Posted to users@tomcat.apache.org by Emil John <ek...@gmail.com> on 2018/02/15 07:52:04 UTC

Switch to in-memory key store in tomcat 8.5.23 fails application to load

Context
-----------

Exact tomcat version, Operating Systems, other configurations-

Current Tomcat version - 8.5.15
Operating Systems - Windows/ Linux
Upgrading to tomcat version - 8.5.23
Application - Java Application.

I have an application with Tomcat, say fooapp. I also have a custom
keystore type, say DKS (Java by default has the JKS keystore). During startup
of my application, it loads the DKS keystore to get the certificate for the
application. This is done using the following changes in server.xml:

<Connector SSLEnabled="true"
           sslImplementationName="com.vmware.identity.tomcat.GKSAwareImpl"
           store="CERT_STORE"
           port="${bio-ssl-localhost.https.port}"
           protocol="com.vmware.identity.tomcat.GKSAwareHttp11NioProtocol"
           redirectPort="${bio-ssl-localhost.https.port}"
           scheme="https"
           secure="true"
           maxHttpHeaderSize="16384">
    <Certificate certificateKeystoreType="GKS"


Problem
-----------

The new version of Tomcat has a code change that prevents my application
from loading the GKS keystore.

In Tomcat 8.5.15, in the getKeyManagers() method, if ks is not null it simply
proceeds further, doing ks.isKeyEntry() etc.

In Tomcat 8.5.23, the getKeyManagers() method initializes ks as before and
creates a new reference:

    KeyStore ks = certificate.getCertificateKeystore();
    KeyStore ksUsed = ks;

After the code below, ksUsed reverts to JKS and fails to load my custom
keystore type "GKS":

    // Switch to in-memory key store
    String provider = certificate.getCertificateKeystoreProvider();
    if (provider == null) {
        ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType());
    } else {
        ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType(), provider);
    }
    ksUsed.load(null, null); // --> throws unimplemented method

I am setting the provider type properly in java.security, which is also used
while loading the application.

Has anybody faced a similar problem?

Thanks,
Emil

Re: Switch to in-memory key store in tomcat 8.5.23 fails application to load

Posted by "Nitkalya Wiriyanuparb (Ing)" <de...@gmail.com>.
Emil,

On 15 Feb 2018, 8:52 PM +1300, Emil John <ek...@gmail.com>, wrote:

I had a similar problem, not quite the same but close enough. I ended up creating another key store type that wraps around my existing types. See my thread here: http://markmail.org/message/5vus3jpsp5secm44

Cheers,
Ing

Re: Switch to in-memory key store in tomcat 8.5.23 fails application to load

Posted by Mark Thomas <ma...@apache.org>.
On 15/02/18 07:52, Emil John wrote:

You should try 8.5.24 or later since there was a further change in
8.5.24 in this area.

You might want to talk to VMware support about the unimplemented method
as I'd expect any custom KeyStore to support that usage.

Mark
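A constructed illustration of the contract Mark's reply expects, added here and not taken from Tomcat or from the poster's GKS implementation: a minimal KeyStoreSpi whose load(null, null) succeeds, registered under the hypothetical type name "MEMGKS" and driven through the same getInstance/load sequence quoted from 8.5.23. It assumes Java 8 or later and a standard JCA provider registration.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
// Constructed example (not Tomcat's code, not the poster's GKS store): a KeyStoreSpi that
// accepts load(null, null), which Tomcat 8.5.23 calls on a fresh instance of the configured type.
public class MemKeyStoreDemo {
    public static final class MemKeyStoreSpi extends KeyStoreSpi {
        // alias -> chain; a trusted-certificate entry is a chain of length 1 with no key
        private final Map<String, Certificate[]> chains = new HashMap<>();
        private final Map<String, Key> keys = new HashMap<>();
        private final Date loadedAt = new Date();
        // A null stream means "initialise empty". Throwing here is what broke the poster's startup.
        @Override public void engineLoad(InputStream in, char[] pw) throws IOException { if (in != null) throw new IOException("memory-only store: cannot load from a stream"); }
        @Override public void engineStore(OutputStream out, char[] pw) throws IOException { throw new IOException("memory-only store: nothing to persist"); }
        @Override public Key engineGetKey(String a, char[] pw) { return keys.get(a); }
        @Override public Certificate[] engineGetCertificateChain(String a) { return chains.get(a); }
        @Override public Certificate engineGetCertificate(String a) { Certificate[] c = chains.get(a); return (c == null || c.length == 0) ? null : c[0]; }
        @Override public Date engineGetCreationDate(String a) { return chains.containsKey(a) ? loadedAt : null; }
        @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] c) { keys.put(a, k); chains.put(a, c == null ? new Certificate[0] : c); }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) throws KeyStoreException { throw new KeyStoreException("encoded key entries are not supported"); }
        @Override public void engineSetCertificateEntry(String a, Certificate c) { chains.put(a, new Certificate[]{c}); }
        @Override public void engineDeleteEntry(String a) { keys.remove(a); chains.remove(a); }
        @Override public Enumeration<String> engineAliases() { return Collections.enumeration(chains.keySet()); }
        @Override public boolean engineContainsAlias(String a) { return chains.containsKey(a); }
        @Override public int engineSize() { return chains.size(); }
        @Override public boolean engineIsKeyEntry(String a) { return keys.containsKey(a); }
        @Override public boolean engineIsCertificateEntry(String a) { return chains.containsKey(a) && !keys.containsKey(a); }
        @Override public String engineGetCertificateAlias(Certificate c) { for (String a : chains.keySet()) if (c.equals(engineGetCertificate(a))) return a; return null; }
    }
    // Provider exposing the SPI under the hypothetical keystore type name "MEMGKS".
    public static final class MemProvider extends Provider {
        MemProvider() { super("MemGksDemo", 1.0, "in-memory keystore demo"); put("KeyStore.MEMGKS", MemKeyStoreSpi.class.getName()); }
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new MemProvider());
        // Same sequence as the 8.5.23 snippet: new instance of the configured type, then load(null, null)
        KeyStore ksUsed = KeyStore.getInstance("MEMGKS");
        ksUsed.load(null, null);
        System.out.println("in-memory " + ksUsed.getType() + " ready, entries=" + ksUsed.size());
    }
}
```

A store that instead throws from engineLoad when the stream is null fails at exactly the ksUsed.load(null, null) line quoted in the original post, so this is the one method a custom type must handle before upgrading past 8.5.15.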
