tomcat-users mailing list archives

From George Stanchev <Gstanc...@serena.com>
Subject RE: Tomcat 7.0.55 Not loading truststore or keystore
Date Tue, 01 Sep 2015 18:02:34 GMT
Hi Diarmuid,

We have run into a similar issue with client cert SSL. Is your 3rd party web service hosted on Windows/IIS?


George

-----Original Message-----
From: dmccrthy [mailto:dmccrthy@gmail.com] 
Sent: Tuesday, September 01, 2015 11:07 AM
To: Tomcat Users List
Subject: Tomcat 7.0.55 Not loading truststore or keystore

Hi All,

I am having trouble getting Tomcat to load a truststore and keystore.  This seems to be a
basic configuration issue but I can't figure out what the problem is. Any insights would be
gratefully received.

The scenario is:

* A 3rd party web application is deployed in Tomcat
* The 3rd party web application is making outbound HTTPS connections to a 3rd party web service
* Tomcat JVM parameters are configured with

   -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
   -Djavax.net.ssl.trustStorePassword=<snip>
   -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
   -Djavax.net.ssl.keyStorePassword=<snip>
   -Dhttps.protocols="TLSv1"
   -Djavax.net.debug=ALL

* Both truststore and keystore are JKS
* Mutual authentication is used for the SSL handshake
* There are no errors in the Tomcat logs to indicate a problem with the truststore and keystore
* The Tomcat logs show the server-side certificate being downloaded but do not report the
expected lines

  Found trusted certificate:
  matching alias: <client cert alias>

  Or for the keystore, I am expecting to see a log that it is loading the keystore (example
below), but there is no sign that the keystore is being loaded. I got the log extract below
from a standalone java client which successfully connects using MA to the remote service.

  keyStore is : c:\temp\DWCHASSMESA002.pfx
  keyStore type is : PKCS12
  keyStore provider is :
  init keystore
  init keymanager of type SunX509

  ***
  found key for : dwchassmesa002
  chain [0] = [

* The Tomcat logs show that the SSL handshake gets as far as the ClientKeyExchange, but there
is no client certificate sent and the handshake terminates with "Software caused connection
abort: recv failed".
On DataPower the error is that the client is not sending the certificate.

<snip>
http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<Empty>

[read] MD5 and SHA1 hashes:  len = 9
0000: 0D 00 00 05 02 01 02 00   00                       .........
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[write] MD5 and SHA1 hashes:  len = 269

<snip>
http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269
[Raw write]: length = 274
0000: 16 03 01 01 0D 0B 00 00   03 00 00 00 10 00 01 02  ................
<snip>

0110: 2E 32                                              .2
SESSION KEYGEN:
PreMaster Secret:
<snip>

http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48
http-bio-8080-exec-2, waiting for close_notify or alert: state 1
http-bio-8080-exec-2, Exception while waiting for close
java.net.SocketException: Software caused connection abort: recv failed
http-bio-8080-exec-2, handling exception: java.net.SocketException: Software caused connection abort: recv failed
%% Invalidated:  [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA]
http-bio-8080-exec-2, called close()
http-bio-8080-exec-2, called closeInternal(true)
http-bio-8080-exec-2, called closeSocket(

We are using the software below on the client environment:

* Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
* Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
* JCE Unlimited Security: No
* Apache Tomcat/7.0.55
* Microsoft Windows Server 2008 R2 Enterprise 64-bit

Analysis Steps
==============

1) Openssl with MA parameters connects with no errors

openssl s_client -tls1 -connect server-dns-name:15305 -CAfile server-cert-with-intermediate-and-root-in-one-file.cer
-cert client-public-key.cer -key client-private-key.key -pass pass:client-private-key-password

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
    Session-ID-ctx:
    Master-Key:
89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1441125595
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

2) A standalone Java program with a couple of lines to open a HTTPS connection to the 3rd
party certificate works.  This uses the same truststore and keystore
3) SoapUI works using the same truststore and keystore
4) Our 3rd party vendor can connect
5) I have googled various phrases like "Tomcat JVM not loading truststore".  There are hundreds
of examples involving HTTPS connectors and/or configuration errors.  However we are not using
server-side connectors and I can't see anything wrong with the configuration.  The only potential
hit I found for a defect was in Tomcat 6 http://tomcat.10.x6.nabble.com/configured-truststore-ignored-by-tomcat-td4986884.html

6) I tried installing a HTTPS connector in our Tomcat client instance.
This then shows that the truststore is being loaded, but it is not used by the outbound HTTPS
client connections

7) Tried playing with the format of the file paths by adding double quotes, changing the path
separator to forward or backslash, moving the location of the files. But this didn't make
any difference.

  "d:\Tomcat_ENV1\DWCHASSMESA002_keystore.jks"
  d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
  d:/Tomcat_ENV1/DWCHASSMESA002_keystore.jks

Thanks,
Diarmuid
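To see from inside the JVM which keystore the -Djavax.net.ssl.keyStore* flags actually select, and whether the default key manager would answer the CertificateRequest shown in the log above, here is an added diagnostic that is not part of the thread; the class name KeyStoreCheck and the idea of launching it with the same JVM flags as Tomcat are my assumptions:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Loads the keystore named by the same -Djavax.net.ssl.keyStore* properties the
// post passes to Tomcat, then asks the default (SunX509) key manager which alias
// it would present for the CertificateRequest in the post's debug log
// ("Cert Types: RSA, DSS", "Cert Authorities: <Empty>"). Launch it with the
// Tomcat JVM's flags; if it prints "NOT set", the flags never reach that JVM.
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String pass = System.getProperty("javax.net.ssl.keyStorePassword", "");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        if (path == null) {
            System.out.println("javax.net.ssl.keyStore is NOT set in this JVM");
            return;
        }
        System.out.println("keyStore is : " + path + " (type " + type + ")");

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());   // a bad path or wrong password fails here, loudly
        }
        // Only entries that carry a private key can be offered as a client certificate.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias " + alias + " : "
                    + (ks.isKeyEntry(alias) ? "private key entry" : "trusted cert only"));
        }

        // SunX509 unlocks every key with the keystore password; a key protected by a
        // different password makes init() throw UnrecoverableKeyException.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass.toCharArray());
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // JSSE maps the request's rsa_sign/dss_sign types to key algorithms "RSA"/"DSA";
        // issuers is null because the server sent an empty Cert Authorities list.
        String chosen = km.chooseClientAlias(new String[] {"RSA", "DSA"}, null, null);
        System.out.println("alias chosen for CertificateRequest: " + chosen);
        if (chosen != null) {
            System.out.println("chain [0] subject = "
                    + km.getCertificateChain(chosen)[0].getSubjectX500Principal());
        }
    }
}
```

If this prints an alias but Tomcat still sends an empty Certificate chain, the webapp is most likely building its own SSLContext rather than using the JVM defaults, which is a different place to look than the system properties.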
