tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arun John (arujohn)" <aruj...@cisco.com>
Subject RE: Possible issue with Tomcat 7.0.27 SSL keystore configuration
Date Fri, 06 Jul 2012 09:06:56 GMT
Found some issue in attaching a log file. So copying the stack trace I am getting


SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-7443"]
java.io.IOException: Cannot recover key
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
                at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:380)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
                at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
                at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
                at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
                at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
                at java.security.KeyStore.getKey(KeyStore.java:763)
                at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
                at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
                at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:576)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
                ... 19 more
Jul 6, 2012 2:28:11 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-7443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-7443]]
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:958)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
                ... 12 more
Caused by: java.io.IOException: Cannot recover key
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
                at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:380)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
                at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
                ... 13 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
                at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
                at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
                at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
                at java.security.KeyStore.getKey(KeyStore.java:763)
                at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
                at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
                at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:576)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)

Regards,
Arun

From: Arun John (arujohn) [mailto:arujohn@cisco.com]
Sent: Friday, July 06, 2012 2:35 PM
To: users@tomcat.apache.org
Subject: Possible issue with Tomcat 7.0.27 SSL keystore configuration

Hi Team,

I am currently facing an issue with SSL configuration in Tomcat 7.0.27. I have one keystore
with three private keys to be used by different components . The password I am using for the
keystore file is "changed". The requirement is such that I should be using three different
password for the three private keys I store in my keystore. I have configured my server.xml
to allow https connections, basically modified the connectors.

<Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"  keyAlias ="adminuicert" keystoreFile="bin/.keystore"
keystorePass="changed"/>

I am running into an issue here. When I configure different key passwords for my private keys
different from my keystore password I am running into an exception saying it cannot recover
the key. I have attached the catalina log.  I am not finding a way to provide the private
key password in the server.xml

When I googled, I found that in Tomcat 5.5 it was not possible and found the below bug. Not
sure whether the bug is fixed in latest release
https://issues.apache.org/bugzilla/show_bug.cgi?id=38217

It says that if any of the passphrase is different, it cannot recover the key. Also it says
that tomcat treats the keypass and keystorePass as the same. I also tried setting the adminuicert
keyAlias with the same password as the keystore. Even then it is not working.

Right now I am clueless on how to fix the issue. It would be of great help, if someone can
help me with a solution/workaround

Regards,
Arun

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message