I am trying to verify if the client certificate (self-signed) which I generated with openssl is valid. I have created client certificate, client private key, client keystore, and server certificate, server private key, server keystore and server truststore.
I am trying to use the generated server key and certificate in Tomcat by putting the following in server.xml:
<Connector port="8443"
maxThreads="150"
scheme="https"
secure="true"
SSLEnabled="true"
truststoreFile="C:\New keys\Server\truststore.jks"
truststorePass="......"
keystoreFile="C:\New keys\Server\keystore_server"
keystorePass="......."
clientAuth="true"
keyAlias="......."
sslProtocol="TLS"/>
I have also added client certificate in Google Chrome.
But when I try to visit http://localhost:8443/ I get the error localhost refused to connect.
I added an inbound rule windows firewall to allow port 8443, yet, after doing this, when I test whether the port is open or closed with online tools, it shows that port 8443 is closed.
How do I open this port? Or is there anything else I can do to solve this?
Related
I have a tomcat server with microservice wars, one WAR that connects with another system, another system requires client authentication, and i have the certificate how to load the certificate with the communication with that system, i tried to use this certificate in the HTTPS encription but failed,
kindly advice i want to load a certififcate if the tomcat will connect with a certain URL,
i mean that the tomcat will be the client not the server,
i know how to make tomcat require client authentication as a server but if there is another system and the tomcat here is the client, how to insert the certificate in tomcat,
the application is java, and the os is linus redhat 7
i tried to inst the certificate to OS level and cacert but same
I'm at a loss since I'm not a Tomcat person. I use tomcat as a webserver for our Java application and now we are trying to integrate with one of our customers and they require Client Authentication via SSL, so they generated and issued me an SSL certificate to use it in tomcat during the communicating with their system. Unfortunately, this is as far as they support it and cannot give me any direction on how to actually use it.
So what I have is a Java application, a Tomcat app server running 8 on rehat 7, and the .p12 cert from the local CA from customer side.
now i have 2 certificates one for SSL and another as client authentication, how to define the client authentication and attache it with my communication dealing with another system, I tried to use SSLCACertificateFile attribute but no luck,
Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8446" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="fileto.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreType="PKCS12" SSLCACertificateFile="CAfileto_T.p12" SSLCACertificatePass="changeit"
Realm className="org.apache.catalina.realm.LockOutRealm"
Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"
For some reason on one of my servers, SSL with mutual auth is not enforced.
The same server.xml config on another server does end up enforcing it.
So I am reaching out to you guys, do you know why this server.xml configuration allows the user to access the page WITHOUT asking for an SSL client certificate?
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
server="Apache" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="path-to-server-ssl-keystore" keystorePass="hidden"
clientAut="true" sslProtocol="TLS" truststoreFile="path-to-truststore" truststorePass="hidden"/>
My trustore contains only one Certificate (I ensured that to make sure my testing was valid), and my HMTL client is NOT configure with this certificate.
When I reach to https://URL:8444/webappname/foo.html, it works!
As you can see in the wireshark trace below, the server is not asking for the client certificate.
On the other servers, I see the server asking for a Client certificate, as shown here:
At the moment I am simply trying to ensure the mutual auth is enforced so I am expecting to see an SSL error.
Any input would be welcome, thanks in advance.
I've been trying to configure SSL for Tomcat 8.5 server on the school I work to use HTTPS protocol. Since we haven't buy a certificate with a CA, I used certbot to get a free one. I did some configuration and my Tomcat is serving on HTTP but not yet on HTTPS, and there are no errors on the logs. Here is what I did.
-The Tomcat 8.5 is installed on Windows server 2012. It has worked perfectly for 2 years serving applications on regular HTTP.
-Certbot does not support Windows, therefore, I had to install Ubuntu 16.04 on a VM.
-I installed certboot successfully on Ubuntu.
-I used the folowing command to get my certbot certificates:
sudo certbot certonly --preferred-challenges http --manual -d theDomainOfMySchool.com
-After succeeding the ACME challenge, I got these 4 .pem files: cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem.
-All 4 files are clear text in base64 like this extract I’m pasting here:
-----BEGIN CERTIFICATE-----
MIIFYTCCBEmgAwIBAgISAwyxKh7NQWpNnH6w2enPbOlxMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
-After fighting a while with permissions to copy the 4 files from /etc/letsencrypt/archive, I placed them in the folder of my Tomcat server in Windows.
