Tuesday, August 24, 2010

Creating keystore for Tomcat 6

I've been training on Ping Identity's Ping Federate server for the last two weeks. This week I'm setting up separate Tomcat servers to interact with the Ping Federate servers, one on the identity provider side and one on the service provider side. Before, I hosted the quickstart apps on the same server instance as Ping Federate.

To set up SSL with Tomcat I needed to edit the server.xml file under the conf directory (the SSL Connector's keystoreFile and keystorePass attributes point at the keystore; truststoreFile can name a separate file of trusted certificates, or one file can serve both purposes as it does here) and then create a keystore file holding Tomcat's own key pair and certificate together with the certificates it should trust from the federated servers.

The initial command I ran was:

>>>> : keytool -genkey -alias amf -keyalg RSA -keystore tomcat.keystore [-file 111C353A88F.crt]

The bracketed -file argument at the end wasn't needed. This created a keystore file named tomcat.keystore containing a new RSA key pair and a self-signed certificate, with keytool prompting me for the certificate's subject fields as listed below. Two things worth knowing before answering: the "first and last name" answer becomes the certificate's CN, which TLS clients compare against the host name they connected to, so for a real server it should be the server's DNS name rather than a person's name; and -genkey's defaults are weak by today's standards (JDK 6 used a 1024-bit key, SHA1withRSA and 90 days of validity), so pass -keysize 2048, -sigalg SHA256withRSA and -validity explicitly.

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Andrew Fernandez
What is the name of your organizational unit?
[Unknown]: Engineering
What is the name of your organization?
[Unknown]: Ping Identity
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: CO
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Andrew Fernandez, OU=Engineering, O=Ping Identity, L=Denver, ST=CO, C=US correct?
[no]: yes

Enter key password for <amf>
(RETURN if same as keystore password):


After this I verified what was in my keystore using this command:

>>>> : keytool -list -v -keystore tomcat.keystore

Once I had the certificate from the federate side I ran this command, making sure the *.crt file I needed to place in the keystore was in the same directory:

>>>> : keytool -import -trustcacerts -alias amf2 -file 111C353A88F.crt -keystore tomcat.keystore

-trustcacerts only matters if the certificate chains to a CA in the JDK's cacerts file. For a self-signed certificate keytool prints the certificate and asks "Trust this certificate?"; compare the fingerprint it shows with the one the other side reports before answering yes, since that prompt is the only check that you are trusting the right certificate.

Finally I exported Tomcat's own certificate from the keystore so I could import it into my federated server:

>>>> : keytool -exportcert -alias amf -file amfIDP -keystore tomcat.keystore

Where -alias is what the certificate goes by in the keystore file, -file is what I want to call the exported certificate, and -keystore is the keystore I'm exporting the certificate from. Only the public certificate is written out, never the private key. -exportcert writes DER by default; add -rfc if the receiving side expects a PEM (Base64) file.

Deletion is pretty straightforward:

>>>> : keytool -delete -alias amf -keystore tomcat.keystore

Just specify -delete, -alias for the certificate you want to delete, and -keystore for the keystore you want to delete it from.
