You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Arun John (arujohn)" <ar...@cisco.com> on 2012/07/06 11:04:50 UTC
Possible issue with Tomcat 7.0.27 SSL keystore configuration
Hi Team,
I am currently facing an issue with SSL configuration in Tomcat 7.0.27. I have one keystore with three private keys to be used by different components . The password I am using for the keystore file is "changed". The requirement is such that I should be using three different password for the three private keys I store in my keystore. I have configured my server.xml to allow https connections, basically modified the connectors.
<Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias ="adminuicert" keystoreFile="bin/.keystore" keystorePass="changed"/>
I am running into an issue here. When I configure different key passwords for my private keys different from my keystore password I am running into an exception saying it cannot recover the key. I have attached the catalina log. I am not finding a way to provide the private key password in the server.xml
When I googled, I found that in Tomcat 5.5 it was not possible and found the below bug. Not sure whether the bug is fixed in latest release
https://issues.apache.org/bugzilla/show_bug.cgi?id=38217
It says that if any of the passphrase is different, it cannot recover the key. Also it says that tomcat treats the keypass and keystorePass as the same. I also tried setting the adminuicert keyAlias with the same password as the keystore. Even then it is not working.
Right now I am clueless on how to fix the issue. It would be of great help, if someone can help me with a solution/workaround
Regards,
Arun
RE: Possible issue with Tomcat 7.0.27 SSL keystore configuration
Posted by "Arun John (arujohn)" <ar...@cisco.com>.
Found some issue in attaching a log file. So copying the stack trace I am getting
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-7443"]
java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:380)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:576)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
... 19 more
Jul 6, 2012 2:28:11 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-7443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-7443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:958)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:380)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
... 13 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:576)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
Regards,
Arun
From: Arun John (arujohn) [mailto:arujohn@cisco.com]
Sent: Friday, July 06, 2012 2:35 PM
To: users@tomcat.apache.org
Subject: Possible issue with Tomcat 7.0.27 SSL keystore configuration
Hi Team,
I am currently facing an issue with SSL configuration in Tomcat 7.0.27. I have one keystore with three private keys to be used by different components . The password I am using for the keystore file is "changed". The requirement is such that I should be using three different password for the three private keys I store in my keystore. I have configured my server.xml to allow https connections, basically modified the connectors.
<Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias ="adminuicert" keystoreFile="bin/.keystore" keystorePass="changed"/>
I am running into an issue here. When I configure different key passwords for my private keys different from my keystore password I am running into an exception saying it cannot recover the key. I have attached the catalina log. I am not finding a way to provide the private key password in the server.xml
When I googled, I found that in Tomcat 5.5 it was not possible and found the below bug. Not sure whether the bug is fixed in latest release
https://issues.apache.org/bugzilla/show_bug.cgi?id=38217
It says that if any of the passphrase is different, it cannot recover the key. Also it says that tomcat treats the keypass and keystorePass as the same. I also tried setting the adminuicert keyAlias with the same password as the keystore. Even then it is not working.
Right now I am clueless on how to fix the issue. It would be of great help, if someone can help me with a solution/workaround
Regards,
Arun
RE: Possible issue with Tomcat 7.0.27 SSL keystore configuration
Posted by "Arun John (arujohn)" <ar...@cisco.com>.
Thanks Kolinko!!
Does anyone knows of such a smarter keystore implementation or a better way to accomplish this.
It would be of great help if someone could help me here
Regards,
Arun
-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
Sent: Friday, July 06, 2012 11:13 PM
To: Tomcat Users List
Subject: Re: Possible issue with Tomcat 7.0.27 SSL keystore configuration
2012/7/6 Arun John (arujohn) <ar...@cisco.com>:
> Hi Mark,
>
> Thanks for your quick response.
>
> I should have been a little more clear. That snip was copied when I had only one key entry in my keystore and both the passwords were the same.
