Posted to users@tomcat.apache.org by Armando Singer <ar...@gmail.com> on 2010/08/20 09:22:05 UTC

Tomcat 7.0.2 fails to load keystore w/ same keystore and keypass config as 6.0.2X

Hello,

I tried 7.0.2 from 6.0.2X with an identical config (I looked at the migration guide--no changes needed for my config).

With 7.0.2, my SSL connector failed to start because "password verification failed." The logged password and jks file in the WARNING and SEVERE log statements are correct. Also, I can reliably revert to tomcat 6.0.X with the same password and keystore with no error.

Below is error log output as well as my server.xml config. I also narrowed down the server.xml config to the minimal changes from the stock server.xml (I have elided the real keystore and password).

This may be irrelevant, but my keypass had a '$' character in it, but that has always worked in the past.

Any changes to keystore/password handling that would make 7.0.2 not backward compatible?

Thank you!
Armando

Aug 18, 2010 6:35:47 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keypass' to 'XXXXXX' did not find a matching property.
Aug 18, 2010 6:35:47 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Aug 18, 2010 6:35:47 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JKS with path /path/to/conf/XXXXXXXX.jks due to Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:380)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:289)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:524)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:455)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:137)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:357)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:125)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:873)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:546)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:702)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:537)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
        ... 23 more
Aug 18, 2010 6:35:47 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:380)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:289)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:524)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:455)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:137)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:357)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:125)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:873)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:546)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:702)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:537)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
        ... 23 more
Aug 18, 2010 6:35:47 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
LifecycleException:  Protocol handler initialization failed: java.io.IOException: Keystore was tampered with, or password was incorrect
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:546)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:702)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:537)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)


Here is a diff of minimal server.xml changes against the stock 7.0.2 server.xml that reproduce the problem.

--- old	2010-08-18 17:19:36.000000000 -0700
+++ new	2010-08-18 17:18:30.000000000 -0700
@@ -22,7 +22,7 @@
 <Server port="8005" shutdown="SHUTDOWN">
 
   <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!-- DISABLE: apr not used <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
   <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
   <Listener className="org.apache.catalina.core.JasperListener" />
   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
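Review bot: with the AprLifecycleListener commented out, the SSL connector further down is served by the JSSE implementation, which matches the JSSESocketFactory.getStore frames in the stack trace, so the keystore attributes have to be the JSSE ones (keystoreFile/keystorePass). The replacement line is a well-formed XML comment (no `--` inside it), so the listener is cleanly disabled rather than half-parsed.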
@@ -51,10 +51,13 @@
   <Service name="Catalina">
   
     <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
-        maxThreads="150" minSpareThreads="4"/>
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
+        maxThreads="500" minSpareThreads="50"/>
+
     
     
     <!-- A "Connector" represents an endpoint by which requests are received
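Review bot: this hunk is incomplete as pasted: the header announces 10 old and 13 new lines but only 9 and 9 are visible, and the `-->` that closed the stock Executor comment is not among the removed lines. Confirm that the matching `-->` was removed from the real file as well; otherwise the Executor is either still inside the comment or followed by a stray `-->`, and in the first case the `executor="tomcatThreadPool"` references below would point at a pool that was never defined.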
@@ -62,11 +65,27 @@
          Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
          Java AJP  Connector: /docs/config/ajp.html
          APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL HTTP/1.1 Connector on port 8080
+         Define a non-SSL HTTP/1.1 Connector on port 80
     -->
-    <Connector port="8080" protocol="HTTP/1.1" 
-               connectionTimeout="20000" 
-               redirectPort="8443" />
+    <Connector executor="tomcatThreadPool" URIEncoding="UTF-8" server="PC"
+	       port="80" protocol="HTTP/1.1" enableLookups="false" acceptCount="100"
+	       redirectPort="443"
+	       disableUploadTimeout="true" connectionTimeout="20000"
+	       compression="on" compressionMinSize="2048"
+	       compressableMimeType="text/html,text/css,text/xml,text/javascript,application/x-javascript,application/javascript" />
+
+    <Connector executor="tomcatThreadPool" URIEncoding="UTF-8" server="PC"
+	       port="443" protocol="HTTP/1.1" enableLookups="false" acceptCount="100"
+	       disableUploadTimeout="true" connectionTimeout="20000"
+	       SSLEnabled="true" secure="true" keyAlias="server" keystoreFile="conf/XXXXXXXX.jks" keypass="XXXXXXX" clientAuth="false" sslProtocol="TLS"
+	       compression="on" compressionMinSize="2048"
+	       compressableMimeType="text/html,text/css,text/xml,text/javascript,application/x-javascript,application/javascript" />


     <!-- A "Connector" using the shared thread pool-->
     <!--
     <Connector executor="tomcatThreadPool"
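Review bot: on the port 443 connector, `keypass="XXXXXXX"` is the defect. Tomcat 7 has no `keypass` attribute, which is exactly what the startup line `Setting property 'keypass' to 'XXXXXX' did not find a matching property` reports; the JSSE factory then opens the keystore with its default password and fails with "password was incorrect", while 6.0.x still honoured the alias. Rename it to `keystorePass="XXXXXXX"` (the documented name in the ssl-howto linked in the replies). The `SetAllPropertiesRule` WARNING deserves to be treated as a hard error in config review: here the ignored attribute fails closed, but an ignored attribute on a setting such as `clientAuth` would silently fall back to the default instead.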
@@ -84,9 +103,9 @@
                clientAuth="false" sslProtocol="TLS" />
     -->
 
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <!-- Define an AJP 1.3 Connector on port 8009
     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-
+    -->
 
     <!-- An Engine represents the entry point (within Catalina) that processes
          every request.  The Engine implementation for Tomcat stand alone
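Review bot: disabling the AJP/1.3 connector is the right call when nothing in front of Tomcat speaks AJP, since it removes a listening port on 8009 that the deployment does not use. The comment is balanced: the `<!--` now opened on the "Define an AJP 1.3 Connector" line is closed by the added `-->` after the Connector line, so the stock documentation text survives inside the same comment.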
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat 7.0.2 fails to load keystore w/ same keystore and keypass config as 6.0.2X

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Subject: RE: Tomcat 7.0.2 fails to load keystore w/ same keystore and
> keypass config as 6.0.2X
> 
> Read the doc; the attribute is keystorePass, not keypass.
> 
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Tomcat 6.0.x implemented a set of alternative names for some <Connector> attributes; these deprecated alternatives were removed in 7.0.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




RE: Tomcat 7.0.2 fails to load keystore w/ same keystore and keypass config as 6.0.2X

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Armando Singer [mailto:armando.singer@gmail.com]
> Subject: Tomcat 7.0.2 fails to load keystore w/ same keystore and
> keypass config as 6.0.2X
> 
> Any changes to keystore/password handling that would make 7.0.2 not
> backward compatible?

Read the doc; the attribute is keystorePass, not keypass.

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

 - Chuck




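A pre-upgrade check that applies Chuck's point mechanically: scan server.xml for SSL connector attribute names that 6.0.x accepted but 7.0 does not recognise, and report the documented replacement. This is an added example, not code from the thread or from the Tomcat project; the `keypass` to `keystorePass` rename is the one this thread establishes, while the `keystore` and `keytype` entries are assumed 6.0.x aliases that should be verified against the 6.0 connector documentation.

```python
"""Lint a Tomcat 7 server.xml for SSL <Connector> attribute names that
6.0.x accepted as aliases but 7.0 ignores (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# "keypass" -> "keystorePass" is the rename from this thread; the other two
# are assumed 6.0.x aliases (verify against the 6.0 connector docs).
DEPRECATED_ALIASES = {
    "keypass": "keystorePass",
    "keystore": "keystoreFile",   # assumed
    "keytype": "keystoreType",    # assumed
}


def find_deprecated_attrs(server_xml):
    """Return (port, old_attr, new_attr) for each SSL connector attribute
    that 7.0 will not match (it logs a SetAllPropertiesRule WARNING and
    then opens the keystore without the intended password)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # only SSL connectors carry keystore settings
        for old, new in DEPRECATED_ALIASES.items():
            if old in conn.attrib:
                findings.append((conn.get("port", "?"), old, new))
    return findings


def rewrite_deprecated_attrs(server_xml):
    """Return the XML with aliases renamed to their 7.0 names. ElementTree
    drops XML comments, so treat the result as a reference copy rather
    than overwriting a hand-maintained server.xml with it."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        for old, new in DEPRECATED_ALIASES.items():
            if old in conn.attrib and new not in conn.attrib:
                conn.set(new, conn.attrib.pop(old))
    return ET.tostring(root, encoding="unicode")


# Constructed sample mirroring the port-443 connector from the thread's diff
# (keystore path and password redacted as in the original post).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" secure="true"
               keyAlias="server" keystoreFile="conf/XXXXXXXX.jks"
               keypass="XXXXXXX" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""
```

Running `find_deprecated_attrs` over the sample reports the port 443 connector's `keypass` and nothing for the plain HTTP connector, which is the same signal the SetAllPropertiesRule WARNING gives at startup, only before the restart.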