Posted to users@tomcat.apache.org by "Newel, David" <Da...@Pearson.com> on 2012/03/15 23:16:14 UTC

How to specify not using a keystoreFile in server.xml when using a custom keystore?

Hi,


I'm experiencing a problem with creating an SSL Connector in Tomcat
7.0.26. We intend to use a database-based keystore, which means that we
are using a custom-made Provider which does not use the 'keystoreFile'
tag. To try to prevent Tomcat from trying to open a file we specify the
Connector in this way:

        <Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false"
            keyAlias="TestCert" keystoreFile="" keystoreType="Custom" port="443"
            protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

This used to work in Tomcat 6.0.32, but when we upgraded to Tomcat 7.0,
this exception gets thrown in the error stream:

SEVERE: Failed to load keystore type Custom with path E:\Program Files\Application\configuration\services\tomcat\ due to E:\Program Files\Application\configuration\services\tomcat (Access is denied)
java.io.FileNotFoundException: E:\Program Files\Application\configuration\services\tomcat (Access is denied)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:378)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:554)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:409)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:815)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:594)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:619)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)


Is this a bug in Tomcat 7.0 or is there an alternative method we're
supposed to use in order to prevent it from loading a keystoreFile from
the file system?

I took a look at the source through a debugger and found the area in
JSSESocketFactory where it reads this file, and it seems as though
specifying "" doesn't work correctly anymore because it tries to map a
relative path to catalina.base.



Re: How to specify not using a keystoreFile in server.xml when using a custom keystore?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/3/16 Newel, David <Da...@pearson.com>:
> Hi,
>
>
>
> I'm experiencing a problem with creating an SSL Connector in Tomcat
> 7.0.26. We intend to use a database-based keystore, which means that we
> are using a custom-made Provider which does not use the 'keystoreFile'
> tag. To try to prevent Tomcat from trying to open a file we specify the
> Connector in this way:
>
>
>
>        <Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false"
>            keyAlias="TestCert" keystoreFile="" keystoreType="Custom" port="443"
>            protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
>
>
>
> This used to work in Tomcat 6.0.32, but when we upgraded to Tomcat 7.0,
> this exception gets thrown in the error stream:
>
>
>
> SEVERE: Failed to load keystore type Custom with path E:\Program Files\Application\configuration\services\tomcat\ due to E:\Program Files\Application\configuration\services\tomcat (Access is denied)
> java.io.FileNotFoundException: E:\Program Files\Application\configuration\services\tomcat (Access is denied)
>         at java.io.FileInputStream.open(Native Method)
>         at java.io.FileInputStream.<init>(Unknown Source)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
>         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:378)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:554)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:409)
>         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:815)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:594)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:619)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
>
>
>
> Is this a bug in Tomcat 7.0 or is there an alternative method we're
> supposed to use in order to prevent it from loading a keystoreFile from
> the file system?
>
>
>
> I took a look at the source through a debugger and found the area in
> JSSESocketFactory where it reads this file, and it seems as though
> specifying "" doesn't work correctly anymore because it tries to map a
> relative path to catalina.base.


I agree that this is an issue. Please file a bug in Bugzilla.

Looking at the code,
java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#getStore(...)

            if(!("PKCS11".equalsIgnoreCase(type) ||
                    "".equalsIgnoreCase(path))) {

and that happens before appending it to CATALINA_BASE.
But in AbstractEndpoint#setKeystoreFile(String) the path is always
converted to absolute and thus the above check for "" value fails to
work.


BTW, I wonder what will happen if you specify "NUL" (the Windows
equivalent to /dev/null) as the value.

Best regards,
Konstantin Kolinko
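The ordering problem described in both messages above, as an added Java illustration that is not Tomcat source and not code from either poster: resolveAgainstBase() stands in for the behaviour attributed to AbstractEndpoint#setKeystoreFile (every relative path is made absolute against catalina.base), needsFile() is the guard quoted from JSSESocketFactory#getStore, and the two opensFile* methods run them in the two possible orders. The base directory under java.io.tmpdir is a constructed stand-in for catalina.base; the method and class names are this example's own.

```java
import java.io.File;

public class KeystorePathOrdering {

    /** Stand-in for the setter: a relative keystoreFile is resolved against catalina.base. */
    static String resolveAgainstBase(String configured, File catalinaBase) {
        File f = new File(configured);
        if (!f.isAbsolute()) {
            // new File(parent, "") yields the parent itself, so "" turns into the catalina.base directory
            f = new File(catalinaBase, configured);
        }
        return f.getAbsolutePath();
    }

    /** The guard quoted from getStore(): no file is opened for PKCS11 or for an empty path. */
    static boolean needsFile(String type, String path) {
        return !("PKCS11".equalsIgnoreCase(type) || "".equalsIgnoreCase(path));
    }

    /** Resolve-first order (the behaviour reported for 7.0.26): the guard only ever sees the resolved value. */
    static boolean opensFileWithResolveFirst(String type, String configured, File base) {
        String stored = resolveAgainstBase(configured, base);
        return needsFile(type, stored);
    }

    /** Guard-first order: the empty value is recognised before it can be resolved to a directory. */
    static boolean opensFileWithGuardFirst(String type, String configured, File base) {
        if (!needsFile(type, configured)) {
            return false;
        }
        return needsFile(type, resolveAgainstBase(configured, base));
    }

    public static void main(String[] args) {
        // Constructed stand-in for catalina.base; nothing is created on disk.
        File base = new File(System.getProperty("java.io.tmpdir"), "tomcat-base");

        String[][] cases = {
            {"Custom", ""},           // the poster's configuration: custom provider, no file
            {"PKCS11", ""},           // token-backed store: the guard keys off the type, so order is irrelevant
            {"JKS", "conf/keystore"}  // ordinary relative path: both orders correctly open a file
        };
        for (String[] c : cases) {
            String type = c[0], configured = c[1];
            System.out.printf("type=%-7s keystoreFile=\"%s\"%n", type, configured);
            System.out.printf("  resolve-first opens a file? %b (path seen by the guard: %s)%n",
                    opensFileWithResolveFirst(type, configured, base),
                    resolveAgainstBase(configured, base));
            System.out.printf("  guard-first   opens a file? %b%n",
                    opensFileWithGuardFirst(type, configured, base));
        }
    }
}
```

For the Custom/"" case the resolve-first order reports that a file must be opened and the path it would open is the catalina.base directory itself, which is exactly the "Failed to load keystore type Custom with path ...\tomcat\" failure in the original report; the guard-first order reports no file. The PKCS11 row shows why the problem was not noticed for hardware tokens: that branch of the guard does not depend on the path at all.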
