tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37530] New: - IOException on startup when a "keyAlias" attribute is specified
Date Wed, 16 Nov 2005 18:16:42 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37530>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37530

           Summary: IOException on startup when a "keyAlias" attribute is
                    specified
           Product: Tomcat 5
           Version: 5.5.9
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: ErrorMessage
          Severity: normal
          Priority: P3
         Component: Connector:HTTP
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jbusser@tribune.com


Using this connector definition:

    <!-- Define a SSL HTTP/1.1 Connector on port 7403 -->
    <Connector port="7403" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" keystoreFile="conf/keystore" 
               keystorePass="XXXXXX" truststoreFile="conf/keystore" 
               keyAlias="certificate.qa" />

Tomcat throws this exception upon startup.

Nov 16, 2005 9:07:18 AM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start: 
LifecycleException:  Protocol handler start failed: java.io.IOException: Alias name certificate.qa does not identify a key entry
        at org.apache.catalina.connector.Connector.start(Connector.java:1003)
        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
        
Yet a keytool -list shows that the alias specified is, indeed, valid:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

   certificate, Nov 1, 2005, keyEntry,
   Certificate fingerprint (MD5): 65:5B:79:54:E5:83:D0:81:9D:AD:F9:C1:5C:65:BF:3D
   ipgrootca, Nov 1, 2005, trustedCertEntry,
   Certificate fingerprint (MD5): 49:5A:FC:06:6B:04:7C:F7:96:6F:90:1C:E1:91:79:77
   certificate.prod, Nov 11, 2005, keyEntry,
   Certificate fingerprint (MD5): 3C:9E:3D:30:B0:7E:65:B1:A2:0E:8C:0A:22:E4:FA:69
   certificate.dev, Nov 1, 2005, keyEntry,
   Certificate fingerprint (MD5): 84:31:D2:DF:1C:28:D6:81:43:1A:D9:57:47:6E:67:AB
   zap2itlabsca, Nov 1, 2005, trustedCertEntry,
   Certificate fingerprint (MD5): C3:E3:EE:9D:6C:5C:DF:E3:F9:94:8B:9B:5E:C5:58:16
>> certificate.qa, Nov 11, 2005, keyEntry,
>> Certificate fingerprint (MD5): 8A:EF:CF:2C:B6:D8:B5:4D:AB:40:0A:C6:9B:9F:E6:FC


The problem is at line 142 of the file JSSE14SocketFactory.java:

        if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
            throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
        }

I don't believe that isKeyEntry() is the correct test in this case. I changed line 142 to read:

        if (keyAlias != null && !ks.containsAlias(keyAlias)) {
            throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
        }

And compiled a new tomcat-util.jar. My tomcat instance started and selected the proper
certificate.
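
The difference between the two `KeyStore` calls quoted in the report, as an added example (not part of the original message and not Tomcat's code): `containsAlias()` is true for any entry type, while `isKeyEntry()` is true only for entries that hold a key. The class name, the `KEYSTORE_PASS` environment variable and the `demo.*` aliases are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import javax.crypto.spec.SecretKeySpec;

public class KeyAliasCheck {
    enum Kind { MISSING, KEY_ENTRY, CERT_ONLY }

    // containsAlias() matches every entry type, including trustedCertEntry;
    // isKeyEntry() matches only entries that hold a key.
    static Kind classify(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) return Kind.MISSING;
        return ks.isKeyEntry(alias) ? Kind.KEY_ENTRY : Kind.CERT_ONLY;
    }

    // Constructed in-memory keystore. JCEKS is used so that a SecretKey can
    // stand in for a private key; aliases and contents are made up.
    static KeyStore demoStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setKeyEntry("demo.key", new SecretKeySpec(new byte[16], "AES"),
                "changeit".toCharArray(), null);
        ks.setCertificateEntry("demo.ca", new Certificate("X.509") { // stub cert
            public byte[] getEncoded() { return new byte[0]; }
            public void verify(PublicKey k) { }
            public void verify(PublicKey k, String provider) { }
            public String toString() { return "constructed stub certificate"; }
            public PublicKey getPublicKey() { return null; }
        });
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) { // usage: KeyAliasCheck <keystoreFile> <keyAlias>
            String pw = System.getenv("KEYSTORE_PASS"); // assumed variable name
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, pw == null ? null : pw.toCharArray());
            }
            System.out.println(args[1] + " -> " + classify(ks, args[1]));
            return;
        }
        KeyStore demo = demoStore();
        for (String alias : new String[] { "demo.key", "demo.ca", "demo.absent" })
            System.out.println(alias + " -> " + classify(demo, alias));
    }
}
```

Run without arguments it classifies the constructed entries; run with a keystore path and an alias it reports how that alias is stored. If `KEYSTORE_PASS` is unset, the keystore is loaded without an integrity check.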
