.com>
> >Reply-To: Yale CAS mailing list <cas at tp.its.yale.edu>
> >To: cas at tp.its.yale.edu
> >Subject: RE: SSL :Certificates to JVM keystore?
> >Date: Sun, 24 Sep 2006 20:26:46 +0200
> >
> >Thank you, Petro, for your reply and for clarifying my doubts.
> >
> >And yes. I think this information must be on the page
> >http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
> >
> >Thanks again
> >
> >
> > >From: "Andrew Petro" <apetro at unicon.net>
> > >Reply-To: Yale CAS mailing list <cas at tp.its.yale.edu>
> > >To: "'Yale CAS mailing list'" <cas at tp.its.yale.edu>
> > >Subject: RE: SSL :Certificates to JVM keystore?
> > >Date: Sat, 23 Sep 2006 19:39:24 -0700
> > >
> > >Hello,
> > >
> > >CAS is an authentication mechanism wherein the Central Authentication
> > >Service server serves as the "trusted intermediary" brokering authentication
> > >between participants. Participants need not trust one another so long as
> > >they all trust the CAS server.
> > >
> > >End users and their web browsers must trust the CAS server (otherwise the
> > >user shouldn't feel comfortable typing in her password!) They must also
> > >trust the channel of communication between one another. The standard way
> > >for securing the channel between browser and website is SSL. So it is
> > >obligatory that your CAS server be accessed by the end user over SSL.
> > >
> > >The "client application", the non-CAS web application that the user's really
> > >trying to authenticate to, must also trust the CAS server (otherwise it
> > >shouldn't care who the CAS server says the user is). And it must trust the
> > >channel whereby it communicates with the CAS server. The standard way for
> > >securing the channel over which web requests are fulfilled (and CAS services
> > >are really lightweight XML over HTTP "web services") is SSL. So it is
> > >obligatory that your CAS server offer the ticket validation services over
> > >SSL.
> > >
> > >SSL is a public key encryption technology. If you pay a good chunk of money
> > >for a "real" commercial SSL certificate, then it will be signed by a
> > >certifying authority that "everyone" trusts implicitly and it just works.
> > >For your real production CAS server it makes a lot of sense to throw money
> > >at this problem and buy such an SSL certificate, with the resulting improved
> > >user factors both for end users and applications using CAS.
> > >
> > >For smaller CAS deployments and certainly in development it makes a lot of
> > >sense to use a "self-signed" certificate. Since self-signed SSL
> > >certificates are essentially just made up on the fly, it is necessary to
> > >distribute the corresponding public key. Your self-signed SSL cert is only
> > >meaningful to me inasmuch as I have by a secure mechanism already received
> > >the corresponding public key.
> > >
> > >For Java web applications, installing that public key into the JVM keystore
> > >of the client application will result in the Java CAS client in the client
> > >application being able to verify the security of the channel (SSL) between
> > >it and the CAS server and so it will be able to validate service tickets.
> > >
> > >
> > >That was a long way of saying "Yes, it is necessary to import the public key
> > >portion of the SSL certificate into the JVM keystore of any client Java web
> > >applications using your CAS server, unless your SSL certificate is
> > >implicitly trusted by virtue of its being expensive."
> > >
> > >And of course, whether you have a self-signed certificate or a commercial
> > >certificate, you will need to install it into your Tomcat keystore for your
> > >CAS server so that it can offer the CAS web application over SSL, if Tomcat
> > >is going to be your SSL endpoint. (Apache, or some expensive hardware box
> > >in front of your CAS server, might instead be your SSL endpoint for your CAS
> > >server.)
> > >
> > >Does this help any?
> > >
> > >Would it help if something very much like the above were pasted atop the CAS
> > >documentation page on SSL considerations?
> > >
> > >http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
> > >
> > >Andrew
> > >
> > > > -----Original Message-----
> > > > From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On
> > > > Behalf Of kike velez
> > > > Sent: Saturday, September 23, 2006 3:50 PM
> > > > To: cas at tp.its.yale.edu
> > > > Subject: SSL :Certificates to JVM keystore?
> > > >
> > > > Hello
> > > >
> > > > I looked for this question in the archive but I don't have this issue
> > > > clear.
> > > >
> > > > Is it obligatory to import the SSL certificates into the JVM keystore?
> > > > If the answer is yes, why?
> > > >
> > > > I looked in the Tomcat documentation and I don't see anything about it.
> > > >
> > > > Thanks in advance
> > >
> > >
> > >_______________________________________________
> > >Yale CAS mailing list
> > >cas at tp.its.yale.edu
> > >http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
>
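An added example, not from this thread or from the CAS or Tomcat projects: a small Java program that opens a keystore and reports, for each alias, whether it holds a private key (what `keytool -genkey` creates) or only a trusted certificate (what `keytool -import -file server.crt` creates). That distinction is the cause of the SSLException quoted above: Tomcat's `keystoreFile` must contain a private-key entry for the server, and a `cacerts` file that only received the exported `server.crt` has nothing but a trusted-certificate entry, so no key matches any enabled cipher suite. The class name, the command-line arguments and the default password `changeit` are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Lists the entries of a JKS or PKCS12 keystore and says whether the file can
 * serve as a Tomcat keystoreFile (it needs at least one private-key entry) or
 * is only a trust store (trusted-certificate entries, like cacerts).
 * Example code written for this thread; not part of CAS or Tomcat.
 */
public class KeystoreEntryCheck {

    /** Summary of one keystore entry. */
    public static final class Entry {
        public final String alias;
        public final boolean privateKey;   // true for a PrivateKeyEntry
        public final String subject;       // subject DN of the (first) certificate

        Entry(String alias, boolean privateKey, String subject) {
            this.alias = alias;
            this.privateKey = privateKey;
            this.subject = subject;
        }

        @Override
        public String toString() {
            return alias + " : " + (privateKey ? "PrivateKeyEntry" : "trustedCertEntry")
                    + " : " + subject;
        }
    }

    /** Loads the keystore at {@code path} with {@code password} and describes its entries. */
    public static List<Entry> listEntries(String path, char[] password)
            throws IOException, GeneralSecurityException {
        // The default type (jks on older JDKs, pkcs12 on newer ones) reads both formats.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<Entry> entries = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // For a key entry this is the leaf of the chain; for a trusted entry the cert itself.
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            entries.add(new Entry(alias, ks.isKeyEntry(alias), subject));
        }
        return entries;
    }

    /** True if at least one entry carries a private key, i.e. Tomcat could serve TLS from it. */
    public static boolean usableAsServerKeystore(List<Entry> entries) {
        for (Entry e : entries) {
            if (e.privateKey) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java KeystoreEntryCheck <keystore-file> [password]");
            System.exit(2);
        }
        // "changeit" is the well-known default for cacerts; pass your own password otherwise.
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        List<Entry> entries = listEntries(args[0], password);
        for (Entry e : entries) {
            System.out.println(e);
        }
        if (usableAsServerKeystore(entries)) {
            System.out.println("OK: a private key is present; Tomcat can use this file as keystoreFile.");
        } else {
            System.out.println("Trust store only: no private key, so Tomcat would report "
                    + "\"No available certificate or key corresponds to the SSL cipher suites\".");
        }
    }
}
```

Run it against the two keystores from the thread, `java KeystoreEntryCheck %JAVA_HOME%/jre/lib/security/cacerts changeit` and `java KeystoreEntryCheck %USERPROFILE%\.keystore changeit` (the file `keytool -genkey` writes when no `-keystore` is given), and the alias `tomcat` shows up as `trustedCertEntry` in the first and `PrivateKeyEntry` in the second, which is why the first Tomcat configuration failed and the `-genkey -keystore cacerts` variant started. The caveat a practitioner would add to that workaround: `cacerts` is the JVM's trust store, readable by every Java process on the host and protected by a default password, so the server's private key does not belong in it. The layout Andrew Petro's reply describes is the safer one: keep the private key in a dedicated Tomcat keystore with its own password and point `keystoreFile` at that, and import only the exported public certificate (`server.crt`) into the `cacerts` of the client JVMs that must trust the CAS server.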