SSL Config on Tomcat
Hi Experts:
My Apache+SSL is working now - thanks to you all. I checked it using https://www.hari.com.
However, I have a small Application which contains JSP+Servlets which calls Oracle DB via JDBC. This application is working fine when I type http://www.hari.com:8080/hari/index.jsp but when I try HTTPS as https://www.hari.com:8080/hari/index.jsp it doesn't work - i.e. the page doesn't show up.
I know that HTTPS listens to port 443 and my Application(Tomcat+JBoss) listens to port 8080 - so how do I integrate both the ports to work together? Any useful information on above is appreciated.
THANKS!
HARI
Hi
I guess that you haven't changed the port that Tomcat listens on for SSL connections. If not, the default port for SSL is 8443 for Tomcat. So if you want your application to run via SSL you must use something like https://localhost:8443/......
If you use 8080 it won't run. The connection to the database should be again to the 8080 port, but the servlet should listen to 8443 for SSL. Check the port in the server.xml file
Similar Messages
-
Https ssl config Oracle AS, webcache, portal...almost works
Hi,
I have searched the forums and I havent found anything that works for me.
I have Oracle infrastructure on one server, and Oracle App server/portal on another server. I can get as far as the http server showing the "welcome to oracle" page in https form. When I try to access a page in the portal (plsql) I get a blank page. It does convert the "https://myserver:xxxx//pls/portal/url/page/IRWEB/HOME
" to "https://myserver:xxxx/portal/page?_pageid=73,86254,73_86264:73_86316:73_8632...." but nothing comes up.
Also, it uses the Infrastructure server for single-sign-on...so I need to make the app server do the single sign-on. I've tried by adding /pls/orasso entry in DADS.conf of http server..
So as far as I can tell...the http server IS operating in https/ssl, but the single-sign-on and the pages in the portal are not.
I have to do everything manually since I am using 10.1.2 (no Oracle Collab Suite installed, so no SSLConfigTool and other assistants)
Here is what I've done to get https://myserver:xxxx/ to come up ok.
server 1: Oracle Infrastructure and Oracle database release 1 10.1.2.0.0
server 2: Oracle Application Server / Portal with webcache release 2 10.1.2
using Oracle Wallet for certificate,
http server -> process management "ssl-enabled",
http server -> advanced -> ssl.config: SSLWallet file:, SSLWalletPassword, virtual host for ssl
webcache -> added settings for ssl (I used the current entries for non-ssl as a guide for the ssl entries)
Interesting issue...with the ports in the ssl.conf file example:
Port 4459
Listen 4459
VirtualHost myserver.blah.edu:4450
Port 4458
When I get the blank page trying to use ssl and 4459, I can manually change the url in my browser to 4458 (or maybe its the other way around) and get this message: "Error: The portlet could not be contacted"
Is this a problem with webcache? Do I have to do any ssl config on the server with the database?
I've even tried disabling the webcache, both with the oracle sql script and through web interface but neither made a difference...same problem.
Any help would be greatly appreciated..I feel as if I'm almost there.
If I did not post enough info for accurate help, please ask what you need to know to provide help! Thanks in advance.
Hi,
Yes you can go for SSl configuration without re-installing any of the components.
Regards,
access_tammy -
Dear Sir,
I have a pair of 11501, which load balance two SSL server behind them. The cert is stored in SSL server(10.106.13.20 & 21). The external vip is 10.106.13.224.
I read the SSL Config Guide and made the below configuration. Can you check if my config below is ok?
ssl-proxy-list PIS-SSL-LIST
backend-server 1
backend-server 1 type backend-ssl
backend-server 1 ip address 10.106.13.224
backend-server 1 server-ip 10.106.13.20
backend-server 1 version ssl3
backend-server 1 session-cache 300
backend-server 1 tcp virtual ack-delay 0
backend-server 2
backend-server 2 type backend-ssl
backend-server 2 ip address 10.106.13.224
backend-server 2 server-ip 10.106.13.21
backend-server 2 version ssl3
backend-server 2 session-cache 300
backend-server 2 tcp virtual ack-delay 0
active
service PIS-SSL-SERVICE
type ssl-accel-backend
ip address 10.106.13.224
add ssl-proxy-lit PIS-SSL-LIST
active
owner PIS-SSL-OWNER
content PIS-SSL-VIP-1
vip adddress 10.106.13.224
port 80
advanced-balance arrowpoint-cookie
url "/*"
add service PIS-SSL-SERVICE
active
Thanks
This is totally wrong unfortunately.
What are you trying to achieve here ?
Normally the connection between CSS and server does not need to be encrypted because they are close to each other.
You probably want to encrypt the connection from the client to the CSS since this connection goes through the Internet.
Is this what you need ?
Here are sample configs:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html#wp999094
backend-ssl is @
SSL Transparent Proxy Configuration - HTTP and Back-End SSL Servers
You will see that you made many mistakes, like the IP addresses used in the ssl-proxy-list.
Gilles. -
Hi,
can you tell me a link to a useful documentation how to install ssl on a tomcat 5.0 / jvm 1.5 (downloading JSSE doesn't work due to Error: Transaction stopped. The selected product(s) cannot be provided to your location.) ?
Many thanks & best regards
Dirk
JSSE is already contained in Java 1.4, 1.5, 1.6, ... You don't need to download anything. You just need to follow the Tomcat instructions for the SSL Connector.
-
SSL-Config: Oc4J does not reload keystore/truststore at runTime
Hi all, i have a little question about the SSL-Config into OC4J.
I have a webApp bound to a secure web site that requires mutual authentication. If I add at run-time (without stopping OC4J) a trusted entry (a CA) to the keystore the secure web site is related to, OC4J does not "reload" the keystore with the new entry. Thus, I have to restart OC4J to be able to accept SSL connections that are authenticated by means of that new CA. The question is: does a configuration exist that has to be performed to reload a keystore at run-time in OC4J, or is it necessary to restart OC4J each time a new entry is added to a keystore mapped for a given secure web site?
I hope someone can give me a tip,
Best Regards
Hi, I tried this with the latest 10.1.3 Developer Preview 4 and it worked great and I could start OC4J standalone in https mode. Can you please download the latest version of OC4J 10.1.3 DP4 stand-alone and try in there? The OC4J version embedded with JDev 10.1.3 Preview is pretty old and there have been many bugs fixed since then
http://www.oracle.com/technology/tech/java/oc4j/index.html
-Debu -
SSL and Apache Tomcat 5.5.20
Hi
Maybe java forum is not right place where to put this post, but it is worth a try...
im using tomcat 5.5.20 and i have read tomcat-docs how to configure server for ssl... i have done everything (checked so many times...), restart my server too, but still ssl does not work...
when i try to open https://localhost:8443 but it takes so much time "loading the page" and then fails...
when i try http://localhost:8443 it work but with no ssl... :(
my server.xml config file :
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
any help?
I have found the cause of the problem, but I can't solve it....
The problem is because I use WinXP for the server (Apache). On WinXP there is no default environmental variable for USER_HOME or sth like that...
the server.xml uses the home variable where .keystore is stored... and on Linux the home variable is explicitly defined and it works...
when I tried to move the .keystore file to another directory and rename it to tomcat.keystore and in server.xml use the following parameter inside the Connector tag, keystoreFile="path-to-file\tomcat.keystore", it does not work any more... -
2 way ssl config in WLS 8.1
Problem: Server(any web app running on WLS 8.1 SP2 on win2000) need to authenticate
clients(browser) without prompting for userid & passwords just through digital
certificate. With out writing any programming in deployed Java app . Only through
server side config can be done.
Solution : We are trying to use the 2-way ssl in WLS 8.1 SP2 running on win2000.
To begin with development, we are just using the Demo cert. This is being tested
on same machine both client and server. This works perfectly fine for 1-way ssl
no need to do any config. To extend this config for 2-way.
I need a one more digital cert for client.
I create the client digital cert/private key using Cert Gen utility.
Now the confusing part how to add this to Server Trust key store.
There are no proper doc on how to continue further.
Different places say different things to do.
If any one can provide some example steps how to do it will be great.
Thanks in advance.
--Prav
Did you use the Demo CA to issue the new certificate (CertGen uses it by default)?
Then you do not need to do anything. The CA certificate already exists in the
DemoTrust.jks.
Otherwise you can use keytool to import trusted certificate into a keystore. See
this page for more info: http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1178523
Pavel.
-
hi everyone... i hope anyone can help me in this problem
i 've installed Apache Tomcat 4.1.12LE
and j2sdk1.4.1 .Yesterday i tried configuring SSL in tomcat for my login page.
so i followed the steps provided in the documentation. the documentation said choose
JSSE an installed extension by copying all three JAR files (jcert.jar, jnet.jar, and
jsse.jar) into your JAVA_HOME\jre\lib\ext directory but i could only find the jsse.jar
file so i copied jsse.jar file to JAVA_HOME\jre\lib\ext after that i did the keytool
configuration from C:\j2sdk1.4.1 during keytool process i created my own password.
after that i removed the comments in the server.xml like shown below,
and added the keystore password with my own..password
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true"
useURIValidationHack="false">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS" keystorePass="mypassword" />
i restarted tomcat and typed https://localhost:8443/ and it displayed The page cannot
be displayed.. so my question is where did i go wrong and what should i do next...
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS" keystorePass="mypassword" />
You did not specify the keystore file location. -
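Both Tomcat threads above (the 5.5.20 connector and the 4.1 `Factory` connector) come down to where Tomcat looks for the keystore. The following is an added example, not code from any poster or from the Tomcat project: a Python check that lists each HTTPS connector in a server.xml and the keystore settings it lacks. The sample XML is constructed from the quoted connectors; ports 8444 and 8445 and the path conf/tomcat.keystore are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the connectors quoted in the threads.
# Ports 8444/8445 and conf/tomcat.keystore are made up so each case has a unique port.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" />
  <Connector port="8443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="8444" scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS" keystorePass="mypassword" />
  </Connector>
  <Connector port="8445" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="conf/tomcat.keystore" keystorePass="mypassword" />
</Service></Server>"""


def https_connector_findings(server_xml):
    """Return {port: [finding, ...]} for every HTTPS connector in server_xml."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme", "http").lower() != "https":
            continue  # plain HTTP connector (e.g. 8080): https:// URLs fail on it
        # Tomcat 5.x keeps the SSL attributes on <Connector>;
        # Tomcat 4.1 keeps them on a child <Factory> element.
        ssl_attrs = dict(conn.attrib)
        factory = conn.find("Factory")
        if factory is not None:
            ssl_attrs.update(factory.attrib)
        issues = []
        if conn.get("secure", "false").lower() != "true":
            issues.append("secure is not 'true'")
        if not ssl_attrs.get("keystoreFile"):
            issues.append("no keystoreFile: Tomcat falls back to .keystore in "
                          "the home directory of the user running it")
        if not ssl_attrs.get("keystorePass"):
            issues.append("no keystorePass: the default 'changeit' is assumed")
        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    for port, issues in https_connector_findings(SAMPLE).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

A connector reported with "no keystoreFile" only works when the account that runs Tomcat (often a service account on Windows) has a `.keystore` file in its own home directory.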
Soap RECEIVER adapter ssl config
We are consuming a web service in SAP ECC system via XI using SSL. So I configured receiver soap adapter. Imported the certificate provided by web service provider to J2EE visual admin key store. However I am not able to see my certificates populated in my communication channel selection list.
Could you please provide steps to configure SSL in receiver soap adapter not for Sender adapter.
Thanks.
Bijay
Okay, so this is a client certificate and not a CA certificate, right?
In this case, you need to import the client certificate under ICM_SSL_xxx and you can find SSL_Provider if you scroll completely down. You need to import the private key of the client certificate under ICM_SSL_xxx.
Only CA certificates go in the TrustedCA view. You can create a new view ICM_SSL_xxx or put the certificate under any existing ICM_SSL_xxx view, it doesn't matter.
Do this step and let me know if it works. Might be, there is no requirement for private key at this point of time. It completely depends how the receiving system will accept and verify the call from PI server.
Since it's a client certificate, they must be having public and private keys. But this certificate has to be signed by some one like VeriSign and they provide a different key to make it more secured. But anyways, you don't need to go in so much of details right now.
Follow the steps that I mentioned above and hopefully, it should work.
Regards,
Neetesh -
To all the Portal Guru's out there....I have a two simple questions....
I have two servers - one that holds the MR (repository) and one that holds the OID Infrastructure and Portal tiers (2 different mount points)
This is a new install - and upgraded to 10.1.4. With the OID and portal tiers on the same server, it is possible to SSL enable access to the portal (i.e. HTTPS in place of currently HTTP) - without having to re-install.......the entire stack.....
Is it also wise to go ahead and do this - in other words, does religiously adhering to Sec 5.2 of the Oracle® Application Server Portal Configuration Guide
10g Release 2 (10.1.4) B19305-03 - get me to enable SSL through out the portal?
Thanks
Hi,
Yes you can go for SSl configuration without re-installing any of the components.
Regards,
access_tammy -
Console cannot connect to ldap after SSL config
Hi,
I configured our iplanet DS 5.0 to use SSL (requested cert from DS, signed and created a new cert with openSSL, verified that DS could read that cert, and turned on ssl). Restarted DS and admin-serv. The ldap is working but ldaps is not. The console is unable to connect to DS and just hangs when trying to connect. The console is configured to connect to ldap not ldaps, but when I view the configuration for DS in console it shows port 636. So -
- how do I make the console use port 389 to connect to the DS?
- What do I need to do to get ldaps working?
TIA.
Raj Dolas
There are some limitations in using the Console when SSL is enabled for the Directory Server. These are documented... in the release notes at least.
Regards,
Ludovic. -
SSL Config for SAP webgui service of ABAP
Hi Gurus,
We have a dual stack system, details are as follows:
ECC 6.0 SR2
ABAP Stack 11
Java Stack 13
We want to access the webgui via internet and for this we have configured the webdispatcher which is behind the firewall. We had created the ccr and got the CA response which is imported in the Dispatcher. So the traffic from the end user to Dispatcher is SSL enabled. Then we did same thing for ABAP as well and now the completed traffic is SSL enabled. Our problem is...
when we use the URL to login to webgui it changes the url and hence does not work from internet. Please note that we don't want to expose our ECC system to public network.
e.g :
https://portal.mycompany.com:8100 --> this is the web dispatcher URL this should give us the login screen and stay as it is all the time. But ......when it gives the login screen it gets changed to
https://ecc60server.mycompany.com:8000 --> and as the ECC server cant be accessed via internet this URL fails when we are outside the company network.
similarly for the Java stack of the same system also we have the URL and it works just fine.
rewards will be awarded for the solutions....
Pravin
Hi Pravin,
So if I get it right, you need an End-to-End SSL setup for your WebDispatcher.
This means that the Webdispatcher simply re-directs the calls but still shows the official url to the client.
I think you have a problem in the webdispatcher profile.
there should be one entry like
icm/server_port_0 = PROT=ROUTER,PORT=443
This means that the webdispatcher is listening for traffic on port 443.
then there should be another entry like
icm/server_port_1 = PROT=HTTPS,PORT=0
this means that the webdispatcher does not listen to this port (PORT=0) but simply sends data to it.
Then, the actual connection to the ABAP-system
ms/https_port = 8101 (or whatever port you used for https)
rdisp/mshost = <full.host.name.including.domain.name>
another important parameters is: wdisp/server_info_protocol = https -
Anyone knows how to configure the SSL for nodemanager?
please refer to http://e-docs.bea.com/wls/docs70/secmanage/ssl.html for more
information.
Mike Han <[email protected]> wrote:
Anyone knows how to configure the SSL for nodemanager? -
Hi all,
I uploaded a cert file and I am getting a runtime error when I try to delete a wrong certificate from Key Store in Visual Admin.
Can you tell me how to delete the certificate?
Thank you in advance.
Regards,
Subu
This should not happen. Check if the entries in the orasso.wwsec_papp_configuration_in_t point portal to the right SSO entries. Also check if the OIDDAS operation url's are correct in the oid.
cu
Andreas -
Apache-Mod_jk-Tomcat and SSL certificate
Hi all.
I have Apache 2.0.55 working with Tomcat 5.5 via mod_jk connector.
I have generated a self-signed certificate for Apache using openssl, and I use it to encrypt both URLs served by Apache and URLs served by Tomcat through mod_jk.
When a "https URL" is forwarded to Tomcat, an exception is thrown by the webapp, unless the certificate has not been set as "trusted" on Tomcat side.
So, it seems like I have to do the following:
1) generate a self-signed certificate for Apache using openssl.
2) import this certificate in a keystore
3) set the keystore as trusted (System.setProperty("javax.net.ssl.trustStore", PATH_TO_KEYSTORE));
I'm wondering if there's a better way to accomplish that, not forcing me to do all this steps and, above all, allowing me to "break" the link between the apache cert and the tomcat keystore.
Any help will be very appreciated!
Usually you generate a keystore for client, and mention that in your SSL connector of tomcat
in apache, we need to configure things in ssl.conf