|
»
»
tomcat https
|
View:
New views
11 Messages
—
Rating Filter:
Alert me
|
 |
tomcat https
by torleif
::
Rate this Message:
Hi
I am trying to set up tomcat to use https. I used "keytool -genkey -alias tomcat -keyalg RSA" If I use "changeit" as password for keystore everything works ok. If I use a different password it does not work. I have modified "server.xml" with keystorePass="newpassword" My .keystore is located in default place. If I use "changeit" as password, will this be a security risk since this is a widely known password? Also I run a mailserver with https web interface. Can I use a different https certificate in tomcat or must it be the same as my mailserver? Thank you!! --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: tomcat https
by Nilesh Patil-4
::
Rate this Message:
Dear Torleif
Why you r Using Default Location to Store Keystore.. ypu can Use following command to generate keystore * c:/keytool -genkey -keyalg RSA -alias tomcat -keystore tomcat.keystore -storepass tomcat* Then above command will generate tomcat keystore in current working directory. and now you can change password in server.xml as *tomcat. * Regards, Nilesh P On Wed, Nov 4, 2009 at 2:20 AM, Torleif <torleif@...> wrote: > Hi > > I am trying to set up tomcat to use https. > I used "keytool -genkey -alias tomcat -keyalg RSA" > If I use "changeit" as password for keystore everything works ok. > If I use a different password it does not work. > I have modified "server.xml" with keystorePass="newpassword" > My .keystore is located in default place. > > If I use "changeit" as password, will this be a security risk since this > is a widely known password? > > Also I run a mailserver with https web interface. > Can I use a different https certificate in tomcat or must it be the same > as my mailserver? > > Thank you!! > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@... > For additional commands, e-mail: users-help@... > > |
|
|
Re: tomcat https
by Ognjen Blagojevic-3
::
Rate this Message:
Torleif wrote:
> I am trying to set up tomcat to use https. > I used "keytool -genkey -alias tomcat -keyalg RSA" > If I use "changeit" as password for keystore everything works ok. > If I use a different password it does not work. > I have modified "server.xml" with keystorePass="newpassword" > My .keystore is located in default place. It could help if you tell us what Tomcat version, OS and version are you using and what is "default place". .keystore file should be on the home directory of the user running Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and Settings\ognjen\" on Windows XP. Also note: "Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. (Currently, the keytool prompt will tell you that pressing the ENTER key does this for you automatically.)" (tomcat SSL docs) > If I use "changeit" as password, will this be a security risk since this > is a widely known password? The way I see it, the security risk is not too big. .keystore file will most probably have the same access rights as your server.xml where the keystore password is stored in cleartext. So, if the unauthorized user is able to access .keystore file it will also be able to access the server.xml, and read the keystore password. However, if your configuration, backup strategy, or anything else introduces the possibility for unauthorized person to access only the .keystore file (and not server.xml) - or you are simply paranoid - you should change the default password. > Also I run a mailserver with https web interface. > Can I use a different https certificate in tomcat or must it be the same > as my mailserver? It really depends of your configuration. Are both webmail and Tomcat on the same port? Do you run webmail application under Tomcat or not? Do you use httpd or not? Do you have more than one IP address available for the server? If you use two servers, two different IP addresses OR two different ports on the same IP address, you can have different certificates. In other cases, you can't. Regards, Ognjen --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: tomcat https
by torleif
::
Rate this Message:
Hi
Thanks for all your help!! I am using Debian Lenny as OS. I am trying to set up a funambol server witch use Tomcat. ( http://bionicmessage.net/?q=node/18 ) I am not sure witch version of Tomcat it uses. (I am at work right now and cant check) By "default place" I mean /home/user/.keystore I run "keytool -genkey -alias tomcat -keyalg RSA" When I run this command it asks for password witch is "changeit" as default and everything works ok. If I choose a different password and modify "server.xml" accordingly it does not work. maybe I shuld use this command instead? ( "keytool -genkey -alias tomcat -keyalg RSA -keystore /home/user/.keystore -storepass mypassword" ) ?? I am ok with using "changeit" as password if this is no security risk. No one has access to my computer, but can they get access through https if they know the "changeit" password? I also have a mailserver on the same ip "citadel" witch uses "webcit" for webmail. The ports on my mailserver and Tomcat are different. Thanks again for all help!! Torleif > Wed Nov 04 2009 10:28:22 CET from "Ognjen Blagojevic" ><ognjen@...