Wednesday, June 16, 2010

Another Tomcat Post :: SSL (Part 2)

Oh no-- Not more Tomcat SSL! Yes. But. In the immortal words of Bullwinkle J. Moose: "This time for sure!"

This entry is a follow up to a post a few days ago quaintly titled Another Tomcat Post :: SSL. Since that post, I have made a momentous discovery regarding Tomcat encryption.

There is an annoying message that Tomcat writes to catalina.out on every restart, and it turns out to be relevant to why this SSL business has been such a mess:
Jun 16, 2010 8:55:14 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:
This is telling us that the AprLifecycleListener configured in server.xml went looking for Tomcat Native (the JNI bridge to APR and OpenSSL) and did not find it, so Tomcat silently fell back to its pure-Java connector. On an RPM-based system the message can be cleared by installing the tomcat-native package:
yum install -y tomcat-native
On restart, the irritating little message is gone.

What this package really brings to the table is OpenSSL: the APR connector does its TLS through OpenSSL instead of the JVM's JSSE, so it reads a PEM-encoded X.509 certificate and private key straight from disk rather than demanding a Java keystore. Glory to the mighty Gods of Olympus! Once it is installed, we modify the SSL connector stanza in the server.xml file (the post originally showed only the tail of the element; this is the whole thing):
<!-- APR/OpenSSL connector. SSLEnabled="true" is what turns TLS on for the APR
     connector; the certificate and key are plain PEM files, no keystore involved.
     clientAuth/sslProtocol are JSSE-era attributes and do no harm here; the APR
     equivalents are SSLVerifyClient and SSLProtocol. -->
<Connector port="8443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           SSLCertificateFile="conf/custom.crt"
           SSLCertificateKeyFile="conf/custom.key"
           clientAuth="false" sslProtocol="TLS" />
We've removed the keystore attributes (keystoreFile, keystorePass) and replaced them with attributes pointing at our X.509 cert and key. Leave the AprLifecycleListener line near the top of server.xml alone: with SSLEngine="on" it is what initialises OpenSSL. Two things to get right with the key file: it should be readable only by the account Tomcat runs as, and if it is passphrase-protected the APR connector needs SSLPassword to open it (an unencrypted key with tight permissions is the usual choice). Restart Tomcat.

To test that Tomcat is now serving the custom certificate, check the subject line of what it presents on 8443:
echo | openssl s_client -connect localhost:8443 | \
grep subj
If you are not using RPMs but Apache's own Tomcat distribution, the native library's source ships with it: look in CATALINA_HOME's bin directory for tomcat-native.tar.gz, and build it against APR and OpenSSL.
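The three things that went wrong along the way (library not loaded, connector still half-JSSE, key lying around readable) are all cheap to check after a restart. The script below is an added example and not part of the original post or of Tomcat itself; the CATALINA_BASE and catalina.out locations are assumptions and can be overridden through the environment. The first three checks work on files alone; the last one talks to the running server with openssl and compares the fingerprint of the certificate it presents with the fingerprint of the file named in server.xml.

```shell
#!/bin/sh
# Added example, not from the original post: post-install sanity checks for
# the APR/OpenSSL connector. All paths are assumptions; override via env vars.
CATALINA_BASE="${CATALINA_BASE:-/usr/share/tomcat6}"             # assumed
SERVER_XML="${SERVER_XML:-$CATALINA_BASE/conf/server.xml}"
CATALINA_OUT="${CATALINA_OUT:-/var/log/tomcat6/catalina.out}"    # assumed

# 1. Did the last start actually load the native library?  If the
#    "was not found" INFO line is still there, the connector is running on
#    the pure-Java JSSE stack, which wants keystoreFile, not SSLCertificateFile.
apr_loaded() {       # usage: apr_loaded catalina.out
    ! grep -q 'Apache Tomcat Native library.*was not found' "$1"
}

# Drop <!-- ... --> blocks (the stock server.xml ships a commented-out SSL
# connector that would otherwise match) and join the rest onto one line.
strip_comments() {   # usage: strip_comments server.xml
    tr '\n' ' ' < "$1" | awk '{
        while ((s = index($0, "<!--")) > 0) {
            rest = substr($0, s); e = index(rest, "-->")
            if (e == 0) { $0 = substr($0, 1, s - 1); break }
            $0 = substr($0, 1, s - 1) substr(rest, e + 3)
        }
        print
    }'
}

# Print the live <Connector .../> element(s) that serve https.
ssl_connector() {    # usage: ssl_connector server.xml
    strip_comments "$1" | grep -o '<Connector[^>]*>' | grep 'scheme="https"'
}

# 2. Is the https connector wired for APR?  Needs SSLEnabled="true" plus the
#    PEM cert/key attributes, and must not still carry a keystoreFile.
connector_ok() {     # usage: connector_ok server.xml
    c=$(ssl_connector "$1") || { echo "no https connector in $1"; return 1; }
    echo "$c" | grep -q 'SSLEnabled="true"'      || { echo 'missing SSLEnabled="true"'; return 1; }
    echo "$c" | grep -q 'SSLCertificateFile='    || { echo 'missing SSLCertificateFile'; return 1; }
    echo "$c" | grep -q 'SSLCertificateKeyFile=' || { echo 'missing SSLCertificateKeyFile'; return 1; }
    echo "$c" | grep -q 'keystoreFile='          && { echo 'stale keystoreFile attribute'; return 1; }
    return 0
}

# 3. The private key now lives as a plain PEM file: nobody outside the service
#    account (and possibly its group) should be able to read it.
key_private() {      # usage: key_private conf/custom.key
    [ -f "$1" ] || { echo "key file $1 missing"; return 1; }
    other=$(ls -ld "$1" | cut -c8-10)           # the "other" permission bits
    [ "$other" = "---" ] || { echo "$1 is accessible by other ($other)"; return 1; }
}

# 4. Live check (needs a running Tomcat, so not exercised offline): does the
#    certificate presented on the port match the file named in server.xml?
served_matches() {   # usage: served_matches host port conf/custom.crt
    want=$(openssl x509 -in "$3" -noout -fingerprint -sha256) || return 1
    got=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256) || return 1
    [ "$want" = "$got" ]
}

main() {
    rc=0
    apr_loaded "$CATALINA_OUT"                      || { echo "native library not loaded"; rc=1; }
    connector_ok "$SERVER_XML"                      || rc=1
    key_private "$CATALINA_BASE/conf/custom.key"    || rc=1
    served_matches localhost 8443 "$CATALINA_BASE/conf/custom.crt" \
        || { echo "served certificate does not match custom.crt"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Run the checks only when invoked with an argument (e.g. `sh check.sh run`),
# so sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with `sh check.sh run` after each restart; a non-zero exit tells you which of the four things is still wrong. The comment stripping matters more than it looks: the connector that ships commented out in the default server.xml carries both SSLEnabled="true" and a keystoreFile, and a naive grep would read it as the live configuration.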
