Consultor Eletrônico

Kbase P17381: How to configure Tomcat 4.1.x standalone for SSL and AIA/S
Author: Progress Software Corporation - Progress
Access: Public
Published: 1/24/2008
Status: Verified

GOAL:

How to configure Tomcat 4.1.x standalone for SSL and AIA/S

FACT(s) (Environment):

Progress 9.1x

FIX:

Before configuring standalone Tomcat 4.1.x for AIA/S over HTTPS/SSL, Tomcat must already be installed and the AIA tested over the plain HTTP/1.1 connector: http://hostname:8080/aia/Aia

For SSL and HTTPS to work with the Tomcat JSE you need JDK 1.3.x with the JSSE extension installed, or J2SDK 1.4.x, which bundles JSSE in its security packages. Use the latest J2SDK 1.4.x release; the 1.4.0 release had problems in this area.

1) Download and install OpenSSL (or the Microsoft Authenticode tools) so that you can create, sign and convert certificates.

2) Create the CAcert root certificate and its private key, which will be used for signing. Keep the CA private key off the Tomcat host and readable only by the person acting as the CA: anyone holding it can issue certificates that every client trusting CAcert will accept.

3) Edit Tomcat's server.xml and uncomment the SSL connector:
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!-- -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true"
               useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile="E:\JSE\Tomcat41\conf\.keystore" keystorePass="progress"
               clientAuth="false" protocol="TLS" />
    </Connector>
    <!-- -->

4) Add the 'keystoreFile' and 'keystorePass' attributes to the 'Factory' tag as shown above: keystoreFile is the path of the keystore created in step 5 and keystorePass is the password you give keytool there. The password is stored in clear text in server.xml, so make server.xml and the keystore readable only by the account Tomcat runs under.

5) Run 'keytool' to create the keystore and the initial, self-signed certificate:
keytool -genkey -alias tomcat -keysize 1024 -keyalg RSA -validity 365 -keystore <path_to_your_Tomcat_conf_dir>/.keystore
When prompted, enter the keystorePass value from server.xml as the keystore password and press RETURN at the key-password prompt so that both passwords are the same; the Tomcat connector has only one password attribute for both. Answer the "first and last name" prompt with the host name clients will use in the URL, because that answer becomes the certificate's CN and is what host name verification checks. The 1024-bit key size reflects the defaults of the time; 1024-bit RSA is no longer considered adequate, so use 2048 or larger wherever the client software supports it.

6) Start Tomcat and test SSL at https://hostname:8443 (the browser warns because the certificate is self-signed).

NB: At this point the keystore holds only the self-signed certificate that keytool generated. If that is acceptable, skip to step 17. To have the Tomcat certificate signed by your CAcert root instead (CAcert itself is self-signed, being a root), continue with step 7.

7) Generate the certificate signing request with keytool:
keytool -certreq -alias tomcat -file tomcat.csr -keystore <path_to_your_Tomcat_conf_dir>/.keystore

8) Copy tomcat.csr into the OpenSSL working directory and sign it with the CA. The path to openssl.cnf depends on your installation, -infiles must be the last option, and policy_anything lets the CA sign a request whose DN fields differ from its own, which is fine for a private CA:
./openssl ca -policy policy_anything -out tomsigned.pem \
-config /usr/local/ssl/openssl.cnf -infiles tomcat.csr

9) Generate the DER version of the tomsigned.pem file:
openssl x509 -in tomsigned.pem -out tomsigned.der -outform DER

10) Do the same for CAcert.pem, the CA's own certificate:
openssl x509 -in CAcert.pem -out CAcert.der -outform DER

11) Copy these two files into the Tomcat/conf directory.

12) Import CAcert.der into the Java 'cacerts' trust store and into '.keystore'. The import into .keystore is what lets keytool validate the signed reply in step 13; the import into cacerts makes every Java program using that JRE trust certificates signed by this CA, so do it only on machines you control. The default cacerts password is "changeit"; change it if you have not already:
keytool -v -import -alias root -file CAcert.der -keystore $JAVA_HOME/jre/lib/security/cacerts
and
keytool -v -import -alias root -file CAcert.der -keystore <path_to_your_Tomcat_conf_dir>/.keystore

13) Import tomsigned.der into '.keystore' under the same alias as the key; keytool validates the reply against the root imported in step 12 and replaces the self-signed certificate with the signed chain:
keytool -v -import -alias tomcat -file tomsigned.der -keystore <path_to_your_Tomcat_conf_dir>/.keystore

14) Check the keystore with the -list option; the 'tomcat' entry should report "Certificate chain length: 2" and the 'root' entry should be listed as a trustedCertEntry:
keytool -v -list -keystore <path_to_your_Tomcat_conf_dir>/.keystore

15) Start Tomcat.

16) Test http://hostname:8080 and then https://hostname:8443 (on a machine that trusts CAcert, the browser warning from step 6 should be gone).

17) Edit the Progress ubroker.properties and, in the [AIA.Aia1] section, set:
httpsEnabled=1

18) Test the AIA at https://hostname:8443/aia/Aia

19) Test the Progress connection using:
"-URL https://hostname:8443/aia/Aia?AppService=asbroker1 -nohostverify".
-nohostverify disables host name verification in the client, so the connection succeeds even if the certificate's CN does not match the host name in the URL. That is acceptable for a first test; for production, issue the certificate with CN equal to the host name in the URL (step 5) and drop -nohostverify, otherwise the client will accept any certificate signed by a CA it trusts regardless of which host presents it.
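The CA and keystore part of the procedure (steps 2, 5, 7, 8 and 12 to 14) scripted end to end, as an added example that is not part of the Progress kbase. File names (CAcert.pem, CAkey.pem, tomcat.csr, tomsigned.pem), the keystore password "progress" and the host name are assumptions for illustration. It departs from the article in two places, both stated in the comments: signing uses "openssl x509 -req" instead of "openssl ca", so no CA database (index.txt, serial) has to be prepared, and the CSR can be produced with openssl alone so the CA side can be exercised on a machine without a JDK.

```shell
#!/bin/sh
# Added example, not the Progress kbase's own commands: a private CA that
# signs the Tomcat server certificate, plus the check to run before Tomcat
# is restarted. File names, password and host name are illustrative.
set -eu

# Steps 1-2: a root CA whose certificate is constrained to signing.
make_ca() {            # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Progress AIA Test CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -keyout "$1/CAkey.pem" -out "$1/CAcert.pem"
}

# Steps 5 and 7 with keytool. The CN is the name clients connect to, so
# -nohostverify is not needed later; -keypass equals -storepass because the
# Tomcat connector has a single password attribute for both.
keystore_certreq() {   # $1 = dir, $2 = hostname, $3 = keystore password
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2" -keystore "$1/.keystore" -storepass "$3" -keypass "$3"
    keytool -certreq -alias tomcat -file "$1/tomcat.csr" \
        -keystore "$1/.keystore" -storepass "$3"
}

# The same request produced with openssl only (stand-in for keytool when
# no JDK is installed).
openssl_certreq() {    # $1 = dir, $2 = hostname
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" \
        > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/tomcat.key" -out "$1/tomcat.csr"
}

# Step 8, with "openssl x509 -req" instead of "openssl ca". The extension
# file marks the result as a leaf server certificate and adds the SAN that
# current TLS clients require.
sign_csr() {           # $1 = dir, $2 = hostname
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" \
        > "$1/server.ext"
    openssl x509 -req -days 365 -sha256 -in "$1/tomcat.csr" \
        -CA "$1/CAcert.pem" -CAkey "$1/CAkey.pem" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/tomsigned.pem"
}

# Check before the keystore is touched: the certificate must chain to the
# CA and its subject must name the host. Returns 0 only when both hold.
verify_signed() {      # $1 = dir, $2 = hostname
    openssl verify -CAfile "$1/CAcert.pem" "$1/tomsigned.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$1/tomsigned.pem" -noout -subject | grep -q "CN *= *$2"
}

# Steps 12-14: keytool reads PEM as well as DER, so the conversion in steps
# 9-10 is optional. The root must go in first, or keytool cannot validate the
# signed reply for the tomcat alias.
keystore_import() {    # $1 = dir, $2 = keystore password
    keytool -import -noprompt -alias root -file "$1/CAcert.pem" \
        -keystore "$1/.keystore" -storepass "$2"
    keytool -import -alias tomcat -file "$1/tomsigned.pem" \
        -keystore "$1/.keystore" -storepass "$2"
    # Expect "Certificate chain length: 2" for the tomcat entry.
    keytool -list -v -alias tomcat -keystore "$1/.keystore" -storepass "$2" |
        grep 'Certificate chain length'
}

# End-to-end run in a scratch directory; prints the directory so the files
# can be copied into Tomcat's conf directory afterwards.
demo() {               # $1 = hostname
    d=$(mktemp -d)
    make_ca "$d"
    if command -v keytool >/dev/null 2>&1; then
        keystore_certreq "$d" "$1" progress
    else
        openssl_certreq "$d" "$1"
    fi
    sign_csr "$d" "$1"
    verify_signed "$d" "$1"
    if command -v keytool >/dev/null 2>&1; then
        keystore_import "$d" progress
    fi
    echo "$d"
}

# Usage: sh tomcat-ca.sh run aiahost.example.com
if [ "${1:-}" = "run" ]; then
    demo "${2:-localhost}"
fi
```

After a run, point keystoreFile in server.xml at the generated .keystore (or copy it into Tomcat/conf) and import CAcert.pem into the cacerts of any JRE whose programs must trust the server; CAkey.pem stays with the CA, not on the Tomcat host.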