Angela,
On 11/16/22 20:27, Cantor, Angela T. wrote:
Thanks to Joey and Chris for responding.
Joey had said
Jump through the hoop of rebuilding the keystore with the current java
I believe this is what we did that made the difference. I am not
familiar with PKCS11
we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
Chris had some questions about my PKCS11 setup, but I'm taking a left turn and
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and
this community seems to know more about it.
So I changed back to using PKCS12. I recreated the keystore from my key and
signed cert using openssl and switched to using Http11Nio2Protocol. Now the
connector is this:
<Connector port="8843"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
server="Apache"
keyAlias="tomcat9"
keystorePass="XXXXXXXXXXXXXX" keystoreType="PKCS12"
keystoreFile="<path>/tomcat9.p12"
maxHttpHeaderSize="32768"
sslEnabledProtocols="TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
clientAuth="false" sslProtocol="TLSv1.2"/>
This produced the following error:
[snip]
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
contents entry: java.security.NoSuchAlgorithmException: Cannot find any
provider supporting PBEWithSHA1AndDESede
... 29 more
16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load
Server initialization in [6240] milliseconds
I am sure I am using the correct password, having created the
keystore moments before this, so I assume the issue is with
PBEWithSHA1AndDESede. And now I'm in over my head...any advice?
Back in Java 8 days, this was a JVM bug. You'd need to update to a fixed
version (https://bugs.openjdk.org/browse/JDK-8266279).
But since you are using Java 17... hmm.
Are you sure Tomcat is running with your Java 17?
Did you build the PKCS12 file using openssl or keytool? IIRC, openssl
sometimes does things that are within the spec but aren't handled by
Java's implementations of these standards.
-chris
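The error above names exactly the scheme that OpenSSL 1.1 used by default to wrap the private key in a PKCS12 export (pbeWithSHA1And3-KeyTripleDES-CBC, which Java calls PBEWithSHA1AndDESede), and a FIPS-restricted provider set has no implementation of it. The script below is an added example, not code from this thread or from the Tomcat project: it builds a throwaway key and self-signed certificate, exports it once the legacy way and once with PBES2/AES-256 and a SHA-256 MAC, and defines a small check that reports which PBE schemes a .p12 actually carries, so you can inspect an existing keystore before pointing Tomcat at it. The openssl flags (-keypbe, -certpbe, -macalg, -info) are standard; the work directory, the password "changeit" and the alias "tomcat9" are demo assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a PKCS12 keystore whose key is
# wrapped with the legacy pbeWithSHA1And3-KeyTripleDES-CBC scheme (Java's
# "PBEWithSHA1AndDESede"), re-export it with PBES2/AES-256 and a SHA-256 MAC,
# and inspect which PBE schemes a .p12 actually uses.
# Assumes: an openssl binary (1.1 or 3.x) on PATH. The throwaway self-signed
# key/cert generated here stands in for the real key and CA-signed cert.
set -eu

WORK="${TMPDIR:-/tmp}/p12-pbe-demo.$$"
mkdir -p "$WORK"
PASS='pass:changeit'   # demo password; the real keystorePass lives in server.xml

# Throwaway key and self-signed cert; in practice use your CA-signed chain.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=tomcat9-demo' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Print the PBE scheme used for each protected part of a PKCS12 file.
# openssl writes the -info report to stderr, hence 2>&1. Lines look like:
#   Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
p12_pbe_info() {
    openssl pkcs12 -info -noout -in "$1" -passin "$PASS" 2>&1 \
        | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# Echo "legacy" if any part of the file relies on a SHA-1 based PBE (3DES or
# RC2) or a SHA-1 MAC, which a FIPS-only provider set will not decrypt or
# verify; echo "modern" otherwise.
p12_pbe_class() {
    if p12_pbe_info "$1" | grep -qiE 'pbeWithSHA1And|MAC: sha1'; then
        echo legacy
    else
        echo modern
    fi
}

# 1) The shape OpenSSL 1.1 produced by default: SHA1+3DES key wrap, SHA-1 MAC.
#    This is the keystore that dies with "Cannot find any provider supporting
#    PBEWithSHA1AndDESede" when only FIPS algorithms are available.
export_legacy() {
    openssl pkcs12 -export -name tomcat9 \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "$PASS" -out "$WORK/legacy.p12"
    echo "$WORK/legacy.p12"
}

# 2) FIPS-friendly export: PBES2 (PBKDF2 + AES-256-CBC) for both the key and
#    the certificate bags, SHA-256 for the integrity MAC.
export_modern() {
    openssl pkcs12 -export -name tomcat9 \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "$PASS" -out "$WORK/modern.p12"
    echo "$WORK/modern.p12"
}

# Usage: sh p12-pbe-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    for f in "$(export_legacy)" "$(export_modern)"; do
        echo "== $f: $(p12_pbe_class "$f")"
        p12_pbe_info "$f"
    done
fi
```

Run p12_pbe_info against the tomcat9.p12 you generated: if the Shrouded Keybag or PKCS7 Encrypted data lines name a pbeWithSHA1And... scheme, re-export the same key and chain with the export_modern flags and the Tomcat connector above needs no other change. keytool -importkeystore from that file is the other route, but it only helps if the JDK doing the conversion can still open the legacy file.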
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, November 15, 2022 21:50
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK
upgrade
Angela,
On 11/14/22 11:56, Cantor, Angela T. wrote:
We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version. Now
tomcat won't listen on the desired port. Something is wonky with it accessing
the keystore. If you all see anything obvious, could you please advise?
Especially if it involves switching to a pkcs12 keystore (which I tried but
that also failed - I am no expert on setting up either type so maybe I did
something wrong.) Nothing other than the OpenJDK version seems to matter - if
we downgrade it back to 17.0.4.0.8, tomcat once again works fine. Note that
17.0.4.1.1-2.el8_6 also caused the same problem.
> [snip]
certificateKeystoreProvider="SunPKCS11-NSS-FIPS"
Could this be the problem? Does your new Java version have that security
provider available? I have some code which can dump-out the available providers
if you aren't sure.
certificateKeystoreType="PKCS11"
This also looks weird to me: PKCS11 is an API, not a file type. But maybe you
have to use this in order to access a keystore via the OpenSSL API? It makes
some sense since you haven't specified a filename for the keystore. I don't
have any experience with that. :/
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org