How do I configure Servoy SSL when using the http tunnel?

Postby Jan Blok » Tue May 27, 2008 11:32 am

First generate an SSL certificate. Read the SSL howto to get a proper (not self-signed) certificate. For testing you can use a self-signed certificate like I do below. Fill in the correct webserver host at "What is your first and last name?" otherwise the tunnel will not work (I use localhost below).

Generate (test) SSL cert:

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: Web
What is the name of your organization?
[Unknown]: Acme Web Services
What is the name of your City or Locality?
[Unknown]: Sin City
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: NL
Is CN=www.mydomain.com, OU=Web, O=Acme Web Services, L=Sin City, ST=Unknown, C=NL correct?
[no]: yes

Enter key password for <tomcat>
(RETURN if same as keystore password):

The current version of Servoy does not automatically recognize that you want to use SSL, so you need to set the code base override. I'm using port 8443 for SSL, but if you have the privileges to bind to 443 (the official SSL port) you can use that instead.

In servoy.properties (only needed up to Servoy 3.5.6):
servoy.jnlpCodebaseOverride=https\://localhost:8443/

In server.xml add (under the regular connector):
<Connector
                port="8443"
                maxThreads="150" connectionTimeout="60000"
                scheme="https" secure="true" SSLEnabled="true"
                keystoreFile="conf/keystore" keystorePass="changeit"
                clientAuth="false" sslProtocol="TLS"/>

Normal is the usage of port 8443. You can change this port, but if you do, change the redirectPort value in the regular connector as well!

At the end of web.xml in server/webapps/ROOT/web.xml (just before
the </web-app>) add:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SSL Forwarding</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

This will cause ALL traffic to be redirected to SSL. Note that this is probably what you want anyway because you want the client to be started from an SSL protected page (to avoid tampering with the webstart url).
Jan Blok
Servoy
Jan Blok
 
Posts: 2684
Joined: Mon Jun 23, 2003 11:15 am
Location: Amsterdam
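
A consistency check for the two files edited in the post above, as an added example that is not part of the original post or of Servoy: it confirms that the regular connector's redirectPort points at a connector with SSLEnabled="true" and that web.xml carries the CONFIDENTIAL constraint. The sample XML is constructed (the SSL port 9443 and the web-app namespace are assumptions made for the illustration).

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets in the post above; the SSL
# connector was moved to 9443 without updating redirectPort.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" redirectPort="8443" connectionTimeout="60000"/>
  <Connector port="9443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="conf/keystore" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SSL Forwarding</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(el):
    """Tag name without any XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]


def check_ssl_config(server_xml, web_xml):
    """Return a list of problems; empty means the two files agree."""
    problems = []
    conns = [e for e in ET.fromstring(server_xml).iter() if local(e) == "Connector"]
    ssl_ports = {c.get("port") for c in conns if c.get("SSLEnabled") == "true"}
    if not ssl_ports:
        problems.append("no Connector has SSLEnabled=\"true\"")
    for c in conns:
        redirect = c.get("redirectPort")
        if c.get("SSLEnabled") != "true" and redirect and redirect not in ssl_ports:
            problems.append("connector %s redirects to %s, but SSL listens on %s"
                            % (c.get("port"), redirect, sorted(ssl_ports)))
    guarantees = [(e.text or "").strip() for e in ET.fromstring(web_xml).iter()
                  if local(e) == "transport-guarantee"]
    if "CONFIDENTIAL" not in guarantees:
        problems.append("web.xml has no CONFIDENTIAL transport-guarantee")
    return problems


if __name__ == "__main__":
    print(check_ssl_config(SERVER_XML, WEB_XML))
```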

Re: How do I configure Servoy SSL when using the http tunnel?

Postby Detox » Fri Jul 02, 2010 7:14 pm

I have followed the docs exactly, and found that all references to Tomcat demand the keystore file have the extension of *.keystore... I built a self-signing cert and got a free one from instantssl... either way, it errors...
Here is an excerpt from the errors on the cmd line, with an excerpt from server.xml to show how that looks also.

I cannot move forward in resolving the java v19 issues until I get this solved... I am running servoy 3.12 on Centos 5.4 and
java -version
java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
Java HotSpot(TM) Server VM (build 1.5.0_14-b03, mixed mode)


So if anyone can please look at this and provide some insight, it would be great!

>>>>>>>>>>>>>>>>>> <<<<<<<<<<<<<<<<<<<<<<,

When using *.ks file

SEVERE: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.FileNotFoundException: /srv/servoy/server/conf/keystore/2servoy.ks (No such file or directory)

(excerpt from server.xml)
<Connector
port="8443"
maxThreads="150" connectionTimeout="60000"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/keystore/2servoy.ks" keystorePass="secretpass"
clientAuth="false" sslProtocol="TLS"/>


when using a *.keystore file
SEVERE: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Invalid keystore format

(excerpt from server.xml)
<Connector
port="8443"
maxThreads="150" connectionTimeout="60000"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/keystore/2servoy.keystore" keystorePass="secretpass"
clientAuth="false" sslProtocol="TLS"/>


Thanks a bunch in advance!!
Detox
 
Posts: 73
Joined: Wed Dec 13, 2006 11:02 pm

Re: How do I configure Servoy SSL when using the http tunnel?

Postby ptalbot » Fri Jul 02, 2010 7:30 pm

Java is telling you that your keystore is not of the right format. I would trust him to know what he wants ;-)

Are you sure you installed the key chain correctly, as stated here?
http://www.instantssl.com/ssl-certifica ... -java.html

Then maybe the extension is not needed, so in your server.xml, you could try
keystoreFile="conf/keystore/2servoy"
ptalbot
 
Posts: 1612
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC
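
The two startup errors quoted earlier in the thread can be separated before Tomcat is started, as in this added example (not code from any poster or from Servoy). It resolves a keystoreFile value against a base directory, as the path in the FileNotFoundException suggests, and classifies the file by its leading bytes; the file contents are constructed, and the PEM file is only one possible non-JKS input, since the thread does not establish what the failing file contained.

```python
import os
import tempfile

# Leading bytes of the Java keystore formats.
MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}


def sniff(path):
    """Classify a file by its first bytes."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head[:4] in MAGIC:
        return MAGIC[head[:4]]
    if head.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if head[:1] == b"\x30":  # ASN.1 SEQUENCE: PKCS#12 or a DER certificate
        return "DER"
    return "unknown"


def diagnose(base_dir, keystore_file):
    """Return (status, detail) for a keystoreFile value under base_dir."""
    path = os.path.normpath(os.path.join(base_dir, keystore_file))
    if os.path.isdir(path):
        return "not-a-file", path + " is a directory; keystoreFile must name the file"
    if not os.path.isfile(path):
        return "missing", path + " does not exist (FileNotFoundException)"
    kind = sniff(path)
    if kind == "JKS":
        return "ok", path + " is a JKS keystore"
    return "wrong-format", path + " is " + kind + ", not JKS (Invalid keystore format)"


def demo():
    """Build a constructed conf/ tree and diagnose four keystoreFile values."""
    with tempfile.TemporaryDirectory() as base:
        ks_dir = os.path.join(base, "conf", "keystore")
        os.makedirs(ks_dir)
        # Constructed stand-ins: a PEM file named .keystore, and a JKS header.
        with open(os.path.join(ks_dir, "2servoy.keystore"), "wb") as f:
            f.write(b"-----BEGIN CERTIFICATE-----\nconstructed\n")
        with open(os.path.join(ks_dir, "good.jks"), "wb") as f:
            f.write(b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00")
        names = ["conf/keystore/2servoy.ks", "conf/keystore/2servoy.keystore",
                 "conf/keystore/good.jks", "conf/keystore"]
        return {n: diagnose(base, n)[0] for n in names}


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, "->", status)
```

The file extension plays no part in the result: only the resolved path and the first bytes of the file decide which of the two errors would appear.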

Re: How do I configure Servoy SSL when using the http tunnel?

Postby Detox » Fri Jul 02, 2010 8:04 pm

Thanks for the quick read! When I remove the file extension... ks / keystore / key...
all I get is the error: cannot find file

I rebuilt the certificate to make sure I did it correctly and it passes the tests and the steps were correct.... Arrgggg
Detox
 
Posts: 73
Joined: Wed Dec 13, 2006 11:02 pm

Re: How do I configure Servoy SSL when using the http tunnel?

Postby Detox » Fri Jul 02, 2010 8:06 pm

One last part: on the Tomcat website, it says specifically that the ssl cert must have *.keystore as this is the default for tomcat, and it looks for that extension... is there somewhere else in servoy I need to adjust?
Detox
 
Posts: 73
Joined: Wed Dec 13, 2006 11:02 pm

Re: How do I configure Servoy SSL when using the http tunnel?

Postby ptalbot » Fri Jul 02, 2010 8:23 pm

I just tried:
<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="500" connectionTimeout="60000"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/keystore" keystorePass="secretpass"
clientAuth="false" sslProtocol="TLS" />

with the java certificate I use to sign my plugins/beans.
My keystore is simply named "keystore" - NO extension!

And Tomcat launched without any problem.
So there must be a problem with your keystore.
ptalbot
 
Posts: 1612
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC

Re: How do I configure Servoy SSL when using the http tunnel?

Postby Detox » Fri Jul 02, 2010 8:43 pm

[quote="ptalbot"]I just tried:
<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="500" connectionTimeout="60000"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/keystore" keystorePass="secretpass"
clientAuth="false" sslProtocol="TLS" />

with the java certificate I use to sign my plugins/beans.
My keystore is simply named "keystore" - NO extension!

And Tomcat launched without any problem.
So there must be a problem with your keystore.[/quote]

OK, I'm gonna ask a real dunderhead question now... when you stated "My keystore is simply named "keystore" - NO extension!"...

are you saying when you created the keystore you named it keystore and not keystore.ks?

Also, can you speak a bit regarding the java certificate for your plugins? Are you referring to the post about problems with java 19?

Thanks so much for the help...
Detox
 
Posts: 73
Joined: Wed Dec 13, 2006 11:02 pm

Re: How do I configure Servoy SSL when using the http tunnel?

Postby ptalbot » Fri Jul 02, 2010 8:51 pm

Yes, when I created the keystore using the java keytool, I named it 'keystore' without extension (I don't think it is significant anyway, java doesn't care about the extension of the keystore files, as long

As to the java certificate for your plugins:
Yes, it is the one I use to sign my jars (using the jarsigner tool or signtester tool).

That's the only keystore I have, but the certificate in here is not a real ssl certificate (it is not linked to any url).
Even so, Tomcat did recognize it and launched without a glitch, and if I navigate to https://localhost/ I can see that the certificate is used (even though it errors in the browser because it is not linked to a url).

So I would try removing the extension from your keystore, and see if it works, otherwise, I guess that there is something broken in it.
Have you tried contacting the instantssl support?
ptalbot
 
Posts: 1612
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC

