Develop Reference

Open Tomcat to external network

I have a CentOS 7 VM on Azure and having serious troubles to make it reachable from Internet.
Meanwhile it looks to be perfectly reachable by internal network:
[root#localhost bin]# telnet 192.168.200.128 8080
Trying 192.168.200.128...
Connected to 192.168.200.128.
Escape character is '^]'.
But i cannot reach it from internet by public IP:
> telnet x.x.x.x 8080
Connessione a x.x.x.x...Impossibile aprire una connessione con l'host. sulla porta 8080: Connessione non riuscita
(public IP removed for security purpose)
The port 8080 is correctly open on Azure NSG:
Priority
Name
Port
Protocol
Source
Destination
Action
350
Tomcat
8080
TCP
Any
Any
Allow
The port 8080 is correctly open and listening by Tomcat on VM:
[root#localhost ~]# netstat -tulpn | grep LISTEN
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 14987/java
tcp 0 0 0.0.0.0:5001 0.0.0.0:* LISTEN 14987/java
tcp 0 0 127.0.0.1:29130 0.0.0.0:* LISTEN 6594/mdsd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 616/rpcbind
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 14987/java
Firwall on VM is disabled :
[root#localhost ~]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
I really have no idea what I'm missing here...
This is my server.xml :
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
useIPVHosts="true"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8089" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" resolveHosts="true"/>
</Host>
</Engine>
</Service>
</Server>
Any help would be really appreciated!
Note that NGINX on port 80 is working perfectly also from internet!

I tried to reproduce the same in my environment I got the same error to make reachable Internet as port 8080.
To resolve this issue:
First, I have installed default Java development and runtime in CentOS 7.
sudo yum install java-1.8.0-openjdk-devel
And try to download a Tomcat bin file. I have downloaded apache-tomcat-9.0.68.tar.gz file in my directory like below.
When download is completed, try using this command to extract the tar file.
tar -xf apache-tomcat-9.0.68.tar.gz
And move the source file to the /opt/tomcat directory.
sudo mv apache-tomcat-9.0.68 /opt/tomcat/
Try following below script:
sudo mv apache-tomcat-9.0.27 /opt/tomcat/
sudo ln -s /opt/tomcat/apache-tomcat-9.0.27 /opt/tomcat/latest
sudo chown -R tomcat: /opt/tomcat
sudo sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'
I used Sudo vi for text editor create a tomcat.service unit file and pasted from document content.
sudo vi /etc/systemd/system/tomcat.service
Try to start the tomcat:
Finally, when I try to run the firewall to access the tomcat interface from the outside of the local network it's works successfully.
Result:
Check whether you have added port 8080 in your vm as below:
In your virtual machine -> networking ->add inbound port rule -> add port 8080 like below.
Reference:
Install Tomcat 9 on CentOS 7 | Linuxize

cassandra node to node encryption throws unable to gossip with peers exception

We currently run a multi region cassandra cluster in AWS. It runs in four regions, 12 nodes per region. It runs without node to node encryption (or client encryption either). We are trying to enable inter datacenter node to node encryption. However, when we flip encryption over we get an exception that nodes are unable to gossip with any peers.
It could possibly be that we didn't build our jks keystore/truststores correctly (more on how we built these files below). But, we additionally do not see intra datacenter communication working (which should be set to unencrypted communication). Additionally, cqlsh cannot connect to the node either; even though we have (by default) client_auth_required set to false.
ERROR [main] 2019-08-15 18:46:32,241 CassandraDaemon.java:749 - Exception encountered during startup
java.lang.RuntimeException: Unable to gossip with any peers
at org.apache.cassandra.gms.Gossiper.doShadowRound(Gossiper.java:1435) ~[apache-cassandra-3.11.4.jar:3.11.4]
at org.apache.cassandra.service.StorageService.checkForEndpointCollision(StorageService.java:566) ~[apache-cassandra-3.11.4.jar:3.11.4]
at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:823) ~[apache-cassandra-3.11.4.jar:3.11.4]
at org.apache.cassandra.service.StorageService.initServer(StorageService.java:683) ~[apache-cassandra-3.11.4.jar:3.11.4]
at org.apache.cassandra.service.StorageService.initServer(StorageService.java:632) ~[apache-cassandra-3.11.4.jar:3.11.4]
at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:388) [apache-cassandra-3.11.4.jar:3.11.4]
at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:620) [apache-cassandra-3.11.4.jar:3.11.4]
at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:732) [apache-cassandra-3.11.4.jar:3.11.4]
INFO [main] 2019-08-15 18:47:07,384 YamlConfigurationLoader.java:89 - Configuration location: file:/etc/cassandra/cassandra.yaml
Something to note is that this error message occurs after a few minutes of the node being up. (i.e. there is a delay between start up before this exception is thrown).
Information about our cassandra setup
cassandra version: 3.11.4
JDK version: openjdk-8.
Linux: Ubuntu 18.04 (bionic).
cassandra.yaml
endpoint_snitch: Ec2MultiRegionSnitch
server_encryption_options:
internode_encryption: dc
keystore: <omitted>
keystore_password: <omitted>
truststore: <omitted>
truststore_password: <omitted>
client_encryption_options:
enabled: false
cassandra-rackdc.properties
prefer_local=true
No obvious errors with SSH output
When starting cassandra with JVM_OPTS="$JVM_OPTS -Djavax.net.debug=ssl" added to cassandra-env.sh we see SSL logs printed to stdout (Note: Subject and Issuer were omitted on purpose).
found key for : cassy-us-west-2
adding as trusted cert:
Subject: ...
Issuer: ...
Algorithm: RSA; Serial number: 0xdad28d843fc73325d4c1a75207d4e74
Valid from Fri May 27 00:00:00 UTC 2016 until Tue May 26 23:59:59 UTC 2026
...
trigger seeding of SecureRandom
done seeding SecureRandom
Looking at Java SE SSL/TLS connection debugging, this looks correct. But to note, we see this series of messages (along with the RSA key signature output) repeated several times in rapid fire. We never observe any messages about the trust store being added; however that might be something that occurs only on client initiation (?)
Additionally, we do see cassandra report that the Encrypted Messaging service has been started.
INFO [main] 2019-08-15 18:45:31,022 MessagingService.java:704 - Starting Encrypted Messaging Service on SSL port 7001
Doesn't appear to be a cassandra.yaml configuration problem
We can bring the node back online by simply configuring internode_encryption: none. This action seems to rule out a broadcast_address or rpc_address configuration problem.
How we built our keystore/truststores
We followed the basic template datastax docs for preparing SSL certificates. One minor difference was that our private key and CSRs were generated using openssl. One per each region (we plan to share key/signed certs across nodes in regions). This was created using a command template as:
openssl req -new -newkey rsa:2048 -out cassy-<region>.csr -keyout cassy-<region>.key -config cassy-<region>.conf -subj "..." -nodes -sha256
The generated CSR was then signed by an internal root CA. Because we generated our files using openssl, we had to build our jks files by importing our certs into them.
Commands to generate truststore
We distribute this one file to all nodes.
keytool -importcert
-keystore generic-server-truststore.jks
-alias rootCa
-file rootCa.crt
-noprompt
-keypass omitted
-storepass omitted
Commands to generate keystore
This was done one per region; but essentially we created a keystore with keytool, then deleted the key entry and then imported our key entry using keytool from a pkcs12 file.
keytool -genkeypair -keyalg RSA -alias cassy-${region} -keystore cassy-${region}.jks -storepass omitted -keypass omitted -validity 365 -keysize 2048 -dname "..."
keytool -delete -alias cassy-${region} -keystore cassy-${region}.jks -storepass omitted
openssl pkcs12 -export -in signed_certs/${region}.pem -inkey keys/cassandra.${region}.key -name cassy-${region} -out ${region}.p12
keytool -importkeystore -deststorepass omitted -destkeystore cassy-${region}.jks -srckeystore ${region}.p12 -srcstoretype PKCS12
keytool -importcert -keystore cassy-${region}.jks -alias rootCa -file ca.crt -noprompt -keypass omitted -storepass omitted
Looking back at this, I don't remember why we used keytool to generate a keypair/keystore, then deleted and imported. I think it was because the keytool importkeystore command refused to run if the keystore didn't already exist.
ca.crt and pem file
The ca.crt file contains the root certificate and the intermediate certificate that was used to sign the CSR. The pem file contains the signed CSR returned to us, the intermediate cert, and the root CA (in that order).
openssl verify ca.crt and pem
openssl verify -CAfile ca.crt us-west-2.pem
signed_certs/us-west-2.pem: OK
Command output after enabling encryption
nodetool status (output truncated)
Datacenter: us-east
===================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
?N 52.44.11.221 ? 256 25.4% null 1c
...
?N 52.204.232.195 ? 256 23.2% null 1d
Datacenter: us-west-2
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
?N 34.209.2.144 ? 256 26.5% null 2c
UN 52.40.32.177 105.99 GiB 256 23.7% null 2c
?N 34.210.109.203 ? 256 24.7% null 2a
...
With the online node being the node with encryption set.
cqlsh to localhost
cassy-node6:~$ cqlsh
Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(111, "Tried connecting to [('127.0.0.1', 9042)]. Last error: Connection refused")})
cqlsh to remote node
Remote node is a node with encryption enabled
cassy-node6:~$ cqlsh 10.0.2.7
Connection error: ('Unable to connect to any servers', {'10.0.2.7': error(111, "Tried connecting to [('10.0.2.7', 9042)]. Last error: Connection refused")})
Behavior we expected
We expected for the node to report that the other regions were all down, as they need to be handled over encryption. So that works as expected; however, cqlsh and intra datacenter peers being reported as unreachable is unexpected.
Specifically, we expected the node to still show peer nodes within the same datacenter as up and normal, regardless if there is a cert issue/error. We also expected cqlsh to continue to work.
Lastly, we are also trying to figure out if we have a jks certificate problem.

