We are trying to get SSL to work in 8.5 and have been unsuccessful.  We 
followed all the instructions in the Tomcat documentation and what help is 
available on the net but have been unable to get TC to start up with an SSL 
Connector configured.

Here is our Connector configuration:

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" 
scheme="http" redirectPort="8443" secure="false"/>

<Connector
    SSLEnabled="true"
    clientAuth="false"
    maxThreads="20"
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    scheme="https"
    secure="true"
    sslProtocol="TLS">
    <SSLHostConfig
        hostName="localhost"
        protocols="TLSv1.2"
        sessionCacheSize="15"
        sessionTimeout="960">
        <Certificate
            certificateKeyAlias="localhost"
            certificateKeystoreFile="conf/localhost-rsa.jks"
            certificateKeystorePassword="=NR5^vtuW_/?"
            certificateVerification="optionalNoCA"
            type="RSA"/>
    </SSLHostConfig>
</Connector>

Here is the error we get:

Jan 19, 2018 2:24:07 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: java.lang.NullPointerException
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
... 13 more
Caused by: java.lang.NullPointerException
at java.io.FileInputStream.<init>(FileInputStream.java:130)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at java.io.FileReader.<init>(FileReader.java:58)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:74)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:193)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more

We tried all kinds of variations of the configuration. We've run out of things 
to try.
We are using a JKS keystore created in Java code using the Bouncy Castle API.  
The config files are all in the correct location.
The keystore has a private key and certificate (self-signed using BC).  Aliases 
& passwords are correct. Everything about the keystore looks correct.
We tried "tomcat" as the alias (matching the entry in the keystore).  We also 
tried the real hostname for hostName and matched the keystore alias to it.
Our keys are RSA 2048.
We tried adding all the typical extensions to the CERT.
The error above indicates that TC is looking for PEM files. Why?  We weren't 
using PEM files.
So, we tried switching to using PEM files but that throws another weird error 
from the SecretKeyGenerator about an invalid KeyGen algorithm.
We are specifying SHA256withRSA for KeyGen but TC is trying to use 
pbeWithSHAAnd2-KeyTripleDES-CBC.  This looks like a bug.

Also, we have configured many security settings. For example, all of the 
security related Filters are configured in web.xml.

TC version: 8.5.15
OS: Windows 8.1

Thanks for any help you can provide.

Ken
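The post asserts that the JKS file built with Bouncy Castle has the right alias, a private-key entry and a working password. The following read-only JKS inspector is an added example, not code from the post or from Tomcat: it verifies the store's integrity digest (which is what the keystore password protects) and lists each alias with its entry type without decrypting the private key. The sample store, the "changeit" password and the placeholder key/certificate bytes are constructed here for the example.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
INTEGRITY_SALT = b"Mighty Aphrodite"  # constant keytool mixes into the SHA-1 integrity digest

def _utf(s: str) -> bytes:
    """Java writeUTF: 2-byte big-endian length + (modified) UTF-8; ASCII aliases assumed."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def build_jks(entries, password: str) -> bytes:
    """Writer used only to construct a sample: entries = [(alias, tag, key_blob, [der_certs])]."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, key_blob, certs in entries:
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # creation timestamp
        if tag == 1:  # PrivateKeyEntry: protected PKCS#8 blob, then the certificate chain
            out += struct.pack(">I", len(key_blob)) + key_blob + struct.pack(">I", len(certs))
        for der in certs:
            out += _utf("X.509") + struct.pack(">I", len(der)) + der
    digest = hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + out).digest()
    return out + digest

def list_jks(blob: bytes, password: str) -> dict:
    """Return {alias: (entry_kind, chain_length)}; raises ValueError on bad password or format."""
    body, digest = blob[:-20], blob[-20:]
    if hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest() != digest:
        raise ValueError("keystore integrity check failed: wrong password or not a JKS file")
    magic, version, count = struct.unpack(">III", body[:12])
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS store (PKCS12 or PEM instead?)")
    pos, entries = 12, {}
    for _ in range(count):
        tag, n = struct.unpack(">IH", body[pos:pos + 6]); pos += 6
        alias = body[pos:pos + n].decode("utf-8"); pos += n + 8   # skip creation timestamp
        chain = 1
        if tag == 1:
            n, = struct.unpack(">I", body[pos:pos + 4]); pos += 4 + n      # skip protected key
            chain, = struct.unpack(">I", body[pos:pos + 4]); pos += 4
        for _ in range(chain):
            n, = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + n      # cert type string
            n, = struct.unpack(">I", body[pos:pos + 4]); pos += 4 + n      # DER certificate
        entries[alias] = ("PrivateKeyEntry" if tag == 1 else "trustedCertEntry", chain)
    return entries

# Constructed sample store: placeholder bytes stand in for the real key and certificates.
SAMPLE_JKS = build_jks([("localhost", 1, b"\x30\x03\x02\x01\x00", [b"\x30\x00"]), ("rootca", 2, None, [b"\x30\x00"])], "changeit")
```

Running list_jks(open("conf/localhost-rsa.jks", "rb").read(), password) on the real file should show the alias named in certificateKeyAlias as a PrivateKeyEntry; a ValueError on the password or the magic number means the file is not the JKS store the Connector expects, which keytool -list -v -keystore conf/localhost-rsa.jks would report the same way.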