>
> Now coming to the actual issue. As long as there is only one key in
> the keystore, it works perfectly fine and I can provide different
> passwords for keystore and private key using keystorePass and keyPass
> options and it works flawlessly. But the issue seems to be happening
> when I have multiple key entries and that I store those key entries
> using different passwords. Then it throws the error
>
> For eg :
>
> I have a keystore named servercerts. The keystore password is "changed"
> In the keystore, I have 3 private keys (tomcatcert, adminuicert,
> wscert) The password for tomcatcert is "fortomcat"
> The password for adminuicert is "foradminui"
> The password for wscert is "forwebserver"
>
> Now I configured my server.xml to be
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" keyAlias ="adminuicert" keyPass="foradminui"
> keystoreFile="bin/servercerts" keystorePass="changed"/>
>
> Then when I start my tomcat, I run into this error. To be specific, with single key entry in the keystore everything works fine. With multiple key entries and different passwords, it throws the error.
>
> Am I missing something here. Can you confirm whether it works fine in the above scenario. I use jdk1.6.0_32 to generate the keystore.
>
> Regards,
> Arun
>
>
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Friday, July 06, 2012 3:55 PM
> To: Tomcat Users List
> Subject: Re: Possible issue with Tomcat 7.0.27 SSL keystore
> configuration
>
> On 06/07/2012 10:04, Arun John (arujohn) wrote:
>> Hi Team,
>>
>> I am currently facing an issue with SSL configuration in Tomcat
>> 7.0.27. I have one keystore with three private keys to be used by
>> different components . The password I am using for the keystore file
>> is "changed". The requirement is such that I should be using three
>> different password for the three private keys I store in my keystore.
>> I have configured my server.xml to allow https connections, basically
>> modified the connectors.
>>
>> <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true" clientAuth="false"
>> sslProtocol="TLS" keyAlias ="adminuicert"
>> keystoreFile="bin/.keystore" keystorePass="changed"/>
>
> You have not specified the password for the key. Why would you expect this to work?
>
>> I am running into an issue here. When I configure different key
>> passwords for my private keys different from my keystore password I
>> am running into an exception saying it cannot recover the key. I have
>> attached the catalina log. I am not finding a way to provide the
>> private key password in the server.xml
Looking at the code where exception comes from, in JSSESocketFactory#getKeyManagers(...)
[[[
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
String keyPass = endpoint.getKeyPass();
if (keyPass == null) {
keyPass = keystorePass;
}
kmf.init(ks, keyPass.toCharArray());
kms = kmf.getKeyManagers();
]]]
The "kmf.init(..)" call to Java API fails. At this point the key alias has not come into play yet.
Looking at implementation of the Java APIs mentioned in your stacktrace, I should say that this is limitation of those. This Sun implementation of KeyManagerFactory iterates over all keys of keystore, creating a Key for each and initializing some internal hashtable. As you encountered, it fails fatally if any of the keys is not readable with the provided password.
The call to kmf.init(..) cannot be avoided, as the key manager factory is unusable without it.
Maybe it is possible to find more clever implementation of KeyManagerFactory somewhere that does not read the keys that it does not need. Or a different implementation of KeyStore, that serves as a proxy and hides unneeded keys in KeyStore#aliases() enumeration.
Anyway, the easiest workaround at this point is to use 3 different keystores each containing a single key. The path to keystore is configurable, as you may note.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Possible issue with Tomcat 7.0.27 SSL keystore configuration
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/7/6 Arun John (arujohn) <ar...@cisco.com>:
> Hi Mark,
>
> Thanks for your quick response.
>
> I should have been a little more clear. That snip was copied when I had only one key entry in my keystore and both the passwords were the same.
