You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Timothy Resh <mr...@gmail.com> on 2024/03/19 18:18:14 UTC
PKCS#8 encryption algorithm unrecognized
<Conneector ........
SSLProtocol="TLSv1.2"
SSLCipherSuite="-ALL
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
SSLVerifyClient="optional"
SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
SSLCACertificatePath="C:\Certificates\CA\"
>
where the ..... is the fqdn
This works fine *until* Tomcat 9.0.83 and now we get the following listed
below. I have read some of the
https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
help.
The certificates are being created using openssl 3.013. Please note the
encrypted password to the p12 keystore. There was a message saying this
was going to be fixed in a January release.
I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT
IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
Does anyone have some suggestions for a fix?
Thanks Mark Resh
15-Mar-2024 18:27:37.621 WARNING [main]
org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
[ciphers] attribute in a manner consistent with the latest OpenSSL
development branch. Some of the specified [ciphers] are not supported by
the configured SSL engine for this connector (which may use JSSE or an
older OpenSSL version) and have been skipped:
[[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
15-Mar-2024 18:27:37.636 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at
org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
... 13 more
Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at
org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
at
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
at
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
at
org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
... 19 more
15-Mar-2024 18:27:37.636 INFO [main]
org.apache.catalina.startup.Catalina.load Server initialization in [1655]
milliseconds
Re: PKCS#8 encryption algorithm unrecognized
Posted by Timothy Resh <mr...@gmail.com>.
Java is 1.8.0_391
On Thu, Apr 4, 2024 at 1:35 PM Timothy Resh <mr...@gmail.com> wrote:
> I got the Object ID and version straight out of the Certificate using
> Keystore Explorer. I'm not sure why there is a difference.
>
> The "\" is because I manually deleted the beginning part of the path.
> It's correct in the actual file.
>
> Java is 1.8.
>
> On Wed, Apr 3, 2024 at 6:11 PM Konstantin Kolinko <kn...@gmail.com>
> wrote:
>
>> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
>> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
>> recognised
>>
>> If I google for the above hex number, it finds the following:
>>
>> '2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
>> pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)
>>
>> (actually a comment in some random source file, but it explains what
>> the value is).
>>
>> If I manually decode that value, thanks to
>> https://stackoverflow.com/a/24720842
>> I get the same value:
>>
>> 2a = 42 = 1 * 40 + 2 -> "1.2"
>> 8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
>> 86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
>> + 13 = 113549
>> 01 = 1
>> 0c = 12
>> 01 = 1
>> 03 = 3
>>
>> I saw that you mentioned
>> > The ASN.1 is OBJECT IDENTIFIER=Sha256WithRSAEncryption
>> (1.2.840.113549.1.1.11)
>>
>> but the value is different.
>> *.1.1.11 vs *.1.12.1.3
>>
>> Maybe it helps.
>>
>> What is your version of Java?
>>
>> Isn't the algorithm (mentioned in the error message) deprecated,
>> because it uses SHA-1 ?
>>
>> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
>>
>> A '\' is missing after ':'.
>>
>> Best regards,
>> Konstantin Kolinko
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
R: PKCS#8 encryption algorithm unrecognized
Posted by Roberto Benedetti <ro...@dedalus.eu>.
> I got the Object ID and version straight out of the Certificate using
> Keystore Explorer. I'm not sure why there is a difference.
Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as provider for JCE.
If your JRE/JDK does not provide some algorithm you could use Bouncy Castle as well.
Regards,
Roberto
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: PKCS#8 encryption algorithm unrecognized
Posted by Timothy Resh <mr...@gmail.com>.
I got the Object ID and version straight out of the Certificate using
Keystore Explorer. I'm not sure why there is a difference.
The "\" is because I manually deleted the beginning part of the path. It's
correct in the actual file.
Java is 1.8.
On Wed, Apr 3, 2024 at 6:11 PM Konstantin Kolinko <kn...@gmail.com>
wrote:
> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
> recognised
>
> If I google for the above hex number, it finds the following:
>
> '2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
> pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)
>
> (actually a comment in some random source file, but it explains what
> the value is).
