Posted to users@tomcat.apache.org by Rob Tanner <rt...@linfield.edu> on 2007/09/14 01:25:25 UTC

Having security (SSL) issues moving tomcat from one host computer to another

Hi,

I'm wondering if anyone has ever seen this and how they fixed it.  I have 
a production tomcat server (v5.5.23) that I need to move to another host 
system.  I copied over the full installation and made sure I was using 
the same version of the runtime (jdk1.5.0_03).  But when I try to access 
a secured page on the new host, it fails and I get the following stack 
trace in tomcat.log:


DEBUG http-10.171.255.17-443-Processor25 org.apache.tomcat.util.net.PoolTcpEndpoint - Handshake failed
javax.net.ssl.SSLException: Error generating DH server key exchange
        at com.sun.net.ssl.internal.ssl.Handshaker.throwSSLException(Handshaker.java:907)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:556)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:595)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPrivateCrtKeyImpl
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1059)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
        at java.security.Signature.initSign(Signature.java:503)
        at com.sun.net.ssl.internal.ssl.HandshakeMessage$DH_ServerKeyExchange.<init>(HandshakeMessage.java:671)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:550)
        ... 11 more
Caused by: java.security.NoSuchAlgorithmException: NONEwithRSA Signature not available
        at java.security.Signature.getInstance(Signature.java:208)
        at com.sun.net.ssl.internal.ssl.JsseJce.getSignature(JsseJce.java:104)
        at com.sun.net.ssl.internal.ssl.RSASignature.<init>(RSASignature.java:45)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
        at java.lang.Class.newInstance0(Class.java:350)
        at java.lang.Class.newInstance(Class.java:303)
        at java.security.Provider$Service.newInstance(Provider.java:1075)
        at java.security.Signature$Delegate.newInstance(Signature.java:941)
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1035)
        ... 15 more

The JDKs on both the current production host system (which works) and 
the host I'm moving to are identical (I double checked 
security.providers in jre/lib/security/java.security), and just in case I 
screwed up the certificate, I went to Thawte and reissued it.  The 
reference above to NONEwithRSA makes no sense to me.  The certificate is 
a PKCS#7 chain and the signature algorithms are SHA1withRSA and 
MD5withRSA.  Where does the NONEwithRSA come from?

The only difference between the two host machines is the OS.  The 
current production machine is RedHat v9 (just a bit out of date) and the 
new box is running Fedora Core 7.  I don't know whether that's a 
difference that makes a difference or not, but I thought I would mention 
it anyway.

I've been hitting my head against a wall for two days now, and I need 
SSL working before I can switch over to the new box.  As you can well 
imagine, this is driving me crazy.  Any ideas?

Thanks,
Rob


-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
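A diagnostic to run on both hosts, added here as an example and not part of the original thread: it repeats the lookups the handshake in the trace performs (Signature.getInstance for the certificate's algorithms and for NONEwithRSA, then initSign with an RSA private key) and prints which provider, if any, services each, so the output can be compared between the working and the failing JDK. The RSA key pair is generated in memory as a constructed stand-in for the keystore key, which the post does not name.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Reproduces the Signature lookups JSSE makes when it builds a
// DH_ServerKeyExchange signed with an RSA certificate key, so the two hosts'
// provider configurations can be diffed instead of guessed at.
public class JsseSignatureCheck {

    // The algorithms named in the post: the two from the certificate chain and
    // the raw one that JsseJce.getSignature asks for in the stack trace.
    private static final String[] ALGORITHMS = {
        "SHA1withRSA", "MD5withRSA", "NONEwithRSA"
    };

    public static void main(String[] args) throws Exception {
        System.out.println("Installed providers (in preference order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }

        // Constructed in-memory key: on a Sun JDK this yields the same key
        // class (sun.security.rsa.RSAPrivateCrtKeyImpl) that the
        // InvalidKeyException in the trace complains about.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        System.out.println("Private key class: " + kp.getPrivate().getClass().getName());

        for (String alg : ALGORITHMS) {
            try {
                Signature sig = Signature.getInstance(alg);
                // initSign is where the trace fails: provider selection is
                // deferred until the key is supplied, so getInstance alone
                // succeeding does not prove the algorithm is usable.
                sig.initSign(kp.getPrivate());
                System.out.println(alg + ": OK via provider " + sig.getProvider().getName());
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + ": NOT AVAILABLE (" + e.getMessage() + ")");
            } catch (InvalidKeyException e) {
                System.out.println(alg + ": key rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with the same JDK binary Tomcat uses on each host; a line reading "NONEwithRSA: NOT AVAILABLE" on the new box alone points at that JRE's provider set rather than at the certificate.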