In a lab setup I have successfully set up all (stock 4.6) applications
on HTTP (Tomcat, OSP, UserApp, SSPR etc.); everything functions as
expected.

However, when following the directions for enabling SSL I am running into
issues.

As described in the documentation I have created my keystore and added
a/the certificate (in my case a wildcard one)
(created a keystore, as described in the documentation, then deleted the
created certificate and added my (valid) wildcard one, as I haven't
found out how to create an empty keystore and then add my certificate
directly).
After adding the directives to Tomcat and then restarting, my
catalina.out just blows up in my face, throwing a ton of stack errors.

Basically, before altering the settings in my applications to point to
the SSL-secured URL/port, I added (tried to add) the listener to Tomcat's
server.xml as described in the documentation for port 8443.


Code:
--------------------

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/opt/netiq/idm/apps/tomcat/conf/idmapps.keystore"
keystorePass="TopSecretPassword" />

--------------------


This code leads to an initial ClassNotFound error:

Code:
--------------------

Mar 12, 2017 2:44:56 AM org.apache.catalina.connector.Connector <init>
SEVERE: Protocol handler instantiation failed
java.lang.ClassNotFoundException: org.apache.coyote.http11.Http11Protocol
..................
..................
(too many lines to paste)

--------------------


Then, in testing around (as I'm not the easy give-up type), using the NIO
implementation:


Code:
--------------------

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/opt/netiq/idm/apps/tomcat/conf/idmapps.keystore" keystorePass="TopSecretPassword"
clientAuth="false" sslProtocol="TLS"/>

--------------------


This lets Tomcat start without any errors, but when trying to access the
SSL port it comes back (in Firefox) with a "Cannot communicate securely
with peer: no common encryption algorithm(s). Error code:
SSL_ERROR_NO_CYPHER_OVERLAP" error.

So I am missing something here, but can't seem to grasp what...
Have the Tomcat directives changed since we are dealing with an 8.x
version as delivered by the installer off the 4.6 media, and the
documentation is not adjusted?

Any assistance would be greatly appreciated.

- Michael


--
Shadowm
------------------------------------------------------------------------
Shadowm's Profile: https://forums.netiq.com/member.php?userid=6005
View this thread: https://forums.netiq.com/showthread.php?t=57533
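Added example, not part of the original post or of NetIQ's own tooling: a small linter for the TLS `<Connector>` entries in a Tomcat server.xml. It flags the two conditions the post runs into, a protocol class that Tomcat 8.5 no longer ships (the BIO connector was removed in 8.5) and a keystore with no private key entry, which is what a keystore holding only an imported certificate looks like to JSSE and what Firefox reports as SSL_ERROR_NO_CYPHER_OVERLAP. The sample XML and the `has_private_key` probe are constructed; in practice the probe would wrap `keytool -list`.

```python
import xml.etree.ElementTree as ET

# The blocking-IO connector class was removed in Tomcat 8.5 (8.0 still had it),
# which is why the post's first attempt dies with ClassNotFoundException.
REMOVED_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol":
        'Http11Protocol (BIO) was removed in Tomcat 8.5; use protocol="HTTP/1.1" '
        "or org.apache.coyote.http11.Http11NioProtocol",
}


def check_connectors(server_xml, has_private_key):
    """Return (port, finding) tuples for every SSLEnabled <Connector>.

    has_private_key(path) must report whether the keystore at path holds a
    PrivateKeyEntry; it is injected so the check runs without a real JKS file.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        if proto in REMOVED_PROTOCOLS:
            findings.append((port, REMOVED_PROTOCOLS[proto]))
        keystore = conn.get("keystoreFile")
        if keystore is None:
            findings.append((port, "no keystoreFile set"))
        elif not has_private_key(keystore):
            # Only a trusted certificate, no key pair: the JSSE KeyManager has
            # nothing to serve, so no cipher suite can be negotiated at all.
            findings.append((port, f"{keystore} has no PrivateKeyEntry: "
                                   "clients will see SSL_ERROR_NO_CYPHER_OVERLAP"))
        if conn.get("keystorePass"):
            findings.append((port, "keystorePass is in clear text; "
                                   "restrict read access to server.xml"))
    return findings


# Constructed server.xml fragment mirroring the post's first attempt.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="/opt/netiq/idm/apps/tomcat/conf/idmapps.keystore" keystorePass="x"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

if __name__ == "__main__":
    # Simulate a keystore whose only entry is the imported wildcard certificate.
    for port, msg in check_connectors(SAMPLE_SERVER_XML, lambda path: False):
        print(f"port {port}: {msg}")
```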