Angela,

You might still have a passphrase on the private key that is different from the passphrase on the keystore. I generally do without passwords on the private key, or make sure the key passwords and store passwords are the same. The store password will be tried/used (when needed) on nested passphrases. When it is different, this exception or one similar can be thrown.

After that, my next try would be without explicitly setting ciphers.

____________________________________________________________________________________________________________
Joey Cochran • Middle Tennessee State University • Information Technology Division • Systems Administrator II • office: (615) 898-2714

-----Original Message-----
From: Cantor, Angela T. <angela.can...@gtri.gatech.edu.INVALID>
Sent: Wednesday, November 16, 2022 7:28 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

Thanks to Joey and Chris for responding.

Joey had said
> Jump through the hoop of rebuilding the keystore with the current java
> I believe this is what we did that made the difference
> I am not familiar with PKCS11
> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.

Chris had some questions about my PKCS11 setup, but I'm taking a left turn and changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and this community seems to know more about it.

So I changed back to using PKCS12. I recreated the keystore from my key and signed cert using openssl and switched to using Http11Nio2Protocol. Now the connector is this:

    <Connector port="8843"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               server="Apache"
               keyAlias="tomcat9"
               keystorePass="XXXXXXXXXXXXXX"
               keystoreType="PKCS12"
               keystoreFile="<path>/tomcat9.p12"
               maxHttpHeaderSize="32768"
               sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
               clientAuth="false"
               sslProtocol="TLSv1.2"/>

This produced the following error:

    16-Nov-2022 14:54:58.858 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
            at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
            at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
            at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
            at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
            at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
            at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.base/java.lang.reflect.Method.invoke(Method.java:568)
            at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
            at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
        Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
            at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
            at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
            at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
            at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
            at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
            at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
            ... 13 more
        Caused by: java.io.IOException: keystore password was incorrect
            at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
            at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
            at java.base/java.security.KeyStore.load(KeyStore.java:1473)
            at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
            at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
            at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
            at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
            at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
            ... 20 more
        Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede
            ... 29 more
    16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [6240] milliseconds

I am sure I am using the correct password, having created the keystore moments before this, so I assume the issue is with PBEWithSHA1AndDESede.

And now I'm in over my head...any advice?

Thanks so much,
Angela

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, November 15, 2022 21:50
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

Angela,

On 11/14/22 11:56, Cantor, Angela T. wrote:
> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version. Now
> tomcat won't listen on the desired port. Something is wonky with it
> accessing the keystore. If you all see anything obvious, could you please
> advise? Especially if it involves switching to a pkcs12 keystore (which I
> tried but that also failed - I am no expert on setting up either type so
> maybe I did something wrong.) Nothing other than the OpenJDK version seems
> to matter - if we downgrade it back to 17.0.4.0.8, tomcat once again works
> fine. Note that 17.0.4.1.1-2.el8_6 also caused the same problem.
>
> [snip]
> certificateKeystoreProvider="SunPKCS11-NSS-FIPS"

Could this be the problem? Does your new Java version have that security provider available? I have some code which can dump-out the available providers if you aren't sure.

> certificateKeystoreType="PKCS11"

This also looks weird to me: PKCS11 is an API, not a file type. But maybe you have to use this in order to access a keystore via the OpenSSL API? It makes some sense since you haven't specified a filename for the keystore. I don't have any experience with that. :/

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
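Added example, not from anyone in this thread: the stack trace above fails on PBEWithSHA1AndDESede, which is the Java name for the SHA-1/3DES PKCS#12 PBE that openssl 1.1.x's pkcs12 -export uses by default for the key bag (with 40-bit RC2 for the certificate bag); a keystore exported with PBES2 AES-256-CBC for both bags and an HMAC-SHA256 MAC never needs that algorithm. The POSIX shell helpers below rebuild a .p12 that way and audit which PBE/MAC algorithms an existing one uses; the function names, file paths, alias and password are placeholders.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): build a Tomcat PKCS12 keystore that
# only uses PBES2/AES-256-CBC and HMAC-SHA256, and audit an existing .p12 for the
# SHA-1/3DES/RC2 PKCS#12 PBE algorithms a FIPS-mode JDK cannot provide.
set -eu

# Print the MAC / encrypted-data / key-bag algorithm lines for a .p12
# ($1 = keystore path, $2 = keystore password). openssl writes -info to stderr.
p12_algorithms() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1 \
        | grep -Ei 'MAC|Encrypted data|Keybag' || true
}

# Return 0 when no SHA-1/3DES or RC2 PBE and no SHA-1 MAC is present, else 1.
# ("TripleDES" is what openssl prints for PBEWithSHA1AndDESede.)
p12_is_fips_friendly() {
    if p12_algorithms "$1" "$2" | grep -Eiq 'TripleDES|RC2|MAC: sha1,'; then
        return 1
    fi
    return 0
}

# Export key + certificate chain into a .p12 under the Tomcat keyAlias, forcing
# PBES2 AES-256-CBC for the shrouded key bag and the cert bag and SHA-256 MAC.
# $1 = private key PEM, $2 = cert (chain) PEM, $3 = output .p12,
# $4 = alias (Tomcat keyAlias), $5 = password (Tomcat keystorePass).
build_fips_p12() {
    openssl pkcs12 -export -in "$2" -inkey "$1" -name "$4" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg SHA256 \
        -passout "pass:$5" -out "$3"
}
```

Usage: `build_fips_p12 tomcat9-key.pem tomcat9-chain.pem tomcat9.p12 tomcat9 'keystorePass'` and then `p12_is_fips_friendly tomcat9.p12 'keystorePass'` before pointing the connector's keystoreFile at it.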