>
> Now coming to the actual issue. As long as there is only one key in the keystore, it works perfectly fine and I can provide different passwords for keystore and private key using keystorePass and keyPass options and it works flawlessly. But the issue seems to be happening when I have multiple key entries and that I store those key entries using different passwords. Then it throws the error
>
> For eg :
>
> I have a keystore named servercerts. The keystore password is "changed"
> In the keystore, I have 3 private keys (tomcatcert, adminuicert, wscert)
> The password for tomcatcert is "fortomcat"
> The password for adminuicert is "foradminui"
> The password for wscert is "forwebserver"
>
> Now I configured my server.xml to be
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" keyAlias ="adminuicert" keyPass="foradminui"
> keystoreFile="bin/servercerts" keystorePass="changed"/>
>
> Then when I start my tomcat, I run into this error. To be specific, with single key entry in the keystore everything works fine. With multiple key entries and different passwords, it throws the error.
>
> Am I missing something here. Can you confirm whether it works fine in the above scenario. I use jdk1.6.0_32 to generate the keystore.
>
> Regards,
> Arun
>
>
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Friday, July 06, 2012 3:55 PM
> To: Tomcat Users List
> Subject: Re: Possible issue with Tomcat 7.0.27 SSL keystore configuration
>
> On 06/07/2012 10:04, Arun John (arujohn) wrote:
>> Hi Team,
>>
>> I am currently facing an issue with SSL configuration in Tomcat
>> 7.0.27. I have one keystore with three private keys to be used by
>> different components . The password I am using for the keystore file
>> is "changed". The requirement is such that I should be using three
>> different password for the three private keys I store in my keystore.
>> I have configured my server.xml to allow https connections, basically
>> modified the connectors.
>>
>> <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true" clientAuth="false"
>> sslProtocol="TLS" keyAlias ="adminuicert"
>> keystoreFile="bin/.keystore" keystorePass="changed"/>
>
> You have not specified the password for the key. Why would you expect this to work?
>
>> I am running into an issue here. When I configure different key
>> passwords for my private keys different from my keystore password I am
>> running into an exception saying it cannot recover the key. I have
>> attached the catalina log. I am not finding a way to provide the
>> private key password in the server.xml
Looking at the code where exception comes from,
in JSSESocketFactory#getKeyManagers(...)
[[[
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
String keyPass = endpoint.getKeyPass();
if (keyPass == null) {
keyPass = keystorePass;
}
kmf.init(ks, keyPass.toCharArray());
kms = kmf.getKeyManagers();
]]]
The "kmf.init(..)" call to Java API fails. At this point the key alias
has not come into play yet.
Looking at implementation of the Java APIs mentioned in your
stacktrace, I should say that this is limitation of those. This Sun
implementation of KeyManagerFactory iterates over all keys of
keystore, creating a Key for each and initializing some internal
hashtable. As you encountered, it fails fatally if any of the keys is
not readable with the provided password.
The call to kmf.init(..) cannot be avoided, as the key manager factory
is unusable without it.
Maybe it is possible to find more clever implementation of
KeyManagerFactory somewhere that does not read the keys that it does
not need. Or a different implementation of KeyStore, that serves as a
proxy and hides unneeded keys in KeyStore#aliases() enumeration.
Anyway, the easiest workaround at this point is to use 3 different
keystores each containing a single key. The path to keystore is
configurable, as you may note.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Possible issue with Tomcat 7.0.27 SSL keystore configuration
Posted by "Arun John (arujohn)" <ar...@cisco.com>.
Hi Mark,
Thanks for your quick response.
I should have been a little more clear. That snip was copied when I had only one key entry in my keystore and both the passwords were the same.
Now coming to the actual issue. As long as there is only one key in the keystore, it works perfectly fine and I can provide different passwords for keystore and private key using keystorePass and keyPass options and it works flawlessly. But the issue seems to be happening when I have multiple key entries and that I store those key entries using different passwords. Then it throws the error
For eg :
I have a keystore named servercerts. The keystore password is "changed"
In the keystore, I have 3 private keys (tomcatcert, adminuicert, wscert)
The password for tomcatcert is "fortomcat"
The password for adminuicert is "foradminui"
The password for wscert is "forwebserver"
Now I configured my server.xml to be
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" keyAlias ="adminuicert" keyPass="foradminui"
keystoreFile="bin/servercerts" keystorePass="changed"/>
Then when I start my tomcat, I run into this error. To be specific, with single key entry in the keystore everything works fine. With multiple key entries and different passwords, it throws the error.
