Return-Path: 
 <users-return-200281-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 79116 invoked from network); 12 Aug 2009 06:10:23 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 12 Aug 2009 06:10:23 -0000
Received: (qmail 93423 invoked by uid 500); 12 Aug 2009 06:10:26 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 93334 invoked by uid 500); 12 Aug 2009 06:10:26 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 93323 invoked by uid 99); 12 Aug 2009 06:10:26 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Aug 2009 06:10:26 +0000
X-ASF-Spam-Status: No, hits=2.2 required=10.0
	tests=HTML_MESSAGE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [217.115.75.234] (HELO demumfd002.nsn-inter.net)
 (217.115.75.234)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Aug 2009 06:10:16 +0000
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55])
	by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id
 n7C69trV009727
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
	for <users@tomcat.apache.org>; Wed, 12 Aug 2009 08:09:55 +0200
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net
 [10.150.128.36])
	by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id
 n7C69sHU019777
	for <users@tomcat.apache.org>; Wed, 12 Aug 2009 08:09:54 +0200
Received: from SGSIEXC009.nsn-intra.net ([10.159.224.93]) by
 demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959);
	 Wed, 12 Aug 2009 08:09:53 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01CA1B13.06AC2762"
Subject: Problem in configuring tomcat for PKCS 11 for HSM
Date: Wed, 12 Aug 2009 14:06:28 +0800
Message-ID: <81F0D26FAAF7C24F8D4E7C015316E5277F9A5D@SGSIEXC009.nsn-intra.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Problem in configuring tomcat for PKCS 11 for HSM
Thread-Index: AcobEwghuSY3jva1TrOOcgGaVkcezg==
From: "Tk, Pramod (NSN - IN/Bangalore)" <pramod.tk@nsn.com>
To: <users@tomcat.apache.org>
X-OriginalArrivalTime: 12 Aug 2009 06:09:53.0450 (UTC)
 FILETIME=[821938A0:01CA1B13]
X-Virus-Checked: Checked by ClamAV on apache.org

------_=_NextPart_001_01CA1B13.06AC2762
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello,

I have configured apache-tomcat-6.0.20 for PKCS11 to use the keystore
present on HSM(Hardware security Module) which is SCA6000 in my case.=20

My Connector looks like this=20

    <Connector port=3D"443" protocol=3D"HTTP/1.1" SSLEnabled=3D"true"
               maxThreads=3D"150" scheme=3D"https" secure=3D"true"
			   clientAuth=3D"false" sslProtocol=3D"TLS"
protocols=3D"TLSv1"=20
			   algorithm=3D"SunX509" 		=09
    		   keystore=3D"NONE" keystoreType=3D"PKCS11"
keystoreProvider=3D"SunPKCS11-SCA6000" keystorePass=3D"XXXXXXXXX"
    />

This works fine by taking the a random certificate from the keystore.

But,

If I specify the keyAlias =3D "SpecificCerificate" , in the Connector I =
am
getting the folling Exception

java.security.KeyManagementException: FIPS mode: only SunJSSE
KeyManagers may be used
	at
com.sun.net.ssl.internal.ssl.SSLContextImpl.chooseKeyManager(Unknown
Source)
	at
com.sun.net.ssl.internal.ssl.SSLContextImpl.engineInit(Unknown Source)
	at javax.net.ssl.SSLContext.init(Unknown Source)
	at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory
.java:416)
	at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocke
tFactory.java:131)
	at
org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
	at
org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
	at
org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
	at
org.apache.catalina.core.StandardService.initialize(StandardService.java
:677)
	at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:7
95)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown
Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
	at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
------------------------------------------------------------------------
----------
Aug 11, 2009 11:33:12 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: FIPS mode: only SunJSSE KeyManagers may be used
	at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory
.java:462)
	at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocke
tFactory.java:131)
	at
org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
	at
org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
	at
org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
	at
org.apache.catalina.core.StandardService.initialize(StandardService.java
:677)
	at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:7
95)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown
Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
	at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Aug 11, 2009 11:33:12 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException:  Protocol handler initialization failed:
java.io.IOException: FIPS mode: only SunJSSE KeyManagers may be used
	at
org.apache.catalina.connector.Connector.initialize(Connector.java:1060)
	at
org.apache.catalina.core.StandardService.initialize(StandardService.java
:677)
	at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:7
95)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown
Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
	at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)


We have made JSSE FIPS compaliant.
Any help would be appreciated.=20


With Best Regards,
Pramod TK

------_=_NextPart_001_01CA1B13.06AC2762--