tomcat-users mailing list archives

From Estanislao Gonzalez <estanislao.gonza...@zmaw.de>
Subject truststoreFile problem 6.0.26
Date Wed, 11 Aug 2010 13:27:08 GMT
Hi *,
I'm having a problem with the connector parameter truststoreFile as it 
is being read but not used when accessing through SSL.

While running normally I get:

FINE: Creating name for connector Catalina:type=Connector,port=443
Aug 11, 2010 1:20:48 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
...
found key for : tomcat
chain [0] = [
...
]
***
...
adding as trusted cert:
  Subject: CN=albedo2.dkrz.de, OU=WDCC, O=DKRZ, L=Hamburg, C=DE
  Issuer:  CN=albedo2.dkrz.de, OU=WDCC, O=DKRZ, L=Hamburg, C=DE
  Algorithm: RSA; Serial number: 0x4c627346
  Valid from Wed Aug 11 11:54:14 CEST 2010 until Tue Nov 09 10:54:14 CET 2010
...

Ok, everything's fine (that's my cert). But when trying to access over SSL:

...
init keystore
init keymanager of type SunX509
trustStore is: No File Available, using empty keystore.
trustStore type is : jks
trustStore provider is :
...
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=albedo2.dkrz.de, OU=WDCC, O=DKRZ, L=Hamburg, C=DE
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
....
***
http-80-1, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
http-80-1, SEND TLSv1 ALERT:  fatal, description = internal_error
http-80-1, WRITE: TLSv1 Alert, length = 2
http-80-1, called closeSocket()
http-80-1, called close()
http-80-1, called closeInternal(true)

Note: I've moved the default Java jssecacerts and cacerts files to be 
sure they are not loaded. Otherwise this step was previously accessing 
those certs.

Launching tomcat with 
-Djavax.net.ssl.trustStore=/usr/local/tomcat/conf/jssecacerts I have no 
problem:
...
init keystore
init keymanager of type SunX509
trustStore is: /usr/local/tomcat/conf/jssecacerts
trustStore type is : jks
trustStore provider is :
init truststore
...


If I use a non existing file for the truststoreFile parameter I get:

FINE: Creating name for connector Catalina:type=Connector,port=443
Aug 11, 2010 2:45:53 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JKS with path /usr/local/tomcat/conf/jssecacerts2 due to /usr/local/tomcat/conf/jssecacerts2 (No such file or directory)
java.io.FileNotFoundException: /usr/local/tomcat/conf/jssecacerts2 (No such file or directory)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:106)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:347)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:320)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:513)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:419)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:276)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.commons.daemon.support.DaemonLoader.load(DaemonLoader.java:160)
Aug 11, 2010 2:45:53 PM org.apache.coyote.http11.Http11Protocol init


So I'm pretty sure that the file is valid and can be found. The problem 
might be triggered while redirecting the connector from port 80 to the 
secure one. Any idea?

I know you might need a lot more information (if this is indeed a bug). 
Just tell me and I'll provide :-)

Some info though:
apache-tomcat-6.0.26
jdk1.6.0_20

LSB Version:    :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Release:        5.5
Codename:       Tikanga

Thanks,
Estani
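The failure the post shows ("trustStore is: No File Available, using empty keystore" followed by "the trustAnchors parameter must be non-empty") is what JSSE's PKIX validator produces when the trust manager it was handed holds no trusted-certificate entries. A quick way to check, independently of Tomcat, whether the file named in truststoreFile actually loads and contains trust anchors is the small preflight below. It is an added example, not code from the original message or from Tomcat; it assumes the truststore path is passed as the first argument (for instance /usr/local/tomcat/conf/jssecacerts from the post) and takes the store password as an optional second argument, with "changeit" as a placeholder default.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Truststore preflight (added example, not part of the original post or of Tomcat).
 * Loads the JKS file a connector's truststoreFile points at, lists its trusted
 * certificate entries, and feeds them to PKIXBuilderParameters the way the JSSE
 * validator does, so an empty store fails here instead of at the first handshake.
 */
public class TruststorePreflight {

    /** Loads a keystore from disk; a null path yields an empty in-memory store
     *  (the "No File Available, using empty keystore" case from the log). */
    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (path == null) {
            ks.load(null, null);            // empty keystore, no trust anchors at all
            return ks;
        }
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);          // FileNotFoundException if the path is wrong
        }
        return ks;
    }

    /** Collects every trusted-certificate entry as a PKIX trust anchor and prints its subject. */
    static Set<TrustAnchor> trustAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                anchors.add(new TrustAnchor(cert, null));
                System.out.println("trusted cert: " + alias + " -> " + cert.getSubjectX500Principal());
            }
        }
        return anchors;
    }

    /** Builds PKIX parameters from the anchors; an empty set is rejected with the
     *  same InvalidAlgorithmParameterException message seen in the thread. */
    static boolean anchorsUsable(Set<TrustAnchor> anchors) {
        try {
            new PKIXBuilderParameters(anchors, null);
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIX parameters rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : null;                        // truststore path
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();    // placeholder password
        // Shows whether a JVM-wide truststore (the -D workaround in the post) is in effect.
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));

        KeyStore ks = load(path, pw, "JKS");
        Set<TrustAnchor> anchors = trustAnchors(ks);
        System.out.println(anchors.size() + " trust anchor(s) in " + (path == null ? "<empty store>" : path));

        // Same store handed to a TrustManagerFactory, as a connector would do; the
        // accepted-issuer count must match the anchor count above.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                int n = ((X509TrustManager) tm).getAcceptedIssuers().length;
                System.out.println("trust manager accepts " + n + " issuer(s)");
            }
        }
        System.exit(anchorsUsable(anchors) ? 0 : 1);
    }
}
```

Running it with no argument reproduces the empty-store rejection; running it against the connector's truststoreFile should list the expected issuer (the CN=albedo2.dkrz.de self-signed certificate in the post) and exit 0. If it does, the file itself is sound and the question becomes which truststore the SSL connector is actually handed at handshake time, which is where the post's -Djavax.net.ssl.trustStore observation points.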

