konyicska (1-Visitor)
February 7, 2019
Solved

SSL connection Tomcat 8.5


I have installed a certificate issued and signed by a trusted Certification Authority (CA) in my Tomcat 8.5.23 Ubuntu server.


I have followed these steps: https://www.ptc.com/en/support/article?n=CS193947

I can connect to Composer over https and over http it redirects me to https.


When I try the SteamSensorConsole app with this url: wss://aaa.bbb.com:433/Thingworx/WS I get this error:

[Error] Error intializing socket connection. Err = -1
[Error] twWs_Connect: Error restarting socket. Error 0

I have tried these configurations:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = true;

And these:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = false;

Both with same results.


Do I have to configure something else? Or do I have to change something in the Tomcat configuration?

Best answer by konyicska

Finally my configuration that works is this:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = true;

server.xml

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="*"
    keystorePass="*"
    clientAuth="false"
    sslProtocol="TLS"
    acceptorThreadCount="2"
    socket.txBufSize="24576"
    ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" />

Take a look at sslProtocol: if I put TLSv1,TLSv1.1,TLSv1.2 I can't access Composer. I get

ERR CONNECTION TIMED OUT


Differences between TLS and TLSv1, TLSv1.1, TLSv1.2: https://security.stackexchange.com/questions/705/what-are-the-differences-between-the-versions-of-tls?answertab=votes#tab-top


I have one question:

config.DisableCertValidation = true; if I change this to false, do I have to provide the browser/public certificate? What is the best practice in production?


Thanks @tmisner !!!


Tyler Misner (16-Pearl)
February 7, 2019

Hello konyicska,


When looking into this error internally, I believe it may be a disconnect between the SSL protocols and ciphers available between the edge application and the server.


The proposed resolution is to expand the protocols and ciphers allowed by the Tomcat server by editing the server.xml file. See the following example:

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    acceptorThreadCount="2"
    maxThreads="1000"
    socket.txBufSize="24576"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    keystoreFile="Keystore_File"
    keystorePass="Keystore_Password"
    clientAuth="false"
    sslProtocol="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
/>

Please refer to this article for further details:

https://www.ptc.com/en/support/article?n=CS286924


Regards,

Tyler Misner

ThingWorx Technical Support Engineer
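The "disconnect between the SSL protocols and ciphers" that the reply above describes, and the sslProtocol / cipher-list choices in the accepted answer, are easier to reason about with a small checker. The Python below is an added example, not code from this thread, from PTC, or from Tomcat: it parses a single Tomcat Connector element, flags deprecated protocol names and cipher suites that are weak by current practice (RC4, 3DES, static-RSA key exchange, CBC), and computes which suites a given client could negotiate against the server's list. Both Connector samples are constructed for this example and the keystore path and password in them are placeholders; the hardened sample uses sslEnabledProtocols, a Tomcat JSSE connector attribute that does not appear in this thread, to pin the enabled protocol versions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <Connector> snippets in this thread.
# Keystore path and password are placeholders, not values from any real server.
PERMISSIVE_CONNECTOR = """<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/PLACEHOLDER/keystore.jks" keystorePass="PLACEHOLDER"
    clientAuth="false"
    sslProtocol="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
"""

# Constructed hardened form: one sslProtocol keyword, an explicit enabled-protocol
# list (sslEnabledProtocols is the Tomcat JSSE attribute for that), and only
# forward-secret AEAD suites.
HARDENED_CONNECTOR = """<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/PLACEHOLDER/keystore.jks" keystorePass="PLACEHOLDER"
    clientAuth="false"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def _split(value):
    """Split a comma-separated attribute value, dropping whitespace and blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_connector(xml_text):
    """Return (protocols, ciphers) from a single Tomcat <Connector> element.

    Protocols come from sslEnabledProtocols when it is set, otherwise from
    sslProtocol (the configs in this thread put a comma list there).
    """
    el = ET.fromstring(xml_text)
    protos = _split(el.get("sslEnabledProtocols") or el.get("sslProtocol", "TLS"))
    return protos, _split(el.get("ciphers", ""))


def cipher_findings(suite):
    """Reasons a suite is weak by current practice; an empty list means no finding."""
    findings = []
    if "RC4" in suite:
        findings.append("RC4 stream cipher (broken)")
    if "3DES" in suite:
        findings.append("3DES (64-bit block, Sweet32)")
    if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        findings.append("static RSA key exchange (no forward secrecy)")
    if "_CBC_" in suite:
        findings.append("CBC mode (prefer AEAD/GCM)")
    return findings


def audit(xml_text):
    """Audit one Connector: deprecated protocol names and weak suites with reasons."""
    protos, ciphers = parse_connector(xml_text)
    weak = {}
    for suite in ciphers:
        reasons = cipher_findings(suite)
        if reasons:
            weak[suite] = reasons
    return {
        "deprecated_protocols": [p for p in protos if p in DEPRECATED_PROTOCOLS],
        "weak_ciphers": weak,
    }


def negotiable(server_suites, client_suites):
    """Suites both sides offer, in server preference order.

    An empty result is the mismatch this thread is about: no common suite,
    so the TLS handshake fails before the WebSocket upgrade is ever sent.
    """
    client = set(client_suites)
    return [s for s in server_suites if s in client]


if __name__ == "__main__":
    for label, connector in (("permissive", PERMISSIVE_CONNECTOR),
                             ("hardened", HARDENED_CONNECTOR)):
        print(label, audit(connector))
    # Constructed client offer: one legacy suite only.
    server_suites = parse_connector(HARDENED_CONNECTOR)[1]
    print("negotiable:", negotiable(server_suites, ["TLS_RSA_WITH_AES_128_CBC_SHA"]))
```

The checker only looks at the server side of the handshake; it says nothing about what the edge SDK's DisableCertValidation flag does on the client, which is a separate control and should be treated as one.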

konyicska (1-Visitor, Author)
February 7, 2019

I made that change and nothing; I got the same results.


EDIT:

I made a mistake: I used port 433 instead of 443. Now my error is:

[Error] Error intializing SSL connection
[Error] twWs_Connect: Error restarting socket. Error 0

Tyler Misner (16-Pearl)
February 7, 2019

Hello again konyicska,


Thank you for the update here.


I had seen port 433 mentioned in the post and had figured that was simply a typo when submitting your initial inquiry. My apologies for not mentioning that as a potential issue in my response.


Let's verify a couple of things here:

  1. Confirm the Application Key you are using is not expired
  2. Provide the URI you are entering at the command line when running the application


In the meantime I will proceed to configure the SteamSensorConsole example myself and report back.


Regards,

Tyler Misner

ThingWorx Technical Support Engineer