tomcat-users mailing list archives

From Balakrishna Kudaravalli <bkuda...@cisco.com>
Subject Re: Solved !!! java.io.IOexception with pkcs12 keystore
Date Sun, 04 May 2003 17:04:07 GMT
Hi All,

Thank you for your advice and info. I was able to get past the 
java.io.IOException error while starting Tomcat 4.1.24 with pkcs12 keystore.

It turned out that in java_home 4.1 > jre > lib >security > java.security 
the default keystore.type was set to JKS. Since I was using pkcs12 keystore 
format,  I just had to change JKS to pkcs12 and it worked.

Regards,
-Bala


At 08:34 AM 4/29/2003 -0400, Mark W. Webb wrote:
>I have seen something close to this, and found that it was an error with 
>tomcat-jk2.jar.  There is a bug in the jar file.
>
>Balakrishna Kudaravalli wrote:
>
>>Hi Bill,
>>
>>Thanks for your reply. I followed your instructions on setting up pkcs12 
>>keystore (contains server & CA certs) attributes. After the changes, 
>>Tomcat 4.1.24 does not start up. I get the following error in my logs: 
>>Would appreciate if anyone could let me know why I am getting the 
>>following error
>>
>>INFO: Initializing Coyote HTTP/1.1 on port 4040
>>Apr 28, 2003 8:28:40 AM org.apache.coyote.http11.Http11Protocol init
>>SEVERE: Error initializing endpoint
>>java.io.IOException: DerInputStream.getLength(): lengthTag=105, too big.
>>         at sun.security.util.DerInputStream.getLength(DerInputStream.java:502)
>>         at sun.security.util.DerValue.init(DerValue.java:333)
>>         at sun.security.util.DerValue.<init>(DerValue.java:289)
>>         at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(DashoA6275)
>>         at java.security.KeyStore.load(KeyStore.java:652)
>>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.initKeyStore(JSSESocketFactory.java:271)
>>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.initProxy(JSSESocketFactory.java:193)
>>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:127)
>>         at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:275)
>>         at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:150)
>>         at org.apache.coyote.tomcat4.CoyoteConnector.initialize(CoyoteConnector.java:1117)
>>         at org.apache.catalina.core.StandardService.initialize(StandardService.java:579)
>>         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2246)
>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:511)
>>         at org.apache.catalina.startup.Catalina.execute(Catalina.java:400)
>>         at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>         at java.lang.reflect.Method.invoke(Method.java:324)
>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
>>Catalina.start: LifecycleException:  Protocol handler initialization failed: java.io.IOException: DerInputStream.getLength(): lengthTag=105, too big.
>>LifecycleException:  Protocol handler initialization failed: java.io.IOException: DerInputStream.getLength(): lengthTag=105, too big.
>>         at org.apache.coyote.tomcat4.CoyoteConnector.initialize(CoyoteConnector.java:1119)
>>         at org.apache.catalina.core.StandardService.initialize(StandardService.java:579)
>>         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2246)
>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:511)
>>         at org.apache.catalina.startup.Catalina.execute(Catalina.java:400)
>>         at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>         at java.lang.reflect.Method.invoke(Method.java:324)
>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
>>Catalina.stop: LifecycleException:  This server has not yet been started
>>LifecycleException:  This server has not yet been started
>>         at org.apache.catalina.core.StandardServer.stop(StandardServer.java:2213)
>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:543)
>>         at org.apache.catalina.startup.Catalina.execute(Catalina.java:400)
>>         at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>         at java.lang.reflect.Method.invoke(Method.java:324)
>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
>>
>>Thank you,
>>-Bala
>>
>>
>>At 09:56 PM 4/24/2003 -0700, Bill Barker wrote:
>>
>>>The pkcs12 file *is* your keystore.  On the <Factory> tag in server.xml, set
>>>the keystoreFile attribute to point to your pkcs12 file, and set the
>>>keystoreType="pkcs12" attribute as well.
>>>
>>>At least with Sun's implementation, the pkcs12 keystore support is limited.
>>>It works fine for me if I just have the server-cert in the pkcs12 file.  If
>>>I include the signers in an OpenSSL pkcs12 file, it has problems.  The
>>>obvious work-around is to import the signers into the cacerts, and strip
>>>them from the pkcs12 file.
>>>
>>>"Balakrishna Kudaravalli" <bkudarav@cisco.com> wrote in message
>>>news:4.3.2.7.2.20030424120548.02577b70@wells.cisco.com...
>>> > Hi All,
>>> >
>>> > I am re-posting this mail. Could anyone please help me.
>>> >
>>> > Thanks,
>>> > -Bala
>>> >
>>> >
>>> > Hi Mark,
>>> >
>>> > Could you please let me know the command I need to use to import a pkcs12
>>> > server cert into a keystore (assuming I need to create a new keystore). Do
>>> > I need to have only a server cert in the keystore or both server & CA certs
>>> > to enable SSL on Tomcat.
>>> >
>>> > Thanks for all your help.
>>> >
>>> > Regards,
>>> > -Bala
>>> >
>>> >
>>> > At 07:03 AM 4/24/2003 -0400, you wrote:
>>> > >you should be able to use PKCS12.  Just change the keystore type from JKS
>>> > >(default) to PKCS12.
>>> > >
>>> > >Balakrishna Kudaravalli wrote:
>>> > >
>>> > >>Hi All,
>>> > >>
>>> > >>Issue: Enabling SSL for Tomcat 4.1.24
>>> > >>
>>> > >>1. I have created a cert using keytool -genkey -alias tomcat -keyalg
>>> > >>RSA  and have given a password "changeit" (default)
>>> > >>2. Uncommented SSL coyote HTTP/1.1 connector in server.xml. Since the
>>> > >>Keystore is at a default loc, I have not given a keystoreFile attribute
>>> > >>3. On starting up Tomcat, HTTPS works fine
>>> > >>
>>> > >>Issue:
>>> > >>4. Now, I need to replace the default cert with the certs provided by our
>>> > >>internal folks. How do I do that ? the certs provided to me are in pkcs
>>> > >>12 format:
>>> > >>
>>> > >>5. Should I convert the pkcs12 certs into x509 ?
>>> > >>
>>> > >>6. What certs should I import into the keystore (server, client, ca) ?
>>> > >>
>>> > >>Your help would be greatly appreciated.
>>> > >>
>>> > >>Thank you,
>>> > >>-Bala
>>> > >>
>>> > >
>>> > >
>>> > >
>>> > >---------------------------------------------------------------------
>>> > >To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>> > >For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
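
The keystore type mismatch discussed in this thread can be checked before Tomcat is started. The following Java program is an added example, not code from the thread or from Tomcat: it identifies a keystore's container format from its leading bytes, compares it with the JVM default taken from `keystore.type` in `java.security`, and loads the store with the type named explicitly. The class name, the in-memory sample keystores and the password are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

public class KeystoreTypeCheck {
    // Guess the container format from the first bytes of the file.
    static String sniff(byte[] b) {
        if (b.length >= 4) {
            int magic = ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16)
                      | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
            if (magic == 0xFEEDFEED) return "JKS";    // JKS magic number
            if (magic == 0xCECECECE) return "JCEKS";  // JCEKS magic number
        }
        if (b.length >= 10 && new String(b, 0, 10, StandardCharsets.US_ASCII)
                .equals("-----BEGIN")) return "PEM";  // PEM text, not a keystore
        if (b.length >= 1 && b[0] == 0x30) return "PKCS12"; // DER SEQUENCE (PFX)
        return "unknown";
    }

    // Constructed sample input: an empty keystore of the given type, in memory.
    static byte[] sample(String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, pw);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();          // sample password
        String jvmDefault = KeyStore.getDefaultType(); // keystore.type in java.security
        for (String type : new String[] {"JKS", "PKCS12"}) {
            byte[] bytes = sample(type, pw);
            String detected = sniff(bytes);
            System.out.printf("file=%s detected=%s jvmDefault=%s%s%n", type, detected,
                jvmDefault, detected.equalsIgnoreCase(jvmDefault) ? "" : "  <- mismatch");
            // Load with the detected type named explicitly, not the JVM-wide default.
            KeyStore ks = KeyStore.getInstance(detected);
            ks.load(new ByteArrayInputStream(bytes), pw);
            System.out.println("  loaded as " + ks.getType() + ", entries=" + ks.size());
        }
    }
}
```

Naming the type per connector with the `keystoreType` attribute mentioned in the thread keeps the change local to Tomcat, whereas editing `keystore.type` in `java.security` changes the default for every application that runs on that JRE.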