9

I'm trying to set up SSL in my local Tomcat 6 installation. For this, I followed the official How-To, doing the following:

$JAVA_HOME/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit
$JAVA_HOME/bin/keytool -export -alias tomcat -storepass changeit -file /root/server.crt

Then changing $CATALINA_BASE/conf/server.xml, uncommenting this:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore" keystorePass="changeit" />

After starting Tomcat, I get this Exception:

INFO: Initializing Coyote HTTP/1.1 on http-8080
30.06.2011 10:15:24 org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SCHWERWIEGEND: Failed to load keystore type JKS with path /root/.keystore due to Invalid keystore format
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)

When I look into the keystore with keytool -list I get:

root@host:~# $JAVA_HOME/bin/keytool -list
Enter key store password: changeit
Key store type: gkr
Key store provider: GNU-CRYPTO

Key store contains 1 entry(ies)

Alias name: tomcat
Creation timestamp: Donnerstag, 30. Juni 2011 - 10:13:40 MESZ
Entry type: key-entry
Certificate fingerprint (MD5): 6A:B9:...C:89:1C

Obviously, the keystore types are different. How can I change the type and will this fix my problem? Thank you!

4 Answers

13
+50

It looks like the keytool you're using is the GNU implementation, not the one from Oracle/Sun or OpenJDK. From the output of keytool -list, it generates a gkr store type, which is a GNU Keyring Store.

I'm not sure whether you run Apache Tomcat using an OpenJDK or Sun/Oracle JRE, in which case this format wouldn't be supported without additional security providers.

If you run Apache Tomcat with a GNU JRE that supports gkr (or at least a JRE where you've added a security provider that supports gkr), you can try keystoreType="gkr" in your <Connector /> configuration.

However, the easiest is probably to use keytool as provided by Oracle or OpenJDK and use the JKS storetype (which would be the default type if you run Apache Tomcat with the OpenJDK or Sun/Oracle JRE). It was probably installed with your JRE, but it doesn't look like the $JAVA_HOME you're using points to an Oracle or OpenJDK JAVA_HOME. Some Linux distributions have mechanisms to install multiple JREs and configure links (update-alternatives in the Debian/Ubuntu family).

(As a side-note, it's usually not recommended to run Apache Tomcat as root, which you seem to be doing since $HOME/.keystore is /root/.keystore in your example.)
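The two checks this answer boils down to (which keytool binary $JAVA_HOME actually resolves to, and what format the file under keystoreFile really is) can be scripted. The following is an added example, not code from the question or any answer; it assumes a POSIX shell with od(1), head(1) and readlink(1), and the hypothetical function names keystore_kind, suggest_keystore_type and which_keytool are mine. It recognises a JKS store by its leading magic bytes 0xFEEDFEED and a JCEKS store by 0xCECECECE; a file starting with 0x30 is an ASN.1 SEQUENCE (PKCS#12 and similar), and anything else, including a GNU Keyring file, is reported as UNKNOWN. Tomcat's "Invalid keystore format" is exactly what you get when the configured keystoreType does not match this classification.

```shell
#!/bin/sh
# Added example (not from the post): classify a keystore file by its magic bytes
# and show which keytool binary a given JAVA_HOME resolves to.
# Assumes POSIX sh plus od(1), head(1) and readlink(1).

# keystore_kind FILE -> prints JKS, JCEKS, DER or UNKNOWN (MISSING if unreadable)
keystore_kind() {
    file="$1"
    [ -r "$file" ] || { echo "MISSING"; return 1; }
    # First four bytes as lowercase hex with no separators; -An drops the offset column.
    magic=$(head -c 4 "$file" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        feedfeed) echo "JKS" ;;       # Sun/Oracle/OpenJDK Java KeyStore
        cececece) echo "JCEKS" ;;     # SunJCE keystore
        30*)      echo "DER" ;;       # ASN.1 SEQUENCE, e.g. PKCS#12
        *)        echo "UNKNOWN" ;;   # e.g. GNU Keyring (gkr) or an empty file
    esac
}

# suggest_keystore_type KIND -> the keystoreType value to put on the <Connector/>
# for a store a Sun/Oracle/OpenJDK JRE can load, or "" when none applies.
suggest_keystore_type() {
    case "$1" in
        JKS)   echo "JKS" ;;
        JCEKS) echo "JCEKS" ;;
        DER)   echo "PKCS12" ;;
        *)     echo "" ;;             # gkr needs a GNU provider; regenerate with the JDK keytool
    esac
}

# which_keytool [JAVA_HOME] -> real path of the keytool that would be run,
# following symlinks such as /etc/alternatives/keytool.
which_keytool() {
    home="${1:-$JAVA_HOME}"
    kt="${home:+$home/bin/keytool}"
    [ -n "$kt" ] && [ -x "$kt" ] || kt=$(command -v keytool 2>/dev/null) || return 1
    readlink -f "$kt"
}

# Usage (the keystore path is the one from the question):
#   kind=$(keystore_kind /root/.keystore)
#   echo "keystore is $kind; keystoreType=\"$(suggest_keystore_type "$kind")\""
#   echo "keytool in use: $(which_keytool)"
```

If which_keytool prints something under /usr/lib/jvm/java-*-gcj* or a gkeytool path, the store was written by the GNU implementation; regenerate it with the JDK keytool (or use update-alternatives to make that one the default) rather than trying to make Tomcat load the gkr file.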


7 Comments

Thank you so much for your answer :-) There are some minor additional questions ^^ Which user should run Tomcat? How to know this keytool stuff? This would be the last thing to think of, that there are so many different versions on my computer?! And finally: I've created a .keystore and a server.crt with the mentioned commands. Tomcat starts completely, but the browser still mentions that the certificate is not trustful... I'll create a bounty to give you some more points :-)
To configure your multiple Java installations, look at update-java-alternatives. It looks like you've installed Tomcat using the Debian package, so a tomcat or tomcat6 user was probably created. There's a /etc/init.d/tomcat6 script that should start/stop Tomcat under this user for you. /usr/share/doc/tomcat6/README.Debian.gz will certainly have more information about this.
Regarding the server certificate, since it's self-signed, you need to import it manually on the browsers you're using: either add an exception by hand (you can verify it matches the .crt you've issued: you can look into it using openssl x509 -text -noout -in server.crt for example), or import the server.crt file into your browser directly.
@first comment: great, runs very smooth :-) @second comment: I've used the local ip as CN in the certificate, but I still get an ssl error in my browser after importing it. I'm always getting confused with the different certificate types... is the created certificate enough to use in this way?
Using the host name is better. You need the CN to match the host part of the URL you're talking to. A self-signed certificate is fine if it's for limited usage (i.e. you know the browsers where you're going to import it). At worst, check the content of the certificate in the browser's alert message and "pin" it with a permanent exception if you're satisfied it's the one you created indeed (Firefox allows you to do that, for example).
1

As Bruno said, I used the "wrong" keytool!

These are the keytools on my Debian 6 installation:

root@host:~# locate keytool
/etc/alternatives/keytool
/etc/alternatives/keytool.1.gz
/root/glassfish3/jdk/bin/keytool
/root/glassfish3/jdk/jre/bin/keytool
/root/glassfish3/jdk/man/ja_JP.eucJP/man1/keytool.1
/root/glassfish3/jdk/man/man1/keytool.1
/root/glassfish3/mq/bin/imqkeytool
/root/glassfish3/mq/bin/imqkeytool.exe
/usr/bin/gkeytool
/usr/bin/gkeytool-4.4
/usr/bin/keytool
/usr/bin/jre1.6.0_25/bin/keytool
/usr/bin/jre1.6.0_25/man/ja_JP.eucJP/man1/keytool.1
/usr/bin/jre1.6.0_25/man/man1/keytool.1
/usr/lib/jvm/java-1.5.0-gcj-4.4/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/jre/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/man1/keytool.1.gz
/usr/share/man/man1/gkeytool-4.4.1.gz
/usr/share/man/man1/gkeytool.1.gz
/usr/share/man/man1/keytool.1.gz
/var/lib/dpkg/alternatives/keytool
root@host:~# echo $JAVA_HOME
/usr

Now I used:

/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit 

to create the keystore file. Tomcat starts without any problems!


0

Try specifying your storetype: -storetype JKS (see: http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)

1 Comment

If I use "-storetype JKS" I get the message "Provider fully qualified class name: ". Which classname do I have to provide? The one of JKS?
0

If you use the GNU JVM and keytool, you can add the following options to the Tomcat connector in server.xml in order to get it to work: keystoreType="gkr" algorithm="JessieX509"

The algorithm is mentioned here.
