SSL connection Tomcat 8.5

konyicska

I have installed a certificate issued and signed by a trusted Certification Authority (CA) in my Tomcat 8.5.23 Ubuntu server.

 

I have followed these steps: https://www.ptc.com/en/support/article?n=CS193947

I can connect to Composer over https and over http it redirects me to https.

 

When I try the SteamSensorConsole app with this URL: wss://aaa.bbb.com:433/Thingworx/WS I get this error:

[Error] Error intializing socket connection. Err = -1
[Error] twWs_Connect: Error restarting socket. Error 0

I have tried these configurations:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = true;

And these:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = false;

Both with same results.

 

Do I have to configure something else? Or do I have to change something in the Tomcat configuration?


Hello konyicska,

 

When looking into this error internally I believe it may be a disconnect between the SSL protocols and ciphers available between the edge application and the server.

 

The proposed resolution is to expand the protocols and ciphers allowed by the Tomcat server by editing the server.xml file. See the following example:

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    acceptorThreadCount="2"
    maxThreads="1000"
    socket.txBufSize="24576"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    keystoreFile="Keystore_File"
    keystorePass="Keystore_Password"
    clientAuth="false"
    sslProtocol="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
/>

Please refer to this article for further details:

https://www.ptc.com/en/support/article?n=CS286924

 

Regards,

Tyler Misner

ThingWorx Technical Support Engineer

konyicska (To: tmisner)

I made that change and nothing, I got same results.

 

EDIT:

I made a mistake, I used port 433 instead of 443. Now my error is:

[Error] Error intializing SSL connection
[Error] twWs_Connect: Error restarting socket.  Error 0

Hello again konyicska,

 

Thank you for the update here.

 

I had seen port 433 mentioned in the post and had figured that was simply a typo when submitting your initial inquiry. My apologies for not mentioning that as a potential issue in my response.

 

Let's verify a couple of things here:

  1. Confirm the Application Key you are using is not expired
  2. Provide the URI you are entering at the command line when running the application

 

In the meantime I will proceed to configure the SteamSensorConsole example myself and report back.

 

Regards,

Tyler Misner

ThingWorx Technical Support Engineer

Hello k,

 

After a bit of setup and some testing internally I was able to get the SteamSensorConsole example from the .NET SDK to work correctly.

 

I was able to reproduce the error you had mentioned in your latest post. The resolution for me did indeed turn out to be related to ciphers. Please try utilizing this more extensive list of ciphers in your deployment:

ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 
	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
	TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" 

Regards,

Tyler Misner

ThingWorx Technical Support Engineer

konyicska (To: tmisner) [Accepted Solution]

Finally my configuration that works is this:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = true;

server.xml

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="*"
    keystorePass="*"
    clientAuth="false"
    sslProtocol="TLS"
    acceptorThreadCount="2"
    socket.txBufSize="24576"
    ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" />

Take a look at sslProtocol, if I put TLSv1,TLSv1.1,TLSv1.2 I can't access Composer. I get

ERR CONNECTION TIMED OUT

 

Differences between TLS and TLSv1, TLSv1.1, TLSv1.2: https://security.stackexchange.com/questions/705/what-are-the-differences-between-the-versions-of-tls?answertab=votes#tab-top

 

I have one question:

config.DisableCertValidation = true; if I change this to false, do I have to provide the browser/public certificate? What is the best practice in production?

 

Thanks @tmisner !!!
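
The protocol and cipher back-and-forth in this thread (the two support replies and the final server.xml above) is easy to get subtly wrong, so here is an added example that is not code from the thread, from PTC or from Tomcat: a small audit of a Tomcat `<Connector>` element. The two connector strings inside it are constructed from the posted one (cipher list shortened to a representative subset, keystore values left as the `*` placeholders the poster used). One rule it encodes is Tomcat 8.5 semantics: `sslProtocol` takes a single JSSE SSLContext name such as `TLS`, while the protocol versions offered to clients are set by `sslEnabledProtocols`; a comma-separated `sslProtocol` is not a valid SSLContext name, so the connector fails to initialise and the port never listens, which is consistent with the ERR_CONNECTION_TIMED_OUT seen above when `TLSv1,TLSv1.1,TLSv1.2` was put there.

```python
"""Audit the TLS settings of a Tomcat <Connector> element from server.xml.

Added example; not code from this thread, from PTC or from Tomcat. The sample
connectors are constructed from the one posted in the accepted answer.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the posted connector, cipher list trimmed to a subset.
SAMPLE_CONNECTOR = """
<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="*" keystorePass="*" clientAuth="false"
    sslProtocol="TLS" acceptorThreadCount="2" socket.txBufSize="24576"
    ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
             TLS_RSA_WITH_AES_256_CBC_SHA" />
"""

# Constructed hardened variant: TLS 1.2 only, forward-secret AEAD suites only.
# Whether a given edge SDK can negotiate this must be tested before deploying it.
HARDENED_CONNECTOR = """
<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="*" keystorePass="*" clientAuth="false"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_ciphers(attr: str) -> List[str]:
    """Split the ciphers attribute the way Tomcat does: on commas, trimming whitespace."""
    return [c.strip() for c in attr.split(",") if c.strip()]


def cipher_findings(name: str) -> List[str]:
    """Weaknesses of one IANA-style cipher suite name; an empty list means acceptable."""
    findings: List[str] = []
    if any(tag in name for tag in ("3DES", "RC4", "_NULL_", "EXPORT", "_DES_")):
        findings.append("weak bulk cipher")
    if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        findings.append("no forward secrecy")  # static RSA key exchange
    if "_CBC_" in name:
        findings.append("CBC mode")  # MAC-then-encrypt, padding-oracle history
    if name.endswith("_SHA"):
        findings.append("SHA-1 MAC")
    return findings


def audit_connector(xml_text: str) -> Dict[str, object]:
    """Audit one <Connector>; returns connector-level issues and per-cipher findings."""
    el = ET.fromstring(xml_text.strip())
    issues: List[str] = []
    if el.get("SSLEnabled", "false").lower() != "true":
        issues.append("SSLEnabled is not true")
    if "," in el.get("sslProtocol", "TLS"):
        issues.append('sslProtocol must be a single SSLContext name such as "TLS"; '
                      "a version list belongs in sslEnabledProtocols (a bad value stops the connector)")
    enabled = el.get("sslEnabledProtocols")
    if enabled is None:
        issues.append("sslEnabledProtocols not set: the JVM default applies, which may include TLSv1/TLSv1.1")
    else:
        for proto in (p.strip() for p in enabled.split(",")):
            if proto in LEGACY_PROTOCOLS:
                issues.append(f"legacy protocol enabled: {proto}")
    ciphers = {name: cipher_findings(name) for name in parse_ciphers(el.get("ciphers", ""))}
    if not ciphers:
        issues.append("ciphers not set: the JVM default cipher list applies")
    return {"connector": issues, "ciphers": ciphers}


def print_report(xml_text: str) -> None:
    report = audit_connector(xml_text)
    for issue in report["connector"]:
        print("connector:", issue)
    for name, findings in report["ciphers"].items():
        print(f"{name}: {', '.join(findings) or 'ok'}")


if __name__ == "__main__":
    print("--- posted connector ---")
    print_report(SAMPLE_CONNECTOR)
    print("--- hardened connector ---")
    print_report(HARDENED_CONNECTOR)
```

Run it against your own `<Connector>` by pasting the element into `SAMPLE_CONNECTOR`. The hardened variant is the target, not a drop-in: this thread shows an edge client failing the handshake when the server's list was too narrow, so confirm which suites and versions the edge SDK actually negotiates (for instance by watching a test handshake) before removing the CBC and non-PFS suites it may still depend on.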

Hello konyicska,

 

Glad you were able to get this working.

 

With respect to setting config.DisableCertValidation = false in the future you will indeed need to point the edge application at a valid certificate which corresponds to the certificate used by Tomcat.

 

The best practice for these settings in Production is having DisableCertValidation set to false (so that certs are checked). config.AllowSelfSignedCertificates should also be set to false (as Self Signed Certificates are not very secure).

 

The way to go about setting certificate validation is noted in the Dotnet Developers guide on Page 29 under the "ClientConfigurator: Client/Server CertificateValidation" section.

 

Regards,

Tyler Misner

ThingWorx Technical Support Engineer
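
On the production question answered above, here is an added example, not from the thread or from the ThingWorx .NET SDK, that shows what DisableCertValidation means on the client side and separates the two failure stages this thread went through (TCP never connecting on the mistyped port 433, then the TLS handshake failing once the port was right). Python's ssl module stands in for the SDK's TLS layer; the function names, the `ca_bundle` parameter and the constructed sample failures are this example's own assumptions, not SDK API.

```python
"""Client-side meaning of DisableCertValidation, and a staged wss probe.

Added example; not code from this thread or from the ThingWorx .NET SDK.
Names mirror the thread's settings but the functions are this example's own.
"""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse


def client_context(disable_cert_validation: bool,
                   ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build the client TLS policy.

    disable_cert_validation=False (production): the chain must lead to a trusted
    CA and the name in the certificate must match the host in the URL.
    disable_cert_validation=True: any certificate is accepted, so anyone in the
    path can terminate TLS themselves and read the AppKey and the data.
    ca_bundle: PEM file with the CA(s) that signed the server certificate; when
    None the platform trust store is used (assumed parameter, not an SDK one).
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if disable_cert_validation:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_of(ctx: ssl.SSLContext) -> Tuple[str, bool]:
    """Summarise a context as (verify mode name, hostname check) for logs or tests."""
    return ssl.VerifyMode(ctx.verify_mode).name, ctx.check_hostname


def parse_wss_url(url: str) -> Tuple[str, int]:
    """Return (host, port) for a wss:// URL; the port defaults to 443 like https."""
    u = urlparse(url)
    if u.scheme != "wss" or not u.hostname:
        raise ValueError(f"expected a wss://host[:port]/path URL, got {url!r}")
    return u.hostname, u.port or 443


def stage_of(exc: BaseException) -> str:
    """Name the stage a connection died in: 'socket' (TCP never connected, e.g. a
    wrong port), 'tls' (handshake failed, e.g. no protocol or cipher in common),
    'cert' (handshake fine but the certificate chain or hostname was rejected)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert"
    if isinstance(exc, ssl.SSLError):  # SSLError is itself an OSError: test it first
        return "tls"
    if isinstance(exc, OSError):  # includes socket.timeout / ConnectionRefusedError
        return "socket"
    return "other"


# Constructed sample failures for the three stages (no network needed).
SAMPLE_FAILURES = {
    "wrong port": ConnectionRefusedError(111, "Connection refused"),
    "no common cipher": ssl.SSLError(1, "sslv3 alert handshake failure"),
    "untrusted chain": ssl.SSLCertVerificationError(1, "certificate verify failed"),
}


def probe(url: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> str:
    """Connect in two stages and report where it failed, or what was negotiated."""
    host, port = parse_wss_url(url)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"{stage_of(exc)}: {exc}"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"ok: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        raw.close()
        return f"{stage_of(exc)}: {exc}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wss://aaa.bbb.com:443/Thingworx/WS"
    for disabled in (False, True):
        print(f"DisableCertValidation={disabled}: {probe(target, client_context(disabled))}")
```

Running `probe` with validation on and then off tells you which problem you have: a result that only turns to `ok` when validation is off means the server's chain or name is the issue (fix the certificate or point `ca_bundle` at the issuing CA), while `tls:` in both runs means a protocol or cipher mismatch of the kind this thread resolved on the Tomcat side. Leaving validation off in production removes the only thing that binds the wss endpoint to your server.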

 