>
> If I manually decode that value, thanks to
> https://stackoverflow.com/a/24720842
> I get the same value:
>
> 2a = 42 = 1 * 40 + 2 -> "1.2"
> 8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
> 86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
> + 13 = 113549
> 01 = 1
> 0c = 12
> 01 = 1
> 03 = 3
>
> I saw that you mentioned
> > The ASN.1 is OBJECT IDENTIFIER=Sha256WithRSAEncryption
> (1.2.840.113549.1.1.11)
>
> but the value is different.
> *.1.1.11 vs *.1.12.1.3
>
> Maybe it helps.
>
> What is your version of Java?
>
> Isn't the algorithm (mentioned in the error message) deprecated,
> because it uses SHA-1 ?
>
> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
>
> A '\' is missing after ':'.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: PKCS#8 encryption algorithm unrecognized
Posted by Konstantin Kolinko <kn...@gmail.com>.
> Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
If I google for the above hex number, it finds the following:
'2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)
(actually a comment in some random source file, but it explains what
the value is).
If I manually decode that value, thanks to
https://stackoverflow.com/a/24720842
I get the same value:
2a = 42 = 1 * 40 + 2 -> "1.2"
8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
+ 13 = 113549
01 = 1
0c = 12
01 = 1
03 = 3
I saw that you mentioned
> The ASN.1 is OBJECT IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
but the value is different.
*.1.1.11 vs *.1.12.1.3
Maybe it helps.
What is your version of Java?
Isn't the algorithm (mentioned in the error message) deprecated,
because it uses SHA-1 ?
> SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
A '\' is missing after ':'.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: PKCS#8 encryption algorithm unrecognized
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Timothy,
On 3/19/24 14:18, Timothy Resh wrote:
> <Conneector ........
> SSLProtocol="TLSv1.2"
> SSLCipherSuite="-ALL
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
>
> SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
> SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
> SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
> SSLVerifyClient="optional"
> SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> SSLCACertificatePath="C:\Certificates\CA\"
>>
>
> where the ..... is the fqdn
>
> This works fine *until* Tomcat 9.0.83 and now we get the following listed
> below.
Is it possible for you to re-test with Tomcat 9.0.85 or later?
-chris
I have read some of the
> https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
> help.
> The certificates are being created using openssl 3.013. Please note the
> encrypted password to the p12 keystore. There was a message saying this
> was going to be fixed in a January release.
> I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT
> IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
>
> Does anyone have some suggestions for a fix?
>
> Thanks Mark Resh
>
>
> 15-Mar-2024 18:27:37.621 WARNING [main]
> org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
> [ciphers] attribute in a manner consistent with the latest OpenSSL
> development branch. Some of the specified [ciphers] are not supported by
> the configured SSL engine for this connector (which may use JSSE or an
> older OpenSSL version) and have been skipped:
> [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> 15-Mar-2024 18:27:37.636 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> org.apache.catalina.LifecycleException: Protocol handler initialization
> failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
> algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> at
> org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
> at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
> ... 13 more
> Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> at
> org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
> at
> org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
> at
> org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
> at
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> at
> org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
> ... 19 more
> 15-Mar-2024 18:27:37.636 INFO [main]
> org.apache.catalina.startup.Catalina.load Server initialization in [1655]
> milliseconds
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: PKCS#8 encryption algorithm unrecognized
Posted by Timothy Resh <mr...@gmail.com>.
Sure, I can provide the entire setup for you. I'll work on that tonight .
On Sun, Mar 31, 2024 at 2:05 PM Mark Thomas <ma...@apache.org> wrote:
> On 25/03/2024 16:56, Timothy Resh wrote:
> > Sorry for the delay. Our certificate creation process was automated
> > several years ago and I had to go through the code to figure out the
> > commands being used for the certificates
> >
> > First, we use the createcert.exe from the Sybase 17 installation to
>
> I don't have access to that application so I am unable to follow the
> provided instructions.
>
> Given you do have access to the application, it will likely be simpler
> if you provide a test key and certificate that don't work that we can
> use for investigation.
>
> If you want to provide those offline, feel free to email the pem files
> to me directly.
>
> Mark
>
>
> > generate a DB cert for ODBC connectivity. Please see the following link
> > for more information.
