RE: Standalone SSL Problem (was: Re: [DOC] TC4 Status)
i have seen this. little background first... i had some webapps that needed to use jsse, plus catalina needed it for https. so, i figured i'd put the jsse jars somewhere in the tc4 dist tree so that both the webapps and catalina could find them. i believe that was $TC4_HOME/common/lib. well, long story short, that barfed and i saw errors like the stack trace you saw. i got rid of the problem by taking the jsse jars out of the tc4 dist tree, and putting them into the ext dir under the jre installation, plus adding the proper line to $JAVA_HOME/jre/lib/security/java.security. Starting service Tomcat-Standalone Apache Tomcat/4.0-b6 initProxy: java.security.NoSuchAlgorithmException: Class com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext not a SSLContext java.security.NoSuchAlgorithmException: Class com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext not a SSLContext at com.sun.net.ssl.b.a([DashoPro-V1.2-120198]) at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198]) at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLSe rverSocketFactory.java:385) at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLS erverSocketFactory.java:328) at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SS LServerSocketFactory.java:281) at org.apache.catalina.connector.http.HttpConnector.open(HttpConn ector.java:905) at org.apache.catalina.connector.http.HttpConnector.start(HttpCon nector.java:1078) at org.apache.catalina.core.StandardService.start(StandardService .java:360) at org.apache.catalina.core.StandardServer.start(StandardServer.java:458) at org.apache.catalina.startup.Catalina.start(Catalina.java:737) at org.apache.catalina.startup.Catalina.execute(Catalina.java:657) at org.apache.catalina.startup.Catalina.process(Catalina.java:178) at java.lang.reflect.Method.invoke(Native Method) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202) Catalina.start: LifecycleException: HttpConnector[8443].open: java.io.IOException: java.security.NoSuchAlgorithmException: Class com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext not a SSLContext LifecycleException: HttpConnector[8443].open: java.io.IOException: java.security.NoSuchAlgorithmException: Class com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext not a SSLContext at org.apache.catalina.connector.http.HttpConnector.start(HttpCon nector.java:1080) at org.apache.catalina.core.StandardService.start(StandardService .java:360) at org.apache.catalina.core.StandardServer.start(StandardServer.java:458) at org.apache.catalina.startup.Catalina.start(Catalina.java:737) at org.apache.catalina.startup.Catalina.execute(Catalina.java:657) at org.apache.catalina.startup.Catalina.process(Catalina.java:178) at java.lang.reflect.Method.invoke(Native Method) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202) - Root Cause - java.io.IOException: java.security.NoSuchAlgorithmException: Class com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext not a SSLContext at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLSe rverSocketFactory.java:409) at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLS erverSocketFactory.java:328) at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SS LServerSocketFactory.java:281) at org.apache.catalina.connector.http.HttpConnector.open(HttpConn ector.java:905) at org.apache.catalina.connector.http.HttpConnector.start(HttpCon nector.java:1078) at org.apache.catalina.core.StandardService.start(StandardService .java:360) at org.apache.catalina.core.StandardServer.start(StandardServer.java:458) at org.apache.catalina.startup.Catalina.start(Catalina.java:737) at org.apache.catalina.startup.Catalina.execute(Catalina.java:657) at org.apache.catalina.startup.Catalina.process(Catalina.java:178) at java.lang.reflect.Method.invoke(Native Method) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202) Stopping service Tomcat-Standalone
Re: Standalone SSL Problem (was: Re: [DOC] TC4 Status)
Hot damn. Taking the classes out of the TC hierarchy got rid of that No Such Algorithm business. Thanks Kevin! Is that more-or-less expected behavior, or should I log it into bugzilla so that it gets tracked as a bug? I'd be happy to look into it further, although with my rather limited exposure to Catalina classloading it might take a little while to get a patch for it. Back to SSL ... unfortunately, in looking at the new stack trace, we're now apparently back to my basic confusion about how to specify the keystore stuff in the https connector. The server.xml snippet I posted in my last message is presumably not right. Either that or I specified something I shouldn't have when generating the keystore (also posted). Can someone straighten me out? Also, feel free