> Subject: Re: tomcat https > > Torleif wrote: > >>I am trying to set up tomcat to use https. >> I used "keytool -genkey -alias tomcat -keyalg RSA" >> If I use "changeit" as password for keystore everything works ok. >> If I use a different password it does not work. >> I have modified "server.xml" with keystorePass="newpassword" >> My .keystore is located in default place. >> >> > It could help if you tell us what Tomcat version, OS and version are you > using and what is "default place". > > .keystore file should be on the home directory of the user running > Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and > Settings\ognjen\" on Windows XP. > > Also note: "Finally, you will be prompted for the key password, which is > the password specifically for this Certificate (as opposed to any other > Certificates stored in the same keystore file). You MUST use the same > password here as was used for the keystore password itself. (Currently, > the keytool prompt will tell you that pressing the ENTER key does this > for you automatically.)" (tomcat SSL docs) > > > >>If I use "changeit" as password, will this be a security risk since this >> is a widely known password? >> >> > The way I see it, the security risk is not too big. .keystore file will > most probably have the same access rights as your server.xml where the > keystore password is stored in cleartext. So, if the unauthorized user > is able to access .keystore file it will also be able to access the > server.xml, and read the keystore password. > > However, if your configuration, backup strategy, or anything else > introduces the possibility for unauthorized person to access only the > .keystore file (and not server.xml) - or you are simply paranoid - you > should change the default password. > > > >>Also I run a mailserver with https web interface. >> Can I use a different https certificate in tomcat or must it be the same >> as my mailserver? >> >> > It really depends of your configuration. > > Are both webmail and Tomcat on the same port? Do you run webmail > application under Tomcat or not? Do you use httpd or not? Do you have > more than one IP address available for the server? > > If you use two servers, two different IP addresses OR two different > ports on the same IP address, you can have different certificates. In > other cases, you can't. > > Regards, > Ognjen > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@... > For additional commands, e-mail: users-help@... > > > > > |
|
|
Re: tomcat https
by Ognjen Blagojevic-3
::
Rate this Message:
Torleif wrote:
> By "default place" I mean /home/user/.keystore /home/user/.keystore? That's strange. Is it maybe /home/tomcat/.keystore? Or you have a user "user" on your system? Under what user did you create .keystore file? > If I choose a different password and modify "server.xml" accordingly it does > not work. Did you choose the same password for bot keystore AND certificate, as pointed in the Tomcat docs? > maybe I shuld use this command instead? ( "keytool -genkey -alias tomcat > -keyalg RSA -keystore /home/user/.keystore > -storepass mypassword" ) ?? No, that is not the source of the problem. > I am ok with using "changeit" as password if this is no security risk. No one > has access to my computer, but can they get access through https if they know > the "changeit" password? Well, anyone could access to you webapps (not to the entire file system) regardless of the keystore password. > I also have a mailserver on the same ip "citadel" witch uses "webcit" for > webmail. > > The ports on my mailserver and Tomcat are different. Then you can use different certificates. Regards, Ognjen > > > > Thanks again for all help!! > > > > Torleif >> Wed Nov 04 2009 10:28:22 CET from "Ognjen Blagojevic" >> <ognjen@...> Subject: Re: tomcat https >> >> Torleif wrote: >> >>> I am trying to set up tomcat to use https. >>> I used "keytool -genkey -alias tomcat -keyalg RSA" >>> If I use "changeit" as password for keystore everything works ok. >>> If I use a different password it does not work. >>> I have modified "server.xml" with keystorePass="newpassword" >>> My .keystore is located in default place. >>> >>> > >> It could help if you tell us what Tomcat version, OS and version are you >> using and what is "default place". >> >> .keystore file should be on the home directory of the user running >> Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and >> Settings\ognjen\" on Windows XP. >> >> Also note: "Finally, you will be prompted for the key password, which is >> the password specifically for this Certificate (as opposed to any other >> Certificates stored in the same keystore file). You MUST use the same >> password here as was used for the keystore password itself. (Currently, >> the keytool prompt will tell