Angela,
On 11/22/22 13:49, Cantor, Angela T. wrote:
> Problem solved - the answer was embarrassingly easy.
> I chowned /etc/pki/nssdb and its contents to tomcat, and everything worked. The
> "read_only" part of CKR_SESSION_READ_ONLY was a clue.
> I'm not sure what changed with the newer OpenJDK, as tomcat had run fine for
> months with root owning /etc/pki/nssdb before. Also now it is updating the
> cert*.db and key*.db files each time tomcat starts, which it was not doing
> before.
That's weird.
I would NOT expect anything in /etc/pki/* to be updated each time I
start a service, unless it's explicitly a service that should be
updating trust stores and/or key stores.
But if that's what YOU expect, well, then ... okay, I guess :)
> Anyway, all is well, and thanks again to Chris and Joey for looking at it and
> providing suggestions - I learned a lot in the process.
:)
-chris
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, November 18, 2022 14:37
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
Joey,
On 11/17/22 10:52, Joey Cochran wrote:
> You might still have a passphrase on the private key that is different
> from the passphrase on the keystore.
This may be the case, but is pretty uncommon.
> After that, my next try would be without explicitly setting ciphers.
This exception occurs way before any cipher suites are being negotiated, so
don't worry about that.
-chris
-----Original Message-----
From: Cantor, Angela T. <angela.can...@gtri.gatech.edu.INVALID>
Sent: Wednesday, November 16, 2022 7:28 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
Thanks to Joey and Chris for responding.
Joey had said
> Jump through the hoop of rebuilding the keystore with the current java
I believe this is what we did that made the difference.
> I am not familiar with PKCS11
> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
Chris had some questions about my PKCS11 setup, but I'm taking a left turn and
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and
this community seems to know more about it.
So I changed back to using PKCS12. I recreated the keystore from my key and
signed cert using openssl and switched to using Http11Nio2Protocol. Now the
connector is this:
<Connector port="8843"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
server="Apache"
keyAlias="tomcat9"
keystorePass="XXXXXXXXXXXXXX" keystoreType="PKCS12"
keystoreFile="<path>/tomcat9.p12"
maxHttpHeaderSize="32768"
sslEnabledProtocols="TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
clientAuth="false" sslProtocol="TLSv1.2"/>
This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
    ... 13 more
Caused by: java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
    at java.base/java.security.KeyStore.load(KeyStore.java:1473)
    at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
    ... 20 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede
    ... 29 more
16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [6240] milliseconds
I am sure I am using the correct password, having created the keystore moments
before this, so I assume the issue is with PBEWithSHA1AndDESede. And now I'm
in over my head...any advice?
Thanks so much,
Angela
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, November 15, 2022 21:50
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
Angela,
On 11/14/22 11:56, Cantor, Angela T. wrote:
> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version. Now
> tomcat won't listen on the desired port. Something is wonky with it accessing
> the keystore. If you all see anything obvious, could you please advise?
> Especially if it involves switching to a pkcs12 keystore (which I tried but
> that also failed - I am no expert on setting up either type so maybe I did
> something wrong.) Nothing other than the OpenJDK version seems to matter - if
> we downgrade it back to 17.0.4.0.8, tomcat once again works fine. Note that
> 17.0.4.1.1-2.el8_6 also caused the same problem.
> [snip]
> certificateKeystoreProvider="SunPKCS11-NSS-FIPS"
Could this be the problem? Does your new Java version have that security
provider available? I have some code which can dump-out the available providers
if you aren't sure.
> certificateKeystoreType="PKCS11"
This also looks weird to me: PKCS11 is an API, not a file type. But
maybe you have to use this in order to access a keystore via the
OpenSSL API? It makes some sense since you haven't specified a
filename for the keystore. I don't have any experience with that. :/
-chris
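Chris offers code that dumps the available providers. The class below is an added example written for this page, not Chris's code and not part of the thread; it dumps the providers and also probes the two things the thread turned on: whether SunPKCS11-NSS-FIPS is registered, and whether any provider supports PBEWithSHA1AndDESede, the algorithm buried under the "keystore password was incorrect" message in the trace above. The class name ProviderCheck and the path/password arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKeyFactory;

// Added diagnostic, not from the thread. Run against the same JDK Tomcat uses
// so the java.security file and any FIPS provider configuration match.
public class ProviderCheck {

    // Print every installed provider in priority order.
    static void dumpProviders() {
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersionStr() + " - " + p.getInfo());
        }
    }

    // The pieces this thread depended on: the NSS FIPS provider, both keystore
    // types, and the legacy PBE algorithm the trace says no provider supports.
    static void checkFipsPieces() {
        System.out.println("SunPKCS11-NSS-FIPS registered: "
                + (Security.getProvider("SunPKCS11-NSS-FIPS") != null));
        for (String type : new String[] {"PKCS11", "PKCS12"}) {
            try { System.out.println(type + " keystore served by " + KeyStore.getInstance(type).getProvider().getName()); }
            catch (Exception e) { System.out.println(type + " keystore unavailable: " + e); }
        }
        try { SecretKeyFactory.getInstance("PBEWithSHA1AndDESede"); System.out.println("PBEWithSHA1AndDESede: supported"); }
        catch (NoSuchAlgorithmException e) { System.out.println("PBEWithSHA1AndDESede: no provider supports it"); }
    }

    // Load a PKCS12 file and print the whole cause chain, so a NoSuchAlgorithmException
    // hidden behind "keystore password was incorrect" is visible at a glance.
    static void probeKeystore(String path, char[] password) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            System.out.println("loaded " + path + ": " + ks.size() + " entries");
        } catch (Exception e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  " + t.getClass().getName() + ": " + t.getMessage());
            }
        }
    }

    public static void main(String[] args) {
        dumpProviders();
        checkFipsPieces();
        if (args.length == 2) probeKeystore(args[0], args[1].toCharArray()); // <path>.p12 <password>
    }
}
```

If the PBE check reports no provider, a password-correct PKCS12 exported with that algorithm will still fail to load, which is the situation the trace above shows.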
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org