Hello, I tried 7.0.2 from 6.0.2X with an identical config (I looked at the migration guide--no changes needed for my config).
With 7.0.2, my SSL connector failed to start because "password verification failed." The logged password and jks file in the WARNING and SEVERE log statements are correct. Also, I can reliably revert to tomcat 6.0.X with the same password and keystore with no error.

Below is error log output as well as my server.xml config. I also narrowed down the server.xml config to the minimal changes from the stock server.xml (I have elided the real keystore and password).

This may be irrelevant, but my keypass had a '$' character in it, but that has always worked in the past.

Any changes to keystore/password handling that would make 7.0.2 not backward compatible?

Thank you!
Armando

Aug 18, 2010 6:35:47 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keypass' to 'XXXXXX' did not find a matching property.
Aug 18, 2010 6:35:47 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Aug 18, 2010 6:35:47 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JKS with path /path/to/conf/XXXXXXXX.jks due to Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:380)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:289)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:524)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:455)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:137)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:357)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:125)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:873)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:546)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:702)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:537)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    ... 23 more
Aug 18, 2010 6:35:47 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:380)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:289)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:524)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:455)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:137)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:357)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:125)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:873)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:546)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:702)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:537)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    ... 23 more
Aug 18, 2010 6:35:47 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
LifecycleException: Protocol handler initialization failed: java.io.IOException: Keystore was tampered with, or password was incorrect
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:546)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:702)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:537)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)

Here is a diff of minimal server.xml changes against the stock 7.0.2 server.xml that reproduce the problem.

--- old 2010-08-18 17:19:36.000000000 -0700 +++ new 2010-08-18 17:18:30.000000000 -0700 
@@ -22,7 +22,7 @@ <Server port="8005" shutdown="SHUTDOWN"> <!--APR library loader. Documentation at /docs/apr.html --> - <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> + <!-- DISABLE: apr not used <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> --> <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> <Listener className="org.apache.catalina.core.JasperListener" /> <!-- Prevent memory leaks due to use of particular java/javax APIs--> @@ -51,10 +51,13 @@ <Service name="Catalina"> <!--The connectors can use a shared executor, you can define one or more named thread pools--> - <!-- - <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" - maxThreads="150" minSpareThreads="4"/> + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" + maxThreads="500" minSpareThreads="50"/> + <!-- A "Connector" represents an endpoint by which requests are received 
@@ -62,11 +65,27 @@ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html - Define a non-SSL HTTP/1.1 Connector on port 8080 + Define a non-SSL HTTP/1.1 Connector on port 80 --> - <Connector port="8080" protocol="HTTP/1.1" - connectionTimeout="20000" - redirectPort="8443" /> + <Connector executor="tomcatThreadPool" URIEncoding="UTF-8" server="PC" + port="80" protocol="HTTP/1.1" enableLookups="false" acceptCount="100" + redirectPort="443" + disableUploadTimeout="true" connectionTimeout="20000" + compression="on" compressionMinSize="2048" + compressableMimeType="text/html,text/css,text/xml,text/javascript,application/x-javascript,application/javascript" /> + + <Connector executor="tomcatThreadPool" URIEncoding="UTF-8" server="PC" + port="443" protocol="HTTP/1.1" enableLookups="false" acceptCount="100" + disableUploadTimeout="true" connectionTimeout="20000" + SSLEnabled="true" secure="true" keyAlias="server" keystoreFile="conf/XXXXXXXX.jks" keypass="XXXXXXX" clientAuth="false" sslProtocol="TLS" + compression="on" compressionMinSize="2048" + compressableMimeType="text/html,text/css,text/xml,text/javascript,application/x-javascript,application/javascript" /> <!-- A "Connector" using the shared thread pool--> <!-- <Connector executor="tomcatThreadPool" @@ -84,9 +103,9 @@ clientAuth="false" sslProtocol="TLS" /> --> - <!-- Define an AJP 1.3 Connector on port 8009 --> + <!-- Define an AJP 1.3 Connector on port 8009 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> - + --> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
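
Review bot: keypass="XXXXXXX" on the new port 443 Connector (hunk @@ -62,11 +65,27 @@) is the attribute the startup WARNING reports with "Setting property 'keypass' ... did not find a matching property", so the value is never applied and the keystore is opened with the connector's default password instead, which matches the "Password verification failed" that follows. Tomcat's documented attribute for the keystore password is keystorePass; rename the attribute to that. The password also sits in server.xml in clear text and the WARNING echoes the value into the log, so both files should be readable only by the account that runs Tomcat.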
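
An added example (not part of the original post and not Tomcat code): the WARNING in the log above shows that Tomcat echoes the value of an attribute it ignores, so a misnamed password attribute ends up in the startup log. This Python script finds such warnings and masks the echoed value; the sample log text is constructed and the list of secret-looking name fragments is an assumption.

```python
import re

# Digester warning Tomcat logs when a server.xml attribute has no matching
# setter (format copied from the WARNING line in the post).
IGNORED = re.compile(
    r"WARNING: \[SetAllPropertiesRule\]\{(?P<path>[^}]*)\} "
    r"Setting property '(?P<name>[^']*)' to '(?P<value>.*)' "
    r"did not find a matching property\."
)
# Assumption: attribute names containing these fragments hold credentials.
SECRET_HINTS = ("pass", "secret", "token")

# Constructed sample modelled on the post's log; the values are made up.
SAMPLE_LOG = """\
Aug 18, 2010 6:35:47 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keypass' to 'ex$ample-pw' did not find a matching property.
Aug 18, 2010 6:35:47 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Engine/Host} Setting property 'debug' to '0' did not find a matching property.
INFO: Initializing Coyote HTTP/1.1 on http-80
"""


def find_ignored_attributes(log_text):
    """List ignored attributes; the echoed value is deliberately left out."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = IGNORED.search(line)
        if m:
            name = m.group("name")
            findings.append({
                "line": lineno,
                "element": m.group("path"),
                "attribute": name,
                "secret_in_log": any(h in name.lower() for h in SECRET_HINTS),
            })
    return findings


def redact(log_text):
    """Mask the echoed attribute value so the log can be shared."""
    def mask(m):
        return ("WARNING: [SetAllPropertiesRule]{%s} Setting property '%s' to "
                "'[REDACTED]' did not find a matching property."
                % (m.group("path"), m.group("name")))
    return IGNORED.sub(mask, log_text)


if __name__ == "__main__":
    for finding in find_ignored_attributes(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```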