Am I missing something here. Can you confirm whether it works fine in the above scenario. I use jdk1.6.0_32 to generate the keystore.
Regards,
Arun
-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Friday, July 06, 2012 3:55 PM
To: Tomcat Users List
Subject: Re: Possible issue with Tomcat 7.0.27 SSL keystore configuration
On 06/07/2012 10:04, Arun John (arujohn) wrote:
> Hi Team,
>
> I am currently facing an issue with SSL configuration in Tomcat
> 7.0.27. I have one keystore with three private keys to be used by
> different components . The password I am using for the keystore file
> is "changed". The requirement is such that I should be using three
> different password for the three private keys I store in my keystore.
> I have configured my server.xml to allow https connections, basically
> modified the connectors.
>
> <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" keyAlias ="adminuicert"
> keystoreFile="bin/.keystore" keystorePass="changed"/>
You have not specified the password for the key. Why would you expect this to work?
> I am running into an issue here. When I configure different key
> passwords for my private keys different from my keystore password I am
> running into an exception saying it cannot recover the key. I have
> attached the catalina log. I am not finding a way to provide the
> private key password in the server.xml
Then read the Tomcat 7 documentation.
> When I googled, I found that in Tomcat 5.5 it was not possible and
> found the below bug. Not sure whether the bug is fixed in latest
> release https://issues.apache.org/bugzilla/show_bug.cgi?id=38217
That is a 5+ year old bug against a version of the software 2 major versions earlier than the one you are using. What do you think the chances are of it being relevant here? Hint: If you had read the HTTP SSL configuration documentation for Tomcat 7 you would know the answer to that question.
<snip />
> Right now I am clueless
Clue may be found by reading the documentation for the version of the software you are trying to use.
> on how to fix the issue. It would be of great help, if someone can
> help me with a solution/workaround
Read the documentation.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Possible issue with Tomcat 7.0.27 SSL keystore configuration
Posted by Mark Thomas <ma...@apache.org>.
On 06/07/2012 10:04, Arun John (arujohn) wrote:
> Hi Team,
>
> I am currently facing an issue with SSL configuration in Tomcat
> 7.0.27. I have one keystore with three private keys to be used by
> different components . The password I am using for the keystore file
> is "changed". The requirement is such that I should be using three
> different password for the three private keys I store in my keystore.
> I have configured my server.xml to allow https connections, basically
> modified the connectors.
>
> <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" keyAlias ="adminuicert"
> keystoreFile="bin/.keystore" keystorePass="changed"/>
You have not specified the password for the key. Why would you expect
this to work?
> I am running into an issue here. When I configure different key
> passwords for my private keys different from my keystore password I
> am running into an exception saying it cannot recover the key. I have
> attached the catalina log. I am not finding a way to provide the
> private key password in the server.xml
Then read the Tomcat 7 documentation.
> When I googled, I found that in Tomcat 5.5 it was not possible and
> found the below bug. Not sure whether the bug is fixed in latest
> release https://issues.apache.org/bugzilla/show_bug.cgi?id=38217
That is a 5+ year old bug against a version of the software 2 major
versions earlier than the one you are using. What do you think the
chances are of it being relevant here? Hint: If you had read the HTTP
SSL configuration documentation for Tomcat 7 you would know the answer
to that question.
<snip />
> Right now I am clueless
Clue may be found by reading the documentation for the version of the
software you are trying to use.
> on how to fix the issue. It would be of great help, if
> someone can help me with a solution/workaround
Read the documentation.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org