you that pressing the ENTER key does this >> for you automatically.)" (tomcat SSL docs) >> >> >> >>> If I use "changeit" as password, will this be a security risk since this >>> is a widely known password? >>> >>> > >> The way I see it, the security risk is not too big. .keystore file will >> most probably have the same access rights as your server.xml where the >> keystore password is stored in cleartext. So, if the unauthorized user >> is able to access .keystore file it will also be able to access the >> server.xml, and read the keystore password. >> >> However, if your configuration, backup strategy, or anything else >> introduces the possibility for unauthorized person to access only the >> .keystore file (and not server.xml) - or you are simply paranoid - you >> should change the default password. >> >> >> >>> Also I run a mailserver with https web interface. >>> Can I use a different https certificate in tomcat or must it be the same >>> as my mailserver? >>> >>> > >> It really depends of your configuration. >> >> Are both webmail and Tomcat on the same port? Do you run webmail >> application under Tomcat or not? Do you use httpd or not? Do you have >> more than one IP address available for the server? >> >> If you use two servers, two different IP addresses OR two different >> ports on the same IP address, you can have different certificates. In >> other cases, you can't. >> >> Regards, >> Ognjen >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscribe@... >> For additional commands, e-mail: users-help@... >> >> >> >> >> > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: tomcat https
by Christopher Schultz-2
::
Rate this Message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 All, On 11/4/2009 11:47 AM, Ognjen Blagojevic wrote: > Torleif wrote: >> By "default place" I mean /home/user/.keystore > > /home/user/.keystore? That's strange. Is it maybe > /home/tomcat/.keystore? Or you have a user "user" on your system? Under > what user did you create .keystore file? ...and what do you actually have in your server.xml for keystore configuration? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrxtDgACgkQ9CaO5/Lv0PD+ZgCdHRHNp7ryxfMI6ZHgYX1d8Zx1 MdUAn1zd+PfL215yv4IRi8xFyfmCWTfU =9xK7 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: tomcat https
by torleif
::
Rate this Message:
Hi again. My server.xml: <Connector port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true"; clientAuth="false" sslProtocol="TLS" keystoreFile="/home/user/.keystore" keystorePass="mypassword" /> --> I run Tomcat as "user". I followed this guide: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html Maybe my cert password is not the same as keystore?? I thougt my keystore containing the cert was created with "keytool -genkey -alias tomcat -keyalg RSA" ?? Thanks everyone!! On Wed, 2009-11-04 at 17:47 +0100, Ognjen Blagojevic wrote: > Torleif wrote: > > By "default place" I mean /home/user/.keystore > > /home/user/.keystore? That's strange. Is it maybe > /home/tomcat/.keystore? Or you have a user "user" on your system? Under > what user did you create .keystore file? > > > > If I choose a different password and modify "server.xml" accordingly it does > > not work. > > Did you choose the same password for bot keystore AND certificate, as > pointed in the Tomcat docs? > > > > maybe I shuld use this command instead? ( "keytool -genkey -alias tomcat > > -keyalg RSA -keystore /home/user/.keystore > > -storepass mypassword" ) ?? > > No, that is not the source of the problem. > > > > I am ok with using "changeit" as password if this is no security risk. No one > > has access to my computer, but can they get access through https if they know > > the "changeit" password? > > Well, anyone could access to you webapps (not to the entire file system) > regardless of the keystore password. > > > > I also have a mailserver on the same ip "citadel" witch uses "webcit" for > > webmail. > > > > The ports on my mailserver and Tomcat are different. > > Then you can use different certificates. > > > Regards, > Ognjen > > > > > > > > > > Thanks again for all help!! > > > > > > > > Torleif > >> Wed Nov 04 2009 10:28:22 CET from "Ognjen Blagojevic" > >> <ognjen@...> Subject: Re: tomcat https > >> > >> Torleif wrote: > >> > >>> I am trying to set up tomcat to use https. > >>> I used "keytool -genkey -alias tomcat -keyalg RSA" > >>> If I use "changeit" as password for keystore everything works ok. > >>> If I use a different password it does not work. > >>> I have modified "server.xml" with keystorePass="newpassword" > >>> My .keystore is located in default place. > >>> > >>> > > > >> It could help if you tell us what Tomcat version, OS and version are you > >> using and what is "default place". > >> > >> .keystore file should be on the home directory of the user running > >> Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and > >> Settings\ognjen\" on Windows XP. > >> > >> Also note: "Finally, you will be prompted for the key password, which