Hi All,
I am having trouble getting Tomcat to load a truststore and keystore. This
seems to be a basic configuration issue but I can't figure out what the
problem is. Any insights would be gratefully received.
The scenario is:
* A 3rd party web application is deployed in Tomcat
* The 3rrd party web application is making outbound HTTPS connections to a
3rd party web service
* Tomcat JVM parameters are configured with
-Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
-Djavax.net.ssl.trustStorePassword=<snip>
-Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
-Djavax.net.ssl.keyStorePassword=<snip>
-Dhttps.protocols="TLSv1"
-Djavax.net.debug=ALL
* Both truststore and keystore are JKS
* Mutual authentication is used for the SSL handshake
* There are no errors in the Tomcat logs to indicate a problem with the
truststore and keystore
* The Tomcat logs show the server-side certificate being downloaded but not
reporting the expected lines
Found trusted certificate:
matching alias: <client cert alias>
Or for the keystore, I am expecting to see a log that it is loading the
keystore (example below), but there is no sign that the keystore is being
loaded. I got the log extract below from a standalone java client which
successfully connects using MA to the remote service.
keyStore is : c:\temp\DWCHASSMESA002.pfx
keyStore type is : PKCS12
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : dwchassmesa002
chain [0] = [
* The Tomcat logs show that the SSL handshake gets as far as the
ClientKeyExchange, but there is no client certificate sent and the
handshake terminates with "Software caused connection abort: recv failed".
On DataPower the error is that the client is not sending the certificate.
<sip>
http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 9
0000: 0D 00 00 05 02 01 02 00 00 .........
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[write] MD5 and SHA1 hashes: len = 269
<snip>
http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269
[Raw write]: length = 274
0000: 16 03 01 01 0D 0B 00 00 03 00 00 00 10 00 01 02 ................
<snip>
0110: 2E 32 .2
SESSION KEYGEN:
PreMaster Secret:
<snip>
http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48
http-bio-8080-exec-2, waiting for close_notify or alert: state 1
http-bio-8080-exec-2, Exception while waiting for close
java.net.SocketException: Software caused connection abort: recv failed
http-bio-8080-exec-2, handling exception: java.net.SocketException:
Software caused connection abort: recv failed
%% Invalidated: [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA]
http-bio-8080-exec-2, called close()
http-bio-8080-exec-2, called closeInternal(true)
http-bio-8080-exec-2, called closeSocket(
We are using the software below on the client environment:
* Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
* Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
* JCE Unlimited Security: No
* Apache Tomcat/7.0.55
* Microsoft Windows Server 2008 R2 Enterprise 64-bit
Analysis Steps
==============
1) Openssl connects with MA parameters connects with no errors
openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
server-cert-with-intermediate-and-root-in-one-file.cer -cert
client-public-key.cer -key client-private-key.key -pass
pass:client-private-key-password
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
Session-ID-ctx:
Master-Key:
89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1441125595
Timeout : 7200 (sec)
Verify return code: 0 (ok)
2) A standalone Java program with a couple of lines to open a HTTPS
connection to the 3rd party certificate works. This uses the same
truststore and keystore
3) SoapUI works using the same truststore and keystore
4) Our 3rd party vendor can connect
5) I have googled various phrases like "Tomcat JVM not loading
truststore". There are hundreds of examples involving HTTPS connectors
and/or configuration errors. However we are not using server-side
connectors and I can't see anything wrong with the configuration. The only
potential hit I found for a defect was in Tomcat 6
http://tomcat.10.x6.nabble.com/configured-truststore-ignored-by-tomcat-td4986884.html
6) I tried installing a HTTPS connector in our Tomcat client instance.
This then shows that the truststore is being loaded, but it is not used by
the outbound HTTPS client connections
7) Tried playing with the format of the file paths by adding double quotes,
changing the path separator to forward or backslash, moving the location of
the files. But this didn't make any difference.
"d:\Tomcat_ENV1\DWCHASSMESA002_keystore.jks"
d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
d:/Tomcat_ENV1/DWCHASSMESA002_keystore.jks
Thanks,
Diarmuid