> >
> https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
> > -t encryption type
> > -b length
> > -ca "1" Create Certificate Authority
> > -u 3,4,5,6
> >
> > - 3. Key Encipherment
> > - 4. Data Encipherment
> > - 5. Key Agreement
> > - 6. Certificate Signing
> >
> > -v 6 years
> > -co Public Certificate
> > -x Generates a self-signed certificate
> >
> > *C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
> > -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
> > Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
> > Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x
> -co
> > "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
> > Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com
> > <http://WSD-2DNX4M3.mydomain.com>" -sl "Norfolk" -so "Vessel Ships" -sou
> > "Engineering" -sst "VA" -u 3,4,5,6 -v "6"*
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > *SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160Warning:
> The
> > certificate will not be compatible with older versionsof the software
> > including version 12.0.1 prior to build 3994 and version 16.0prior to
> build
> > 1691. Use the -3des switch if you require compatibility.Generating key
> > pair...Certificate will be a self-signed rootSerial number [generate
> GUID]:
> > Generated serial number: 42455c10a27d441db3e3d09f39f35452*
> >
> >
> > This creates a ASA12 SAMM Vessel.pub that is then copied to the Tomcat
> > Application Server as "Client Configuration.pem"
> >
> > our next commands are all openssl or keytool
> >
> > openssl.exe genrsa -aes256 -passout pass:"changeit" -out
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
> > 1>nul 2>&1
> > openssl.exe req -new -key "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key" -subj "/CN=
> > WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US"
> -out
> > "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
> > pass:"changeit" 1>nul 2>&1
> >
> > echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
> > echo keyUsage = digitalSignature, keyEncipherment
> > 1>>"C:\tmp12\openssl\v3.ext"
> > ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
> > ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com
> > 1>>"C:\tmp12\openssl\v3.ext"
> >
> > openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
> > "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
> > "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
> > pass:"changeit" -days "2190" -extensions SAN
> > Certificate request self-signature ok
> > subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
> > U.S.Government, C = US
> >
> > COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
> > "C:\tmp12\Certificates\CA\" 1>nul 2>&1
> >
> > openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
> > Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
> > "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
> > WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout
> pass:"changeit"
> >
> > keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
> > "changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
> > -srckeystore "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
> > "changeit" -alias WSD-2DNX4M3.mydomain.com
> > Importing keystore C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.p12 to
> > C:\tmp12\Certificate\Keystore\Vessel.jks...
> > DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"
> >
> > openssl.exe rsa -in "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
> > openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout
> > pass:"changeit"
> > openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
> > pass:"changeit" -passout pass:"changeit"
> >
> > DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
> > DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"
> >
> > keytool.exe -importkeystore -srckeystore
> > "C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore
> > "C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS
> -deststoretype
> > PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
> > keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore
> > "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit"
> -noprompt
> > keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore
> > "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit"
> -noprompt
> > keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore
> > "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit"
> -noprompt
> > keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client
> > Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12"
> > -storepass "changeit" -noprompt
> > keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA"
> > -file "C:\tmp12\Client Configuration.pem" -keystore
> > "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit"
> -noprompt
> >
> >
> > if you need anything else please get in touch with me.
> > I have tested this with the Tomcat 87 release and it still does not work.
> >
> > Thanks
> >
> > Mark Resh
> >
> >
> >
> >
> > On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 19/03/2024 18:18, Timothy Resh wrote:
> >>> <Conneector ........
> >>> SSLProtocol="TLSv1.2"
> >>> SSLCipherSuite="-ALL
> >>>
> >>
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> >>>
> >>> SSLPassword="${KSENC(6qkaMErQ==;
> >> C:\Certificate\Keystore\Vessel.p12)}"
> >>> SSLCertificateChainFile="C:Certificate\Public
> Key\WSD-2DNX4M3.......cer"
> >>> SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> >>> SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
> >>> SSLVerifyClient="optional"
> >>> SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> >>> SSLCACertificatePath="C:\Certificates\CA\"
> >>>>
> >>>
> >>> where the ..... is the fqdn
> >>>
> >>> This works fine *until* Tomcat 9.0.83 and now we get the following
> listed
> >>> below. I have read some of the
> >>> https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and
> ask
> >> for
> >>> help.
