SAMINNET-Article

Tomcat-8 SSL

Oracle
- WebLogic Reset (227) Tue04,11:01am
  WebLogic襍ｷ蜍輔☆繧九◆縺ｳ縺ｫ繝ｦ繝ｼ繧ｶ蜷阪→繝代せ繝ｯ繝ｼ繝峨ｒ閨槭＞縺ｦ縺阪※辣ｩ繧上＠縺九▲縺溘�縺ｧ蝗樣∩縺励◆繝｡繝｢縲� ﾂ�ﾂ�ﾂ� security繝輔か繝ｫ繝繧剃ｽ懈� ﾂ�ﾂ�ﾂ� $ mkdir $DOMAIN_HOME/servers/AdminServer/security ﾂ�ﾂ�ﾂ� boot.properties繧剃ｽ懈�ﾂ�ﾂ�ﾂ� boot.properties ﾂ�ﾂ�ﾂ� username=weblogicﾂ�ﾂ�ﾂ� password=password ﾂ�ﾂ�ﾂ� 窶ｻ蟷ｳ譁�〒OK ﾂ�ﾂ�ﾂ� nohup & 縺ｧWeblogic繧定ｵｷ蜍� ﾂ�ﾂ�ﾂ� $ nohup sh $DOMAIN_HOME/startWebLogic.sh & ﾂ�ﾂ�ﾂ� 窶ｻnohup.out縺ｫ蜷舌°繧後ｋ縺ｮ縺後＞繧�□縺｣縺溘ｉ驕ｩ蠖薙↓繝ｪ繝繧､繝ｬ繧ｯ繝医＆縺帙ｋﾂ�ﾂ�ﾂ� boot.properties縺梧囓蜿ｷ蛹悶＆繧後※繧九％縺ｨ繧堤｢ｺ隱� ﾂ�ﾂ�ﾂ� $ ca…
  
  Read More...

Tomcat-8 SSL

This took me a day to setup on a new CentOS Amazon image. To be honest I窶囘 never configured SSL for tomcat before, and this was the first time that I窶囘 used tomcat8. So I just want to go over the steps I had to do so I窶冤l remember all of the tweeks needed.

Configuring SSL was more painful than I expected. First issue was that I had to break up the Microsoft IIS formated certificate I had. Fortunatly that I窶况e done before. Fromﾂ�novell

First create a new folder for all of this.
Type: mkdir cert Type: cd cert
Now get the Intermediate and root certificates from your CA place them in the folder.
Get the .pfx certificate and put it in the folder.

To export the private key without a passphrase or password.
Type: openssl pkcs12 -in filename.pfx -nocerts -nodes -out key.pem

To Generate a public version of the private RSAkey
Type: openssl rsa -in key.pem -out server.key

To export the Certificate
Type: openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

The directory will now have a file cert.pem and a key.pem

Now fromﾂ�//mail-archives.apache.org/mod_mbox/tomcat-users/200409.mbox/% This email address is being protected from spambots. You need JavaScript enabled to view it. %3E" target="_blank" style="color: rgb(23, 114, 175); text-decoration: none;">apache.org
Assuming:

* key.pem 窶� your certificate窶冱 private key
* cert.pem 窶� your certificate
* domainIntermediate.crt 窶� Organization Validation intermediate
* inter.crt 窶� the intermediate CA that signed your certificate
* root.crt 窶� the root CA that signed the intermediate CA

First, concatenate the CA certs, make sure the intermediate CA goes first:
Note on this 窶� For the chain ON A NORMAL LOAD BALANCER, it窶冱 intermediate first then domain Intermediate then the root, BUT if you want a unified cert like we are doing here the order is different, it would be domain Intermediate, then CA Intermediate, then the CA Root.ﾂ� Makes no sense to me but forﾂ�Comodo it is so.

$ cat domainIntermediate.crt inter.crt root.crt > chain.crt

Next, export the pkcs12 file:

$ openssl pkcs12 -export -chain -inkey key.pem -in cert.pem\
-name 窶徭erver窶� -CAfile chain.crt -out server.p12

When prompt for export password, enter something and don窶冲 leave it empty.

Now, use keytool to verify:

$ keytool -list -v -storetype pkcs12 -keystore server.p12

Enter the export password for the keystore password. Then you should see
a line like this from the output:

窶ｦ.
Certificate chain length: 3
窶ｦ.

Tomcat8 should now be able to use that server.p12 file as it窶冱 keystore.
Move the server.p12 to the tomcat home directory which is /usr/share/tomcat8/
Make sure tomcat is the owner, Type: chmod tomcat:tomcat server.p12
This server needs to use 443 instead of 8443. To do that we need to tweek java permissions.
I used the guide atﾂ�confluenceﾂ�but used the 5th option:

If using Linux 2.6.24 or later, you can set up a file capability on the java executable, to give elevated privileges to allow opening privileged ports only, and no other superuser privileges:
# setcap cap_net_bind_service+ep /path/to/bin/java
After setting this you may notice errors when starting Java like this, for example:
$ java -version
/path/to/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
This means that the library is being imported from a dynamic path, and not in the trusted ld.so path. See http://bugs.sun.com/view_bug.do?bug_id=7157699 for details. To fix this, you need to locate the library, and add its path to the ld.so configuration. Note that the below is an example, and this may differ depending on Linux distribution. Replace JAVA_HOME with the correct location:
$ find JAVA_HOME -name 窶詫ibjli.so窶�
JAVA_HOME/lib/amd64/jli/libjli.so

# echo 窶廱AVA_HOME/lib/amd64/jli窶� > /etc/ld.so.conf.d/java-libjli.conf
# ldconfig -v
After setting this all up, you need to make sure that Confluence only starts java with the direct binary path, and not via a symbolic link, otherwise the capability will not be picked up.
Setting this up means that any user can open privileged ports using Java, which may or may not be acceptable for you

At this point I usually switch user to tomcat. to do that edit /etc/passwd and change tomcat user to use /bin/bash
then as root su tomcat

We need to edit /etc/tomcat8/server.xml
Add a new connector like this:
<Connector
protocol=窶捐rg.apache.coyote.http11.Http11NioProtocol窶�
port=窶�443窶ｳ maxThreads=窶�200窶ｳ
scheme=窶拮ttps窶� secure=窶掖rue窶� SSLEnabled=窶掖rue窶�
keystoreFile=窶�${user.home}/server.p12窶ｳ keystoreType=窶抉KCS12窶ｳ keystorePass=窶拂hangeit窶�
clientAuth=窶拉alse窶� sslProtocol=窶抖LS窶�/>

Also in my case the application was to live on the root so to do that find the host section and add Context like so:

exit out of the tomcat account change it back to nologin then restart tomcat. Easy right?

Comments

0 #1 Guest 2019-09-01 01:03

Greetings from Idaho! I'm bored to death at work so I decided to check out your blog on my iphone during lunch
break. I really like the info you provide here and can't wait to take
a look when I get home. I'm amazed at how quick your
blog loaded on my phone .. I'm not even using WIFI, just 3G ..
Anyhow, very good blog!

Review my web blog; keyword

Quote

Refresh comments list
RSS feed for comments to this post

Add comment

JComments