Manish,

> -----Original Message-----
> From: Palod, Manish <manish_pa...@mcafee.com>
> Sent: Tuesday, April 20, 2021 8:37 AM
> To: users@tomcat.apache.org
> Subject: Tomcat 9: Application is not starting with TrustStore attributes
>
> Hi,
>
> We are in the process of upgrading Tomcat 7 to Tomcat 9 and are stuck with the trust
> store settings for client certificates; the following is the connector setting:
>
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" scheme="https"
>            secure="true" compression="on"
>            compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
>            address="0.0.0.0"
>            maxPostSize="10485760"
>            URIEncoding="UTF-8" server=" ">
>   <SSLHostConfig truststoreFile="${tomcat.bind.truststore}"
>                  truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
>                  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
>                  certificateVerification="optional" sslProtocol="TLS"
>                  protocols="TLSv1.2">
>     <Certificate certificateKeystoreFile="${tomcat.bind.keystore}"
>                  certificateKeystorePassword="${tomcat.bind.keystorepass}"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> The application works properly when the truststoreFile, truststorePassword and
> truststoreType attributes are not defined in SSLHostConfig; when these
> attributes are defined, we get the following errors at Tomcat start.
> The same configuration parameters work fine with Tomcat 7. The store
> has 1 valid certificate, and I rechecked that with keytool with the password and
> was able to list the certificate.
> Parametrized values are replaced with the actual value and that part is working
> fine.
>
> INFO: Initializing ProtocolHandler ["http-nio-0.0.0.0-80"]
> Apr 20, 2021 6:59:31 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-0.0.0.0-443"]
> Apr 20, 2021 6:59:31 PM org.apache.catalina.util.LifecycleBase handleSubClassException
> SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:558)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
>         at com.intruvert.common.utility.startup.StartupChecks.main(StartupChecks.java:140)
> Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
>         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1193)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1206)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:597)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
>         ... 14 more
> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>         at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
>         at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
>         at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
>         at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:501)
>         at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:432)
>         at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>         ... 21 more
>
> Apr 20, 2021 6:59:31 PM org.apache.catalina.startup.Catalina load
> INFO: Server initialization in [2010] milliseconds
>
>
> What is the error I am making with the configuration in the connector part?
>
> Thanks
> Manish
Is your trust store empty?

Below is the code that Tomcat is calling. The hashSet must be empty for this exception to occur, so look closely at the conditions that are checked when the hashSet is populated. Obviously the store should not be empty. In addition, normally a "trust store" would contain certificates but no keys, so I would expect isCertificateEntry() to return true for all entries, but at least one would be the minimum.

    public PKIXParameters(KeyStore keystore)
            throws KeyStoreException, InvalidAlgorithmParameterException {
        if (keystore == null)
            throw new NullPointerException("the keystore parameter must be " +
                "non-null");
        Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
        Enumeration<String> aliases = keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // only trusted-certificate entries are considered; key entries are skipped
            if (keystore.isCertificateEntry(alias)) {
                Certificate cert = keystore.getCertificate(alias);
                // and only X.509 certificates become trust anchors
                if (cert instanceof X509Certificate)
                    hashSet.add(new TrustAnchor((X509Certificate)cert, null));
            }
        }
        // throws InvalidAlgorithmParameterException when hashSet is empty
        setTrustAnchors(hashSet);
        this.unmodInitialPolicies = Collections.<String>emptySet();
        this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
        this.certStores = new ArrayList<CertStore>();
    }
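As an added diagnostic (this is not part of the reply above, nor Tomcat's or the JDK's own code), the following stand-alone Java program loads a trust store the way Tomcat's JSSE code does and applies exactly the two conditions from the PKIXParameters constructor quoted above: an alias is counted only if isCertificateEntry() is true and the certificate is an X509Certificate. Every alias that fails either condition is printed with the reason, which shows why the anchor set came out empty. The class name TrustStoreCheck and its command-line arguments are assumptions; the file, type and password arguments are whatever the truststoreFile, truststoreType and truststorePassword attributes resolve to.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Hypothetical diagnostic for "the trustAnchors parameter must be non-empty".
 * Reports, per alias, whether PKIXParameters(KeyStore) would turn it into a
 * trust anchor, and returns the resulting anchor count.
 *
 * Usage: java TrustStoreCheck <truststoreFile> <truststoreType> <truststorePassword>
 */
public class TrustStoreCheck {

    /** Number of entries PKIXParameters(KeyStore) would accept as trust anchors. */
    public static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                Certificate cert = ks.getCertificate(alias);
                if (cert instanceof X509Certificate) {
                    // Same condition as the JDK constructor: this entry becomes an anchor.
                    X509Certificate x = (X509Certificate) cert;
                    System.out.println("OK    " + alias + " -> trust anchor: "
                            + x.getSubjectX500Principal() + " (expires " + x.getNotAfter() + ")");
                    anchors++;
                } else {
                    System.out.println("SKIP  " + alias + " -> certificate entry but not X.509 (type "
                            + cert.getType() + ")");
                }
            } else if (ks.isKeyEntry(alias)) {
                // A key entry (e.g. a server identity with its chain) is ignored by
                // PKIXParameters even though keytool lists it and it contains certificates.
                System.out.println("SKIP  " + alias + " -> key entry, not a trust anchor;"
                        + " import the CA certificate as a trusted certificate instead");
            } else {
                System.out.println("SKIP  " + alias + " -> neither certificate nor key entry");
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststoreFile> <truststoreType> <truststorePassword>");
            System.exit(2);
        }
        // KeyStore type names are case-insensitive, so "jks" from server.xml is accepted as-is.
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            // A wrong password or a non-keystore file fails here with an IOException,
            // which is a different symptom from an empty anchor set.
            ks.load(in, args[2].toCharArray());
        }
        int anchors = countTrustAnchors(ks);
        System.out.println(ks.size() + " entries, " + anchors + " usable trust anchor(s)");
        if (anchors == 0) {
            System.out.println("Tomcat would fail with: the trustAnchors parameter must be non-empty");
            System.exit(1);
        }
    }
}
```

The same distinction is visible in the output of keytool -list, which labels each alias as trustedCertEntry or PrivateKeyEntry: a store whose only alias is a PrivateKeyEntry will list a certificate under keytool yet still yield zero trust anchors here, because isCertificateEntry() is false for it. For Tomcat that would mean the file named by truststoreFile holds the server identity rather than the CA certificate the client certificates should be verified against.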