Queiuing Theme - Missing marketplace-portlet

I seem to be getting these specific errors when attempting to deploy a custom theme on my Liferay Portal
<Feb 7, 2014 9:01:01 AM CST> <Info> <Deployer> <BEA-149059> <Module Peaks-2.0 of
application Peaks-2.0 is transitioning from STATE_NEW to STATE_PREPARED on serv
er eportal-DEV01.>
<Feb 7, 2014 9:01:01 AM CST> <Info> <Deployer> <BEA-149060> <Module Peaks-2.0 of
application Peaks-2.0 successfully transitioned from STATE_NEW to STATE_PREPARE
D on server eportal-DEV01.>
<Feb 7, 2014 9:01:01 AM CST> <Info> <Deployer> <BEA-149059> <Module Peaks-2.0 of
application Peaks-2.0 is transitioning from STATE_PREPARED to STATE_ADMIN on se
rver eportal-DEV01.>
<Feb 7, 2014 9:01:01 AM CST> <Info> <Deployer> <BEA-149060> <Module Peaks-2.0 of
application Peaks-2.0 successfully transitioned from STATE_PREPARED to STATE_AD
MIN on server eportal-DEV01.>
<Feb 7, 2014 9:01:01 AM CST> <Notice> <Stdout> <BEA-000000> <09:01:01,854 INFO
[[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)']
[HotDeployEvent:130] Plugin Peaks-2.0 requires marketplace-portlet>
<Feb 7, 2014 9:01:01 AM CST> <Notice> <Stdout> <BEA-000000> <09:01:01,855 INFO
[[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)']
[HotDeployImpl:252] Queueing Peaks-2.0 for deploy because it is missing marketpl
ace-portlet>
<Feb 7, 2014 9:01:01 AM CST> <Info> <Deployer> <BEA-149059> <Module Peaks-2.0 of
application Peaks-2.0 is transitioning from STATE_ADMIN to STATE_ACTIVE on serv
er eportal-DEV01.>
<Feb 7, 2014 9:01:01 AM CST> <Info> <Deployer> <BEA-149060> <Module Peaks-2.0 of
application Peaks-2.0 successfully transitioned from STATE_ADMIN to STATE_ACTIV
E on server eportal-DEV01.>
I'm running Liferay EE 6.2 on a WebLogic app server, here are some contents of my portal-ext.properties:
auto.deploy.deploy.dir=/hosting/apps/eportal/autoDeploy
auto.deploy.weblogic.dest.dir=/hosting/apps/eportal/liferayDeployments
I see both marketplace-portlet and my theme in the /liferayDeployments folder, however, neither is not showing up in the portal.
Any ideas as to how to fix this issue?
Attached are some extra portal-ext.properties

