Posted to users@tomcat.apache.org by Rob Tanner <rt...@linfield.edu> on 2007/09/14 01:25:25 UTC
Having security (SSL) issues moving tomcat from one host computer to another
Hi,
I'm wondering if anyone has ever seen this and how they fixed it. I have
a production tomcat server (v5.5.23) that I need to move to another host
system. I copied over the full installation and made sure I was using
the same version of the runtime (jdk1.5.0_03). But when I try to access
a secured page on the new host it fails and I get the following
StackTrace in tomcat.log:
DEBUG http-10.171.255.17-443-Processor25 org.apache.tomcat.util.net.PoolTcpEndpoint - Handshake failed
javax.net.ssl.SSLException: Error generating DH server key exchange
    at com.sun.net.ssl.internal.ssl.Handshaker.throwSSLException(Handshaker.java:907)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:556)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:595)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPrivateCrtKeyImpl
    at java.security.Signature$Delegate.chooseProvider(Signature.java:1059)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
    at java.security.Signature.initSign(Signature.java:503)
    at com.sun.net.ssl.internal.ssl.HandshakeMessage$DH_ServerKeyExchange.<init>(HandshakeMessage.java:671)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:550)
    ... 11 more
Caused by: java.security.NoSuchAlgorithmException: NONEwithRSA Signature not available
    at java.security.Signature.getInstance(Signature.java:208)
    at com.sun.net.ssl.internal.ssl.JsseJce.getSignature(JsseJce.java:104)
    at com.sun.net.ssl.internal.ssl.RSASignature.<init>(RSASignature.java:45)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
    at java.lang.Class.newInstance0(Class.java:350)
    at java.lang.Class.newInstance(Class.java:303)
    at java.security.Provider$Service.newInstance(Provider.java:1075)
    at java.security.Signature$Delegate.newInstance(Signature.java:941)
    at java.security.Signature$Delegate.chooseProvider(Signature.java:1035)
    ... 15 more
The JDKs on both the current production host system (which works) and
the host I'm moving to are identical (I double checked
security.providers in jre/lib/security/java.security) and, just in case I
had screwed up the certificate, I went to Thawte and reissued it. The
reference above to NONEwithRSA makes no sense to me. The certificate is
a PKCS#7 chain and the signature algorithms are SHA1withRSA and
MD5withRSA. Where does the NONEwithRSA come from?
The only difference between the two host machines is the OS. The
current production machine is RedHat v9 (just a bit out of date) and the
new box is running Fedora Core 7. I don't know whether that's a
difference that makes a difference or not, but I thought I would mention
it anyway.
I've been hitting my head against a wall for two days now, and I need
SSL working before I can switch over to the new box. As you can well
imagine, this is driving me crazy. Any ideas?
Thanks,
Rob
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
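An added diagnostic (not from the poster or from Tomcat) that reproduces the failing step in the trace outside the container: it lists the providers the JVM actually loaded, asks for a NONEwithRSA Signature (the raw-RSA signature the DH_ServerKeyExchange message uses) and calls initSign with an RSA private key, which is exactly the call that threw above. The class name and the 1024-bit test key are assumptions chosen for this example; run it with the same `java` binary Tomcat uses on each host and compare the output.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Hypothetical helper class; name chosen for this example.
public class CheckNoneWithRsa {

    // Print the providers this JVM really loaded, in the order given by
    // security.provider.N in jre/lib/security/java.security. Comparing the
    // file on two hosts does not show a provider whose class failed to load.
    public static void listProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = "
                + providers[i].getName() + " " + providers[i].getVersion());
        }
    }

    // Repeat the two steps from the stack trace: obtain a NONEwithRSA
    // Signature, then initialise it for signing with an RSA private key.
    // Returns the name of the provider that supplied the Signature, or null.
    public static String checkNoneWithRsa() {
        try {
            Signature sig = Signature.getInstance("NONEwithRSA");
            // Constructed throwaway key; a generated RSA key is enough to
            // exercise the same code path as the server's keystore entry.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(1024);
            KeyPair kp = kpg.generateKeyPair();
            sig.initSign(kp.getPrivate());   // threw InvalidKeyException in the trace
            return sig.getProvider().getName();
        } catch (Exception e) {
            System.out.println("NONEwithRSA not usable here: " + e);
            return null;
        }
    }

    public static void main(String[] args) {
        listProviders();
        String provider = checkNoneWithRsa();
        System.out.println(provider == null
            ? "FAIL: DH_RSA key exchange would fail on this JVM"
            : "OK: NONEwithRSA supplied by " + provider);
    }
}
```

If the working host prints a provider name and the new host prints the exception, diff the list of loaded providers first, since a provider entry that is present in java.security but whose jar or native library is missing on the new OS is silently skipped.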