to beat me about the head if I missed it in the docs somewhere =) - Christopher Starting service Tomcat-Standalone Apache Tomcat/4.0-b6 initProxy: java.security.UnrecoverableKeyException: Cannot recover key java.security.UnrecoverableKeyException: Cannot recover key at sun.security.provider.KeyProtector.recover(KeyProtector.java:308) at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:110) at java.security.KeyStore.getKey(KeyStore.java:264) at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.init([DashoPro-V1.2-120198]) at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit([DashoPro-V1.2-120198]) at com.sun.net.ssl.KeyManagerFactory.init([DashoPro-V1.2-120198]) at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:390) at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:328) at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:281) at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:905) at org.apache.catalina.connector.http.HttpConnector.start(HttpConnector.java:1078) at org.apache.catalina.core.StandardService.start(StandardService.java:360) at org.apache.catalina.core.StandardServer.start(StandardServer.java:458) at org.apache.catalina.startup.Catalina.start(Catalina.java:737) at org.apache.catalina.startup.Catalina.execute(Catalina.java:657) at org.apache.catalina.startup.Catalina.process(Catalina.java:178) at java.lang.reflect.Method.invoke(Native Method) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202) Catalina.start: LifecycleException: HttpConnector[8443].open: java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key LifecycleException: HttpConnector[8443].open: java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key at org.apache.catalina.connector.http.HttpConnector.start(HttpConnector.java:1080) at org.apache.catalina.core.StandardService.start(StandardService.java:360) at org.apache.catalina.core.StandardServer.start(StandardServer.java:458) at org.apache.catalina.startup.Catalina.start(Catalina.java:737) at org.apache.catalina.startup.Catalina.execute(Catalina.java:657) at org.apache.catalina.startup.Catalina.process(Catalina.java:178) at java.lang.reflect.Method.invoke(Native Method) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202) - Root Cause - java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:409) at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:328) at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:281) at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:905) at org.apache.catalina.connector.http.HttpConnector.start(HttpConnector.java:1078) at org.apache.catalina.core.StandardService.start(StandardService.java:360) at org.apache.catalina.core.StandardServer.start(StandardServer.java:458) at org.apache.catalina.startup.Catalina.start(Catalina.java:737) at org.apache.catalina.startup.Catalina.execute(Catalina.java:657) at org.apache.catalina.startup.Catalina.process(Catalina.java:178) at java.lang.reflect.Method.invoke(Native Method) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202) Kevin Seguin wrote: i have seen this. little background first... i had some webapps that needed to use jsse, plus catalina needed it for https. so, i figured i'd put the jsse jars somewhere in the tc4 dist tree so that both the webapps and catalina could find them. i believe that was $TC4_HOME/common/lib. well, long story short, that barfed and i saw errors like the stack trace you saw. i got rid of the problem by taking the jsse jars out of
Re: Standalone SSL Problem (was: Re: [DOC] TC4 Status)
Quoting Christopher Cain [EMAIL PROTECTED]: Hot damn. Taking the classes out of the TC hierarchy got rid of that No Such Algorithm business. Thanks Kevin! Is that more-or-less expected behavior, or should I log it into bugzilla so that it gets tracked as a bug? I don't know if it's fixable. The secrity algorithms probably have to be loaded from the system class loader. Remy
Re: Standalone SSL Problem (was: Re: [DOC] TC4 Status)
Remy Maucherat wrote: Quoting Christopher Cain [EMAIL PROTECTED]: Hot damn. Taking the classes out of the TC hierarchy got rid of that No Such Algorithm business. Thanks Kevin! Is that more-or-less expected behavior, or should I log it into bugzilla so that it gets tracked as a bug? I don't know if it's fixable. The secrity algorithms probably have to be loaded from the system class loader. Remy You're quite right, I'm sure. I was actually thinking more along the lines of having the startup routine ignore them should they be found in any of the internal lib directories, so that at least they don't conflict with the system loader. Of course, the other alternative would be to simply include a warning in the SSL config doc I'm planning. Either way, I guess ... - Christopher
Re: Standalone SSL Problem (was: Re: [DOC] TC4 Status)
