CA Service Management

  • 1.  CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Feb 19, 2013 12:54 PM
    Hello All,
    This week I want to go over a topic for which several issues have been raised over the past few weeks here in CA Support. The topic is SSL, more specifically SSL configurations for Tomcat. Many sites have SSL requirements that must be met. To meet those you may need to configure the web client to run in SSL, via IIS and Tomcat. Configuring SSL for IIS is very simple, however there tends to be a bit more confusion when it comes to configuring SSL for Tomcat. So that's what I would like to focus on here.

    To get us started, first we must understand that SSL requires the use of what is known as a valid SSL certificate. There are many ways to obtain an SSL certificate, including through a certified vendor such as Verisign, GoDaddy or DigiCert, and even ways to generate and use a self-signed certificate (although these are not preferred as they are not as secure and often don't work properly with Tomcat).

    What do we mean by a "valid" SSL certificate? In order to be "valid" a certificate must be from a certified vendor, and must be generated based on the specific information for each individual server - which is generated into what is known as a "certificate request" - which is then sent to the vendor, and used to generate a certificate for the given server(s) on which the certificate request was generated.

    So the first step to implementing SSL on Tomcat is to first decide what servers will need certificates - which will most likely be any server where Service Desk is installed.

    Next, you will follow the steps (also stated in the admin guide for the product) to create what is called a Keystore. A Keystore is a "store" or storage unit for certificates, in which the certificates will be imported to, and then Tomcat will be pointed to use that Keystore and certificates for SSL.

    To create the Keystore, follow these steps on each server that will require an SSL certificate:
    1. create a directory under the C: drive (or whatever LOCAL drive you choose) called "certificates"
    2. on the command line navigate to the JRE bin directory (for the JRE installed with Service Desk - usually /SC/JRE)
    3. run the command "keytool -genkey -alias tomcat -keyalg RSA -keystore c:/certificates/keystore.jks"
    4. fill in the fields as appropriate (make sure to note what you filled in each field as you may need this info later)

    You should now see a keystore.jks file located in the C:\certificates\ directory.

    Next, you need to generate the Certificate Request for each server:
    1. on the command line navigate to the JRE bin directory (for the JRE installed with Service Desk - usually /SC/JRE)
    2. run the command "keytool -certreq -alias tomcat -keystore c:/certificates/keystore.jks -file servername-certreq.csr"

    After performing the above steps, you should see a .csr file in the c:/certificates directory on each server where you generated the certificate request.

    Next, you will take those .csr files and send them off to the vendor of your choice. The vendor will then generate the appropriate certificates you need based on the certificate request, for each server, and will then send you back the certificates for each.

    The next part is where the confusion can get in the way sometimes, and here's why...

    Each vendor is different. Some vendors will send you multiple certificates, possibly including a root certificate, an intermediate certificate, and a certificate of authority. That said, each vendor has different instructions on which certificates they provide need to be imported into the keystore. So the key here is to ask the specific vendor that you used to generate the certificates for you, for specific instructions on how to import their certificates into a Tomcat keystore.

    Once you have received the specific instructions from the vendor, you can follow those to import the appropriate certificates into the keystore on each server. Once that is complete, you can now configure Tomcat on the Service Desk side of things to point it to that keystore where the certificates have been imported.

    To configure Service Desk Tomcat to use SSL follow these steps on each server where you are configuring SSL for Tomcat:
    1. open the \bopcfg\www\CATALINA_BASE\conf\server.xml file using a text editor
    2. locate the following:

    <!-- <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\Documents and Settings\user\.keystore"
    keystorePass="password"/> -->

    Change it as follows:
    **NOTE - be sure to remove the <!-- and --> tags that currently comment out the HTTPS/SSL connector for Tomcat, and set the appropriate path and password for the keystore that you generated in the beginning

    <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\certs\keystore.jks"
    keystorePass="password"/>

    3. Save the server.xml file
    4. Recycle Tomcat by using the following commands
    **NOTE: it is always better if you can to recycle CA Service Desk Manager services as a whole - this better ensures a successful restart of Tomcat - however if you cannot do that, you can try to just recycle Tomcat itself with these commands
    pdm_tomcat_nxd -c stop
    pdm_tomcat_nxd -c start

    Now, test your tomcat SSL connection by opening a browser and navigating to the Service Desk URL, using the HTTPS protocol, and the tomcat port - similar to this: "https://servername:8080/CAisd/pdmweb.exe" - which should bring you to the Service Desk Login Screen.

    That should be all you need to get SSL configured for Tomcat in Service Desk :)

    So in summary, the key points are that you need to select a certified vendor, and be sure when you send them the certificate requests for your servers that you generated, ask for the specific instructions on how to import their certificate(s) into a tomcat keystore.

    Have a great week all!

    Jon Israel
    Principal Support Engineer
    CA Technologies
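    As an added example (not part of Jon's post or of the product), here is a small Python checker for the connector mistakes this thread keeps running into: the HTTPS connector left commented out, the doubled keystoreFile attribute from the copy-paste above, and a keystore left on a default password. Both server.xml fragments are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): the shipped server.xml with the HTTPS
# connector still commented out and the doubled keystoreFile attribute.
SHIPPED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <!-- <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
       keystoreFile="keystoreFile="C:\\certs\\keystore.jks" keystorePass="password"/> -->
</Service></Server>"""

# Constructed sample of the same file after the edit steps above were applied.
EDITED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
       keystoreFile="C:\\certs\\keystore.jks" keystorePass="s3cret-not-default"/>
</Service></Server>"""

DEFAULT_PASSWORDS = {"password", "changeit", ""}

def audit_https_connector(xml_text):
    """Return a list of problems found with the HTTPS connector in server.xml."""
    problems = []
    # Text-level checks first: either defect leaves the connector inert or
    # makes the file impossible to parse as XML at all.
    if re.search(r'<!--\s*<Connector[^>]*scheme="https"', xml_text):
        problems.append("https connector is still commented out")
    if 'keystoreFile="keystoreFile=' in xml_text:
        problems.append("keystoreFile attribute is duplicated (not well-formed XML)")
    if problems:
        return problems
    root = ET.fromstring(xml_text)
    https = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not https:
        return ["no https connector defined"]
    for conn in https:
        if conn.get("secure") != "true":
            problems.append("secure attribute is not true")
        if not conn.get("keystoreFile"):
            problems.append("keystoreFile is missing")
        if conn.get("keystorePass", "") in DEFAULT_PASSWORDS:
            problems.append("keystorePass is a default or empty value")
    return problems

if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED), ("edited", EDITED)):
        print(label, "->", audit_https_connector(text) or ["ok"])
```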


  • 2.  RE: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Feb 20, 2013 01:08 PM
    Thanks for all the great info in this tip Jon! :grin:


  • 3.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Mar 02, 2016 10:53 PM

    Hello Everyone,

    Just giving some feedback from a site that went to load a new certificate and experienced:

    Error:

    ERR_SSL_VERSION_OR_CIPHER_MISMATCH

    Their resolution was:

    _________________________________

    Modify the server.xml with the following:

    <Connector SSLEnabled="true" clientAuth="false"
    keystoreFile="C:\Certifcate\<<Certificate name here>>.pfx"
    keystorePass="password"
    keystoreType="PKCS12" />

    The .pfx extension is generic and doesn't need import from the keytool.

    _________________________________

    I hope this helps anyone who encounters the same issue.

    Thanks, Kyle_R.



  • 4.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Mar 03, 2016 03:04 AM

    If you do not use a .pfx file but a keystore (my preferred option, for various reasons), the way out of this error is to declare the ciphers in your connector.

    Taking Jon's example above:

    <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\certs\keystore.jks"
    keystorePass="password" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

    Note that this is also valid for .pfx, but depending on how your .pfx was built, it may or may not generate the error.

    Hope this helps

    /J
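    As an added example (not from Jerome's post), a Python helper that normalises a Tomcat ciphers attribute like the one above and reports which suites a defender would want dropped; the sample list is constructed in the shape of the one posted, stray spaces included, and the weakness rules are my own conservative rule of thumb rather than a full policy.

```python
import re

# Constructed sample, shaped like the ciphers attribute in the post above:
# a comma-separated list that also contains a stray run of spaces.
CIPHERS_ATTR = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                "TLS_ECDHE_RSA_WITH_RC4_128_SHA,          TLS_RSA_WITH_AES_128_CBC_SHA256,"
                "SSL_RSA_WITH_RC4_128_SHA")

def parse_cipher_list(value):
    """Split a Tomcat ciphers attribute into suite names, trimming whitespace
    and dropping empty entries, so the list can be re-emitted cleanly."""
    return [name.strip() for name in value.split(",") if name.strip()]

def weakness_of(name):
    """Return why a suite should be avoided, or None if no rule applies.
    Assumption: these rules are a conservative rule of thumb, not a full policy."""
    if "_RC4_" in name:
        return "RC4 stream cipher (prohibited by RFC 7465)"
    if name.startswith("SSL_"):
        return "legacy SSL_-prefixed suite name"
    if not (name.startswith("TLS_ECDHE_") or name.startswith("TLS_DHE_")):
        return "static RSA key exchange, no forward secrecy"
    if name.endswith("_SHA"):
        return "CBC with SHA-1 MAC (legacy; prefer AES-GCM suites)"
    return None

def audit_ciphers(value):
    """Return (had_whitespace, normalised_attribute, {weak_suite: reason})."""
    had_whitespace = re.search(r"\s", value) is not None
    suites = parse_cipher_list(value)
    weak = {name: weakness_of(name) for name in suites if weakness_of(name)}
    return had_whitespace, ",".join(suites), weak

if __name__ == "__main__":
    ws, clean, weak = audit_ciphers(CIPHERS_ATTR)
    print("stray whitespace in attribute:", ws)
    print('normalised: ciphers="%s"' % clean)
    for name, reason in weak.items():
        print("  weak:", name, "-", reason)
```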



  • 5.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Mar 04, 2016 02:12 AM

    Thanks Jerome,

    I appreciate the additional feedback and will point my client to this thread.

    Thanks, Kyle.

    Kyle Redgrove, Principal Support Engineer.

    CA Technologies, Global Customer Success.



  • 6.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Mar 03, 2016 02:55 AM

    If you are implementing SSL, you also want to make sure that your users are using it and do not continue to use the non-SSL port.

    That said, users may forget to add the http(s) in their URL.

    Therefore, and depending on your company security policy, good practice will be to keep your HTTP port available but implement a security constraint that will force users to be redirected to your SSL port transparently.

    You can do that by just adding the below at the bottom of your CAisd\WEB-INF\web.xml file (and web.xml.tpl), right before the </web-app> tag:

    <!-- Forward all incoming traffic to the SSL port -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Automatic SSL Forwarding</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    Hope this helps.

    /J



  • 7.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Jul 11, 2016 11:35 AM

    Hi Both

    We are struggling with an SSL implementation for a customer in Denmark. They are planning to provide an interface to their Tomcat 4.1.31 server on an r11.2 CASDM system (yes r11.2!) via https and are having problems.

    They have a PKCS type 12 certificate (.pfx or .p12 format) and they are saying that Tomcat v4.1.31 does not support PKCS type 12 certificates (only jks format).

    The keytool utility in a later release will convert a pkcs type 12 certificate to jks BUT this is only supported under java SE6 which is a later release than the java 1.4 version on the r11 Tomcat.

    I have seen a document which implies that you can import a type 12 certificate into Tomcat 4.x but it mentions using openssl which does not appear to be available on the r11 server: (https://uk.godaddy.com/help/tomcat-4x5x6x-renew-a-certificate-5355)

    Any help would be much appreciated.

    Regards Colin



  • 8.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Jul 13, 2016 07:18 PM

    Hello Colin,

    I'd suggest that we branch this question out to its own post, if you want to continue it, as that will flag it as a new question and get the most eyes on it. Most people won't notice it at the end of this old thread.

    You can upgrade Tomcat on the older releases - there is a document somewhere on this. However, the preferable course would be to upgrade to a certified release of CA Service Desk Manager/IT Service Management, which would make the whole conversation moot. CA Service Desk 11.2 is long in the tooth at this point, and it won't just be the Java (with the potential for significant security vulnerabilities) or Tomcat that is outdated.

    Let me know if you want a thread split.

    Thanks, Kyle_R.

    Mod.



  • 9.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Jul 14, 2016 09:57 AM

    Hi Kyle

    Thanks for that. I managed to get my PKCS12 certificate working by installing it in my certificates directory and changing server.xml as shown below. Note that the keystoreType and keystorePass directives did not exist in the original CA instructions (in the r11 admin guide) but Tomcat was quite happy with them - so an undocumented feature.

    <Connector acceptCount="100" className="org.apache.coyote.tomcat4.CoyoteConnector" debug="0" disableUploadTimeout="true" enableLookups="true" maxProcessors="75" minProcessors="5" port="8443" scheme="https" secure="true" useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" keystoreFile="C:\Certificates\test.pfx" keystorePass="changeit" keystoreType="PKCS12" protocol="TLS"/>
    </Connector>

    I also found that Tomcat 4.3.1 as shipped with r11 does not support certificates with a key size (or modulus) of > 2048. It gives an error --> 'Invalid RSA modulus size'.

    I was able to find out the modulus of my certificate using openssl as follows:

    openssl pkcs12 -in test.pfx -clcerts -nokeys -out mycert.crt
    openssl x509 -in mycert.crt -text

    The text output of the openssl x509 command includes a Subject Public Key section, which will include fields that let you see if it's an RSA or DSA key (along with the key size).

    ....... and that's more than I want to know about certificates for another 30 years!

    Regards

    Colin



  • 10.  Re: CA Tuesday Tip - Tomcat SSL - What,Who,Where?

    Posted Jul 20, 2016 11:47 PM

    Thanks Colin,

    Really appreciate the extra detail.

    Kyle_R.