From: Gait B. <gai...@ti...> - 2002-10-23 14:19:57
Thanks Patrick,
Adding the certificate to the cacerts for the JRE did it.
I also tried setting the MSH-client communication to HTTPS, but that still gives me a "couldn't find trusted certificate" error. I was expecting this to use the same certificates and stores as for MSH-MSH loopback.
Gait.
----- Original Message -----
From: Patrick Yee
To: Patrick Yee
Cc: EbXMLms List (E-mail)
Sent: Wednesday, October 23, 2002 6:13 AM
Subject: Re: [ebxmlms-general] MSH over SSL with Tomcat
Sorry, I forgot to CC the answer to the list. Please find the answer below.
And I want to further clarify 2 points:
1. If computer A wishes to connect to computer B using SSL, computer B should be pre-configured with SSL first, and computer B's public key should be imported into computer A's trusted keystore.
2. In that case, the URL that computer A uses to connect should use the same hostname or IP as the one computer B used to generate the key. I mean, if computer B uses the IP as CN to generate the key, computer A should use the URL with the IP to connect. If computer B uses the hostname as CN, computer A should use the hostname to connect.
Regards, -Patrick
--
Patrick Yee
System Architect
Center for E-Commerce Infrastructure Development (CECID)
Dept. of Computer Science and Information Systems
The University of Hong Kong
Tel: (852) 22415674
Fax: (852) 25474611
----- Original Message -----
From: Patrick Yee
To: Gait Boxman
Sent: Wednesday, October 23, 2002 12:07 PM
Subject: Re: [ebxmlms-general] MSH over SSL with Tomcat
Hi Gait,
In our experience, you should do the following to make SSL on Tomcat work.
1. Generate a key with the alias "tomcat", and with the CN set to the correct hostname or IP of the server.
2. Specify the keystore details in Tomcat's configuration files.
3. Up to this point, you can test with a browser. You need to accept that cert on a prompt.
4. Export the public key of the generated keypair to a file using keytool.
5. Import the public key exported in (4) into a keystore located at the RECEIVING computer. The keystore is located at $JAVA_HOME/jre/lib/security/cacerts. This keystore is the so-called trusted public keys recognized by the JRE.
Step 5 is conceptually the same as accepting that cert on a prompt in the browser in step (3). One is for a machine, one is for a human.
Hope this helps.
Regards, -Patrick
--
Patrick Yee
System Architect
Center for E-Commerce Infrastructure Development (CECID)
Dept. of Computer Science and Information Systems
The University of Hong Kong
Tel: (852) 22415674
Fax: (852) 25474611
----- Original Message -----
From: Gait Boxman
To: ebx...@li...
Sent: Wednesday, October 23, 2002 2:32 AM
Subject: [ebxmlms-general] MSH over SSL with Tomcat
Hi,
I'm having some problems getting SSL to work with the MSH.
I've set up Tomcat with a certificate using 'keytool -genkey -alias tomcat -keyalg RSA'.
I entered my server name as the CN, and added some real values for the other X.500 fields.
I enabled port 8443 in server.xml, and I managed to hook up to the MSH with https://my_server_name:8443/msh, after accepting the certificate in IE.
I exported the key, and imported it into /tmp/cacerts. I took care of all the correct passwords, so that is working.
I then tried the loopback.java with toMSHURL set to the URL above, but that gives problems in Tomcat, which tells me it can't find a trusted certificate. Running the same test over the normal HTTP channel works fine. Did I miss something here? Should I import the certificate into yet another store?
TIA, Gait.
PS: Next test will be digital signatures, hints are welcome.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Gait Boxman
Manager Advanced Technology & Standards
TIE Product Development BV
Amsterdam, The Netherlands
Tel: +31 20 658 9091 Fax: +31 20 658 9945
E-mail: gai...@ti... WWW: www.TIEglobal.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
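The procedure in Patrick's reply, as an added example that is not code from the thread or from the ebXML MSH project: a POSIX shell script that runs his steps 1, 4 and 5 with keytool (generate the Tomcat key pair with the CN set to the server name, export the certificate, import it as a trusted entry) and then checks his point 2, that the host in the MSH URL equals the CN the key was generated with. The hostname msh.example.test, the password changeit, the file locations under a temporary directory, and the use of a separate trust store for the client JVM (selected with the JSSE system property javax.net.ssl.trustStore rather than importing into the JRE's cacerts) are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks Patrick's steps 1, 4 and 5 with
# keytool and checks his point 2 (URL host must equal the CN the key was made with).
# Hostname, password and file locations are assumptions; adjust them for a real MSH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_HOST="${SERVER_HOST:-msh.example.test}"   # assumed; use the server's real hostname or IP
STOREPASS="${STOREPASS:-changeit}"               # assumed; Tomcat's default keystore password
SERVER_KS="$WORK/tomcat-keystore"                # keystore Tomcat reads (keystoreFile in server.xml)
SERVER_CRT="$WORK/tomcat.crt"                    # exported certificate from step 4
CLIENT_TS="$WORK/client-truststore"              # trust store the client JVM consults in step 5

# Step 1: key pair under alias "tomcat" with CN (and a DNS SAN) set to the server name.
gen_server_key() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$SERVER_HOST, OU=Dev, O=Example, C=NL" \
        -ext "SAN=DNS:$SERVER_HOST" \
        -keystore "$SERVER_KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 4: export only the certificate (public key); the private key stays in Tomcat's store.
export_server_cert() {
    keytool -exportcert -alias tomcat -rfc -file "$SERVER_CRT" \
        -keystore "$SERVER_KS" -storepass "$STOREPASS"
}

# Step 5: import it as a trusted entry. A dedicated file is used instead of
# $JAVA_HOME/jre/lib/security/cacerts so the JRE's shared store is left untouched;
# the client JVM is then started with
#   java -Djavax.net.ssl.trustStore=<file> -Djavax.net.ssl.trustStorePassword=<pass> ...
import_into_truststore() {
    keytool -importcert -alias tomcat -file "$SERVER_CRT" -noprompt \
        -keystore "$CLIENT_TS" -storepass "$STOREPASS"
}

# Point 2: the host part of the URL must equal the CN in the exported certificate.
# Returns 0 on match, 1 on mismatch (e.g. IP in the URL but hostname in the CN).
check_url_host_against_cn() {
    host=$(printf '%s\n' "$1" | sed -E 's#^[a-z]+://([^/:]+).*#\1#')
    cn=$(keytool -printcert -file "$SERVER_CRT" | sed -n -E 's/^Owner: .*CN=([^,]+).*/\1/p' | head -n 1)
    if [ "$host" = "$cn" ]; then
        echo "match: URL host '$host' equals certificate CN '$cn'"
        return 0
    fi
    echo "mismatch: URL host '$host' but certificate CN '$cn'" >&2
    return 1
}

# Runs the three steps from scratch (old files are removed first, so it is idempotent)
# and verifies the trust store holds the entry. Exit status 2 means no keytool on PATH.
run_all() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH; install a JDK and re-run" >&2
        return 2
    fi
    rm -f "$SERVER_KS" "$SERVER_CRT" "$CLIENT_TS"
    gen_server_key && export_server_cert && import_into_truststore || return 1
    keytool -list -keystore "$CLIENT_TS" -storepass "$STOREPASS" -alias tomcat \
        | grep -q trustedCertEntry || return 1
    check_url_host_against_cn "https://$SERVER_HOST:8443/msh"
}

rc=0
run_all || rc=$?
echo "run_all finished with status $rc (0 = ok, 2 = keytool missing)"
```

Run it with a JDK on PATH. The same keytool -importcert is what step 5 does against $JAVA_HOME/jre/lib/security/cacerts if the shared store is preferred (its stock password is changeit). Whichever store receives the certificate, the process that opens the HTTPS connection has to be a JVM that actually reads that store, so when one direction of an MSH exchange works over SSL and another still reports an untrusted certificate, the first thing to confirm is which JVM, and which trust store, is on the connecting side.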