is > >> the password specifically for this Certificate (as opposed to any other > >> Certificates stored in the same keystore file). You MUST use the same > >> password here as was used for the keystore password itself. (Currently, > >> the keytool prompt will tell you that pressing the ENTER key does this > >> for you automatically.)" (tomcat SSL docs) > >> > >> > >> > >>> If I use "changeit" as password, will this be a security risk since this > >>> is a widely known password? > >>> > >>> > > > >> The way I see it, the security risk is not too big. .keystore file will > >> most probably have the same access rights as your server.xml where the > >> keystore password is stored in cleartext. So, if the unauthorized user > >> is able to access .keystore file it will also be able to access the > >> server.xml, and read the keystore password. > >> > >> However, if your configuration, backup strategy, or anything else > >> introduces the possibility for unauthorized person to access only the > >> .keystore file (and not server.xml) - or you are simply paranoid - you > >> should change the default password. > >> > >> > >> > >>> Also I run a mailserver with https web interface. > >>> Can I use a different https certificate in tomcat or must it be the same > >>> as my mailserver? > >>> > >>> > > > >> It really depends of your configuration. > >> > >> Are both webmail and Tomcat on the same port? Do you run webmail > >> application under Tomcat or not? Do you use httpd or not? Do you have > >> more than one IP address available for the server? > >> > >> If you use two servers, two different IP addresses OR two different > >> ports on the same IP address, you can have different certificates. In > >> other cases, you can't. > >> > >> Regards, > >> Ognjen > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscribe@... > >> For additional commands, e-mail: users-help@... > >> > >> > >> > >> > >> > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@... > For additional commands, e-mail: users-help@... > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: tomcat https
by Ognjen Blagojevic-3
::
Rate this Message:
Torleif wrote:
> Maybe my cert password is not the same as keystore?? > I thougt my keystore containing the cert was created with > "keytool -genkey -alias tomcat -keyalg RSA" ?? You must use the same password for both keystore and certificate. Keytool asks you for keystore password at the begining, and for the certificate password at the end. Regards, Ognjen --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: tomcat https
by torleif
::
Rate this Message:
Hi
That is what I used. In the end it says "press enter for same password" and that is what I did I also tried to enter same password instead of just pressing enter, but still doesnt work. I think it may be my server.xml file that is wrong somewhere? Everything is ok if I use "changeit" Torleif > Thu Nov 05 2009 09:44:49 CET from "Ognjen Blagojevic" ><ognjen@...> Subject: Re: tomcat https > > Torleif wrote: > >>Maybe my cert password is not the same as keystore?? >> I thougt my keystore containing the cert was created with >> "keytool -genkey -alias tomcat -keyalg RSA" ?? >> >> > You must use the same password for both keystore and certificate. > Keytool asks you for keystore password at the begining, and for the > certificate password at the end. > > Regards, > Ognjen > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@... > For additional commands, e-mail: users-help@... > > > > > |
|
|
RE: tomcat https
by Caldarale, Charles R
::
Rate this Message:
> From: Torleif [mailto:torleif@...]
> Subject: Re: tomcat https > > I think it may be my server.xml file that is wrong somewhere? > Everything is ok if I use "changeit" That suggests that perhaps your Tomcat is not running with the server.xml file you think it is. For example, if you start Tomcat via an IDE, the IDE often substitutes its own configuration, ignoring yours. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. |
|
|
Re: tomcat https
by Christopher Schultz-2
::
Rate this Message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Torleif, On 11/4/2009 4:25 PM, Torleif wrote: > My server.xml: > > <Connector > port="8443" minProcessors="5" maxProcessors="75" > enableLookups="true" disableUploadTimeout="true" > acceptCount="100" debug="0" scheme="https" secure="true"; > clientAuth="false" sslProtocol="TLS" keystoreFile="/home/user/.keystore" keystorePass="mypassword" /> > --> That closing comment looks suspicious. > Maybe my cert password is not the same as keystore?? The certificate can certainly have a different password as the keystore. Does your certificate have a password at all? Ususally they do not. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkry9OwACgkQ9CaO5/Lv0PDIXwCfYlpVeEOWMJoS+Upeahnh0ngB Fg0AoKcid4Kq+nnUBmZr3C34/66UJNpO =X0ST -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@... For additional commands, e-mail: users-help@... |
| Free embeddable forum powered by Nabble | Forum Help |