Is /hosting/apps/eportal/liferayDeployments configured to be monitored by Weblogic, e.g. automatically deployed to the appserver? If not, you might need to deploy them manually, e.g. after Liferay is done with the automatic deployment (injecting dependencies etc.) plugins end up in that directory. If Weblogic doesn't deploy these files on its own, you might need to zip them up as WAR files and deploy them manually.
Tomcat typically does this automatically, but "big iron" Appservers typically don't. The keyword here is "typically" - it all depends on your installation/configuration.
You'll find more about Weblogic installation in the User's Guide, but - granted - it's quite shallow on the plugins story. I'm mainly linking it here for others that might find this question later.

Puppet clients don't update

We are running puppet 2.7.11-1ubuntu2.4 (Ubuntu 12.04) on our clients and master. The clients don't seem to update automatically, but when I run:
sudo puppet agent --test
Everything works fine.
Current running processes on the client:
root 1764 1 0 Sep10 ? 00:00:05 /usr/bin/ruby1.8 /usr/bin/puppet agent
/etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
pluginsync=true
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
server=<URL_REMOVED>
configtimeout=300
/var/log/syslog.log
Sep 11 16:12:48 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:14:48 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:16:49 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:18:49 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:20:49 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
/etc/default/puppet
# Defaults for puppet - sourced by /etc/init.d/puppet
# Start puppet on boot?
START=yes
# Startup options
DAEMON_OPTS=""
Does someone have an idea what could be wrong?

We actually recently found the cause of this problem.
Some nodes had a hostname in their puppet.conf that didn't match the hostname in the certificate of the server.
Also some nodes didn't use their FQDN when they contacted the server, which caused mismatches with the client certificates. We fixed that by adding the FQDN to /etc/hosts:
127.0.1.1 hostename.domain.edu hostename

Take a look at this Troubleshooting page. Not sure about your problem exactly, but I saw similar errors in my log: "Did not receive certificate". In my case these steps have helped me:
on master run
puppet cert clean <NODE NAME>
on agent:
rm -rf $(puppet agent --configprint ssldir)
puppet agent --test

generate key and certificate using keytool

I want to generate a self signed trusted certificate and a csr and sign the csr with trusted certificate created. I am trying it with keytool. In the first step of creating a trusted certificate using the below command
keytool -genkey -alias mytrustCA -keyalg RSA -keystore keystore.jks -keysize 1024
where it puts the certificate into keystore. How can I store it to a file ? and when I list the contents using
keytool -list -v -keystore cert/test.keystore
Certificate created with above "genkey" command creates with entry type as "PrivateKeyEntry", how can create a trusted Cert Entry ?

