I try to configure SSL into my new project. I do it for the first time and i got some problems.
Some items to the projects:
A part of my server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/PATHTO/src/main/resources/keystore.p12"
keystorePass="STOREPASS" clientAuth="false" sslProtocol="TLS" />
A part of my application.properties:
spring.profiles.active=https
server.port=8443
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=STOREPASS
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat
The command that i use to generate the keystore:
keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
And the keystore.p12 is in the same folder like the application.properties.
The error of the console:
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:437)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:336)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:594)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:534)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:732)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Has someone any ideas?
Thanks.
Cheers.
To elaborate on EJP's answer and detail to Mick Mnemonic that this is not entirely correct.
OP did not set that in the server.xml rather the application.properties
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/PATHTO/src/main/resources/keystore.p12"
keystorePass="STOREPASS" clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS12" />
You will note that on the last line of the "Connector" element I have added keystoreType="PKCS12" to allow the connector to correctly load the file.
Your stack trace is a dead give away on this one.
You need to specify keyStoreType, as the format is PKCS12, not JKS.
Related
I have tomcat 10.0.18 on macOS (via homebrew)
In my server.xml I have
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<hostName>test</hostName>
<protocols>TLSv1.2</protocols>
<certificateVerification>required</certificateVerification>
<Certificate>
<caCertificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12</caCertificateFile>
<certificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12</certificateFile>
<certificateKeyPassword>egeria</certificateKeyPassword>
</Certificate>
</SSLHostConfig>
</Connector>
However when I start & connect I see an error:
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-jsse-nio2-8443"] connector has been configured to
support negotiation to [h2] via ALPN
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio2-8443"]
30-Mar-2022 09:51:21.162 WARNING [main] org.apache.tomcat.util.net.Nio2Endpoint.shutdownExecutor The executor associated with thread pool [https-jsse-nio2-8443] has not ful
ly shutdown. Some application threads may still be running.
30-Mar-2022 09:51:21.163 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Htt
p11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1055)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
at java.base/java.lang.reflect.Method.invoke(Method.java:577)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:132)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1192)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1205)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:580)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1052)
... 11 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:310)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 18 more
30-Mar-2022 09:51:21.164 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [13255] milliseconds
Yes as best I can see, I do have the value assigned.
Background -- just testing some mutual SSL config for our open-source project with some self-signed certs I generated. We use springboot server-side, a variety of java, python, go, node etc client-side -- but for debugging/understanding I'm just trying base tomcat, with curl/httpie clients
The .p12 files above should contain the right combination of certs/keys, but this is the area I'm exploring. I can adapt, use individual PEMs, try a chain via a directory.. but this first issue seems more about the basics of defining a config and is what I'm trying to understand - being fairly new to tomcat.
I figured it out - so will answer my own question for the benefit of future readers.
The parsing issue was down to format. I'm so used to editing other XML files such as maven, where the above format I tried is typical. tomcat was new to me, so I realised it needs to be:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig hostName="test" protocols="TLSv1.2" certificateVerification="required">
<Certificate
caCertificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12"
certificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12"
certificateKeyPassword="egeria"
/>
</SSLHostConfig>
</Connector>
I now get other exceptions - but that is specific to the certs, something I'm debugging. I share this to answer the question specifically on why the properties could not be found.
I am working with an SSL certificate in Apache tomcat. I have created CSR and got a JKS file. Then when I have given the CSR to certificate authority, then they have given me the certificate. When I have tested the JKS certificate using the following command,
keytool -list -keystore ava_bankasia-bd_com.jks
I have got the following output:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Jun 22, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 7F:F3:C5:60:D1:E6:E5:04:2A:E8:2E:D1:D7:1A:92:DE:39:47:75:BD:06:25:0D:D0:CB:C0:55:BA:D6:2B:28:E9
Then I have configured the tomcat with the following code:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/u01/csr_certificate/ava_bankasia-bd_com.jks"
keystorePass="-------"
keyAlias="tomcat" />
I have imported them all into the Keystore ok (but obviously not!) but the error I'm getting from Tomcat is: 'java.io.IOException Alias name does not identify a key entry. The full error is as follows:
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1076)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:846)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
Caused by: java.lang.IllegalArgumentException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:247)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1143)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
... 13 more
Caused by: java.io.IOException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:336)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
... 20 more
Any ideas? This is the first time I've done this so maybe I've messed up something blindingly obvious?
The site works fine on port 80.
Would LOVE to hear some suggestions :)
Am facing following issue while working with openSSL.
Below are the server details:
Tomcat : 8.5.43
Ubuntu: 18.
JVM: 1.8.0_221-b11
Apache Tomcat Native library: 1.2.23
APR Version: 1.7.0
Open SSL : 1.1.1
Below is our Connector configuration:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
scheme="https"
secure="true"
SSLEnabled="true"
acceptCount="100"
connectionTimeout="20000"
SSLCertificateFile="certificate/server.crt"
SSLCertificateKeyFile="certificate/servercertkey.pem"
SSLVerifyClient="optional"
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
SSLCipherSuite="RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5">
</Connector>
Am getting following error:
29-Jul-2019 12:56:48.856 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit> Failed getting cipher list
java.lang.Exception: Not implemented
at org.apache.tomcat.jni.SSL.newSSL(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:77)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:54)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:92)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:82)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:42)
at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:397)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1118)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
29-Jul-2019 12:56:48.941 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [certificate/server.crt] or its private key [certificate/servercertkey.pem] could not be processed using a JSSE key manager and will be given directly to OpenSSL
29-Jul-2019 12:56:48.963 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1037 ms
What am doing wrong? Any pointers would help.
Thank you in advance.
I have an application running in Eclipse, works fine, connect and get a response from webservice that needs a certificate.
But when I deploy and run in Tomcat, I got a error of valid certification:
java.lang.Exception
Message
; nested exception is: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
In my tomcat:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="webapps/.keystore" keystorePass="123456"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />
and in my application, I have another keystore to webservice:
System.setProperty("javax.net.ssl.keyStore", SIC.jks);
System.setProperty("javax.net.ssl.keyStore", keyStore);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
I tried import certificate to cacerts from keytool and nothing...
I don't have any one idea and my time is over in my job...What can I do to resolve that?
I tried everything I guess...works at Eclipse but on deploy tomcat, I got that error above.
Two suggestions
1. Specify the entire path for the keystoreFile. Eg /opt/webapps/.keystore
2. Do not use special characters "#" in the password.
I have created a certificate in my system using this command:
keytool -export -file test.cert -keystore test -storepass 123456 -alias sriram
Ans: Certificate stored in file <test.cert>.
I have imported this certificate in cacerts of new system using the command :
keytool -importcert -trustcacerts -file "path-to-public-cert" -keystore JAVA_HOME/jre/lib/security/cacerts".
The output is something like this:Trust this certificate? [no]: yes Certificate was added to keystore.
But still I am getting the link error when I run my jar file in new system...Where I went wrong??
Try to read the Apache Tomcat SSL Configuration How-To.
In Edit the Tomcat Configuration File paragraph it explain that you can had the keystoreFile attribute to the connector configuration.
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>