on 03-04-2020 9:44 AM
Hi there,
I am running into problems when trying to change the communication between CCOM and CCO to https.
I applied a certificate to the Tomcat of the CCOM and therefore changed the server.xml like this:
<Connector port="9090" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200" maxHttpHeaderSize="8192" URIEncoding="UTF-8" SSLEnabled="true" keystoreFile="xxx.p12" keystorePass="xxx" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" > </Connector>
After that, I can access the CCOM via https://xxx/ccos (with a certificate warning). But CCO shows the error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Which should be solved, according to KBA 2694514, section "Error Message when connecting to the SAP Business One system How to connect one B1i system with a self-signed certificate via https", by adding
to the Java properties of the Tomcat.
Unfortunately this leads to a timeout, in the browser as well as in CCO, when trying to access CCOM.
In the official documentation only the https connection between CCO backend and frontend is documented.
Can anyone help me? Has anyone experience with setting this up?
I figured it out, the certificates had to be imported into the POS Java keystore, then it works like a charm!
You also don't need the JAVA properties from KBA 2694514.
More information here: https://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-ja...
Hello marcoschoenmann
Within the server.xml of the Tomcat where CCOM is running you have to add a Connector like the following within the Service tag. Just change the port, keystoreFile, keyAlias and keystore password to what you chose when creating the keystore. In my example I used a keystore of type jks. With this CCOM should run encrypted on port 9443.
On the CCO side you have to check the cacerts keystore (JRE installation path\lib\security\cacerts) to see whether the CA certificate is already listed. If not, you have to add it.
Best Regards
Klaus
Please vote: IR257988, IR257530, IR257531, IR254835
<Connector
port="9443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="200"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA"
keystoreFile="Path and Name of keystore.jks"
keyAlias="tomcat"
keystorePass="yourKeyStorePassword"
server=" "
/>
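The CCO-side check Klaus describes (is the CA already in the JRE's cacerts?) and the fix the original poster found (import the certificates into the POS Java keystore) can be verified before restarting CCO. The following Java program is an added example, not part of SAP CCO/CCOM or of any post above: it runs the same PKIX path building that produced the SSLHandshakeException in the thread, against a chosen trust store and the certificate.crt / ca_bundle.crt files mentioned later in the thread, and it lists what a keystore contains. The class name CacertsCheck, the subcommand names and the use of "changeit" as the stock cacerts password are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added diagnostic (hypothetical class, not part of CCO/CCOM).
 *   java CacertsCheck trust <trust-store> <store-password> <server-cert.crt> [ca_bundle.crt]
 *       -> does the JRE trust store build a path to the CCOM certificate, as CCO's SSL client must?
 *   java CacertsCheck list <keystore.jks|.p12|.pfx> <store-password>
 *       -> which aliases are private-key entries (usable as Tomcat keyAlias) and which are trust-only?
 * The default JRE trust store is <java.home>/lib/security/cacerts with the stock password "changeit" (assumption).
 */
public class CacertsCheck {

    /** Load a keystore; PKCS12 for .p12/.pfx, otherwise the JVM default type (handles JKS cacerts). */
    static KeyStore load(Path file, String password) throws Exception {
        String name = file.getFileName().toString().toLowerCase();
        String type = (name.endsWith(".p12") || name.endsWith(".pfx")) ? "PKCS12" : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Parse every X.509 certificate in a PEM or DER file (certificate.crt, ca_bundle.crt). */
    static List<X509Certificate> readCerts(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Same PKIX path building the JSSE client performs; null on success, otherwise the builder's reason. */
    static String pkixFailure(KeyStore trustStore, X509Certificate leaf, List<X509Certificate> extra) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // offline check: the thread's error is a missing anchor, not revocation
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(extra)));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (CertPathBuilderException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length >= 4 && args[0].equals("trust")) {
            KeyStore trust = load(Paths.get(args[1]), args[2]);
            List<X509Certificate> chain = readCerts(Paths.get(args[3]));   // leaf first, as in certificate.crt
            if (args.length > 4) chain.addAll(readCerts(Paths.get(args[4]))); // intermediates/root from ca_bundle.crt
            for (X509Certificate c : chain) {
                String alias = trust.getCertificateAlias(c);             // Klaus's check: is the CA already listed?
                System.out.println(c.getSubjectX500Principal() + " -> " + (alias == null ? "NOT in trust store" : "alias " + alias));
            }
            String why = pkixFailure(trust, chain.get(0), chain);
            System.out.println(why == null ? "OK: CCO would accept this certificate" : "PKIX path building failed: " + why);
        } else if (args.length == 3 && args[0].equals("list")) {
            KeyStore ks = load(Paths.get(args[1]), args[2]);
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                // Tomcat's keyAlias must name a key entry; a keytool -import of a .crt only creates a trust entry.
                System.out.println(alias + ": " + (ks.isKeyEntry(alias) ? "PrivateKeyEntry (usable as keyAlias)" : "trustedCertEntry (trust only)"));
            }
        } else {
            System.err.println("usage: trust <trust-store> <password> <cert.crt> [ca_bundle.crt] | list <keystore> <password>");
        }
    }
}
```

When "trust" reports a failure, the fix from the thread applies: import the CA certificate into that cacerts file with keytool (`keytool -importcert -trustcacerts -alias <alias> -file ca.crt -keystore <path to cacerts>`) and restart CCO, then rerun the check. The "list" subcommand is useful on the CCOM side: the Connector's keyAlias has to point at a PrivateKeyEntry, so a keystore that holds only trustedCertEntry aliases cannot serve TLS.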
Hi Klaus
Just created "mykeystore.jks" on my side with the following command:
keytool -import -trustcacerts -alias <myalias> -file "C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_CCO\etc\ssl\certificate.crt" -keystore "C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_CCO\conf\mykeystore.jks"
So, keystore is available and certificate is in it.
In server.xml I added the following connector:
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA" keystoreFile="conf/mykeystore.jks" keyAlias="myalias" keystorePass="mypw" server="myadress" />
After restarting the Tomcat service I'm still not able to connect to https://myadress:9443/ccos
It shows a timeout (site is not reachable).
Connecting to http://myadress:9090/ccos is still possible...
Can't see where the problem is...
Any ideas?
Best regards
Marco
Hello marcoschoenmann
The server tag should be server=" ". Further, to be sure that the keystore reference is correct, I would set the keystoreFile Tag with the full path to the keystore file. If that does not help, then what error messages do you find in tomcat logs?
And at the end I'm sure you checked necessary firewall settings?
Best Regards
Klaus
Hello Marco Schönmann
Thanks for the feedback. Maybe you want to have a look at my Improvement Requests (IR257988, IR257530, IR257531, IR254835) and vote for some of them...
Best Regards
Klaus
Hi Arne
Thank you very much for these explanations. Unfortunately I'm still struggling with this...
Tried it different ways, but never had a keystore file(.p12) like you mention in your server.xml config.
Do I need to create a new keystore and upload my certificate? Where do I need to store the certificate?
I have my certificate in following formats:
certificate.crt(plus ca_bundle.crt and private.key)
certificate.pfx
certificate.p7b
After creating the keystore, importing the .crt file into it with keytool and changing server.xml as you explain, CCOM is still available on the http port, but not via https...
Maybe you can give me some more hints regarding this keystoreFile?
Best regards
Marco