On Mon, 30 Jul 2001, Christopher Cain wrote: (Two different mails snipped and referenced below :-) Craig R. McClanahan wrote: Yes, that should be conf/server/lib. Alternatively (and the way I run it), you can put these three JAR files in $JAVA_HOME/jre/lib/ext. A few things here. First, it is unnecessary, then, to have the JSSE jars in the Tomcat hierarchy if they are installed extensions (/jre/lib/ext)? That is correct. That's the way my setup works. Second, and just out of curiousity, the server/lib directory appears to have moved up to the $TCHOME rather than underneath the conf subdirectory. Was that a typo on your part, or does the container actually search that path (in which case one would now have to manually create it)? Yes, the above is a typo -- it's really $CATALINA_HOME/server/lib. Just uncommenting the 8443 connector example in the standard conf/server.xml works for me. But I still need to point it to my keystore, right? Basically, I uncommented the section and added keystoreFile and keystorePass attributes to the Connector tag. The second Http connector section now reads this: Connector className=org.apache.catalina.connector.http.HttpConnector port=8443 minProcessors=5 maxProcessors=75 enableLookups=true acceptCount=10 debug=0 scheme=https secure=true keystoreFile=/usr/local/tomcat/conf/my.keystore keystorePass=mypass Factory className=org.apache.catalina.net.SSLServerSocketFactory clientAuth=false protocol=TLS/ /Connector Again, all I changed was to add the two keystore attribs. I didn't, because the defaults work for me: keystoreFile - Default is .keystore in the user home directory of the user that is running Tomcat. keystorePass - changeit (as the docco in server.xml tells you to do You can, of course, override these values as you have done, if you have done something different. You also have to set up your JSSE environment according to the instructions immediately above this connector entry. I think so. I have JSSE 1.0.2, with the 3 jars in jre/lib/ext (and also in the system classpath, although not that Catalina cares, of course). I have the com.sun.net.ssl... provider in the security file (I assume the pecking order doesn't matter). My keystore was generated with: keytool -genkey -alias tomcat -keyalg RSA -keystore my.keystore -keypasswd thepassword -storepasswd thepassword The shouldn't you set keystorePass to thepassword instead of mypass? Key and store passwords are the same. my.keystore is in the tomcat conf directory and world-readable. What do your log files say? First of all, the silent failure bit I mentioned this morning was simply my own goofiness. No message was thrown on the command line, and there were no errors in the catalina_log... file, but I somehow missed the catalina.out file (my only defense is that it was 2:00am at the time :-) Below is the stack trace from that file. PATHETIC DISCLAIMER: I haven't tried to track it down yet, as I just now discovered this log file. Although nothing jumps out at me from viewing the calling stack, it may well be something braindead. I suppose this is technically a bit of dev-list abuse now, but I am still familiarizing myself with the 4.0 codebase and am not yet up to speed on the container startup process. If nothing appears obvious from my setup and/or stack trace, feel free to call me a bum and tell me to track it down my own damn self. I simply couldn't resist an invitation such as What do your log files say =) (Although on the upshot, I can definitely promise you a Standalone SSL Configuration and Troubleshooting doc once this is all said and done.) Looks like the kind of problem you will have if the classes are BOTH in the system extensions directory AND in the Tomcat hierarchy. You really don't want to do that. - Christopher P.S. TC4 takes about 2 minutes to start up on my P133 Redhat 7.1 box with 256M of RAM. Is that normal or excessive? I'll definitely track that one down myself, I just want to know if that is out of the ordinary and therefore something I should even check into. I know for a fact that javac compilations are almost surrealistically slow on that machine, so maybe it has something to do with that. *shrug* The largest time consumer in the Tomcat code is creating multiple SAXParserFactory instances in XmlMapper, which is apparently pretty expensive. There's already an enhancement request logged to reuse the first one you create instead, which we'll get to at some point. Tomcat 4 on my system (800mHz, 512mb) starts up with just the standard apps in less than 5 seconds. Of course, if you've got an app with load-on-startup servlets that take a long time (such as Cocoon), then it's not really Tomcat's fault anyway :-). Anyway, thanks a ton for the SSL assistance! Craig -- Starting service