23 Jul
2012
23 Jul
'12
4:35 p.m.
Hello,
when setting up the back-end do I still need to install djigo-web as well as the engine ?
Have followed the guide but when Djigzo starts I see the following in the log file:
rethrown from
java.io.IOException: Protocol mismatch for port 9001: engine's protocol is http, the
url protocol is https
--
Thanks, Phil
24 Jul
24 Jul
10:14 a.m.
On 07/23/2012 04:35 PM, Phil Daws wrote:
when setting up the back-end do I still need to
install djigo-web as well as the engine ? Have followed the guide but when Djigzo starts I
see the following in the log file:
rethrown from
java.io.IOException: Protocol mismatch for port 9001: engine's protocol is http, the
url protocol is https
You can install the back-end on a different server than the front-end.
It is not required to install the front-end, you can only install the
back-end.
Is this error message from the djigzo log or from the Tomcat log?
Kind regards,
Martijn
--
DJIGZO email encryption
10:55 a.m.
Martijn,
that message was from the djigzo log ... on the back-end server I have not installed
Tomcat yet, which I am guessing I will need to ? If I follow the
http://djigzo.com/documents/djigzo-separate-front-and-back-end.pdf document it says I
should copy into place a file to provide the HTTPS listener yet that does not exist as
djigzo-web has not been installed.
--
Thanks, Phil
----- Original Message -----
On 07/23/2012 04:35 PM, Phil Daws wrote:
when setting up the back-end do I still need to
install djigo-web
as well as the engine ? Have followed the guide but when Djigzo
starts I see the following in the log file:
rethrown from
java.io.IOException: Protocol mismatch for port 9001: engine's
protocol is http, the url protocol is https
You can install the back-end on a different server than the
front-end.
It is not required to install the front-end, you can only install the
back-end.
Is this error message from the djigzo log or from the Tomcat log?
Kind regards,
Martijn
--
DJIGZO email encryption
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
25 Jul
25 Jul
10:19 a.m.
On 07/24/2012 10:55 AM, Phil Daws wrote:
that message was from the djigzo log ... on the
back-end server I have not installed Tomcat yet, which I am guessing I will need to ? If I
follow the http://djigzo.com/documents/djigzo-separate-front-and-back-end.pdf document it
says I should copy into place a file to provide the HTTPS listener yet that does not exist
as djigzo-web has not been installed.
It seems that the guide is missing a relevant and important part. In the
file soap.xml you should uncomment the part which setups the https
connection for the soap server back-end.
Look for the following line in the file soap.xml
<!-- Enable if SOAP over HTTPS should be supported -->
Uncomment the xml fragment and provide the correct parameters (path to
pfx file and password of the pfx).
Then restart the back-end.
Kind regards,
Martijn
--
DJIGZO email encryption
10:43 a.m.
That be the magic :) Cheers Martijn.
--
Thanks, Phil
----- Original Message -----
On 07/24/2012 10:55 AM, Phil Daws wrote:
that message was from the djigzo log ... on the
back-end server I
have not installed Tomcat yet, which I am guessing I will need to
? If I follow the
http://djigzo.com/documents/djigzo-separate-front-and-back-end.pdf
document it says I should copy into place a file to provide the
HTTPS listener yet that does not exist as djigzo-web has not been
installed.
It seems that the guide is missing a relevant and important part. In
the
file soap.xml you should uncomment the part which setups the https
connection for the soap server back-end.
Look for the following line in the file soap.xml
<!-- Enable if SOAP over HTTPS should be supported -->
Uncomment the xml fragment and provide the correct parameters (path
to
pfx file and password of the pfx).
Then restart the back-end.
Kind regards,
Martijn
--
DJIGZO email encryption
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
26 Jul
26 Jul
10:46 a.m.
Hello,
next hurdle am having problems with is trusting the back-end certificate. We have our own
PKI and issued certificates for the back-end and front-end servers. I have updated the
keystore information in Tomcats server.xml including the PKCS12 password. On CentOS there
is no update-ca-certificates so where would Tomcat pull the CA bundle details from ?
When I connect to the front-end and attempt to sign in I see within the back-end
djigzo.log the following:
26 Jul 2012 04:31:05 | WARN EXCEPTION (org.mortbay.log) [1310202490@qtp-649430934-0]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1763)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1006)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
at
org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:632)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
--
Thanks, Phil
----- Original Message -----
That be the magic :) Cheers Martijn.
