Posted to users@tomcat.apache.org by Herb Burnswell <he...@gmail.com> on 2019/09/09 22:28:52 UTC

SSLHostConfig configuration

All,

We have a Tomcat application (that ships/includes Tomcat with it) that
requires we use multiple domains and therefore set up SSLHostConfig
settings in our server.xml file to accommodate each domain.  We have been
using this configuration and it works well:

Tomcat 8.5.32

<Connector port="8443"
                maxHttpHeaderSize="8192"
                maxPostSize="6291456"
                maxThreads="200"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                executor="appExecutor"
                enableLookups="false"
                acceptCount="100"
                connectionTimeout="20000"
                disableUploadTimeout="true"
                URIEncoding="UTF-8"
                SSLEnabled="true"
                scheme="https"
                secure="true"
                defaultSSLHostConfigName="*.example.com">

                <SSLHostConfig hostName="*.example.com">

                        <Certificate certificateKeystoreType="PKCS12"
                        certificateKeystoreFile="/app/config/keystore.p12"
                        certificateKeyAlias="example_wildcard"
                        certificateKeystorePassword="maskedpasswd"
                        type="RSA"/>

                </SSLHostConfig>

                <SSLHostConfig hostName="*.example.ca">

                        <Certificate certificateKeystoreType="PKCS12"
                        certificateKeystoreFile="/app/config/keystore.p12"
                        certificateKeyAlias="example_ca_wildcard"
                        certificateKeystorePassword="maskedpasswd"
                        type="RSA"/>

                </SSLHostConfig>

                <SSLHostConfig hostName="*.example1.com">

                        <Certificate certificateKeystoreType="PKCS12"
                        certificateKeystoreFile="/app/config/keystore.p12"
                        certificateKeyAlias="example1_wildcard"
                        certificateKeystorePassword="maskedpasswd"
                        type="RSA"/>

                </SSLHostConfig>

</Connector>


This works fine in 8.5.32.  However, we are rolling out an updated version
of the application and it ships with Tomcat 8.5.40.  If we try to run with
the same configuration above in the 8.5.40 version of Tomcat, the
application fails to start with the following SEVERE error:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.software.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 18 more
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter
must be non-empty
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 19 more
Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
at
java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
at
java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
at
org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:483)
at
org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:414)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
... 26 more

As you can see it complains about "trustAnchors parameter must be
non-empty".  However if I try to add trust entry lines into the connector
config:

<snip>
<Certificate certificateKeystoreType="PKCS12"
                        certificateKeystoreFile="/app/config/keystore.p12"
                        certificateKeyAlias="example_wildcard"
                        certificateKeystorePassword="maskedpasswd"
                        truststoreFile="/app/config/truststore.p12"
                        truststorePassword="maskedpasswd"
                        type="RSA"/>
<snip>

I still receive the same SEVERE error.

Questions:

1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly now
requires truststore information in this connector configuration?

2. What needs to be done to allow this to work in the 8.5.40 Tomcat version?

Thanks in advance, any guidance is greatly appreciated.

HB

Re: SSLHostConfig configuration

Posted by Herb Burnswell <he...@gmail.com>.
On Tue, Sep 10, 2019 at 5:38 AM Mark Thomas <ma...@apache.org> wrote:

> On 10/09/2019 13:14, Herb Burnswell wrote:
>
> <snip/>
>
> > My apologies for my ignorance here, when you say 'configured on the
> > SSLHostConfig' are you saying it should NOT be in this block:
> >
> >  <snip>
> >
> > <SSLHostConfig hostName="*.example1.com">
> >
> > <Certificate certificateKeystoreType="PKCS12"
> >                         certificateKeystoreFile="/app/config/keystore.p12"
> >                         certificateKeyAlias="example_wildcard"
> >                         certificateKeystorePassword="maskedpasswd"
> >                         truststoreFile="/app/config/truststore.p12"
> >                         truststorePassword="maskedpasswd"
> >                         type="RSA"/>
> >
> > </SSLHostConfig>
> >
> > <snip>
> >
> > This is how I tried to configure it and we still receive the "trustAnchors
> > parameter must be non-empty" error.  Can you clarify where you mean the
> > truststore directives should be defined?
>
> You need to move the trust store config from the Certificate to the
> SSLHostConfig like this:
>
> <SSLHostConfig
>         hostName="*.example1.com"
>         truststoreFile="/app/config/truststore.p12"
>         truststorePassword="maskedpasswd"
>         >
>
>     <Certificate
>             certificateKeystoreType="PKCS12"
>             certificateKeystoreFile="/app/config/keystore.p12"
>             certificateKeyAlias="example_wildcard"
>             certificateKeystorePassword="maskedpasswd"
>             type="RSA"
>             />
>
> </SSLHostConfig>
>
> Mark
>

Thank you Mark, that appears to have done the trick.  Greatly appreciated.

HB

>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: SSLHostConfig configuration

Posted by Mark Thomas <ma...@apache.org>.
On 10/09/2019 13:14, Herb Burnswell wrote:

<snip/>

> My apologies for my ignorance here, when you say 'configured on the
> SSLHostConfig' are you saying it should NOT be in this block:
> 
>  <snip>
> 
> <SSLHostConfig hostName="*.example1.com">
> 
> <Certificate certificateKeystoreType="PKCS12"
>                         certificateKeystoreFile="/app/config/keystore.p12"
>                         certificateKeyAlias="example_wildcard"
>                         certificateKeystorePassword="maskedpasswd"
>                         truststoreFile="/app/config/truststore.p12"
>                         truststorePassword="maskedpasswd"
>                         type="RSA"/>
> 
> </SSLHostConfig>
> 
> <snip>
> 
> This is how I tried to configure it and we still receive the "trustAnchors
> parameter must be non-empty" error.  Can you clarify where you mean the
> truststore directives should be defined?

You need to move the trust store config from the Certificate to the
SSLHostConfig like this:

<SSLHostConfig
        hostName="*.example1.com"
        truststoreFile="/app/config/truststore.p12"
        truststorePassword="maskedpasswd"
        >

    <Certificate
            certificateKeystoreType="PKCS12"
            certificateKeystoreFile="/app/config/keystore.p12"
            certificateKeyAlias="example_wildcard"
            certificateKeystorePassword="maskedpasswd"
            type="RSA"
            />

</SSLHostConfig>

Mark



Re: SSLHostConfig configuration

Posted by Herb Burnswell <he...@gmail.com>.
On Tue, Sep 10, 2019 at 3:46 AM Mark Thomas <ma...@apache.org> wrote:

>
> <snip/>
>
> > Questions:
> >
> > 1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly now
> > requires truststore information in this connector configuration?
>
> There have been several changes aimed at making it easier to switch
> between JSSE and OpenSSL based TLS implementations. Tomcat tries to
> store all provided keys and certs in an in-memory Java keystore and then
> provides the connectors with the keys and certs in the format they
> require. With the wide range of keystores and key formats there have
> been a few edge cases where the translation process broke. This looks
> like one of them.
>
> There are additional fixes in later 8.5.x releases so you may wish to
> try one of those.
>

Thank you for the information.  As far as using a newer version of Tomcat
with fixes, we want to go with the 8.5.40 version that is packaged with the
application for support reasons.


> > 2. What needs to be done to allow this to work in the 8.5.40 Tomcat
> > version?
>
> truststoreFile and truststorePassword should be configured on the
> SSLHostConfig not on the Certificate element.
>

My apologies for my ignorance here, when you say 'configured on the
SSLHostConfig' are you saying it should NOT be in this block:

 <snip>

<SSLHostConfig hostName="*.example1.com">

<Certificate certificateKeystoreType="PKCS12"
                        certificateKeystoreFile="/app/config/keystore.p12"
                        certificateKeyAlias="example_wildcard"
                        certificateKeystorePassword="maskedpasswd"
                        truststoreFile="/app/config/truststore.p12"
                        truststorePassword="maskedpasswd"
                        type="RSA"/>

</SSLHostConfig>

<snip>

This is how I tried to configure it and we still receive the "trustAnchors
parameter must be non-empty" error.  Can you clarify where you mean the
truststore directives should be defined?

Thanks again,

HB


> Mark
>

Re: SSLHostConfig configuration

Posted by Mark Thomas <ma...@apache.org>.
On 09/09/2019 23:28, Herb Burnswell wrote:

<snip/>

> Questions:
> 
> 1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly now
> requires truststore information in this connector configuration?

There have been several changes aimed at making it easier to switch
between JSSE and OpenSSL based TLS implementations. Tomcat tries to
store all provided keys and certs in an in-memory Java keystore and then
provides the connectors with the keys and certs in the format they
require. With the wide range of keystores and key formats there have
been a few edge cases where the translation process broke. This looks
like one of them.

There are additional fixes in later 8.5.x releases so you may wish to
try one of those.

> 2. What needs to be done to allow this to work in the 8.5.40 Tomcat version?

truststoreFile and truststorePassword should be configured on the
SSLHostConfig not on the Certificate element.

Mark

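Mark's fix (truststoreFile and truststorePassword belong on the SSLHostConfig, not on the Certificate element) is easy to get wrong when a server.xml carries several SSLHostConfig blocks, as the original poster's does. The script below is an added example, not code from this thread or from the Tomcat project. It parses a server.xml, reports every Certificate element that carries the truststore attributes, reports every SSLHostConfig on a TLS-enabled Connector that has no truststore at all (the shape that failed for the poster on 8.5.40), and can rewrite the document by hoisting the attributes onto the parent SSLHostConfig. The embedded server.xml is constructed for the example and mirrors the thread's configuration with masked values; `_default_` is Tomcat's documented default hostName for an SSLHostConfig that omits the attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml modelled on the thread: the first SSLHostConfig has the
# truststore attributes on the Certificate (the form that does not work), the second has
# them on the SSLHostConfig (the form Mark recommends), the third has none.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             defaultSSLHostConfigName="*.example.com">
    <SSLHostConfig hostName="*.example.com">
      <Certificate certificateKeystoreType="PKCS12"
                   certificateKeystoreFile="/app/config/keystore.p12"
                   certificateKeyAlias="example_wildcard"
                   certificateKeystorePassword="maskedpasswd"
                   truststoreFile="/app/config/truststore.p12"
                   truststorePassword="maskedpasswd"
                   type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="*.example.ca"
                   truststoreFile="/app/config/truststore.p12"
                   truststorePassword="maskedpasswd">
      <Certificate certificateKeystoreType="PKCS12"
                   certificateKeystoreFile="/app/config/keystore.p12"
                   certificateKeyAlias="example_ca_wildcard"
                   certificateKeystorePassword="maskedpasswd"
                   type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="*.example1.com">
      <Certificate certificateKeystoreType="PKCS12"
                   certificateKeystoreFile="/app/config/keystore.p12"
                   certificateKeyAlias="example1_wildcard"
                   certificateKeystorePassword="maskedpasswd"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>
 </Service>
</Server>
"""

# The two attributes Mark says belong on SSLHostConfig rather than Certificate.
TRUST_ATTRS = ("truststoreFile", "truststorePassword")


def _ssl_host_configs(root):
    """Yield (hostName, SSLHostConfig element) for every TLS-enabled Connector."""
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        for shc in connector.findall("SSLHostConfig"):
            # "_default_" is Tomcat's default when hostName is omitted
            yield shc.get("hostName", "_default_"), shc


def check_truststore_placement(server_xml):
    """Return (hostName, finding, attributes) tuples in document order."""
    findings = []
    for host, shc in _ssl_host_configs(ET.fromstring(server_xml)):
        for cert in shc.findall("Certificate"):
            misplaced = tuple(a for a in TRUST_ATTRS if a in cert.attrib)
            if misplaced:
                findings.append((host, "truststore-attributes-on-Certificate", misplaced))
        if not any(a in shc.attrib for a in TRUST_ATTRS):
            findings.append((host, "no-truststore-on-SSLHostConfig", ()))
    return findings


def move_truststore_to_sslhostconfig(server_xml):
    """Hoist truststore attributes from each Certificate onto its SSLHostConfig."""
    root = ET.fromstring(server_xml)
    for _host, shc in _ssl_host_configs(root):
        for cert in shc.findall("Certificate"):
            for attr in TRUST_ATTRS:
                if attr in cert.attrib:
                    value = cert.attrib.pop(attr)
                    # keep a value already set on the SSLHostConfig; otherwise use the Certificate's
                    shc.attrib.setdefault(attr, value)
    return ET.tostring(root, encoding="unicode")


def truststore_files(server_xml):
    """Map each hostName to the truststoreFile configured on its SSLHostConfig (None if absent)."""
    return {host: shc.get("truststoreFile")
            for host, shc in _ssl_host_configs(ET.fromstring(server_xml))}


if __name__ == "__main__":
    for finding in check_truststore_placement(SAMPLE_SERVER_XML):
        print(*finding)
    print(move_truststore_to_sslhostconfig(SAMPLE_SERVER_XML))
```

Run the check against the real file with `check_truststore_placement(open("conf/server.xml").read())` before and after the edit. The rewrite function returns a re-serialised document: ElementTree drops XML comments and original whitespace, so use its output to confirm what needs to move and apply the change to server.xml by hand rather than overwriting the file with it. Hoisting the attributes does not change where the truststore password is stored, so file permissions on server.xml matter exactly as much as before.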