Posted to users@tomcat.apache.org by Kenneth Taylor <ke...@dataexpress.com> on 2018/01/22 19:23:27 UTC

Can't Get SSL to Work in 8.5

We are trying to get SSL to work in 8.5 and have been unsuccessful.  We followed all the instructions in the Tomcat documentation and what help is available on the net but have been unable to get TC to startup with an SSL Connector configured.

Here is our Connector configuration:

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" scheme="http" redirectPort="8443" secure="false"/>

<Connector
    SSLEnabled="true"
    clientAuth="false"
    maxThreads="20"
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    scheme="https"
    secure="true"
    sslProtocol="TLS">
    <SSLHostConfig
        hostName="localhost"
        protocols="TLSv1.2"
        sessionCacheSize="15"
        sessionTimeout="960">
        <Certificate
            certificateKeyAlias="localhost"
            certificateKeystoreFile="conf/localhost-rsa.jks"
            certificateKeystorePassword="=NR5^vtuW_/?"
            certificateVerification="optionalNoCA"
            type="RSA"/>
    </SSLHostConfig>
</Connector>

Here is the error we get:

Jan 19, 2018 2:24:07 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: java.lang.NullPointerException
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
... 13 more
Caused by: java.lang.NullPointerException
at java.io.FileInputStream.<init>(FileInputStream.java:130)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at java.io.FileReader.<init>(FileReader.java:58)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:74)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:193)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more

We tried all kinds of variations of the configuration. We've run out of things to try.
We are using a JKS keystore created in Java code using the Bouncy Castle API.  The config files are all in the correct location.
The keystore has a private key and certificate (self-signed using BC).  Aliases & passwords are correct. Everything about the keystore looks correct.
We tried "tomcat" as the alias (matching the entry in the keystore).  We also tried the real hostname for hostName and matched the keystore alias to it.
Our keys are RSA 2048.
We tried adding all the typical extensions to the CERT.
The error above indicates that TC is looking for PEM files. Why?  We weren't using PEM files.
So, we tried switching to using PEM files but that throws another weird error from the SecretKeyGenerator about an invalid KeyGen algorithm.
We are specifying SHA256withRSA for KeyGen but TC is trying to use pbeWithSHAAnd2-KeyTripleDES-CBC.  This looks like a bug.

Also, we have configured many security settings. For example, all of the security related Filters are configured in web.xml.

TC version: 8.5.15
OS: Windows 8.1

Thanks for any help you can provide.

Ken


Disclaimer: This email from DMBGroup LLC, DMB Consulting Services LLC, or the personnel associated with either entity (collectively "DMB") and attachments, contain CONFIDENTIAL, PRIVILEGED AND PROPRIETARY information for exclusive use of the addressee individual(s) or entity. Unauthorized viewing, copying, disclosure, distribution or use of this e-mail or attachments may be subject to legal restriction or sanction. If received in error, notify sender immediately by return e-mail and delete original message and attachments. Nothing contained in this e-mail or attachments shall satisfy the requirements for a writing unless specifically stated. Nothing contained herein shall constitute a contract or electronic signature under the Electronic Signatures in Global and National Commerce Act, any version of the Uniform Electronic Transactions Act or any other statute governing electronic transactions. Opinions and statements expressed in this e-mail and any attachments are those of the individual sender and not necessarily of DMB. DMB does not guarantee this e-mail transmission is secured, error or virus-free. Neither DMB nor the sender of this e-mail accepts liability for errors or omissions in the contents of this e-mail, which arise as a result of e-mail transmission. .



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Can't Get SSL to Work in 8.5

Posted by Coty Sutherland <cs...@apache.org>.
On Tue, Jan 23, 2018 at 2:16 PM, Kenneth Taylor
<ke...@dataexpress.com> wrote:
> Coty,
>
> Thank you very much. That worked.  The only thing is it's not redirecting to SSL if you hit the regular URL.  Are we missing something?

Do you have a CONFIDENTIAL transport guarantee defined for the
applications that you want to redirect? The redirectPort doesn't work
exactly like most people think it does (e.g. it doesn't redirect all
traffic to the port), it redirects traffic for applications with a
transport guarantee that requires SSL. From the http configuration doc
(https://tomcat.apache.org/tomcat-8.5-doc/config/http.html) for
redirectPort: "If this Connector is supporting non-SSL requests, and a
request is received for which a matching <security-constraint>
requires SSL transport, Catalina will automatically redirect the
request to the port number specified here."

You can place a confidential transport guarantee in your application's
web.xml such as:

<security-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I guess if you wanted to redirect EVERYTHING from 8080 to 8443 you
could add a constraint in the global web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

but...I'm not sure if that would play nicely with everything or cause
problems :)

HTH

> <Connector
>     connectionTimeout="20000"
>     port="8080"
>     protocol="HTTP/1.1"
>     redirectPort="8443"
>     scheme="http"
>     secure="false"/>
>
> <Connector
>     SSLEnabled="true"
>     maxThreads="20"
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>     scheme="https"
>     secure="true">
>     <SSLHostConfig
>         name="_default_"
>         clientAuth="false"
>         sslProtocol="TLS"
>         protocols="TLSv1.2"
>         sessionCacheSize="5"
>         sessionTimeout="960">
>         <Certificate
>             certificateKeyAlias="dmb-kenneth"
>             certificateKeystoreFile="conf/localhost-rsa.jks"
>             certificateKeystorePassword="=NR5^vtuW_/?"
>             certificateVerification="optionalNoCA"
>             type="RSA"/>
>     </SSLHostConfig>
> </Connector>
>
> Thanks
> Ken
>
> -----Original Message-----
> From: Coty Sutherland [mailto:csutherl@apache.org]
> Sent: Monday, January 22, 2018 2:24 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Can't Get SSL to Work in 8.5
>
> On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor <ke...@dataexpress.com> wrote:
>> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We followed all the instructions in the Tomcat documentation and what help is available on the net but have been unable to get TC to startup with an SSL Connector configured.
>>
>> Here is our Connector configuration:
>>
>> <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
>> scheme="http" redirectPort="8443" secure="false"/>
>>
>> <Connector
>>     SSLEnabled="true"
>>     clientAuth="false"
>>     maxThreads="20"
>>     port="8443"
>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>     scheme="https"
>>     secure="true"
>>     sslProtocol="TLS">
>
> Remove `clientAuth="false"` and `sslProtocol="TLS"` from the Connector element and place them inside the SSLHostConfig element below. These two attributes are now SSLHostConfig attributes (even though they are allowed in the Connector because tomcat translates them to a default SSLHostConfig object initialized with those values).
> It's also noteworthy that you're using the default values for clientAuth and sslProtocol, so they aren't necessary.
>
>>         <SSLHostConfig
>>         hostName="localhost"
>
> You need an SSLHostConfig that's named _default_ for this to work (which is the default name) so remove hostName="localhost" too and this should work :)
>
> I'm going to file a BZ and see if others are interested in catching this NPE and doing something more useful with it. I'm also going to file an enhancement to remove the requirement to have a _default_ SSLHostConfig, if possible.
>
>>         protocols="TLSv1.2"
>>         sessionCacheSize="15"
>>         sessionTimeout="960">
>>          <Certificate
>>          certificateKeyAlias="localhost"
>>          certificateKeystoreFile="conf/localhost-rsa.jks"
>>          certificateKeystorePassword="=NR5^vtuW_/?"
>>          certificateVerification="optionalNoCA"
>>          type="RSA"/>
>>         </SSLHostConfig>
>>     </Connector>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
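The redirectPort behaviour described in this reply, as an added example that is not part of the thread or of Tomcat: a small audit script that re-implements the url-pattern selection rules for `<security-constraint>` in simplified form and reports, for a list of request paths, which ones a plain-HTTP request would be redirected to the SSL port for. It assumes a web.xml with only transport guarantees (no `<http-method>` filters) and uses two constructed web.xml samples: the global "Everything" constraint above, extended with a more specific `/public/*` constraint that stays on plain HTTP, and a partial constraint that reproduces the "not redirecting" symptom.

```python
"""Which paths will a Tomcat redirectPort actually send to HTTPS?

Added example, not code from the thread or from Tomcat.  It re-implements, in
simplified form, how Tomcat selects the <security-constraint> elements for a
request (exact match, else longest path-prefix match, else extension match,
else the "/" default) and its rule that a single matching constraint with
transport-guarantee NONE permits plain HTTP.  <http-method> filters are
ignored.  The two web.xml samples are constructed.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the namespace so java.sun.com and jcp.org web.xml files both parse."""
    return tag.rsplit("}", 1)[-1]


def load_constraints(web_xml):
    """Return [(url_patterns, transport_guarantee)] per <security-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text]
        guarantee = "NONE"  # no <user-data-constraint>: plain HTTP is allowed
        for e in sc.iter():
            if _local(e.tag) == "transport-guarantee" and e.text:
                guarantee = e.text.strip().upper()
        out.append((patterns, guarantee))
    return out


def _match(pattern, path):
    """Return (rank, prefix_len) if the url-pattern matches path, else None.
    Lower rank is more specific; among prefix patterns the longer prefix wins."""
    if pattern == path:
        return (0, len(path))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))
        return None
    if pattern.startswith("*."):
        name = path.rsplit("/", 1)[-1]
        return (2, 0) if name.endswith(pattern[1:]) and name != pattern[1:] else None
    return (3, 0) if pattern == "/" else None


def requires_ssl(constraints, path):
    """True if a plain-HTTP request for path would be redirected to redirectPort."""
    scored = []
    for patterns, guarantee in constraints:
        hits = [m for m in (_match(p, path) for p in patterns) if m is not None]
        if hits:
            rank, plen = min(hits, key=lambda m: (m[0], -m[1]))
            scored.append(((rank, -plen), guarantee))
    if not scored:
        return False  # no constraint applies, so nothing forces SSL
    best = min(key for key, _ in scored)
    # Tomcat checks only the most specific constraints; one NONE among them wins.
    return all(g != "NONE" for key, g in scored if key == best)


def audit(web_xml, paths):
    """Map each path to whether Tomcat would redirect it to the SSL port."""
    constraints = load_constraints(web_xml)
    return {p: requires_ssl(constraints, p) for p in paths}


# Constructed: the global "Everything" constraint from the reply, plus a more
# specific constraint that deliberately keeps /public/* on plain HTTP.
GLOBAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed: only /secure/* is constrained, which reproduces the symptom in
# the thread (a plain-HTTP request for "/" is not redirected).
PARTIAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    paths = ["/", "/app/login", "/public/index.html", "/secure/admin"]
    print("global: ", audit(GLOBAL_WEB_XML, paths))
    print("partial:", audit(PARTIAL_WEB_XML, paths))
```

Running it against a deployed application's web.xml (plus conf/web.xml) shows exactly which URLs stay on port 8080 and therefore which ones the Connector's redirectPort will never touch.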


RE: Can't Get SSL to Work in 8.5

Posted by Kenneth Taylor <ke...@dataexpress.com>.
Coty,

Thank you very much. That worked.  The only thing is it's not redirecting to SSL if you hit the regular URL.  Are we missing something?

<Connector
    connectionTimeout="20000"
    port="8080"
    protocol="HTTP/1.1"
    redirectPort="8443"
    scheme="http"
    secure="false"/>

<Connector
    SSLEnabled="true"
    maxThreads="20"
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    scheme="https"
    secure="true">
    <SSLHostConfig
        name="_default_"
        clientAuth="false"
        sslProtocol="TLS"
        protocols="TLSv1.2"
        sessionCacheSize="5"
        sessionTimeout="960">
        <Certificate
            certificateKeyAlias="dmb-kenneth"
            certificateKeystoreFile="conf/localhost-rsa.jks"
            certificateKeystorePassword="=NR5^vtuW_/?"
            certificateVerification="optionalNoCA"
            type="RSA"/>
    </SSLHostConfig>
</Connector>

Thanks
Ken

-----Original Message-----
From: Coty Sutherland [mailto:csutherl@apache.org]
Sent: Monday, January 22, 2018 2:24 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Can't Get SSL to Work in 8.5

On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor <ke...@dataexpress.com> wrote:
> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We followed all the instructions in the Tomcat documentation and what help is available on the net but have been unable to get TC to startup with an SSL Connector configured.
>
> Here is our Connector configuration:
>
> <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
> scheme="http" redirectPort="8443" secure="false"/>
>
> <Connector
>     SSLEnabled="true"
>     clientAuth="false"
>     maxThreads="20"
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>     scheme="https"
>     secure="true"
>     sslProtocol="TLS">

Remove `clientAuth="false"` and `sslProtocol="TLS"` from the Connector element and place them inside the SSLHostConfig element below. These two attributes are now SSLHostConfig attributes (even though they are allowed in the Connector because tomcat translates them to a default SSLHostConfig object initialized with those values).
It's also noteworthy that you're using the default values for clientAuth and sslProtocol, so they aren't necessary.

>         <SSLHostConfig
>         hostName="localhost"

You need an SSLHostConfig that's named _default_ for this to work (which is the default name) so remove hostName="localhost" too and this should work :)

I'm going to file a BZ and see if others are interested in catching this NPE and doing something more useful with it. I'm also going to file an enhancement to remove the requirement to have a _default_ SSLHostConfig, if possible.

>         protocols="TLSv1.2"
>         sessionCacheSize="15"
>         sessionTimeout="960">
>          <Certificate
>          certificateKeyAlias="localhost"
>          certificateKeystoreFile="conf/localhost-rsa.jks"
>          certificateKeystorePassword="=NR5^vtuW_/?"
>          certificateVerification="optionalNoCA"
>          type="RSA"/>
>         </SSLHostConfig>
>     </Connector>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org





Re: Can't Get SSL to Work in 8.5

Posted by Coty Sutherland <cs...@apache.org>.
On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor
<ke...@dataexpress.com> wrote:
> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We followed all the instructions in the Tomcat documentation and what help is available on the net but have been unable to get TC to startup with an SSL Connector configured.
>
> Here is our Connector configuration:
>
> <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" scheme="http" redirectPort="8443" secure="false"/>
>
> <Connector
>     SSLEnabled="true"
>     clientAuth="false"
>     maxThreads="20"
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>     scheme="https"
>     secure="true"
>     sslProtocol="TLS">

Remove `clientAuth="false"` and `sslProtocol="TLS"` from the
Connector element and place them inside the SSLHostConfig element
below. These two attributes are now SSLHostConfig attributes (even
though they are allowed in the Connector because tomcat translates
them to a default SSLHostConfig object initialized with those values).
It's also noteworthy that you're using the default values for
clientAuth and sslProtocol, so they aren't necessary.

>         <SSLHostConfig
>         hostName="localhost"

You need an SSLHostConfig that's named _default_ for this to work
(which is the default name) so remove hostName="localhost" too and
this should work :)

I'm going to file a BZ and see if others are interested in catching
this NPE and doing something more useful with it. I'm also going to
file an enhancement to remove the requirement to have a _default_
SSLHostConfig, if possible.

>         protocols="TLSv1.2"
>         sessionCacheSize="15"
>         sessionTimeout="960">
>          <Certificate
>          certificateKeyAlias="localhost"
>          certificateKeystoreFile="conf/localhost-rsa.jks"
>          certificateKeystorePassword="=NR5^vtuW_/?"
>          certificateVerification="optionalNoCA"
>          type="RSA"/>
>         </SSLHostConfig>
>     </Connector>
> We tried all kinds of variations of the configuration. We've run out of things to try.
> We are using a JKS keystore created in Java code using the Bouncy Castle API.  The config files are all in the correct location.
> The keystore has a private key and certificate (self-signed using BC).  Aliases & passwords are correct. Everything about the keystore looks correct.
> We tried "tomcat" as the alias (matching the entry in the keystore).  We also tried the real hostname for hostName and matched the keystore alias to it.
> Our keys are RSA 2048.
> We tried adding all the typical extensions to the CERT.
> The error above indicates that TC is looking for PEM files. Why?  We weren't using PEM files.
> So, we tried switching to using PEM files but that throws another weird error from the SecretKeyGenerator about an invalid KeyGen algorithm.
> We are specifying SHA256withRSA for KeyGen but TC is trying to use pbeWithSHAAnd2-KeyTripleDES-CBC.  This looks like a bug.
>
> Also, we have configured many security settings. For example, all of the security related Filters are configured in web.xml.
>
> TC version: 8.5.15
> OS: Windows 8.1
>
> Thanks for any help you can provide.
>
> Ken
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
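The Connector rewritten along the lines of the advice above, as an added example rather than a configuration from the thread: hostName is dropped so the SSLHostConfig becomes _default_, the SSL attributes that belong on SSLHostConfig/Certificate are no longer duplicated on the Connector, clientAuth and sslProtocol are left at their defaults, and the keystore password is a placeholder. The keystore path and alias are the ones from the original post; certificateVerification is an SSLHostConfig attribute in the 8.5 docs (not a Certificate attribute), so it is shown there.

```xml
<!-- Added example: corrected 8.5 HTTPS connector (not the poster's config) -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="20"
           SSLEnabled="true"
           scheme="https"
           secure="true">
    <!-- No hostName attribute: this SSLHostConfig is therefore named
         _default_, which the connector needs in order to initialise. -->
    <SSLHostConfig protocols="TLSv1.2"
                   sessionCacheSize="15"
                   sessionTimeout="960"
                   certificateVerification="none">
        <!-- JKS keystore from the original post; password is a placeholder
             to be replaced with the real keystore password. -->
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER"
                     certificateKeyAlias="localhost"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```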