Problem solved - the answer was embarrassingly easy.

I chowned /etc/pki/nssdb and its contents to tomcat, and everything worked.  
The "read_only" part of CKR_SESSION_READ_ONLY was a clue.

I'm not sure what changed with the newer OpenJDK, as tomcat had run fine for 
months with root owning /etc/pki/nssdb before.  Also now it is updating the 
cert*.db and key*.db files each time tomcat starts, which it was not doing 
before.

Anyway, all is well, and thanks again to Chris and Joey for looking at it and 
providing suggestions - I learned a lot in the process.


Angela
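A small diagnostic added here as an example; it is not Chris's provider-dump code and not part of Tomcat. It prints the providers this JVM actually sees, then loads one keystore the way Tomcat's JSSE code does and walks the whole cause chain, because Tomcat's top-level "keystore password was incorrect" hides the real detail (the PBEWithSHA1AndDESede and CKR_SESSION_READ_ONLY messages seen in this thread). The class name, the keytool-style "NONE" convention and the openssl re-export flags in the hint are my assumptions, not from the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

/*
 * KeystoreProbe (added example, not Tomcat code): list installed providers, then
 * load a keystore exactly as Tomcat does (KeyStore.getInstance + load) and print
 * every link of the exception chain plus a hint for the two errors in this thread.
 *
 * Usage: java KeystoreProbe <keystoreFile|NONE> <type> [provider|-] [password]
 *   PKCS11 (NSS FIPS): java KeystoreProbe NONE PKCS11 SunPKCS11-NSS-FIPS <pin>
 *   PKCS12 file:       java KeystoreProbe /path/tomcat9.p12 PKCS12 - <password>
 */
public class KeystoreProbe {
    public static void main(String[] args) throws Exception {
        // Providers as seen by this exact JVM; in FIPS mode SunPKCS11-NSS-FIPS should be listed.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersionStr() + " - " + p.getInfo());
        }
        if (args.length < 2) return;
        String file = args[0], type = args[1];
        String provider = args.length > 2 && !"-".equals(args[2]) ? args[2] : null;
        char[] password = args.length > 3 ? args[3].toCharArray() : null;
        try {
            KeyStore ks = provider == null ? KeyStore.getInstance(type)
                                           : KeyStore.getInstance(type, provider);
            // A PKCS11 keystore has no file: pass a null stream (keytool's "NONE" convention).
            try (InputStream in = "NONE".equals(file) ? null : new FileInputStream(file)) {
                ks.load(in, password);
            }
            System.out.println("OK: " + ks.size() + " entries via " + ks.getProvider().getName());
        } catch (Exception e) {
            // Tomcat logs only the outermost message; the useful detail is deeper in the chain.
            StringBuilder chain = new StringBuilder();
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
                chain.append(t.getMessage()).append('\n');
            }
            if (chain.indexOf("CKR_SESSION_READ_ONLY") >= 0) {
                System.out.println("hint: NSS opened its database read-only; check that the user running"
                        + " Tomcat owns (or can write) the nssdb directory and its cert*.db/key*.db files");
            } else if (chain.indexOf("PBEWithSHA1AndDESede") >= 0) {
                System.out.println("hint: the PKCS#12 key bag uses legacy PBE-SHA1-3DES, which the FIPS"
                        + " provider does not offer; re-export it with AES, e.g. openssl pkcs12 -export"
                        + " -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 ...");
            }
        }
    }
}
```

Run it as the same OS user that runs Tomcat, since the NSS read-only condition depends on that user's access to the database files.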




-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Friday, November 18, 2022 14:37
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Joey,

On 11/17/22 10:52, Joey Cochran wrote:
> You might still have a passphrase on the private key that is different 
> from the passphrase on the keystore.
This may be the case, but is pretty uncommon.

> After that, my next try would be without explicitly setting ciphers.

This exception occurs way before any cipher suites are being negotiated, so 
don't worry about that.

-chris

> -----Original Message-----
> From: Cantor, Angela T. <angela.can...@gtri.gatech.edu.INVALID>
> Sent: Wednesday, November 16, 2022 7:28 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error 
> after OpenJDK upgrade
> 
> Thanks to Joey and Chris for responding.
> 
> Joey had said
>> Jump through the hoop of rebuilding the keystore with the current java
>> I believe this is what we did that made the difference. I am not
>> familiar with PKCS11; we use Http11Nio2Protocol with PKCS12 for complete
>> chain bundling.
> 
> Chris had some questions about my PKCS11 setup, but I'm taking a left turn 
> and changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 
> and this community seems to know more about it.
> 
> So I changed back to using PKCS12.  I recreated the keystore from my key and 
> signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
> connector is this:
>          <Connector port="8843"
>                protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>                server="Apache"
>                keyAlias="tomcat9"
>                keystorePass="XXXXXXXXXXXXXX" keystoreType="PKCS12"
>                keystoreFile="<path>/tomcat9.p12"
>                maxHttpHeaderSize="32768"
>                sslEnabledProtocols="TLSv1.2"
>                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>                            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
>                clientAuth="false" sslProtocol="TLSv1.2"/>
> 
> 
> This produced the following error:
> 16-Nov-2022 14:54:58.858 SEVERE [main] 
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
> initialize component 
> [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
>     org.apache.catalina.LifecycleException: Protocol handler initialization 
> failed
>        at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
>        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>        at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
>        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>        at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
>        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>        at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>        at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
>     Caused by: java.lang.IllegalArgumentException: keystore password was 
> incorrect
>        at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
>        at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>        at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
>        at 
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
>        at 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
>        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
>        at 
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
>        at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
>        ... 13 more
>     Caused by: java.io.IOException: keystore password was incorrect
>        at 
> java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
>        at 
> java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
>        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
>        at 
> org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
>        at 
> org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
>        at 
> org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
>        at 
> org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
>        at 
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>        at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
>        ... 20 more
>     Caused by: java.security.UnrecoverableKeyException: failed to decrypt 
> safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any 
> provider supporting PBEWithSHA1AndDESede
>        ... 29 more
> 16-Nov-2022 14:54:58.860 INFO [main] 
> org.apache.catalina.startup.Catalina.load Server initialization in 
> [6240] milliseconds
> 
> 
> I am sure I am using the correct password, having created the keystore 
> moments before this, so I assume the issue is with PBEWithSHA1AndDESede.  And 
> now I'm in over my head...any advice?
> 
> 
> Thanks so much,
> Angela
> 
> 
> 
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, November 15, 2022 21:50
> To: users@tomcat.apache.org
> Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error 
> after OpenJDK upgrade
> 
> Angela,
> 
> On 11/14/22 11:56, Cantor, Angela T. wrote:
>> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now 
>> tomcat won't listen on the desired port.  Something is wonky with it 
>> accessing the keystore.  If you all see anything obvious, could you please 
>> advise?  Especially if it involves switching to a pkcs12 keystore (which I 
>> tried but that also failed - I am no expert on setting up either type so 
>> maybe I did something wrong.)  Nothing other than the OpenJDK version seems 
>> to matter - if we downgrade it back to 17.0.4.0.8, tomcat once again works 
>> fine.  Note that 17.0.4.1.1-2.el8_6 also caused the same problem.
>>
>> [snip]
>>                       certificateKeystoreProvider="SunPKCS11-NSS-FIPS"
> 
> Could this be the problem? Does your new Java version have that security 
> provider available? I have some code which can dump-out the available 
> providers if you aren't sure.
> 
>>                       certificateKeystoreType="PKCS11"
> 
> This also looks weird to me: PKCS11 is an API, not a file type. But 
> maybe you have to use this in order to access a keystore via the 
> OpenSSL API? It makes some sense since you haven't specified a 
> filename for the keystore. I don't have any experience with that. :/
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
