tomcat-users mailing list archives

From Israr Ahmed <israr.ahme...@gmail.com>
Subject Re: Problem in configuring tomcat for PKCS 11 for HSM
Date Thu, 15 Oct 2009 09:40:57 GMT

Hi,

I've successfully configured apache-tomcat-6.0.18 with JRE 1.6.0_13 for
PKCS11 with the keystore on a smart card token, but failed to use the keystore
on an HSM, which in my case is an "Eracom PSO:PL50".

I've statically added a provider in the java.security file:

security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/pkcs11.cfg

pkcs11.cfg contains the following entries:

name = tokenName e.g. Token1
library = mypkcs11.dll
slot = 0

and my connector settings are:

<Connector port="4445"
           minSpareThreads="25"
           maxThreads="150"
           maxSpareThreads="75"
           maxHttpHeaderSize="8192"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           connectionTimeout="60000"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreType="PKCS11"
           keystorePass="password"
           ciphers="SSL_RSA_WITH_RC4_128_SHA"/>

These settings work fine with the PKCS11 smart card token, but when I try to use
them for the network HSM, the "Eracom PSO:PL50", I'm unable to communicate with
it. I applied the changes to the library and name properties in pkcs11.cfg for
the HSM.

I've also configured my connector like:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           protocols="TLSv1"
           algorithm="SunX509"
           keystore="NONE" keystoreType="PKCS11"
           keystoreProvider="SunPKCS11-HSMName" keystorePass="XXXXXXXXX"
/>

but still no progress.

I'm unable to find the solution. I'd be thankful if you could point out the
problematic area to me or suggest a way to resolve this problem.

Thanks in advance.

Regards,

Israr Ahmed



Tk, Pramod (NSN - IN/Bangalore) wrote:
> 
> Hello,
> 
> I have configured apache-tomcat-6.0.20 for PKCS11 to use the keystore
> present on an HSM (Hardware Security Module), which is an SCA6000 in my case.
> 
> My Connector looks like this 
> 
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                protocols="TLSv1"
>                algorithm="SunX509"
>                keystore="NONE" keystoreType="PKCS11"
>                keystoreProvider="SunPKCS11-SCA6000" keystorePass="XXXXXXXXX"
>     />
> 
> This works fine, taking a random certificate from the keystore.
> 
> But,
> 
> If I specify keyAlias="SpecificCerificate" in the Connector, I am
> getting the following Exception:
> 
> java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
> 	at com.sun.net.ssl.internal.ssl.SSLContextImpl.chooseKeyManager(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.SSLContextImpl.engineInit(Unknown Source)
> 	at javax.net.ssl.SSLContext.init(Unknown Source)
> 	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:416)
> 	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:131)
> 	at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
> 	at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
> 	at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
> 	at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
> 	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> 	at java.lang.reflect.Method.invoke(Unknown Source)
> 	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
> 	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> ----------------------------------------------------------------------------------
> Aug 11, 2009 11:33:12 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> java.io.IOException: FIPS mode: only SunJSSE KeyManagers may be used
> 	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:462)
> 	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:131)
> 	at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
> 	at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
> 	at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
> 	at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
> 	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> 	at java.lang.reflect.Method.invoke(Unknown Source)
> 	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
> 	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> Aug 11, 2009 11:33:12 PM org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException:  Protocol handler initialization failed:
> java.io.IOException: FIPS mode: only SunJSSE KeyManagers may be used
> 	at org.apache.catalina.connector.Connector.initialize(Connector.java:1060)
> 	at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
> 	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
> 	at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> 	at java.lang.reflect.Method.invoke(Unknown Source)
> 	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
> 	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> 
> 
> We have made JSSE FIPS compliant.
> Any help would be appreciated. 
> 
> 
> With Best Regards,
> Pramod TK
> 
> 

-- 
View this message in context: http://www.nabble.com/Problem-in-configuring-tomcat-for-PKCS-11-for-HSM-tp24930607p25905678.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
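An added stand-alone check, not code from either post, that loads the same pkcs11.cfg outside Tomcat on the JRE 1.6 line used in this thread: it prints the provider name that the Connector's keystoreProvider must match (SunPKCS11 registers as "SunPKCS11-" followed by the cfg's name value) and lists the token's private-key entries, which is what a keyAlias has to name. The class name, the PIN prompt and the exit codes are my assumptions; the sun.security.pkcs11.SunPKCS11(String) constructor is the JRE 6 API and was removed in later JDKs.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Hypothetical diagnostic: java Pkcs11Check /path/to/pkcs11.cfg
public class Pkcs11Check {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java Pkcs11Check <pkcs11.cfg>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("run from an interactive terminal so the PIN is not on the command line");
            System.exit(2);
        }
        char[] pin = console.readPassword("token PIN: ");

        // JRE 6: the provider is built straight from the cfg file, exactly as the
        // static security.provider.N line in java.security does at JVM start.
        Provider p = new sun.security.pkcs11.SunPKCS11(args[0]);
        Security.addProvider(p);
        // This is the string the Connector's keystoreProvider attribute has to carry.
        System.out.println("provider name : " + p.getName());

        // keystore="NONE" in the Connector is the same as load(null, pin) here:
        // there is no keystore file, the token itself is the keystore.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        java.util.Arrays.fill(pin, '\0');

        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean hasKey = ks.isKeyEntry(alias);
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName()
                    : "(no certificate)";
            System.out.println((hasKey ? "key  " : "cert ") + alias + "  " + subject);
            if (hasKey) keyEntries++;
        }
        if (keyEntries == 0) {
            System.err.println("no private-key entries: nothing a Connector keyAlias could select");
            System.exit(1);
        }
    }
}
```

If this prints the provider name and at least one key entry, the PKCS11 library and cfg are fine and the problem is on the Tomcat side; if it fails, the fault is in the library, slot or token settings before Tomcat is involved.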


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

