Abirami,

On 1/9/25 11:50 PM, S Abirami wrote:
> Below is the stack trace; the same keystore file works fine in Tomcat 9.
>
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>
> [....]
>
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:794)
>         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
>         at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
>         at java.security.KeyStore.load(KeyStore.java:1449)
>         at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69)
>         at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)

Okay, good: Java is using the JKS implementation. Recent versions of Java prefer PKCS12 IIRC so you should always specify the keystore type whenever possible.

>         at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
>         at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
>         at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
>         at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
>         ... 17 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
>         ... 28 more

I agree with Maxim's response to this thread:

On 1/10/25 12:12 AM, Maxim Solodovnik wrote:
> I'm not an expert, but I guess you should specify the "keystore password", for example by calling
> setCertificateKeystorePassword(String certificateKeystorePassword)

It appears you are calling setCertificateKeyPassword instead of setCertificateKeystorePassword.

The documentation is a little unclear here:

https://tomcat.apache.org/tomcat-10.1-doc/config/http.html#SSL_Support_-_Certificate

certificateKeyPassword says it's for the "specified file" but doesn't say it's specifically for PEM files... which it probably is.

If you look at the other attribute, though, it says:

"
certificateKeystorePassword

JSSE only.

The password to use to access the keystore containing the server's private key and certificate. If not specified, a default of changeit will be used.
"

So I think you will get "changeit" as your default password if you don't call setCertificateKeystorePassword.

-chris
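
The corrected embedded configuration, as an added example that is not code from this thread or from the Tomcat project. It assumes tomcat-embed-core 10.1 on the classpath, the keystore path quoted in the thread, and hypothetical passwords; checkKeystore and buildConnector are names chosen here. The pre-flight check loads the keystore with the same type and password Tomcat will use, so a wrong keystore password surfaces as the "Keystore was tampered with" IOException and a wrong key-entry password as an UnrecoverableKeyException before the connector is even created, which makes the two failure modes in the stack trace easy to tell apart:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

/*
 * Added example, not the thread's own code. Assumptions: tomcat-embed-core 10.1
 * on the classpath, a JKS keystore at KEYSTORE (the path from the thread), and
 * the hypothetical passwords below.
 */
public class SslHostConfigExample {

    static final String KEYSTORE = "/var/tmp/cert/server.jks";         // path used in the thread
    static final String KEYSTORE_TYPE = "JKS";                          // state it explicitly; Java 9+ defaults to PKCS12
    static final char[] KEYSTORE_PASSWORD = "Temp@123456".toCharArray(); // hypothetical: unlocks the keystore file
    static final char[] KEY_PASSWORD = "Temp@123456".toCharArray();      // hypothetical: unlocks the private-key entry

    /**
     * Pre-flight check: load the keystore exactly as Tomcat will and unlock the
     * first private-key entry. Returns that entry's alias on success.
     */
    static String checkKeystore() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            // Wrong keystore password -> IOException "Keystore was tampered with, or password was incorrect"
            ks.load(in, KEYSTORE_PASSWORD);
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            try {
                // Wrong key-entry password -> UnrecoverableKeyException
                ks.getKey(alias, KEY_PASSWORD);
                return alias;
            } catch (UnrecoverableKeyException e) {
                throw new GeneralSecurityException("key password is wrong for alias " + alias, e);
            }
        }
        throw new GeneralSecurityException("no private-key entry found in " + KEYSTORE);
    }

    /** Builds an HTTPS connector with both passwords set on the certificate. */
    static Connector buildConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(8443);
        connector.setSecure(true);
        connector.setScheme("https");
        connector.setProperty("SSLEnabled", "true");

        SSLHostConfig sslHostConfig = new SSLHostConfig();
        sslHostConfig.setInsecureRenegotiation(false);

        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
        cert.setCertificateKeystoreFile(KEYSTORE);
        cert.setCertificateKeystoreType(KEYSTORE_TYPE);
        cert.setCertificateKeystorePassword(new String(KEYSTORE_PASSWORD)); // the call missing in the thread; default is "changeit"
        cert.setCertificateKeyPassword(new String(KEY_PASSWORD));           // password of the key entry inside the keystore

        sslHostConfig.addCertificate(cert);
        connector.addSslHostConfig(sslHostConfig);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("private key alias: " + checkKeystore());
        Connector connector = buildConnector();
        // Attach to an org.apache.catalina.startup.Tomcat instance with
        // tomcat.getService().addConnector(connector) before tomcat.start().
    }
}
```

Run checkKeystore once with the keystore password deliberately wrong and once with the key password wrong to see the two different exceptions; if both calls pass, the connector built by buildConnector will initialise with the same values. Keeping the keystore type explicit matters because the DualFormatJKS frame in the trace shows the JDK probing formats for you, and a PKCS12 file handed to a JKS-only path fails with the same "tampered with" message as a bad password.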

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, January 9, 2025 11:40 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9 to Tomcat 10 SSLHostConfig issue in Embedded Tomcat

Abirami,

On 1/9/25 6:57 AM, S Abirami wrote:
> After migrating from Tomcat 9 to Tomcat 10, there is an error when introducing SSLHostConfig.
> SSLHostConfig set up with the keystore file and keystore password as shown below is not working and throws an error saying the file is tampered with.
>
> SSLHostConfig sslHostConfig = new SSLHostConfig();
> SSLHostConfigCertificate sslHostConfigCer = new SSLHostConfigCertificate( sslHostConfig,
>         SSLHostConfigCertificate.Type.UNDEFINED );
> sslHostConfig.setInsecureRenegotiation( false );
> sslHostConfigCer.setCertificateKeystoreFile( "/var/tmp/cert/server.jks" );
> sslHostConfigCer.setCertificateKeyPassword( "Temp@123456" );
> sslHostConfig.addCertificate( sslHostConfigCer );
> this.addSslHostConfig( sslHostConfig );

Are you missing a call to sslHostConfig.setCertificateKeystoreType("JKS")?

Can you post the stack trace you are getting and the full error message?

-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