> >>> The certificates are being created using openssl 3.013. Please note
> the
> >>> encrypted password to the p12 keystore. There was a message saying
> this
> >>> was going to be fixed in a January release.
> >>> I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT
> >>> IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
> >>>
> >>> Does anyone have some suggestions for a fix?
> >>
> >> Please provide a set of OpenSSL commands that create a problematic,
> >> self-signed certificate for localhost. This will save us a *lot* of
> time.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> Thanks Mark Resh
> >>>
> >>>
> >>> 15-Mar-2024 18:27:37.621 WARNING [main]
> >>> org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets
> the
> >>> [ciphers] attribute in a manner consistent with the latest OpenSSL
> >>> development branch. Some of the specified [ciphers] are not supported
> by
> >>> the configured SSL engine for this connector (which may use JSSE or an
> >>> older OpenSSL version) and have been skipped:
> >>> [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> >>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> >>> 15-Mar-2024 18:27:37.636 SEVERE [main]
> >>> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> to
> >>> initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> >>> org.apache.catalina.LifecycleException: Protocol handler initialization
> >>> failed
> >>> at
> >>
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> >>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >>> at
> >>>
> >>
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
> >>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >>> at
> >>>
> >>
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
> >>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >>> at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> >>> at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>> at
> >>>
> >>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>> at
> >>>
> >>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>> at java.lang.reflect.Method.invoke(Method.java:498)
> >>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> >>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> >>> Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
> >>> algorithm with DER encoded OID of [2a864886f70d010c0103] was not
> >> recognised
> >>> at
> >>> org.apache.tomcat.util.net
> >> .AprEndpoint.createSSLContext(AprEndpoint.java:467)
> >>> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
> >>> at
> >>> org.apache.tomcat.util.net
> >> .AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
> >>> at
> >>> org.apache.tomcat.util.net
> >> .AbstractEndpoint.init(AbstractEndpoint.java:1345)
> >>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
> >>> at
> >>>
> >>
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
> >>> at
> >>
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
> >>> ... 13 more
> >>> Caused by: java.security.NoSuchAlgorithmException: The PKCS#8
> encryption
> >>> algorithm with DER encoded OID of [2a864886f70d010c0103] was not
> >> recognised
> >>> at
> >>> org.apache.tomcat.util.net
> >> .jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
> >>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
> >>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
> >>> at
> >>> org.apache.tomcat.util.net
> >> .SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
> >>> at
> >>> org.apache.tomcat.util.net
> >> .openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
> >>> at
> >>> org.apache.tomcat.util.net
> >> .SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> >>> at
> >>> org.apache.tomcat.util.net
> >> .AprEndpoint.createSSLContext(AprEndpoint.java:465)
> >>> ... 19 more
> >>> 15-Mar-2024 18:27:37.636 INFO [main]
> >>> org.apache.catalina.startup.Catalina.load Server initialization in
> [1655]
> >>> milliseconds
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: PKCS#8 encryption algorithm unrecognized
Posted by Mark Thomas <ma...@apache.org>.
On 25/03/2024 16:56, Timothy Resh wrote:
> Sorry for the delay. Our certificate creation process was automated
> several years ago and I had to go through the code to figure out the
> commands being used for the certificates
>
> First, we use the createcert.exe from the Sybase 17 installation to
I don't have access to that application so I am unable to follow the
provided instructions.
Given you do have access to the application, it will likely be simpler
if you provide a test key and certificate that don't work that we can
use for investigation.
If you want to provide those offline, feel free to email the pem files
to me directly.
Mark
> generate a DB cert for ODBC connectivity. Please see the following link
> for more information.
