Split Front-End and Back-End

Hello,

when setting up the back-end do I still need to install djigzo-web as well as the engine? I have followed the guide, but when Djigzo starts I see the following in the log file:

rethrown from
java.io.IOException: Protocol mismatch for port 9001: engine's protocol is http, the url protocol is https


--
Thanks, Phil

You can install the back-end on a different server than the front-end.
It is not required to install the front-end; you can install only the
back-end.

Is this error message from the djigzo log or from the Tomcat log?

Kind regards,

Martijn


--
DJIGZO email encryption

Martijn,

that message was from the djigzo log ... on the back-end server I have not installed Tomcat yet, which I am guessing I will need to? If I follow the http://djigzo.com/documents/djigzo-separate-front-and-back-end.pdf document, it says I should copy into place a file to provide the HTTPS listener, yet that does not exist as djigzo-web has not been installed.


--
Thanks, Phil

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users

It seems that the guide is missing a relevant and important part. In the
file soap.xml you should uncomment the part which sets up the https
connection for the soap server back-end.

Look for the following line in the file soap.xml

<!-- Enable if SOAP over HTTPS should be supported -->

Uncomment the xml fragment and provide the correct parameters (path to
pfx file and password of the pfx).

Then restart the back-end.

Kind regards,

Martijn


--
DJIGZO email encryption

That be the magic :) Cheers Martijn.


--
Thanks, Phil


Hello,

Next hurdle I am having problems with is trusting the back-end certificate. We have our own PKI and issued certificates for the back-end and front-end servers. I have updated the keystore information in Tomcat's server.xml including the PKCS12 password. On CentOS there is no update-ca-certificates, so where would Tomcat pull the CA bundle details from?

When I connect to the front-end and attempt to sign in I see within the back-end djigzo.log the following:

26 Jul 2012 04:31:05 | WARN EXCEPTION (org.mortbay.log) [1310202490(a)qtp-649430934-0]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1763)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1006)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
        at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:632)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)


--
Thanks, Phil


This is driving me bonkers! :( On the front-end I have tried creating a Java Keystore and importing the PKCS12 server certificate and the back-end PEM certificate, then changing the Tomcat server.xml to point to the JKS file. All starts up well and is listening on 8443. I can go to the Djigzo interface, but as soon as I try to authenticate I see the same error message appear in the djigzo.log on the back-end :(


--
Thanks, Phil

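The two back-end log lines in this thread point at different layers, and the wording of the second one says which side refused: a "Received fatal alert" was sent by the peer, so when the back-end's Jetty listener logs certificate_unknown it is the connecting front-end JVM that did not trust the back-end certificate. That is why changing the identity keystore in the front-end's Tomcat server.xml leaves the error unchanged; that keystore is what Tomcat presents on 8443, not what its JVM trusts when it calls the SOAP port. The script below is an added example, not code from the thread or from the DJIGZO project: a POSIX shell triage that classifies the back-end's djigzo.log lines and says on which host the fix belongs. The sample log lines are constructed from the two messages quoted in this thread, and the remediation hints are written from the back-end's point of view.

```shell
#!/bin/sh
# Added example (not from the thread or DJIGZO): classify TLS/SOAP failures
# seen in the back-end djigzo.log so the fix lands on the right host.

# Constructed sample, modelled on the two log excerpts posted in this thread.
sample_log() {
cat <<'EOF'
rethrown from
java.io.IOException: Protocol mismatch for port 9001: engine's protocol is http, the url protocol is https
26 Jul 2012 04:31:05 | WARN EXCEPTION (org.mortbay.log) [1310202490(a)qtp-649430934-0]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
EOF
}

# classify_line LINE -> prints protocol-mismatch, peer-rejected-cert,
# local-rejected-cert or other; returns 0 only for a known pattern.
classify_line() {
    case "$1" in
        *"Protocol mismatch for port"*) echo protocol-mismatch ;;
        # A *received* alert was sent by the peer: the other side rejected our cert.
        *"Received fatal alert: certificate_unknown"*|*"Received fatal alert: unknown_ca"*|*"Received fatal alert: bad_certificate"*) echo peer-rejected-cert ;;
        # PKIX errors are raised locally: this JVM rejected the peer's cert.
        *"unable to find valid certification path"*|*"PKIX path building failed"*) echo local-rejected-cert ;;
        *) echo other; return 1 ;;
    esac
}

# explain CLASS -> one-line hint, from the back-end's point of view.
explain() {
    case "$1" in
        protocol-mismatch)   echo "front-end URL uses https but the back-end listener on that port is plain http: enable the HTTPS SOAP listener in soap.xml (or fix the URL scheme)" ;;
        peer-rejected-cert)  echo "the connecting side (front-end JVM) did not trust the back-end certificate: import the issuing CA into the front-end JVM's cacerts, not the back-end's" ;;
        local-rejected-cert) echo "this JVM did not trust the peer's certificate: import the issuing CA into this host's cacerts" ;;
        *)                   echo "no known pattern" ;;
    esac
}

# triage_log FILE -> prints "class<TAB>hint" once per class found; returns 1
# when no line matched a known pattern.
triage_log() {
    found=1
    seen=""
    while IFS= read -r line; do
        cls=$(classify_line "$line") || continue
        case " $seen " in *" $cls "*) continue ;; esac
        seen="$seen $cls"
        found=0
        printf '%s\t%s\n' "$cls" "$(explain "$cls")"
    done < "$1"
    return $found
}

# Demo on the constructed sample; runs stand-alone, no network needed.
tmpf=$(mktemp)
sample_log > "$tmpf"
triage_log "$tmpf" || echo "no known pattern found in $tmpf"
rm -f "$tmpf"
```

Run it against a real copy of the back-end's djigzo.log (`triage_log /path/to/djigzo.log` after sourcing the file) and read the hint for the side named; a peer-rejected-cert result means the work is on the front-end host's JVM trust store.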

[snip]

Java by default trusts all the trusted certificates stored in the
cacerts JKS keystore. The Debian script update-ca-certificates reads a
directory of certificates and updates the cacerts keystore using the
keytool Java tool. On RedHat/CentOS you can use keytool directly to add
your own root to cacerts. On Ubuntu the default cacerts keystore can be
found at /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/security/cacerts. I
do not have a working CentOS at the moment so you should search for
cacerts (as root).

You can view all entries in the cacerts store with the following command:

keytool -list -keystore
/usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts

The default password for the cacerts store is:

changeit

Importing a trusted cert can be done I think with:

  keytool -importcert -trustcacerts -alias your_alias -keystore
/usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts -file <cert_file>

Change the path to the cacerts file for your system, select an alias and
specify the cert to import (note: I haven't tested this)

Hope this helps.

Kind regards,

Martijn


--
DJIGZO email encryption
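Martijn's keytool steps above, carried into a script that checks its inputs. This is an added example, not code from the thread or from DJIGZO: it assumes keytool and openssl are on PATH, the Java default store password changeit (override with CACERTS_PASS), a hypothetical alias internal-root-ca for your PKI's root, and the back-end SOAP port 9001 from the first message. It searches for cacerts the way Martijn suggests, skips the import when the alias is already present, and then confirms with openssl s_client that the back-end's HTTPS listener chains to that CA. Run it on the front-end host, against the cacerts of the JVM that Tomcat actually starts with, since that is the side sending the certificate_unknown alert.

```shell
#!/bin/sh
# Added example (not from the thread or DJIGZO): locate the JVM trust store,
# import an internal CA if missing, and verify the back-end chains to it.
# Assumed: keytool/openssl on PATH; store password "changeit" unless
# CACERTS_PASS is set; alias and paths below are placeholders.

# find_cacerts [ROOT...] -> prints the first cacerts found under the roots
# (default: $JAVA_HOME, /usr/lib/jvm, /etc/pki/java); returns 1 if none.
# Symlinks are accepted because CentOS links cacerts into /etc/pki/java.
find_cacerts() {
    if [ $# -eq 0 ]; then
        set -- ${JAVA_HOME:+"$JAVA_HOME"} /usr/lib/jvm /etc/pki/java
    fi
    for root in "$@"; do
        [ -d "$root" ] || continue
        hit=$(find "$root" -name cacerts \( -type f -o -type l \) 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# cacerts_has_alias STORE ALIAS -> 0 when ALIAS exists in STORE.
cacerts_has_alias() {
    keytool -list -keystore "$1" -storepass "${CACERTS_PASS:-changeit}" \
        -alias "$2" >/dev/null 2>&1
}

# import_ca STORE ALIAS CERT_FILE -> adds CERT_FILE (PEM or DER) as a trusted
# certificate. Input checks run before keytool is touched: exit 2 for a
# missing file, 3 when keytool is not available.
import_ca() {
    store=$1; alias=$2; cert=$3
    [ -f "$store" ] || { echo "import_ca: keystore not found: $store" >&2; return 2; }
    [ -f "$cert" ]  || { echo "import_ca: certificate not found: $cert" >&2; return 2; }
    command -v keytool >/dev/null 2>&1 || { echo "import_ca: keytool not on PATH" >&2; return 3; }
    if cacerts_has_alias "$store" "$alias"; then
        echo "import_ca: alias '$alias' already present in $store"
        return 0
    fi
    keytool -importcert -trustcacerts -noprompt -alias "$alias" \
        -keystore "$store" -storepass "${CACERTS_PASS:-changeit}" -file "$cert"
}

# verify_backend HOST PORT CA_FILE -> 0 when the listener's certificate chain
# verifies against CA_FILE; prints the OpenSSL verify result otherwise.
verify_backend() {
    out=$(openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null) || true
    case "$out" in
        *"Verify return code: 0 (ok)"*) return 0 ;;
        *) printf '%s\n' "$out" | grep 'Verify return code' >&2 || true; return 1 ;;
    esac
}

# Demo, only when DJIGZO_DEMO is set, because it runs keytool and opens a
# connection:  DJIGZO_DEMO=1 CA_FILE=/path/to/root.pem BACKEND_HOST=backend sh this.sh
if [ -n "${DJIGZO_DEMO:-}" ]; then
    store=$(find_cacerts) || { echo "no cacerts found; set JAVA_HOME" >&2; exit 1; }
    echo "using trust store: $store"
    import_ca "$store" "${CA_ALIAS:-internal-root-ca}" "${CA_FILE:?set CA_FILE to your root CA}" || exit $?
    verify_backend "${BACKEND_HOST:?set BACKEND_HOST}" "${BACKEND_PORT:-9001}" "$CA_FILE" \
        && echo "back-end certificate chains to $CA_FILE"
fi
```

After a successful import the front-end's Tomcat must be restarted, since the JVM reads cacerts at startup; if verify_backend still fails with the CA file that signed the back-end certificate, the listener is presenting a different certificate than you expect and the pfx configured in soap.xml is the place to look.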