Joey,

On 11/17/22 10:52, Joey Cochran wrote:
> You might still have a passphrase on the private key that is
> different from the passphrase on the keystore.

This may be the case, but is pretty uncommon.

> After that, my next try would be without explicitly setting ciphers.

This exception occurs way before any cipher suites are being negotiated, so don't worry about that.

-chris

-----Original Message-----
From: Cantor, Angela T. <angela.can...@gtri.gatech.edu.INVALID>
Sent: Wednesday, November 16, 2022 7:28 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

Thanks to Joey and Chris for responding.

Joey had said:
> Jump through the hoop of rebuilding the keystore with the current java
I believe this is what we did that made the difference.
> I am not familiar with PKCS11, we use Http11Nio2Protocol with PKCS12 for
> complete chain bundling.

Chris had some questions about my PKCS11 setup, but I'm taking a left turn and 
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and 
this community seems to know more about it.

So I changed back to using PKCS12.  I recreated the keystore from my key and 
signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
connector is this:
         <Connector port="8843"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               server="Apache"
               keyAlias="tomcat9"
               keystorePass="XXXXXXXXXXXXXX" keystoreType="PKCS12"
               keystoreFile="<path>/tomcat9.p12"
               maxHttpHeaderSize="32768"
               sslEnabledProtocols="TLSv1.2"
                  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
               clientAuth="false" sslProtocol="TLSv1.2"/>


This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
       at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
       at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
       at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
       at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
       at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
       at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
       at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
       at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.base/java.lang.reflect.Method.invoke(Method.java:568)
       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
    Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
       at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
       at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
       at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
       at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
       at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
       at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
       at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
       at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
       ... 13 more
    Caused by: java.io.IOException: keystore password was incorrect
       at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
       at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
       at java.base/java.security.KeyStore.load(KeyStore.java:1473)
       at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
       at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
       at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
       at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
       at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
       at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
       ... 20 more
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede
       ... 29 more
16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [6240] milliseconds


I am sure I am using the correct password, having created the keystore moments 
before this, so I assume the issue is with PBEWithSHA1AndDESede.  And now I'm 
in over my head...any advice?


Thanks so much,
Angela



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, November 15, 2022 21:50
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

Angela,

On 11/14/22 11:56, Cantor, Angela T. wrote:
> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now
> tomcat won't listen on the desired port.  Something is wonky with it accessing
> the keystore.  If you all see anything obvious, could you please advise?
> Especially if it involves switching to a pkcs12 keystore (which I tried but
> that also failed - I am no expert on setting up either type so maybe I did
> something wrong.)  Nothing other than the OpenJDK version seems to matter - if
> we downgrade it back to 17.0.4.0.8, tomcat once again works fine.  Note that
> 17.0.4.1.1-2.el8_6 also caused the same problem.
>
> [snip]
>                       certificateKeystoreProvider="SunPKCS11-NSS-FIPS"

Could this be the problem? Does your new Java version have that security 
provider available? I have some code which can dump-out the available providers 
if you aren't sure.

>                       certificateKeystoreType="PKCS11"

This also looks weird to me: PKCS11 is an API, not a file type. But maybe you 
have to use this in order to access a keystore via the OpenSSL API? It makes 
some sense since you haven't specified a filename for the keystore. I don't 
have any experience with that. :/

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org