In your first command, you have used the -genkey option to generate the keystore named keystore.jks.
To export the certificate in .CER format file, you will need to use the -export option of the keytool.
An example is:
keytool -v -export -file mytrustCA.cer -keystore keystore.jks -alias mytrustCA
This will generate a file named mytrustCA.cer
To generate a certificate request to send to a CA for obtaining a signed certificate, you will need to use the -certreq option of keytool.
An example is:
keytool -v -certreq -keystore keystore.jks -alias mytrustCA
This will ask for the keystore password and on successful authentication, it will show the certificate request as given below (a sample).
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJhMQ8wDQYDVQQH
EwZNdW1iYWkxEjAQBgNVBAoTCU1pbmRzdG9ybTEUMBIGA1UECxMLRW5naW5lZXJpbmcxFDASBgNV
BAMTC1JvbWluIElyYW5pMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqOLEumwLHlzIUAPD6
Ab1pVp84mhSNCCcUKInZbSdiDYnKSr46EjEw0PtZOVPJbM4ZG3bZsOboYr0YfViJi41o4yJICFAZ
8wCQQxPK/4N8MPV7C5WDH28kRKGH/Pc2e7CxV+as573I34QmkINk7fEyERMDwP/WgmrcKZgL0sfy
ewIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAlcpjOUZFP9ixskXSA7HNlioWwjbL9f9rQskJ9rK8
kGLJ1td+mqqm20yo/JrKCzZjOMqr/aL6Zw2dkoyU34T9HnR2Bs3SgKn6wlYsYEVvVBk71Ec6PeTi
e+fhfNQEHsj4wuB4qixO3s1jtsLDy+DpTzYguszczwxXGFVNuk+y2VY=
-----END NEW CERTIFICATE REQUEST-----
You will need to send this Certificate REquest or paste it into the Digital Certificate signer webpage. Alternately, you can even redirect this output to a file instead of the console as follows:
keytool -v -certreq -keystore keystore.jks -alias mytrustCA > mycertreq.txt

This is a command line example without any interactive prompts, may be easier to use this way and document all commands in a text file.
Create JavaKeyStore file and a self-signed certificate key
keytool -genkey -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype JKS \
-keystore my.server.com.jks -storepass mypwd -keypass mypwd \
-dname "CN=my.server.com, OU=EastCoast, O=MyComp Ltd, L=New York, ST=, C=US" \
-ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44" \
-validity 7200
keytool -keystore my.server.com.jks -storepass mypwd -list -v
You can use this keystore(.jks) file already in Tomcat but browsers give a self-signed certificate warning. Give SubjectAlternativeName extension argument with one or more dns names and optional ip address.
Create CertificateSigningRequest file
keytool -certreq -alias server -file my.server.com.csr \
-keystore my.server.com.jks -storepass mypwd \
-ext "SAN=dns:my.server.com,dns:www.my.server.com,ip:11.22.33.44" \
keytool -printcertreq -file my.server.com.csr
Send .csr file to CertificateAuthority(CA) operator for signing, you should later receive a certificate(cer) file. You must give here SubjectAlternativeName extension argument second time.
Import Certificate file to a keystore
keytool -import -trustcacerts -keystore my.server.com.jks -storepass mypwd \
-alias server -file my.server.com.cer
This command pairs your private key and a public certificate with a trusted valid CA authority. Browsers should not give a certificate warning anymore.
Import intermediate CA certs
keytool.exe -importcert -trustcacerts -file SomeCA.cer -alias someca -keystore my.server.com.jks -storepass mypwd
keytool.exe -importcert -trustcacerts -file SomeCAIssuing.cer -alias somecaissuing -keystore my.server.com.jks -storepass mypwd
This imports CA issuing certificates, you may need to do this before importing your certificate file(.cer).
Your hostname certificate may have an expiration date, so once about to expire soon create a new signing request(.csr) file from the keystore, send new csr file to CA authority, import new certificate(.cer) file.
You most likely are using jks keystore in Tomcat web server so here is tomcat/conf/server.xml https connector examples.
Tomcat 9+
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000" maxThreads="150"
URIEncoding="UTF-8" useBodyEncodingForURI="true" maxHttpHeaderSize="65536"
compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="all">
<Certificate certificateKeystoreFile="my.server.com.jks" certificateKeystoreType="JKS"
certificateKeystorePassword="mypwd" certificateKeyAlias="server" />
</SSLHostConfig>
</Connector>
Tomcat8.5, if older than 8.0 you may need to drop ciphers arguments
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
disableUploadTimeout="true" useBodyEncodingForURI="true"
acceptCount="300" acceptorThreadCount="2" maxThreads="400"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"
compression="off" compressionMinSize="2048"
keystoreFile="my.server.com.jks" keystorePass="mypwd" keyAlias="server"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
sslEnabledProtocols="+TLSv1,+TLSv1.1,+TLSv1.2"
ciphers="
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSVF
"
/>