-I configured Tomcat with the following nodes on server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/cert/certbot_gallery/privkey1.pem"
certificateFile="conf/cert/certbot_gallery/cert1.pem"
certificateChainFile="conf/cert/certbot_gallery/chain1.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-When I start my Tomcat, there are no errors on the logs.
-The server starts fine and serves on HTTP with no problem.
-When I try to access the applications through HTTPS I get ERR_CONNECTION_RESET on the browser.
What am I doing wrong. Are this kind of certificates not suitable for this Tomcat connector? Am I missing any configuration?
Thank you all.
Solved! As it turns out, I'm an as$. The configuration on my server.xml is wrong. The connector for Http11NioProtocol should use the port 443 (which is the default for HTTPS), instead of 8443.
The rest of the configuration and the request of the certs on certboot is OK.
I think the use of 8443 is in case that your Tomcat is behind Apache or something else. Since I'm using directly, and only, Tomcat, the connector port should be 443.
Also, make sure that your firewall allows 443 port.
I have developed a Rest service and deployed it in tomcat 8 server. It is working fine with http URL. I have a requirement to install SSL certificate for the server.
But there is already a service running on this server which has SSL certificate.
Now my questions are
1) do I need to install another SSL certificate for the same server ?
2) How do i find that previously installed certificate belongs to server or service ?
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
Kindly help me techies.
1) do I need to install another SSL certificate for the same server ?
Probably not, depending of the kind of the SSL service running. You need to stablish a connector from the SSL service to Tomcat to forward SSL requests in a path. Usually in Tomcat is done using the AJP connector and is not needed extra configuration. Check the documentation of the SSL Service
2) How do i find that previously installed certificate belongs to server or service ?
An SSL certificate is issued to a host name (Or infrequently to an IP), so it will be valid for the entire server
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
If the previous SSL service is running in the standard port 443, you will need a new port. Configure a new connector in server.xml with the port, ssl activated and the keystore with the certificate chain. See https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
I'm trying to haproxy work in ssl mode with 2 tomcat instances on different VMs (see my previous question: HAProxy load balancing with tomcat SSL).
Currently, I managed to get haproxy to work with the following configuration:
defaults
log 127.0.0.1 local0
option tcplog
frontend ft_test
mode http
bind 0.0.0.0:8443 ssl crt haproxy.pem
timeout client 120000ms
default_backend bk
backend bk
mode http
cookie JSESSIONID prefix
server s1 vm1:80 cookie JSESSIONID_SERVER_1 check maxconn 32
server s2 vm2:80 cookie JSESSIONID_SERVER_2 check maxconn 32
timeout connect 5000ms
timeout server 120000ms
haproxy.pem is a file I copied from here (for testing purposes): http://blog.exceliance.fr/2012/09/04/howto-ssl-native-in-haproxy/
When I change the port from 80 to 8443 on the VMs, and I try to access https://haproxy.vm.ip:8443 (same as I did with the 80 port), I get a: 502 Bad Gateway error in my browser.
I'm guessing this has something to do with the ssl certificates, but I'm not sure how to solve this (these issues are new to me, and I wasn't able to find much information).
The server.xml for each tomcat VM (they're the same):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${catalina.home}/conf/keystore"
keystorePass="password" />
Do I need to use the same certificate here as in the haproxy configuration? I tried that but it doesn't seem to work, and I didn't find an example for haproxy with a keystore file either.
So, help? Ideas? Thanks! :)
Had the same issue -
I was never able to get 1.5 to correctly and consistently process SSL traffic without receiving intermittent 502's and 503's.
We ended up using stunnel - http://www.stunnel.org/
Very simple to setup and configure. HAproxy just responds on port 80 and forwards over 443 so that internal traffic remains encrypted.
Here's a sample stunnel.conf file to start from:
sslVersion = all
options = NO_SSLv2
cert=/etc/stunnel/wildcard.pem
setuid = root
setgid = root
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log
[service1]
accept = 10.0.0.10:443
connect = 10.0.0.10:80
TIMEOUTclose = 0
[service2]
accept = 10.0.0.11:443
connect = 10.0.0.11:80
TIMEOUTclose = 0