Https not working JBoss AS 7.0.2 - unix

I am trying to load an SSL certificate for one of our sites. We are using JBoss AS 7.0.2 for our application on Ubuntu Server 12.04; it runs successfully on http, while on https it does not respond. The server starts successfully without any exception. Kindly suggest the steps to debug this problem.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="true" secure="true">
    <ssl password="******" certificate-key-file="/mnt/jboss/******" verify-client="false" certificate-file="/mnt/jboss/********.key"/>
  </connector>
  <virtual-server name="default-host" enable-welcome-root="true">
    <alias name="localhost"/>
    <alias name="example.com"/>
  </virtual-server>
</subsystem>
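A debugging aid added here, not part of the question or of JBoss itself: it parses a web subsystem like the one above and checks what the ssl element points at, assuming the JSSE path (no native="true"), where certificate-key-file names a JKS/PKCS#12 keystore and certificate-file applies only to the native (APR) connector. The fixture it builds and the placeholder paths are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"web": "urn:jboss:domain:web:1.1"}

def sniff(path):
    """Classify the file behind certificate-key-file by its leading bytes."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(b"\xfe\xed\xfe\xed"):   # JKS magic number
        return "jks"
    if head.startswith(b"-----BEGIN"):          # PEM key or certificate, not a keystore
        return "pem"
    return "pkcs12" if head[:1] == b"\x30" else "unknown"   # PKCS#12 starts with a DER SEQUENCE

def check_https(subsystem_xml):
    """Findings for the https connector's <ssl> element, assuming JSSE semantics."""
    root = ET.fromstring(subsystem_xml)
    https = [c for c in root.findall("web:connector", NS) if c.get("scheme") == "https"]
    if not https:
        return ["no connector with scheme=https"]
    ssl = https[0].find("web:ssl", NS)
    if ssl is None:
        return ["https connector has no <ssl> element"]
    findings, ks = [], ssl.get("certificate-key-file", "")
    kind = sniff(ks)
    if kind in ("missing", "unknown"):
        findings.append(f"certificate-key-file {ks}: {kind}")
    elif kind == "pem":
        findings.append(f"certificate-key-file {ks} is PEM; JSSE needs a JKS/PKCS#12 keystore")
    if ssl.get("certificate-file"):
        findings.append("certificate-file applies only to the native (APR) connector; ignored under JSSE")
    return findings

def demo(fake_jks=False):
    """Constructed fixture shaped like the question: a PEM key (default) or JKS magic bytes."""
    path = os.path.join(tempfile.mkdtemp(), "store")
    with open(path, "wb") as fh:
        fh.write(b"\xfe\xed\xfe\xed\x00\x00\x00\x02" if fake_jks else
                 b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    xml = f'''<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl password="changeit" certificate-key-file="{path}" verify-client="false"/>
  </connector>
</subsystem>'''
    return check_https(xml)
```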

Related

Tomcat 9 what combination of Ciphers work with TLS1.2 only

With IE dying off, I need to get Tomcat 9 to use TLS 1.2 only. I can't have TLS 1.3 or any other protocol working. I have tried different connectors and the site becomes unreachable. I feel I am close with the config below, but with this Edge gives me "unsupported protocol".
<Connector port="443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" SSLProtocol="TLSv1.2"
           SSLEngine="on"
           connectionTimeout="20000"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256"/>

WSO2 disabling port redirect from 9763 to 9443

I have a single-instance deployment of WSO2 and now I want to be able to access the Carbon management services like publisher/store etc. through http. I have tried the following configuration in catalina-server.xml. I also want to use nginx as a reverse proxy through the http port for the Carbon consoles. Please help. I have also tried editing axis2.xml to add port mappings for the nginx 80 and 443 ports. Currently, when I run the Carbon console through 9763 it gets redirected to 9443, and after adding the mappings in axis2.xml it responds with "requested URL not found" for /publisher/..../login.jag
<Server port="8005" shutdown="SHUTDOWN">
  <Service className="org.wso2.carbon.tomcat.ext.service.ExtendedStandardService" name="Catalina">
    <!--
    optional attributes:
    proxyPort="80"
    -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9763"
               bindOnInit="false"
               maxHttpHeaderSize="8192"
               acceptorThreadCount="2"
               maxThreads="250"
               minSpareThreads="50"
               disableUploadTimeout="false"
               connectionUploadTimeout="120000"
               maxKeepAliveRequests="200"
               acceptCount="200"
               server="WSO2 Carbon Server"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
               URIEncoding="UTF-8"/>
    <!--
    optional attributes:
    proxyPort="443"
    Added sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" for poodle vulnerability fix
    -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443"
               bindOnInit="false"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               maxHttpHeaderSize="8192"
               acceptorThreadCount="2"
               maxThreads="250"
               minSpareThreads="50"
               disableUploadTimeout="false"
               enableLookups="false"
               connectionUploadTimeout="120000"
               maxKeepAliveRequests="200"
               acceptCount="200"
               server="WSO2 Carbon Server"
               clientAuth="false"
               compression="on"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
               keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
               keystorePass="wso2carbon"
               URIEncoding="UTF-8"/>
    <Engine name="Catalina" defaultHost="localhost">
      <!--Realm className="org.apache.catalina.realm.MemoryRealm" pathname="${carbon.home}/repository/conf/tomcat/tomcat-users.xml"/-->
      <Realm className="org.wso2.carbon.tomcat.ext.realms.CarbonTomcatRealm"/>
      <Host name="localhost" unpackWARs="true" deployOnStartup="false" autoDeploy="false"
            appBase="${carbon.home}/repository/deployment/server/webapps/">
        <Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve"/>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
               prefix="http_access_" suffix=".log"
               pattern="combined"/>
        <Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve" threshold="600"/>
        <Valve className="org.wso2.carbon.tomcat.ext.valves.CompositeValve"/>
      </Host>
    </Engine>
  </Service>
</Server>
Uncomment the following line in carbon.xml.
<EnableHTTPAdminConsole>true</EnableHTTPAdminConsole>
Please note this is not recommended in production environments.

Configuration for HTTP Connector of apache tomcat server

I am using Tomcat version 6. I want to configure SSL by specifying some ciphers in the HTTP connector. I am following the link below, which describes how to configure the HTTP connector to prevent the Logjam vulnerability.
https://weakdh.org/sysadmin.html
Before the changes my connector configuration was like this:
<Connector sslProtocols="TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
           executor="tomcatThreadPool" keyAlias="tcserver"
           keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme"
           maxKeepAliveRequests="15" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           redirectPort="8443" scheme="https" secure="true"/>
After the changes my connector configuration is like this. I just added ciphers to it.
<Connector ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WIT_RC4_128_SHA"
           sslProtocols="TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
           executor="tomcatThreadPool" keyAlias="tcserver" keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme" maxKeepAliveRequests="15"
           port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="8443"
           scheme="https" secure="true"/>
But it's not working. To make it work I had to change from
protocol="org.apache.coyote.http11.Http11NioProtocol" to protocol="HTTP/1.1".
But I want to use org.apache.coyote.http11.Http11NioProtocol as it is non-blocking and more efficient.
Please tell me how to do this.
I just checked the Tomcat logs and I was getting an IllegalArgumentException whenever I tried to hit my SSL-enabled web page.
The issue was with the ciphers. In Tomcat 6 some of the ciphers won't work if I use org.apache.coyote.http11.Http11NioProtocol. I don't know the particular reason for it, but the names of the ciphers I removed from my connector are given below. Now I can open my SSL-enabled web pages. If anybody knows the answer, please post.
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

How to deploy multiple web roles in Azure

I have gone through multiple articles and SO questions like this, this, and this (and many others).
However, none of them solves my issue. I would like to deploy two web roles in one cloud service. I tried deploying them but found that one is running whereas the other web role throws "Internet Explorer cannot display the webpage" / connection timeout in Firefox.
Here is what I tried so far:
I have two web roles (App and Service); when I deployed either App or Service to a cloud service, e.g. http://xxxx.cloudapp.net, it works fine.
But when I tried deploying both, App on port 8080 and Service on port 80, in http://xxxx.cloudapp.net, and tried browsing http://xxxx.cloudapp.net, it displays the Service page.
Whereas, while browsing App using http://xxxx.cloudapp.net:8080, it throws the error "Internet Explorer cannot display the webpage" / connection timeout in Firefox.
But my app works fine when just App is deployed on port 80.
Here is the ServiceDefinition file:
<ServiceDefinition name="AppServiceAzure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2013-03.2.0">
  <WebRole name="MyService" vmsize="Small">
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="Endpoint1" endpointName="Endpoint1" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="Endpoint1" protocol="http" port="80" />
    </Endpoints>
    <Imports>
      <Import moduleName="Diagnostics" />
    </Imports>
    <Certificates>
      <Certificate name="mycert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
  <WebRole name="MyApp" vmsize="Small">
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="Endpoint1" endpointName="Endpoint1" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="Endpoint1" protocol="http" port="8080" />
    </Endpoints>
    <Imports>
      <Import moduleName="Diagnostics" />
    </Imports>
    <Certificates>
      <Certificate name="mycert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
</ServiceDefinition>
What am I missing here?
Each Windows Azure Compute instance represents a virtual server of one of the following roles.
Windows Azure Compute instance
|
|_______[front-end] web server (Web role)
|             |
|             |_____Site1
|             |
|             |_____Site2
|             |
|             |_____Site3 etc.
|
or
|
|_______[back-end/.NET] application server (Worker role)
|
or
|
|_______VM
I suggest two approaches:
1) Create multiple sites in one role (you will get different endpoints).
2) Or deploy one web role to staging and the other role to production (again you will get different endpoints).

webapp on tomcat 7 only available via ssl (http not working, https working)

I did a restart of my Tomcat 7 web server yesterday, because I deployed a second webapp. I have added a 'GlobalNamingResources' to server.xml but did not change anything else!
After the restart my ROOT app was not accessible anymore via http, only via https.
Here are my connectors from server.xml:
<Connector
    port="8080"
    protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443"
    compression="on"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml, .... [some more]"
/>
<Connector
    port="8443"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    keystoreFile="${catalina.base}/conf/.keystore"
    keystorePass="***"
    clientAuth="false"
    sslProtocol="TLS"
    compression="on"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml, .... [some more]"
/>
Could it be that redirectPort="443" should rather be redirectPort="8443"? However, this was working before.
I highly appreciate any ideas. Thank you!
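An added check, not from the question, for the wiring asked about above: it parses the connectors in a server.xml and verifies that each plain connector's redirectPort (443 when the attribute is absent) is the port of an SSL-enabled connector in the same Service. Tomcat uses redirectPort only when a security-constraint with transport-guarantee CONFIDENTIAL pushes a request onto https, so a mismatch explains a failed redirect rather than a port that never answers; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two connectors in the question above.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="conf/.keystore" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

def check_redirects(server_xml):
    """For every plain connector in a <Service>, check that redirectPort names a
    port an SSL-enabled connector of the same Service listens on. Tomcat consults
    redirectPort only when a CONFIDENTIAL transport-guarantee forces a request onto
    https; when the attribute is absent Tomcat's default is 443."""
    findings = []
    for service in ET.fromstring(server_xml).iter("Service"):
        conns = list(service.iter("Connector"))
        tls_ports = {c.get("port") for c in conns if c.get("SSLEnabled") == "true"}
        for c in conns:
            port = c.get("port")
            if c.get("SSLEnabled") == "true":
                if c.get("scheme") != "https" or c.get("secure") != "true":
                    findings.append(f"{port}: SSL connector should carry scheme=https and secure=true")
                continue
            target = c.get("redirectPort", "443")
            if target not in tls_ports:
                findings.append(f"{port}: redirectPort {target} is not an SSL connector port "
                                f"(SSL connectors: {sorted(tls_ports) or 'none'})")
    return findings

def fixed(server_xml, plain_port, new_target):
    """Return the XML with one plain connector's redirectPort rewritten (the fix being asked about)."""
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if c.get("port") == plain_port and c.get("SSLEnabled") != "true":
            c.set("redirectPort", new_target)
    return ET.tostring(root, encoding="unicode")
```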
