Aughra,
On 7/27/24 10:32, aughra wrote:
Hello everyone,
Maybe this question has been asked many times, but I have a problem that
I can't find a solution for.
To summarize, I have: A Java program WAR on Tomcat, and Tomcat must
contain a provider to call an encryption module to obtain keys.
The Tomcat version is 10.1.26
In Java 11, to specify where the pass/crt of the module is located, I
specify it in the java.security file as follows:
#
# List of providers and their preference orders (see above):
#
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunJGSS
security.provider.7=SunSASL
security.provider.8=XMLDSig
security.provider.9=SunPCSC
security.provider.10=JdkLDAP
security.provider.11=JdkSASL
security.provider.12=SunPKCS11 /opt/tomcat/webapps/prgmwar/WEB-INF/classes/Crypto.properties
The Crypto.properties file contains the name of the provider to use and
the library to call the Sun PKCS#11 provider:
library=lib.so
name=cryptto
Which is used in the application parameter (SunPKCS11 is normal, WL, and
the documentation states it):
module.titi.providerName=SunPKCS11-cryptto
However, it is clearly stated that in Java 17, this solution is no
longer supported, and it must be done differently; otherwise, I get
errors in Catalina.
It is stated not to put the path in the java.security file and to leave:
security.provider.12=SunPKCS11
I have tried several solutions, putting the path in setenv, in
catalina.sh with the option:
JAVA_OPTS="$JAVA_OPTS -Djava.security.properties=file:/toto.file"
CATALINA_OPTS="$CATALINA_OPTS -Djava.security.properties=file:/toto.file"
With the file toto.file containing the path:
security.provider.12=SunPKCS11 /opt/tomcat/webapps/prgmwar/WEB-INF/classes/Crypto.properties
Almost everywhere I could put it.
But in catalina.out, I still get the same error with Tomcat:
/opt/tomcat/webapps/prgmwar/WEB-INF/classes/appli.properties -> it loads
the application
HSM-SERVICE|WARN|http-nio-8080-exec-1||GET
appli||SecurityModuleFactory|Module appli ignored: error during
initialization
When it searches for the provider, it can't find it because it doesn't
have:
security.provider.12=SunPKCS11 /opt/tomcat/webapps/prgmwar/WEB-INF/classes/Crypto.properties
Provider "SunPKCS11-crypt" unknown
However, it works very well in a normal Java JAR (without Tomcat), for
example, to list the keys, because I directly list the provider's
location via the -D option of Java:
DEBUG [main] (SecurityModuleFactory.java:112) - Loading crypt module.
DEBUG [main] (SecurityModuleFactory.java:125) - -> SunPKCS11-crypt
Security.java:125)
DEBUG [main] (SecurityModule.java:59) - Creating HardwareSecurityModule
crypt
crypt - Beginning listKeys
(SecurityModule.java:121) - name = riri
So my library works...
*My question is, how do we do in Java 17 what I did in Java 8 in
java.security:*
*security.provider.12=SunPKCS11 /opt/tomcat/webapps/prgmwar/WEB-INF/classes/Crypto.properties*
Please don't look for any flaws in the variable names as I have just
changed them.
How are you launching Tomcat?
Setting CATALINA_OPTS in setenv.sh is, I believe, the correct way to do
this, but it depends upon how Tomcat is launched. Some environments
ignore the setenv.sh script.
Can you use 'ps' or similar to see the full command-line used to launch
the JVM and confirm your -D appears there? If it's not there, you have
made a small mistake somewhere or Tomcat isn't being started using
catalina.sh.
-chris
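An added example, not code from the thread or from Tomcat: a small Java 17 class that does from inside the JVM what Chris suggests doing with 'ps' (report which java.security.properties file the JVM actually picked up), lists the providers that are installed, and then falls back to registering a SunPKCS11 instance at runtime with Provider.configure(), which is the JDK 9+ API and does not depend on java.security carrying the config path. The class name, the default config path and the sample command line are assumptions chosen to match the layout described above; run it with the same JAVA_OPTS/CATALINA_OPTS you give Tomcat.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Provider;
import java.security.Security;

// Added example, not code from the thread. Suggested usage (paths are assumptions):
//   java -Djava.security.properties=file:/toto.file Pkcs11ProviderCheck \
//        /opt/tomcat/webapps/prgmwar/WEB-INF/classes/Crypto.properties
public class Pkcs11ProviderCheck {

    // Hypothetical default, mirroring the layout described in the thread.
    static final String DEFAULT_CONFIG =
            "/opt/tomcat/webapps/prgmwar/WEB-INF/classes/Crypto.properties";

    public static void main(String[] args) {
        String configPath = args.length > 0 ? args[0] : DEFAULT_CONFIG;

        // 1. Did the override file reach this JVM at all? This is the in-process
        //    equivalent of checking the launch command line with 'ps'. Note that a
        //    single '=' in -Djava.security.properties=file:... appends to / overrides
        //    entries of the master java.security file, while '==' replaces it entirely,
        //    and the master file must keep security.overridePropertiesFile=true
        //    (the JDK default) for either form to be honoured.
        System.out.println("java.security.properties        = "
                + System.getProperty("java.security.properties"));
        System.out.println("security.overridePropertiesFile = "
                + Security.getProperty("security.overridePropertiesFile"));

        // 2. What is installed right now? If a java.security line of the form
        //    'security.provider.N=SunPKCS11 <config>' was applied, a provider named
        //    "SunPKCS11-<name>" (name taken from the config file) appears here.
        System.out.println("Installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }

        // 3. Fallback that does not rely on java.security carrying the path: take the
        //    unconfigured base provider (this requires the plain
        //    'security.provider.N=SunPKCS11' line to still be present) and configure
        //    it with the PKCS#11 config file at runtime. The application can then
        //    look up "SunPKCS11-<name>" exactly as before.
        if (!Files.isReadable(Path.of(configPath))) {
            System.err.println("PKCS#11 config not readable: " + configPath);
            System.exit(2);
        }
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            // Typically means the jdk.crypto.cryptoki module is absent (trimmed jlink image)
            // or the SunPKCS11 line was removed from java.security.
            System.err.println("Base SunPKCS11 provider not present in this runtime");
            System.exit(3);
        }
        Provider configured = base.configure(configPath);
        if (Security.getProvider(configured.getName()) == null) {
            Security.addProvider(configured);
            System.out.println("Registered " + configured.getName() + " dynamically");
        } else {
            System.out.println(configured.getName() + " was already registered statically");
        }
    }
}
```

If the first line printed shows null for java.security.properties while Tomcat was started through catalina.sh, the -D never reached the JVM and the problem is in how Tomcat is launched rather than in the provider configuration; if it shows the expected file and the provider is still missing, step 3 gives a way to register it from application code that works the same under Java 11 and Java 17.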
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org