--
Thanks, Phil
----- Original Message -----
On 07/24/2012 10:55 AM, Phil Daws wrote:
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
that message was from the djigzo log ... on the
back-end server I
have not installed Tomcat yet, which I am guessing I will need to
? If I follow the
http://djigzo.com/documents/djigzo-separate-front-and-back-end.pdf
document it says I should copy into place a file to provide the
HTTPS listener yet that does not exist as djigzo-web has not been
installed.
It seems that the guide is missing a relevant and important part.
In
the
file soap.xml you should uncomment the part which setups the https
connection for the soap server back-end.
Look for the following line in the file soap.xml
<!-- Enable if SOAP over HTTPS should be supported -->
Uncomment the xml fragment and provide the correct parameters (path
to
pfx file and password of the pfx).
Then restart the back-end.
Kind regards,
Martijn
--
DJIGZO email encryption
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
6:07 p.m.
This is driving me bonkers!:( On the front-end I have tried creating a Java Keystore and
importing the PKCS12 server certificate and the back-end PEM certificate. Then changing
the Tomcat server.xml to point too the JKS file. All starts up well and listening on 8443.
I can go to the Djigzo interface but as soon as I try and authenticate I see the same
error message appear in the djigzo.log on the back-end :(
--
Thanks, Phil
----- Original Message -----
Hello,
next hurdle am having problems with is trusting the back-end
certificate. We have our own PKI and issued certificates for the
back-end and front-end servers. I have updated the keystore
information in Tomcats server.xml including the PKCS12 password. On
CentOS there is no update-ca-certificates so where would Tomcat pull
the CA bundle details from ?
When I connect to the front-end and attempt to sign in I see within
the back-end djigzo.log the following:
26 Jul 2012 04:31:05 | WARN EXCEPTION (org.mortbay.log)
[1310202490@qtp-649430934-0]
javax.net.ssl.SSLHandshakeException: Received fatal alert:
certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at
sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1763)
at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1006)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
at
org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:632)
at
org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
--
Thanks, Phil
----- Original Message -----
That be the magic :) Cheers Martijn.
--
Thanks, Phil
----- Original Message -----
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
On 07/24/2012 10:55 AM, Phil Daws wrote:
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
that message was from the djigzo log ... on the
back-end server
I
have not installed Tomcat yet, which I am guessing I will need
to
? If I follow the
http://djigzo.com/documents/djigzo-separate-front-and-back-end.pdf
document it says I should copy into place a file to provide the
HTTPS listener yet that does not exist as djigzo-web has not
been
installed.
It seems that the guide is missing a relevant and important part.
In
the
file soap.xml you should uncomment the part which setups the
https
connection for the soap server back-end.
Look for the following line in the file soap.xml
<!-- Enable if SOAP over HTTPS should be supported -->
Uncomment the xml fragment and provide the correct parameters
(path
to
pfx file and password of the pfx).
Then restart the back-end.
Kind regards,
Martijn
--
DJIGZO email encryption
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
27 Jul
27 Jul
10:04 p.m.
On 07/26/2012 10:46 AM, Phil Daws wrote:
next hurdle am having problems with is trusting the
back-end
certificate. We have our own PKI and issued certificates for the
back-end and front-end servers. I have updated the keystore
information in Tomcats server.xml including the PKCS12 password. On
CentOS there is no update-ca-certificates so where would Tomcat pull
the CA bundle details from ?
When I connect to the front-end and attempt to sign in I see within
the back-end djigzo.log the following:
26 Jul 2012 04:31:05 | WARN EXCEPTION (org.mortbay.log)
[1310202490@qtp-649430934-0] javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at
[snip]
Java by default trusts all the trusted certificates stored in the
cacerts JKS keystore. The Debian script update-ca-certificates reads a
directory of certificates and updates the cacerts keystore using the
keytool java tool. On RedHat/CentOS you can use keytool directly to add
your own root to cacerts, On Ubuntu the default cacerts keystore can be
found at ./usr/lib/jvm/java-6-openjdk-amd64/jre/lib/security/cacerts. I
do not have a working CentOS at the moment so you should search for
cacerts (as root).
you can view all entries in the cacerts store with the following command:
keytool -list -keystore
/usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts
The default password for the cacerts store is:
changeit
Importing a trusted cert can be done I think with:
keytool -importcert -trustcacerts -alias your_alias -keystore
/usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts -file <cert_file>
Change the path to the cacerts file for your system, select an alias and
specify the cert to import (note: I haven't tested this)
Hope this helps.
Kind regards,
Martijn
--
DJIGZO email encryption
3580
days inactive
3584
days old
7 comments
2 participants
participants (2)
-
Martijn Brinkers -
Phil Daws