> https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
> -t encryption type
> -b length
> -ca "1" Create Certificate Authority
> -u 3,4,5,6
>
> - 3. Key Encipherment
> - 4. Data Encipherment
> - 5. Key Agreement
> - 6. Certificate Signing
>
> -v 6 years
> -co Public Certificate
> -x Generates a self-signed certificate
>
> *C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
> -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
> Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
> Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
> "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
> Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com
> <http://WSD-2DNX4M3.mydomain.com>" -sl "Norfolk" -so "Vessel Ships" -sou
> "Engineering" -sst "VA" -u 3,4,5,6 -v "6"*
>
>
>
>
>
>
>
>
>
> *SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160Warning: The
> certificate will not be compatible with older versionsof the software
> including version 12.0.1 prior to build 3994 and version 16.0prior to build
> 1691. Use the -3des switch if you require compatibility.Generating key
> pair...Certificate will be a self-signed rootSerial number [generate GUID]:
> Generated serial number: 42455c10a27d441db3e3d09f39f35452*
>
>
> This creates a ASA12 SAMM Vessel.pub that is then copied to the Tomcat
> Application Server as "Client Configuration.pem"
>
> our next commands are all openssl or keytool
>
> openssl.exe genrsa -aes256 -passout pass:"changeit" -out
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
> 1>nul 2>&1
> openssl.exe req -new -key "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key" -subj "/CN=
> WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
> "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
> pass:"changeit" 1>nul 2>&1
>
> echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
> echo keyUsage = digitalSignature, keyEncipherment
> 1>>"C:\tmp12\openssl\v3.ext"
> ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
> ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com
> 1>>"C:\tmp12\openssl\v3.ext"
>
> openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
> "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
> "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
> pass:"changeit" -days "2190" -extensions SAN
> Certificate request self-signature ok
> subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
> U.S.Government, C = US
>
> COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
> "C:\tmp12\Certificates\CA\" 1>nul 2>&1
>
> openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
> Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
> "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
> WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"
>
> keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
> "changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
> -srckeystore "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
> "changeit" -alias WSD-2DNX4M3.mydomain.com
> Importing keystore C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.p12 to
> C:\tmp12\Certificate\Keystore\Vessel.jks...
> DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"
>
> openssl.exe rsa -in "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
> openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout
> pass:"changeit"
> openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
> pass:"changeit" -passout pass:"changeit"
>
> DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
> DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"
>
> keytool.exe -importkeystore -srckeystore
> "C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype
> PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
> keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client
> Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12"
> -storepass "changeit" -noprompt
> keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA"
> -file "C:\tmp12\Client Configuration.pem" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
>
>
> if you need anything else please get in touch with me.
> I have tested this with the Tomcat 87 release and it still does not work.
>
> Thanks
>
> Mark Resh
>
>
>
>
> On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas <ma...@apache.org> wrote:
>
>> On 19/03/2024 18:18, Timothy Resh wrote:
>>> <Conneector ........
>>> SSLProtocol="TLSv1.2"
>>> SSLCipherSuite="-ALL
>>>
>> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
>>>
>>> SSLPassword="${KSENC(6qkaMErQ==;
>> C:\Certificate\Keystore\Vessel.p12)}"
>>> SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
>>> SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
>>> SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
>>> SSLVerifyClient="optional"
>>> SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
>>> SSLCACertificatePath="C:\Certificates\CA\"
>>>>
>>>
>>> where the ..... is the fqdn
>>>
>>> This works fine *until* Tomcat 9.0.83 and now we get the following listed
>>> below. I have read some of the
>>> https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask
>> for
>>> help.
>>> The certificates are being created using openssl 3.013. Please note the
>>> encrypted password to the p12 keystore. There was a message saying this
>>> was going to be fixed in a January release.
>>> I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT
>>> IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
>>>
>>> Does anyone have some suggestions for a fix?
>>
>> Please provide a set of OpenSSL commands that create a problematic,
>> self-signed certificate for localhost. This will save us a *lot* of time.
