Thanks John, I will debug this further with the pointers you have provided.
Thanks
Manish

-----Original Message-----
From: john.e.gr...@wellsfargo.com.INVALID <john.e.gr...@wellsfargo.com.INVALID>
Sent: Tuesday, April 20, 2021 7:27 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat 9: Application is not starting with TrustStore attributes

CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Manish,

> -----Original Message-----
> From: Palod, Manish <manish_pa...@mcafee.com>
> Sent: Tuesday, April 20, 2021 8:37 AM
> To: users@tomcat.apache.org
> Subject: Tomcat 9: Application is not starting with TrustStore attributes
>
> Hi,
>
> We are in the process of upgrading Tomcat 7 to Tomcat 9 and are stuck with the
> trust store settings for the client certificate. The following is the connector
> setting:
>
>     <Connector port="443"
>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="150" SSLEnabled="true" scheme="https"
>                secure="true" compression="on"
>                compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
>                address="0.0.0.0"
>                maxPostSize="10485760"
>                URIEncoding="UTF-8" server=" ">
>         <SSLHostConfig truststoreFile="${tomcat.bind.truststore}"
>                        truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
>                        ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
>                        certificateVerification="optional" sslProtocol="TLS"
>                        protocols="TLSv1.2">
>             <Certificate certificateKeystoreFile="${tomcat.bind.keystore}"
>                          certificateKeystorePassword="${tomcat.bind.keystorepass}"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
> The application works properly when the truststoreFile, truststorePassword and
> truststoreType attributes are not defined in SSLHostConfig; when these
> attributes are defined, we get the following errors at Tomcat start:
> The same configuration parameters are working fine with Tomcat 7.
> The store has 1 valid certificate; I rechecked that with keytool using the
> password and was able to list the certificate.
> Parametrized values are replaced with the actual values, and that part is
> working fine.
>
> INFO: Initializing ProtocolHandler ["http-nio-0.0.0.0-80"]
> Apr 20, 2021 6:59:31 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-0.0.0.0-443"]
> Apr 20, 2021 6:59:31 PM org.apache.catalina.util.LifecycleBase handleSubClassException
> SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:558)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
> Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
>         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1193)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1206)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:597)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
>         ... 14 more
> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>         at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
>         at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
>         at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
>         at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:501)
>         at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:432)
>         at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>         ... 21 more
>
> Apr 20, 2021 6:59:31 PM org.apache.catalina.startup.Catalina load
> INFO: Server initialization in [2010] milliseconds
>
> What is the error I am making with the configuration in the connector part?
>
> Thanks
> Manish

Is your trust store empty? Below is the code that Tomcat is calling. The hashSet must be empty for this exception to occur, so look closely at the conditions that are checked when the hashSet is populated. Obviously the store should not be empty. In addition, normally a "trust store" would contain certificates but no keys, so I would expect isCertificateEntry() to return true for all entries, but at least one would be the minimum.
    public PKIXParameters(KeyStore keystore)
            throws KeyStoreException, InvalidAlgorithmParameterException {
        if (keystore == null)
            throw new NullPointerException("the keystore parameter must be "
                + "non-null");
        Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
        Enumeration<String> aliases = keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Only certificate entries (what keytool lists as trustedCertEntry)
            // are considered; key entries (PrivateKeyEntry) are skipped even if
            // they carry a certificate chain.
            if (keystore.isCertificateEntry(alias)) {
                Certificate cert = keystore.getCertificate(alias);
                // ...and only X.509 certificates become trust anchors.
                if (cert instanceof X509Certificate)
                    hashSet.add(new TrustAnchor((X509Certificate)cert, null));
            }
        }
        // Throws InvalidAlgorithmParameterException("the trustAnchors parameter
        // must be non-empty") when hashSet is empty.
        setTrustAnchors(hashSet);
        this.unmodInitialPolicies = Collections.<String>emptySet();
        this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
        this.certStores = new ArrayList<CertStore>();
    }

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
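The following diagnostic is an added example, not code from the thread and not Tomcat's own code. It loads a trust store with the same java.security.KeyStore API, walks the aliases with the same isCertificateEntry()/X509Certificate filter that the PKIXParameters constructor above applies, reports which entries would and would not become trust anchors, and then constructs PKIXBuilderParameters from the store to reproduce the failure in the stack trace. The class name TrustStoreCheck, the command-line argument layout and the X509CertSelector passed as target constraint are assumptions of this example; the stack trace only shows that Tomcat's SSLUtilBase.getParameters() invokes the PKIXBuilderParameters constructor.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

/**
 * Added diagnostic (hypothetical class, not part of Tomcat): explains why a
 * trust store that "has 1 certificate" can still yield zero PKIX trust anchors.
 *
 * Usage: java TrustStoreCheck <truststoreFile> <truststorePassword> [truststoreType]
 * The type defaults to "jks", matching the connector in the thread.
 */
public class TrustStoreCheck {

    /** Same selection rule as PKIXParameters(KeyStore): only certificate
     *  entries holding an X509Certificate count. Everything else is reported
     *  so the operator can see what the JDK ignored. */
    static Set<TrustAnchor> trustAnchorsOf(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                Certificate cert = ks.getCertificate(alias);
                if (cert instanceof X509Certificate) {
                    X509Certificate x509 = (X509Certificate) cert;
                    anchors.add(new TrustAnchor(x509, null));
                    System.out.println("trust anchor : " + alias + " -> "
                        + x509.getSubjectX500Principal());
                } else {
                    System.out.println("ignored      : " + alias
                        + " (certificate entry, but not X.509)");
                }
            } else if (ks.isKeyEntry(alias)) {
                // A PrivateKeyEntry never becomes a trust anchor, even though
                // keytool -list shows the certificate chain attached to it.
                System.out.println("key entry    : " + alias
                    + " (skipped: not a certificate entry)");
            } else {
                System.out.println("other entry  : " + alias + " (skipped)");
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreCheck <truststoreFile> <password> [type]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : "jks";
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            // A wrong password or wrong store type fails here with an
            // IOException, which is a different failure from the one in the thread.
            ks.load(in, args[1].toCharArray());
        }
        System.out.println("loaded " + ks.size() + " entr(y/ies) from "
            + args[0] + " as type " + type);

        Set<TrustAnchor> anchors = trustAnchorsOf(ks);
        System.out.println(anchors.size() + " usable trust anchor(s)");

        // Reproduce the constructor call seen in the stack trace. The
        // X509CertSelector target constraint is an assumption of this example.
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("PKIXBuilderParameters OK: this store would not trigger the error");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIXBuilderParameters failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it against the file that ${tomcat.bind.truststore} resolves to, with the resolved password. If the output shows the only entry as a key entry, the store was built with the server key (keytool -genkeypair or an importkeystore of a PKCS#12 bundle) rather than with keytool -importcert -trustcacerts, and keytool -list -v will label it "PrivateKeyEntry" instead of "trustedCertEntry". Note that certificateVerification="optional" does not relax this: Tomcat builds the trust manager at startup regardless, so the store must contain at least one trusted certificate entry for the connector to initialize.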