Setting up SSL


Sanket Gupte
Nov 13, 2012, 2:35:31 PM
to xnat_di...@googlegroups.com
Hi,
This might not be exactly an Xnat question, but I am not able to find a proper response anywhere, and I thought there must be someone in the community who has a little experience in this matter.
So I want to have SSL for the Xnat webapp, and for that I did everything that is mentioned on this page: <http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html>
My certificate authority gave me 3 trust certificates (I think they are trust certificates) and a server certificate.
They are all in DER format.
I tried all combinations but cannot get this working. I combined the 3 trust certs into 1. I also tried converting and importing the PEM format of those certificates.
The self-signed certificate that I had had the alias 'tomcat' in the keystore, so I am assuming I have to import my server certificate with the alias 'tomcat'.
(Everything was working fine with the self-signed cert.)

I can give additional details and information about my problem if someone wants, but I would really appreciate it if someone could help me get it working. I have been struggling with this for more than a month now. I will send you a box of chocolates for Thanksgiving if you can help me. :P (Had to make that bold, only way to catch attention.)
Thanksssss :)

Herrick, Rick
Nov 13, 2012, 2:46:07 PM
to xnat_di...@googlegroups.com

Hey Sanket,

I’ve attached a copy of a working server.xml configuration to this email. You do need a tomcat alias within the keystore. You also need to set the password correctly, obviously. If you think the issue is your keystore, you can verify it with this command:

keytool -list -keystore /path/to/keystore

I’m not certain about your actual signing certificates, but I think what you need to do is follow the procedure in the section on that Tomcat page entitled “Importing the Certificate”. That should give you a keystore with the appropriate alias. Put that somewhere your Tomcat can access it, configure server.xml appropriately, and restart.

--
You received this message because you are subscribed to the Google Groups "xnat_discussion" group.
To view this discussion on the web visit https://groups.google.com/d/msg/xnat_discussion/-/iWK5uHVJA68J.
To post to this group, send email to xnat_di...@googlegroups.com.
To unsubscribe from this group, send email to xnat_discussi...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/xnat_discussion?hl=en.





Sanket Gupte
Nov 13, 2012, 5:12:20 PM
to xnat_di...@googlegroups.com
Hey,
Well, it worked totally fine when I had a self-signed certificate, which I think would imply that my server.xml is fine. The problem, I believe, is with the importing. BTW, I think you forgot to attach the file. :)
I am able to import the certs correctly into the right keystore in the proper way, and when I do keytool -list -keystore /path/to/keystore, it does show the imported certs.
Does the MD5 of the received server cert have to be equal to the MD5 of the cert request file (which I made to send to the Certificate Authority)? Because it's not.

But when I try to open my webpage https://mydomainname:8443 (which doesn't have Xnat but a simple HTML page in the root directory of Tomcat saying "Hoorah, it worked!"), it gives the following errors:

On Firefox:
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

On Chrome:
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

On Internet Explorer:
NOTHING. :P IE is never useful anyway; it's the best browser for downloading another browser.

I googled the errors. Couldn't find anything that could help.
Any suggestions?
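
An added diagnostic, written for this thread and not posted by anyone in it. The symptoms above (a self-signed key under alias 'tomcat' worked, the CA-issued certificate was "imported", and every browser then reports no cipher overlap) are what a Tomcat/JSSE connector produces when the alias it serves from no longer holds a private key: a trustedCertEntry has a certificate but no key, so the server cannot complete the handshake for any RSA cipher suite and the client sees ssl_error_no_cypher_overlap / ERR_SSL_VERSION_OR_CIPHER_MISMATCH. A plain keytool -list still shows the alias, which is why the listing alone looks fine. The MD5 question has a short answer as well: the fingerprint of the CSR and of the issued certificate will never match because they are different ASN.1 structures; what must match is the RSA public key modulus. The sh functions below classify an alias from keytool -list output and wrap the openssl/keytool commands that compare the modulus across the CSR, the issued certificate (DER, as in the thread) and the keystore entry. The two keystore listings at the end are constructed samples, not output from the poster's server; the alias 'tomcat', the file paths and the default store password changeit are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks for the "self-signed
# cert worked, CA-issued cert gives no cipher overlap" situation:
#   1. Is the served alias a PrivateKeyEntry (key + chain) or only a
#      trustedCertEntry (certificate, no key)?  Only the former can serve TLS.
#   2. Do the CSR, the issued cert and the keystore entry share one RSA key?
#      (Whole-file MD5s of CSR and cert are expected to differ.)

# classify_alias ALIAS  <  output of `keytool -list -keystore ...`
# Prints one of: private-key-entry | trusted-cert-only | missing
classify_alias() {
    awk -v a="$1" '
        # Entry lines look like:  tomcat, Nov 13, 2012, PrivateKeyEntry,
        index($0, a ",") == 1 {
            if ($0 ~ /PrivateKeyEntry/)  { found = "private-key-entry"; exit }
            if ($0 ~ /trustedCertEntry/) { found = "trusted-cert-only" }
        }
        END { print (found == "" ? "missing" : found) }'
}

# keystore_alias_status KEYSTORE ALIAS [STOREPASS]
# Runs keytool for real against a keystore and classifies the alias.
keystore_alias_status() {
    keytool -list -keystore "$1" -storepass "${3:-changeit}" | classify_alias "$2"
}

# modulus_fingerprint KIND FILE [PEM|DER]
# KIND is csr, cert or key. Prints an MD5 of the RSA modulus only, so the
# three artefacts can be compared line by line.
modulus_fingerprint() {
    kind="$1"; file="$2"; form="${3:-PEM}"
    case "$kind" in
        csr|cert|key) ;;
        *) echo "unknown kind: $kind (use csr, cert or key)" >&2; return 1 ;;
    esac
    case "$kind" in
        csr)  openssl req  -inform "$form" -in "$file" -noout -modulus ;;
        cert) openssl x509 -inform "$form" -in "$file" -noout -modulus ;;
        key)  openssl rsa  -inform "$form" -in "$file" -noout -modulus ;;
    esac | openssl md5
}

# keystore_modulus_fingerprint KEYSTORE ALIAS [STOREPASS]
# Public key of the keystore entry, read from the certificate keytool exports;
# must equal modulus_fingerprint of both the CSR and the CA-issued cert.
keystore_modulus_fingerprint() {
    keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass "${3:-changeit}" \
        | openssl x509 -noout -modulus | openssl md5
}

# Constructed sample listings (assumed, not captured from the poster's
# server), in the shape keytool -list printed in the Java 6 era.
OK_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Nov 13, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0
rootca, Nov 13, 2012, trustedCertEntry,
Certificate fingerprint (MD5): F0:E1:D2:C3:B4:A5:96:87:78:69:5A:4B:3C:2D:1E:0F'

# Same alias names, but 'tomcat' is now a certificate without its key: the
# listing looks healthy, yet no cipher suite can be served from it.
BROKEN_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Nov 13, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0
rootca, Nov 13, 2012, trustedCertEntry,
Certificate fingerprint (MD5): F0:E1:D2:C3:B4:A5:96:87:78:69:5A:4B:3C:2D:1E:0F'

verdict_ok=$(printf '%s\n' "$OK_LISTING" | classify_alias tomcat)
verdict_broken=$(printf '%s\n' "$BROKEN_LISTING" | classify_alias tomcat)
echo "working keystore: tomcat = $verdict_ok"      # private-key-entry
echo "broken keystore : tomcat = $verdict_broken"  # trusted-cert-only
```

On the real server the three commands to run are keystore_alias_status /path/to/keystore tomcat, then modulus_fingerprint csr server.csr, modulus_fingerprint cert server.cer DER and keystore_modulus_fingerprint /path/to/keystore tomcat. If the alias comes back trusted-cert-only, the key entry is gone and the fix is to start again from a keystore that still contains the key pair the CSR was generated from, import the CA's root and intermediate certificates under their own aliases, and only then import the server certificate with -alias tomcat so that keytool attaches it to the existing key entry (the "Importing the Certificate" steps on the Tomcat page linked earlier). If the alias is a PrivateKeyEntry but the three modulus fingerprints differ, the CA-issued certificate was made for a different key than the one in the keystore, and no import order will make it work.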

Torsten Rohlfing
Nov 13, 2012, 10:04:56 PM
to xnat_di...@googlegroups.com
Sanket:

Not sure if this option is of interest to you, but we have had some rather good experience running Tomcat behind Apache. In this setup, Apache handles the SSL bits, then acts as a proxy and forwards traffic internally to Tomcat via simple, unencrypted HTTP.

Since our server also handles other services, e.g., Subversion, we had to run Apache anyway. Of course there's probably a bit of increased latency due to the forwarding process, but better than not getting SSL I suppose.

All that's required on the Apache end is to create a file in the httpd/conf.d directory with the following content:
ProxyPass /xnat http://localhost:8080/xnat
ProxyPassReverse /xnat http://localhost:8080/xnat

(This assumes Tomcat is listening on port 8080.)

Best,
Torsten

Herrick, Rick
Nov 14, 2012, 12:27:09 PM
to xnat_di...@googlegroups.com

We do something similar on our production servers but with mod_jk instead of the proxy. Apache has a rewrite directive to push HTTP traffic to HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

SSL is configured in an Apache configuration file. In that configuration, SSL isn’t handled at the Tomcat level at all, just as Torsten says.

Other than that, I would guess that you’re correct about issues importing your certificates, but I haven’t ever really done that myself. I’ve only configured self-signed certificates. The IT staff wherever I’ve been working has always handled the CA-issued cert installations.

And yes, I did forget to attach the server.xml! It’s attached here…


Attachment: server.xml