Posted to users@tomcat.apache.org by "Kebret, Michael" <Mi...@wellsfargo.com.INVALID> on 2024/02/09 02:54:46 UTC
Tomcat Instance unable to connect to DB with TCPS
Tomcat version 9.0.83 running on Linux redhat 7 java 11.0.20.
When changing the protocol from TCP to TCPS in Catalina.properties and in server.xml, where we have the attribute truststorePassword= (tested with both a cleartext and an encrypted password), the connection to the DB is refused and we get the exceptions below. However, when we add -Djavax.net.ssl.trustStorePassword=cleartext to setenv.sh, the connection is made successfully. I wanted to see if anyone has faced something similar or has any suggestions on how I can get TCPS working without having to use the -D option in setenv.sh.
java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
at oracle.ucp.util.UCPErrorHandler.newSQLException(UCPErrorHandler.java:456)
at oracle.ucp.util.UCPErrorHandler.throwSQLException(UCPErrorHandler.java:133)
at oracle.ucp.jdbc.PoolDataSourceImpl.startPool(PoolDataSourceImpl.java:928)
at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:1961)
at oracle.ucp.jdbc.PoolDataSourceImpl.access$400(PoolDataSourceImpl.java:201)
at oracle.ucp.jdbc.PoolDataSourceImpl$31.build(PoolDataSourceImpl.java:4279)
at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:1917)
at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:1880)
at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:1865)
at com.wellsfargo.trust.SampleTrust.SampleTrust.doGet(SampleTrust.java:49)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:529)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.valves.StuckThreadDetectionValve.invoke(StuckThreadDetectionValve.java:185)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:765)
at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:355)
at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:54)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
at oracle.ucp.util.UCPErrorHandler.newUniversalConnectionPoolException(UCPErrorHandler.java:336)
at oracle.ucp.util.UCPErrorHandler.throwUniversalConnectionPoolException(UCPErrorHandler.java:59)
at oracle.ucp.jdbc.oracle.OracleDataSourceConnectionFactoryAdapter.createConnection(OracleDataSourceConnectionFactoryAdapter.java:134)
at oracle.ucp.common.Database.createPooledConnection(Database.java:256)
at oracle.ucp.common.Topology.start(Topology.java:247)
at oracle.ucp.common.Core.start(Core.java:2313)
at oracle.ucp.common.UniversalConnectionPoolBase.start(UniversalConnectionPoolBase.java:685)
at oracle.ucp.jdbc.oracle.OracleJDBCConnectionPool.start(OracleJDBCConnectionPool.java:129)
at oracle.ucp.jdbc.PoolDataSourceImpl.startPool(PoolDataSourceImpl.java:924)
... 38 more
Caused by: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:854)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:793)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:57)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:747)
at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:406)
at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:291)
at oracle.jdbc.pool.OracleDataSource$1.build(OracleDataSource.java:1683)
at oracle.jdbc.pool.OracleDataSource$1.build(OracleDataSource.java:1669)
at oracle.ucp.jdbc.oracle.OracleDataSourceConnectionFactoryAdapter.createConnection(OracleDataSourceConnectionFactoryAdapter.java:103)
... 44 more
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:571)
at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:548)
at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:682)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:309)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1596)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:588)
... 52 more
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:346)
at oracle.net.nt.CustomSSLSocketFactory.getSSLContext(CustomSSLSocketFactory.java:307)
at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:273)
at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:174)
at oracle.net.nt.ConnOption.connect(ConnOption.java:174)
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:510)
... 57 more
Caused by: oracle.net.ns.NetException: Unable to initialize the trust store.
at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:658)
at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:335)
... 62 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:795)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at oracle.net.nt.CustomSSLSocketFactory.loadFileBasedKeyStore(CustomSSLSocketFactory.java:924)
at oracle.net.nt.CustomSSLSocketFactory.loadKeyStore(CustomSSLSocketFactory.java:908)
at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:648)
... 63 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:793)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat Instance unable to connect to DB with TCPS
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Michael,
On 2/8/24 21:54, Kebret, Michael wrote:
> Tomcat version 9.0.83 running on Linux redhat 7 java 11.0.20.
>
> When changing the protocol from TCP to TCPS in Catalina.properties
> and in server.xml we have attribute truststorePassword= (tested with
> both cleartext and encrypted) password connection is refused to the
> DB and get the below exceptions. However, when we add
> -Djavax.net.ssl.trustStorePassword=cleartext to setenv.sh the
> connection is made successfully. Wanted to see if anyone has faced
> something similar or have any suggestions on how I can get TCPS
> working without having to use -D option in setenv.sh
>
> java.sql.SQLException: Unable to start the Universal Connection Pool:
> oracle.ucp.UniversalConnectionPoolException: Cannot get Connection
> from Datasource: java.sql.SQLRecoverableException: IO Error: The
> Network Adapter could not establish the connection
You probably do not want to set a JVM-wide default trust store password.
Instead, you probably want to use your JDBC connection URL to pass the
trust store location and password directly to the driver.
Something like
jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE?truststore=/etc/myapp/db.p12&trustStorePassword=changeit
Have a look at
https://docs.oracle.com/cd/E13222_01/wls/docs81/jdbc_drivers/oracle.html#1066413
for inspiration. I'm not sure if this is the driver you are using or not.
I don't see anything in there that applies. :(
Perhaps Oracle's driver really does require that you use JVM-wide trust
store and password? Super-yuck.
-chris
Re: Tomcat Instance unable to connect to DB with TCPS
Posted by Roberto Benedetti <ro...@dedalus.eu>.
Hello,
it seems you have changed the default Java trust store, so you also need to provide its password.
You should provide more info about your requirements:
- server authentication only or client authentication too (mTLS in Oracle documentation)?
- which version of ucp/ojdbc are you using (Oracle adds features over time)?
In my experience if you only need server authentication and you are using driver version 11.2 or later, the only configuration required is:
- change protocol and port in the URL or tnsnames.ora file
- add the certificate of root (issuer) CA to Java trust store
If you are using a Java version provided by RedHat then adding the certificate is as simple as copying the certificate file to /usr/share/pki/ca-trust-source/anchors/ and running update-ca-trust [1].
If client authentication (mTLS) is required then you must prepare a wallet and add extra jars to your deployment [2].
Roberto
[1] https://access.redhat.com/documentation/it-it/red_hat_enterprise_linux/7/html/security_guide/sec-shared-system-certificates
[2] https://docs.oracle.com/en/database/oracle/oracle-database/19/jjdbc/client-side-security.html#GUID-2BD2F189-A58C-4A85-8524-CFD9BB9AC575
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Friday, 9 February 2024 10:09
To: users@tomcat.apache.org
Subject: Re: Tomcat Instance unable to connect to DB with TCPS
On 09/02/2024 02:54, Kebret, Michael wrote:
> Tomcat version 9.0.83 running on Linux redhat 7 java 11.0.20.
>
> When changing the protocol from TCP to TCPS in Catalina.properties and in server.xml we have attribute truststorePassword= (tested with both cleartext and encrypted) password connection is refused to the DB and get the below exceptions.
It isn't clear what configuration you are using. Please provide both the non-TLS and TLS configurations.
> However, when we add -Djavax.net.ssl.trustStorePassword=cleartext to
> setenv.sh the connection is made successfully. Wanted to see if anyone
> has faced something similar or have any suggestions on how I can get
> TCPS working without having to use -D option in setenv.sh
My reading of [1] is that the property name is "javax.net.ssl.trustStorePassword" whether it is set as a connection property or as a system property. You seem to be using a connection property of "truststorePassword" which is a Tomcat property for HTTPS connections.
Mark
[1] https://www.oracle.com/docs/tech/wp-oracle-jdbc-thin-ssl.pdf
Re: Tomcat Instance unable to connect to DB with TCPS
Posted by Mark Thomas <ma...@apache.org>.
On 09/02/2024 02:54, Kebret, Michael wrote:
> Tomcat version 9.0.83 running on Linux redhat 7 java 11.0.20.
>
> When changing the protocol from TCP to TCPS in Catalina.properties and in server.xml we have attribute truststorePassword= (tested with both cleartext and encrypted) password connection is refused to the DB and get the below exceptions.
It isn't clear what configuration you are using. Please provide both the
non-TLS and TLS configurations.
> However, when we add -Djavax.net.ssl.trustStorePassword=cleartext to setenv.sh the connection is made successfully. Wanted to see if anyone has faced something similar or have any suggestions on how I can get TCPS working without having to use -D option in setenv.sh
My reading of [1] is that the property name is
"javax.net.ssl.trustStorePassword" whether it is set as a connection
property or as a system property. You seem to be using a connection
property of "truststorePassword" which is a Tomcat property for HTTPS
connections.
Mark
[1] https://www.oracle.com/docs/tech/wp-oracle-jdbc-thin-ssl.pdf
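An added example (not code from anyone in this thread) putting Mark's and Chris's points together: the trust store location and password go to the Oracle thin driver as connection properties under the javax.net.ssl.* names, scoped to one UCP pool, instead of a JVM-wide -D in setenv.sh. The URL, paths, user name and environment variable names are assumed placeholders; the pre-flight KeyStore.load reproduces the "Keystore was tampered with, or password was incorrect" check from the trace before the driver ever tries to connect.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.sql.Connection;
import java.util.Properties;

import oracle.ucp.jdbc.PoolDataSource;
import oracle.ucp.jdbc.PoolDataSourceFactory;

/** Per-pool TCPS trust configuration for the Oracle thin driver (all values below are assumed). */
public class TcpsDataSource {

    // Assumed host/port/service; a TNS-style URL selects TCPS explicitly rather than via catalina.properties.
    static final String URL = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
            + "(HOST=db.example.internal)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orclpdb)))";
    static final String TRUST_STORE = "/etc/myapp/db-truststore.jks";   // assumed path, JKS format

    /** Fail fast with a clear message if the password does not open the trust store. */
    static void checkTrustStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // bad password -> "Keystore was tampered with, or password was incorrect"
        }
        if (ks.size() == 0) {
            throw new IllegalStateException("trust store holds no CA certificates: " + path);
        }
    }

    static PoolDataSource build(String dbUser, String dbPassword, char[] trustPassword) throws Exception {
        checkTrustStore(TRUST_STORE, "JKS", trustPassword);

        // Driver property names; "truststorePassword" is a Tomcat HTTPS connector attribute the driver ignores.
        Properties props = new Properties();
        props.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        props.setProperty("javax.net.ssl.trustStorePassword", new String(trustPassword));
        props.setProperty("oracle.net.ssl_server_dn_match", "true");   // also check the server DN, not only the chain

        PoolDataSource pds = PoolDataSourceFactory.getPoolDataSource();
        pds.setConnectionFactoryClassName("oracle.jdbc.pool.OracleDataSource");
        pds.setURL(URL);
        pds.setUser(dbUser);
        pds.setPassword(dbPassword);
        pds.setConnectionProperties(props);   // scoped to this pool only, no JVM-wide default
        return pds;
    }

    public static void main(String[] args) throws Exception {
        // Secrets are read from the environment here (assumed variable names) rather than from a -D flag.
        PoolDataSource pds = build("app_user", System.getenv("DB_PASSWORD"),
                System.getenv("TRUST_PASSWORD").toCharArray());
        try (Connection c = pds.getConnection()) {
            System.out.println("connected over TCPS to " + c.getMetaData().getDatabaseProductVersion());
        }
    }
}
```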