We are setting up a stand-alone Tomcat (5.5.33) server on an iSeries running V5R4 for a client.

The non-secure port (using port 8022) works fine. Tomcat listens on the secure port (set as port 7019). When connecting using https://domain.name:7019 a certificate warning is presented (not issued by a trusted Certificate Authority), then I get an 'Unable to display screen' error. Also perplexing is that the certificate (when viewing details through Mozilla Firefox) is always being displayed from the IBM DEFAULT.KDB *SYSTEM keystore. This is ultimately OK because that is where the client will be placing their signed certificate, but it is often not what is specified for the connector. This is true whether the connector has any of the three settings below:

1.  <Connector port="7019" maxHttpHeaderSize="8192" maxThreads="150"
        minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
        disableUploadTimeout="true" acceptCount="100" scheme="https"
        secure="true" algorithm="IbmIseriesX509" SSLEnabled="true"
        sslProtocol="SSL" clientAuth="false" />

2.  <Connector port="7019" maxHttpHeaderSize="8192" maxThreads="150"
        minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
        disableUploadTimeout="true" acceptCount="100" scheme="https"
        secure="true" algorithm="IbmIseriesX509" SSLEnabled="true"
        sslProtocol="SSL" clientAuth="false"
        keystoreFile="/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB"
        keystorePass="xxxxxxxx" />

3.  <Connector port="7019" maxHttpHeaderSize="8192" maxThreads="150"
        minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
        disableUploadTimeout="true" acceptCount="100" scheme="https"
        secure="true" algorithm="IbmIseriesX509" SSLEnabled="true"
        sslProtocol="SSL" clientAuth="false"
        keystoreFile="/home/User/.keystore2" keystorePass="changeit" />

I have also tried changing the sslProtocol between "SSL" and "TLS". The java.security default keystore.type is "JKS". I have tried specifying the values "JKS" (which is the type for .keystore2), "PKCS" (which is the format in DEFAULT.KDB), and unspecified.

With the certificate retrieved from *SYSTEM in /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB, the java.security service provider selection is as follows:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.sun.rsajca.Provider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.as400.ibmonly.net.ssl.Provider
    security.provider.6=com.ibm.jsse.IBMJSSEProvider
    security.provider.7=com.ibm.security.jgss.IBMJGSSProvider
    #security.provider.8=com.sun.net.ssl.internal.ssl.Provider

I am seeing the following errors in Catalina.out:

1.  keymanager: Exception in X509KeyManagerImpl initialization
    java.security.KeyStoreException: Keystore type is invalid
    ...
    sslserversocket: enabledCipherSuites = { SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_AES_CBC_128_SHA SSL_RSA_WITH_AES_CBC_256_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_MD5 SSL_RSA_WITH_3DES_EDE_CBC_MD5 SSL_RSA_WITH_RC2_CBC_128_MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 }
    sslserversocket: enabledProtocols = { SSLv2 SSLv3 TLSv1 }

-------------

2.  sslsocket: SSLSocket.startHandshake()
    sslsocket: SSLSocket.isClosed()
    sslsocket: SSLSocket.startHandshake() exception
    javax.net.ssl.SSLProtocolException: Peer not recognized or badly formatted message received.
        at java.lang.Throwable.<init>(Throwable.java:195)
        at java.lang.Exception.<init>(Exception.java:41)
        at java.io.IOException.<init>(IOException.java:40)
        at javax.net.ssl.SSLProtocolException.<init>(Unknown Source)
        at com.ibm.as400.ibmonly.net.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1743)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:156)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:534)
    sslsocket: SSLServerSocket.close()
    sslsocket: SSLSocket.isClosed()

Thanks,
_________________
Joseph Walters | Mincron Software Systems | 281-999-7010 ext 3061 | jwalt...@mincron.com
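The following is an added example, not code from the post or from Tomcat, of the two checks a reviewer would want to run against a configuration like the one above: an audit of the connector's own attributes (keystore file versus keystore type, the SSL/TLS context requested, and a default keystore password) and a scan of Catalina.out lines for the "Keystore type is invalid" error, the handshake failure, and the weak protocols and cipher suites the socket reports as enabled. The connector XML and log lines are constructed samples modelled on the ones in the post; the assumptions are Tomcat's documented JSSE defaults of keystoreType="JKS" and keystorePass="changeit" when those attributes are omitted, and the list of cipher-suite name fragments treated as weak (export, 40-bit, RC4, single DES, NULL and anonymous suites), which is this example's own choice.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a connector that points the JSSE connector at an IBM
# .KDB file without saying what keystore type it is (modelled on the post).
SAMPLE_CONNECTOR_KDB = (
    '<Connector port="7019" scheme="https" secure="true" SSLEnabled="true" '
    'algorithm="IbmIseriesX509" sslProtocol="SSL" clientAuth="false" '
    'keystoreFile="/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB" '
    'keystorePass="xxxxxxxx" />'
)

# Constructed sample: a JKS keystore, TLS context, but the default password.
SAMPLE_CONNECTOR_JKS = (
    '<Connector port="7019" scheme="https" secure="true" SSLEnabled="true" '
    'sslProtocol="TLS" clientAuth="false" keystoreType="JKS" '
    'keystoreFile="/home/User/.keystore2" keystorePass="changeit" />'
)

# Constructed catalina.out excerpt modelled on the lines quoted in the post.
SAMPLE_LOG = """\
keymanager: Exception in X509KeyManagerImpl initialization java.security.KeyStoreException: Keystore type is invalid
sslserversocket: enabledCipherSuites = { SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_AES_CBC_128_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 }
sslserversocket: enabledProtocols = { SSLv2 SSLv3 TLSv1 }
sslsocket: SSLSocket.startHandshake() exception javax.net.ssl.SSLProtocolException: Peer not recognized or badly formatted message received.
"""

# Name fragments this example treats as weak (assumption, not a Tomcat list).
WEAK_CIPHER_MARKERS = ("EXPORT", "_40_", "RC4", "_DES_", "NULL", "anon")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def audit_connector(xml_text):
    """Return (category, detail) findings for one <Connector .../> element."""
    findings = []
    attrs = ET.fromstring(xml_text).attrib
    ks_file = attrs.get("keystoreFile", "")
    ks_type = attrs.get("keystoreType", "JKS")       # Tomcat default when omitted
    ks_pass = attrs.get("keystorePass", "changeit")  # Tomcat default when omitted
    if ks_file.lower().endswith(".kdb") and ks_type.upper() == "JKS":
        findings.append(("keystore-type",
                         f"{ks_file} is a .kdb file but keystoreType resolves to JKS"))
    if attrs.get("sslProtocol", "").upper() == "SSL":
        findings.append(("protocol", "sslProtocol=SSL requests an SSL context; use TLS"))
    if ks_pass == "changeit":
        findings.append(("default-password", "keystorePass is the well-known default"))
    return findings


def audit_log(log_text):
    """Return (category, detail) findings for catalina.out-style lines."""
    findings = []
    for line in log_text.splitlines():
        if "KeyStoreException" in line:
            findings.append(("keystore", line.split("KeyStoreException: ", 1)[-1]))
        m = re.search(r"enabledCipherSuites = \{(.*?)\}", line)
        if m:
            for suite in m.group(1).split():
                if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                    findings.append(("weak-cipher", suite))
        m = re.search(r"enabledProtocols = \{(.*?)\}", line)
        if m:
            for proto in m.group(1).split():
                if proto in WEAK_PROTOCOLS:
                    findings.append(("weak-protocol", proto))
        if "startHandshake() exception" in line:
            findings.append(("handshake-failure", line.split("exception ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("KDB connector", SAMPLE_CONNECTOR_KDB),
                           ("JKS connector", SAMPLE_CONNECTOR_JKS)):
        print(name)
        for category, detail in audit_connector(xml_text):
            print(f"  [{category}] {detail}")
    print("catalina.out")
    for category, detail in audit_log(SAMPLE_LOG):
        print(f"  [{category}] {detail}")
```

The connector audit only reads attributes, so it can be pointed at any server.xml connector element; the log audit keys on the exact `enabledCipherSuites = { ... }` and `enabledProtocols = { ... }` lines the post shows, which is why the cipher list is split on whitespace rather than parsed as a structured format.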