>>
>> Mark
>>
>>
>>>
>>> Thanks Mark Resh
>>>
>>>
>>> 15-Mar-2024 18:27:37.621 WARNING [main]
>>> org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
>>> [ciphers] attribute in a manner consistent with the latest OpenSSL
>>> development branch. Some of the specified [ciphers] are not supported by
>>> the configured SSL engine for this connector (which may use JSSE or an
>>> older OpenSSL version) and have been skipped:
>>> [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
>>> 15-Mar-2024 18:27:37.636 SEVERE [main]
>>> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
>>> initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
>>> org.apache.catalina.LifecycleException: Protocol handler initialization
>>> failed
>>> at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
>>> at
>>>
>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
>>> at
>>>
>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
>>> at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>>> at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>>
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> at
>>>
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
>>> Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
>>> algorithm with DER encoded OID of [2a864886f70d010c0103] was not
>> recognised
>>> at
>>> org.apache.tomcat.util.net
>> .AprEndpoint.createSSLContext(AprEndpoint.java:467)
>>> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
>>> at
>>> org.apache.tomcat.util.net
>> .AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
>>> at
>>> org.apache.tomcat.util.net
>> .AbstractEndpoint.init(AbstractEndpoint.java:1345)
>>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
>>> at
>>>
>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
>>> at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
>>> ... 13 more
>>> Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
>>> algorithm with DER encoded OID of [2a864886f70d010c0103] was not
>> recognised
>>> at
>>> org.apache.tomcat.util.net
>> .jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
>>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
>>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
>>> at
>>> org.apache.tomcat.util.net
>> .SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
>>> at
>>> org.apache.tomcat.util.net
>> .openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
>>> at
>>> org.apache.tomcat.util.net
>> .SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
>>> at
>>> org.apache.tomcat.util.net
>> .AprEndpoint.createSSLContext(AprEndpoint.java:465)
>>> ... 19 more
>>> 15-Mar-2024 18:27:37.636 INFO [main]
>>> org.apache.catalina.startup.Catalina.load Server initialization in [1655]
>>> milliseconds
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: PKCS#8 encryption algorithm unrecognized
Posted by Timothy Resh <mr...@gmail.com>.
Sorry for the delay. Our certificate creation process was automated
several years ago and I had to go through the code to figure out the
commands being used for the certificates
First, we use the createcert.exe from the Sybase 17 installation to
generate a DB cert for ODBC connectivity. Please see the following link
for more information.
https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
-t encryption type
-b length
-ca "1" Create Certificate Authority
-u 3,4,5,6
- 3. Key Encipherment
- 4. Data Encipherment
- 5. Key Agreement
- 6. Certificate Signing
-v 6 years
-co Public Certificate
-x Generates a self-signed certificate
*C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
-t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
"C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com
<http://WSD-2DNX4M3.mydomain.com>" -sl "Norfolk" -so "Vessel Ships" -sou
"Engineering" -sst "VA" -u 3,4,5,6 -v "6"*
*SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160Warning: The
certificate will not be compatible with older versionsof the software
including version 12.0.1 prior to build 3994 and version 16.0prior to build
1691. Use the -3des switch if you require compatibility.Generating key
pair...Certificate will be a self-signed rootSerial number [generate GUID]:
Generated serial number: 42455c10a27d441db3e3d09f39f35452*
This creates a ASA12 SAMM Vessel.pub that is then copied to the Tomcat
Application Server as "Client Configuration.pem"
our next commands are all openssl or keytool
openssl.exe genrsa -aes256 -passout pass:"changeit" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
1>nul 2>&1
openssl.exe req -new -key "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -subj "/CN=
WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
pass:"changeit" 1>nul 2>&1
echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
echo keyUsage = digitalSignature, keyEncipherment
1>>"C:\tmp12\openssl\v3.ext"
ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com
1>>"C:\tmp12\openssl\v3.ext"
openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
pass:"changeit" -days "2190" -extensions SAN
Certificate request self-signature ok
subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
U.S.Government, C = US
COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
"C:\tmp12\Certificates\CA\" 1>nul 2>&1
openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"
keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
"changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
-srckeystore "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
"changeit" -alias WSD-2DNX4M3.mydomain.com
Importing keystore C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12 to
C:\tmp12\Certificate\Keystore\Vessel.jks...
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"
openssl.exe rsa -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout
pass:"changeit"
openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
pass:"changeit" -passout pass:"changeit"
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"
keytool.exe -importkeystore -srckeystore
"C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype
PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client
Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12"
-storepass "changeit" -noprompt
keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA"
-file "C:\tmp12\Client Configuration.pem" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
if you need anything else please get in touch with me.
I have tested this with the Tomcat 87 release and it still does not work.
Thanks
Mark Resh
On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas <ma...@apache.org> wrote:
> On 19/03/2024 18:18, Timothy Resh wrote:
> > <Conneector ........
