Angela, I have seen this before when changing Java sources, in our case 7 to 8. Jump through the hoop of rebuilding the keystore with the current Java; I believe this is what we did that made the difference. I am not familiar with PKCS11; we use Http11Nio2Protocol with PKCS12 for complete chain bundling. Hope this helps.

-Joey
-----Original Message-----
From: Cantor, Angela T. <angela.can...@gtri.gatech.edu.INVALID>
Sent: Monday, November 14, 2022 10:56 AM
To: users@tomcat.apache.org
Subject: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

Hi all,

We have
- tomcat 9.0.68
- RHEL 8.6 with FIPS
- OpenJDK 17.0.5.0.8-2.el8_6

We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version. Now tomcat won't listen on the desired port. Something is wonky with it accessing the keystore. If you all see anything obvious, could you please advise? Especially if it involves switching to a pkcs12 keystore (which I tried, but that also failed - I am no expert on setting up either type, so maybe I did something wrong.)

Nothing other than the OpenJDK version seems to matter - if we downgrade it back to 17.0.4.0.8, tomcat once again works fine. Note that 17.0.4.1.1-2.el8_6 also caused the same problem.

Tomcat with this connector worked fine with OpenJDK 17.0.4:

<Connector port="8843" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           maxHttpHeaderSize="32768">
    <SSLHostConfig certificateVerification="none"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
                   protocols="TLSv1.2" sslProtocol="TLSv1.2">
        <Certificate type="RSA" certificateKeyAlias="tomcat"
                     certificateKeystoreProvider="SunPKCS11-NSS-FIPS"
                     certificateKeystoreType="PKCS11" />
    </SSLHostConfig>
</Connector>

java.security for 17.0.5 has these entries for FIPS:

fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
fips.provider.2=SUN
fips.provider.3=SunEC
fips.provider.4=SunJSSE
fips.provider.5=SunJCE
fips.provider.6=SunRsaSign
...
fips.keystore.type=pkcs12

nss.fips.cfg is this:

name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

Upon starting tomcat, we get this:

14-Nov-2022 11:24:21.174 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8843"]
14-Nov-2022 11:24:21.431 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8843]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:568)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
        Caused by: java.lang.IllegalArgumentException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
                at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
                at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
                ... 13 more
        Caused by: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
                at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1113)
                at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
                at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:366)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
                ... 20 more
        Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
                at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_DestroyObject(Native Method)
                at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.destroyChain(P11KeyStore.java:1989)
                at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.updatePkey(P11KeyStore.java:1452)
                at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1097)
                ... 25 more
14-Nov-2022 11:24:21.432 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [787] milliseconds

I did see that java.security for 17.0.4 had fips.keystore.type=PKCS11 instead of pkcs12. I switched back to that temporarily but got the same error as above.
Thank you for any help,
Angela

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
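A read-only probe of the token-backed keystore from the Connector in Angela's mail, added here as an illustration and not code from either poster or from Tomcat. It loads the same provider and alias, then builds a JSSE key manager directly from the PKCS11 keystore without ever calling KeyStore.setKeyEntry, the call that fails with CKR_SESSION_READ_ONLY in the stack trace; if this probe succeeds, the token, PIN and alias are usable and the fault is confined to that write. The class name, the argument order and the assumption that the provider is already registered by java.security are mine.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Hypothetical diagnostic (not Tomcat code): mirrors only the *read* calls Tomcat's
// getKeyManagers() makes against the PKCS11 keystore, so it never touches the token.
public class Pkcs11KeystoreProbe {
    public static void main(String[] args) throws Exception {
        // Defaults match the Connector in the thread; override on the command line if needed.
        String providerName = args.length > 0 ? args[0] : "SunPKCS11-NSS-FIPS"; // certificateKeystoreProvider
        String alias        = args.length > 1 ? args[1] : "tomcat";             // certificateKeyAlias
        char[] pin          = args.length > 2 ? args[2].toCharArray() : null;   // token PIN, if the token needs one
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            System.err.println("Provider " + providerName + " is not installed: check fips.provider.* in java.security and nss.fips.cfg");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin); // token-backed: no file, the NSS db named in nss.fips.cfg is opened
        if (!ks.isKeyEntry(alias)) {
            System.err.println("'" + alias + "' is not a key entry; aliases present: " + Collections.list(ks.aliases()));
            System.exit(3);
        }
        Key k = ks.getKey(alias, pin);
        // getFormat() is null when the private key cannot be exported from the token.
        System.out.println("key algorithm=" + k.getAlgorithm() + " format=" + k.getFormat());
        for (Certificate c : ks.getCertificateChain(alias)) {
            System.out.println("chain: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        // Build the JSSE key manager straight from the token. This path only reads, so it
        // cannot raise CKR_SESSION_READ_ONLY; if it succeeds, the token, PIN and alias are fine
        // and the failure is confined to the KeyStore.setKeyEntry call seen in the stack trace.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                System.out.println("server alias chosen for RSA: "
                        + ((X509KeyManager) km).chooseServerAlias("RSA", null, null));
            }
        }
    }
}
```

Run it with the same JDK and java.security that Tomcat uses (the FIPS provider list is only installed when the JDK starts in FIPS mode), so the probe sees the provider Tomcat sees.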