Hi,

We are in the process of upgrading Tomcat 7 to Tomcat 9 and are stuck with the 
trust store settings for client certificates; the connector setting is as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true" compression="on"
           compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
           address="0.0.0.0"
           maxPostSize="10485760"
           URIEncoding="UTF-8" server=" ">
    <SSLHostConfig truststoreFile="${tomcat.bind.truststore}"
                   truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                   certificateVerification="optional" sslProtocol="TLS"
                   protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="${tomcat.bind.keystore}"
                     certificateKeystorePassword="${tomcat.bind.keystorepass}"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

The application works properly when the truststoreFile, truststorePassword and 
truststoreType attributes are not defined in SSLHostConfig; when these 
attributes are defined, we get the errors shown below at Tomcat start.
The same configuration parameters work fine with Tomcat 7. The store has 1 
valid certificate, and I rechecked that with keytool using the password and was 
able to list the certificate.
Parametrized values are replaced with the actual values, and that part is working 
fine.

INFO: Initializing ProtocolHandler ["http-nio-0.0.0.0-80"]
Apr 20, 2021 6:59:31 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-0.0.0.0-443"]
Apr 20, 2021 6:59:31 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:558)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
        at com.intruvert.common.utility.startup.StartupChecks.main(StartupChecks.java:140)
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1193)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1206)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:597)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
        ... 14 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
        at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:501)
        at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:432)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
        ... 21 more

Apr 20, 2021 6:59:31 PM org.apache.catalina.startup.Catalina load
INFO: Server initialization in [2010] milliseconds

What mistake am I making in the connector configuration?

Thanks
Manish
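The innermost frames of the trace show Tomcat building `PKIXBuilderParameters` directly from the loaded trust store, and that JDK constructor only turns `trustedCertEntry` aliases into trust anchors; a store whose only entry is a `PrivateKeyEntry` is "non-empty" to keytool but empty to PKIX. The following diagnostic is an added example (not from the mail or from Tomcat) that loads a trust store the same way and reports which entries count; it assumes the file, password and store type are passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Hypothetical helper: reproduces the KeyStore -> PKIXBuilderParameters step
 * seen in the stack trace and lists each alias with its entry type.
 * Usage: java TrustStoreCheck <truststoreFile> <password> [jks|pkcs12]
 */
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreCheck <truststoreFile> <password> [jks|pkcs12]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : "jks";   // matches truststoreType
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());             // matches truststorePassword
        }

        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean trusted = ks.isCertificateEntry(alias); // keytool shows "trustedCertEntry"
            boolean keyEntry = ks.isKeyEntry(alias);        // keytool shows "PrivateKeyEntry"
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-24s %-16s %s%n", alias,
                    trusted ? "trustedCertEntry" : (keyEntry ? "PrivateKeyEntry" : "other"),
                    cert == null ? "(no certificate)" : cert.getSubjectX500Principal());
            if (trusted) anchors++;
        }
        System.out.println("entries usable as trust anchors: " + anchors);

        // Same constructor as SSLUtilBase.getParameters in the trace; it only
        // collects certificate entries, so a key-only store throws here.
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("PKIXBuilderParameters: OK");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIXBuilderParameters failed: " + e.getMessage());
        }
    }
}
```

If the only alias is reported as PrivateKeyEntry, import the CA certificate into the trust store as a certificate entry (keytool -importcert) or point truststoreFile at a store that holds only CA certificates.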
