Invalid keystore format when using SSL with Tomcat 6

Time: 2022-10-24 13:18:57

I'm trying to setup SSL in my local Tomcat 6 installation. For this, I followed the official How-To doing the following:


$JAVA_HOME/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit
$JAVA_HOME/bin/keytool -export -alias tomcat -storepass changeit -file /root/server.crt

Then changing the $CATALINA_BASE/conf/server.xml, uncommenting this:


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore" keystorePass="changeit" />

After starting Tomcat, I get this Exception:


INFO: Initializing Coyote HTTP/1.1 on http-8080
30.06.2011 10:15:24 org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SCHWERWIEGEND: Failed to load keystore type JKS with path /root/.keystore
due to Invalid keystore format
java.io.IOException: Invalid keystore format
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
      at java.security.KeyStore.load(KeyStore.java:1185)

When I look into the keystore with keytool -list I get:


root@host:~# $JAVA_HOME/bin/keytool -list
Enter key store password: changeit
Key store type: gkr
Key store provider: GNU-CRYPTO

Key store contains 1 entry(ies)

Alias name: tomcat
Creation timestamp: Donnerstag, 30. Juni 2011 - 10:13:40 MESZ
Entry type: key-entry
Certificate fingerprint (MD5): 6A:B9:...C:89:1C

Obviously, the keystore types are different. How can I change the type and will this fix my problem? Thank you!


4 solutions

#1


13  

It looks like the keytool you're using is the GNU implementation, not the one from Oracle/Sun or OpenJDK. From the output of keytool -list, it generates a gkr store type, which is a GNU Keyring Store.


I'm not sure whether you run Apache Tomcat using an OpenJDK or Sun/Oracle JRE, in which case this format wouldn't be supported without additional security providers.


If you run Apache Tomcat with a GNU JRE that supports gkr (or at least a JRE where you've added a security provider that supports gkr), you can try keystoreType="gkr" in your <Connector /> configuration.


However, the easiest is probably to use keytool as provided by Oracle or OpenJDK and use the JKS storetype (which would be the default type if you run Apache Tomcat with the OpenJDK or Sun/Oracle JRE). It was probably installed with your JRE, but it doesn't look like the $JAVA_HOME you're using points to an Oracle or OpenJDK JAVA_HOME. Some Linux distributions have mechanisms to install multiple JREs and configure links (update-alternatives in the Debian/Ubuntu family).


(As a side-note, it's usually not recommended to run Apache Tomcat as root, which you seem to be doing since $HOME/.keystore is /root/.keystore in your example.)
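A quick check for the mismatch described in this answer, added here as an example and not part of the original post: it reads the keystore's leading bytes and compares the detected format with the keystoreType the connector expects (JKS when the attribute is omitted, as in the question). The function names and the magic-number table are this example's own; a gkr keyring is simply reported as unknown.

```shell
#!/bin/sh
# Added example (not from the original question or answers): identify the
# on-disk format of a keystore before Tomcat's connector tries to load it.
# The JSSE connector defaults to keystoreType="JKS", so a file written by the
# GNU keytool (store type gkr) fails with "Invalid keystore format" even
# though the GNU keytool -list on the same machine reads it fine.
#
# Magic numbers used here: JKS files begin with 0xFEEDFEED, JCEKS with
# 0xCECECECE, and a PKCS#12 file is DER-encoded and begins with a SEQUENCE
# tag (0x30). Anything else (including a gkr keyring) is reported as UNKNOWN.

keystore_type() {
    # $1: path to the keystore file; prints JKS, JCEKS, PKCS12 or UNKNOWN
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

check_keystore_for_connector() {
    # $1: keystoreFile from server.xml
    # $2: keystoreType from server.xml (omitted in the question, so JKS)
    expected=${2:-JKS}
    actual=$(keystore_type "$1")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $1 is a $actual keystore"
        return 0
    fi
    echo "mismatch: $1 looks like $actual but the connector expects $expected" >&2
    return 1
}

# Run as: sh check_keystore.sh /root/.keystore [keystoreType]
if [ -n "${1:-}" ]; then
    check_keystore_for_connector "$1" "${2:-}"
fi
```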


#2


1  

As Bruno said, I used the "wrong" keytool!


These are the keytools on my Debian 6 installation:


root@host:~# locate keytool
/etc/alternatives/keytool
/etc/alternatives/keytool.1.gz
/root/glassfish3/jdk/bin/keytool
/root/glassfish3/jdk/jre/bin/keytool
/root/glassfish3/jdk/man/ja_JP.eucJP/man1/keytool.1
/root/glassfish3/jdk/man/man1/keytool.1
/root/glassfish3/mq/bin/imqkeytool
/root/glassfish3/mq/bin/imqkeytool.exe
/usr/bin/gkeytool
/usr/bin/gkeytool-4.4
/usr/bin/keytool
/usr/bin/jre1.6.0_25/bin/keytool
/usr/bin/jre1.6.0_25/man/ja_JP.eucJP/man1/keytool.1
/usr/bin/jre1.6.0_25/man/man1/keytool.1
/usr/lib/jvm/java-1.5.0-gcj-4.4/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/jre/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/man1/keytool.1.gz
/usr/share/man/man1/gkeytool-4.4.1.gz
/usr/share/man/man1/gkeytool.1.gz
/usr/share/man/man1/keytool.1.gz
/var/lib/dpkg/alternatives/keytool
root@host:~# echo $JAVA_HOME
/usr

Now I used


/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit

to create the keystore file. Tomcat starts without any problems!


#3


0  

Try specifying your storetype: -storetype JKS (see: http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)


#4


0  

If you use the GNU JVM and keytool, you can add the following options to the Tomcat connector in server.xml in order to get it to work: keystoreType="gkr" algorithm="JessieX509"


The algorithm is mentioned here.