> > SSLProtocol="TLSv1.2"
> > SSLCipherSuite="-ALL
> >
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> >
> > SSLPassword="${KSENC(6qkaMErQ==;
> C:\Certificate\Keystore\Vessel.p12)}"
> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
> > SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> > SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
> > SSLVerifyClient="optional"
> > SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> > SSLCACertificatePath="C:\Certificates\CA\"
> >>
> >
> > where the ..... is the fqdn
> >
> > This works fine *until* Tomcat 9.0.83 and now we get the following listed
> > below. I have read some of the
> > https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask
> for
> > help.
> > The certificates are being created using openssl 3.013. Please note the
> > encrypted password to the p12 keystore. There was a message saying this
> > was going to be fixed in a January release.
> > I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT
> > IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
> >
> > Does anyone have some suggestions for a fix?
>
> Please provide a set of OpenSSL commands that create a problematic,
> self-signed certificate for localhost. This will save us a *lot* of time.
>
> Mark
>
>
> >
> > Thanks Mark Resh
> >
> >
> > 15-Mar-2024 18:27:37.621 WARNING [main]
> > org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
> > [ciphers] attribute in a manner consistent with the latest OpenSSL
> > development branch. Some of the specified [ciphers] are not supported by
> > the configured SSL engine for this connector (which may use JSSE or an
> > older OpenSSL version) and have been skipped:
> > [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> > 15-Mar-2024 18:27:37.636 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> > initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> > org.apache.catalina.LifecycleException: Protocol handler initialization
> > failed
> > at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> > at
> >
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> > at
> >
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> > Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
> recognised
> > at
> > org.apache.tomcat.util.net
> .AprEndpoint.createSSLContext(AprEndpoint.java:467)
> > at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
> > at
> > org.apache.tomcat.util.net
> .AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
> > at
> > org.apache.tomcat.util.net
> .AbstractEndpoint.init(AbstractEndpoint.java:1345)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
> > at
> >
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
> > at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
> > ... 13 more
> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
> recognised
> > at
> > org.apache.tomcat.util.net
> .jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
> > at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
> > at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
> > at
> > org.apache.tomcat.util.net
> .SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
> > at
> > org.apache.tomcat.util.net
> .openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
> > at
> > org.apache.tomcat.util.net
> .SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> > at
> > org.apache.tomcat.util.net
> .AprEndpoint.createSSLContext(AprEndpoint.java:465)
> > ... 19 more
> > 15-Mar-2024 18:27:37.636 INFO [main]
> > org.apache.catalina.startup.Catalina.load Server initialization in [1655]
> > milliseconds
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: PKCS#8 encryption algorithm unrecognized
Posted by Mark Thomas <ma...@apache.org>.
On 19/03/2024 18:18, Timothy Resh wrote:
> <Conneector ........
> SSLProtocol="TLSv1.2"
> SSLCipherSuite="-ALL
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
>
> SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
> SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
> SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
> SSLVerifyClient="optional"
> SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> SSLCACertificatePath="C:\Certificates\CA\"
>>
>
> where the ..... is the fqdn
>
> This works fine *until* Tomcat 9.0.83 and now we get the following listed
> below. I have read some of the
> https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
> help.
> The certificates are being created using openssl 3.013. Please note the
> encrypted password to the p12 keystore. There was a message saying this
> was going to be fixed in a January release.
> I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT
> IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
>
> Does anyone have some suggestions for a fix?
Please provide a set of OpenSSL commands that create a problematic,
self-signed certificate for localhost. This will save us a *lot* of time.
Mark
>
> Thanks Mark Resh
>
>
> 15-Mar-2024 18:27:37.621 WARNING [main]
> org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
> [ciphers] attribute in a manner consistent with the latest OpenSSL
> development branch. Some of the specified [ciphers] are not supported by
> the configured SSL engine for this connector (which may use JSSE or an
> older OpenSSL version) and have been skipped:
> [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> 15-Mar-2024 18:27:37.636 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> org.apache.catalina.LifecycleException: Protocol handler initialization
> failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
> algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> at
> org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
> at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
> ... 13 more
> Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> at
> org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
> at
> org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
> at
> org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
> at
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> at
> org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
> ... 19 more
> 15-Mar-2024 18:27:37.636 INFO [main]
> org.apache.catalina.startup.Catalina.load Server initialization in [1655]
> milliseconds
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org