RE: SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

2019-09-26 Thread jonmcalexander
Sounds like you need to share your JAVA_OPTS or CATALINA_OPTS, not your 
connector.


Jon McAlexander

From: Venkataraman Srinivasan 
Sent: Thursday, September 26, 2019 4:30 PM
To: users@tomcat.apache.org
Subject: SSL issue : java.security.KeyStoreException: Cannot store 
non-PrivateKeys


Hi,

I am getting the error below while I am starting TOMCAT

Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:250)
    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
    at org.apache.tomcat.util.net.jsse.
++

Environment :

Tomcat Version : 8.5.32
Certificate Issuer : Thawte
KeyStore created with : Key Algorithm RSA
CSR Requested with : < NO Key Algorithm is passed>
Certificate Signature algorithm name: SHA1withRSA


Connector Entry in server.xml



  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  defaultSSLHostConfigName="https://blabla.bla.org:8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="200"
  enableLookups="false"
  clientAuth="false"
  acceptCount="10"
  SSLEnabled="true"
  connectionTimeout="6"

  https://blabla.bla.org:8443" >

  sslProtocols="+TLS+TLSv1.2+TLSv1.3"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"


Thanks
Venkat




SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

2019-09-26 Thread Venkataraman Srinivasan

Hi,
 
I am getting the error below while I am starting TOMCAT
 
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:250)
    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
    at org.apache.tomcat.util.net.jsse.
++
 
Environment :
 
Tomcat Version : 8.5.32
Certificate Issuer : Thawte
KeyStore created with : Key Algorithm RSA
CSR Requested with : < NO Key Algorithm is passed>
Certificate Signature algorithm name: SHA1withRSA  
 
 
Connector Entry in server.xml
 


  
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  defaultSSLHostConfigName="https://blabla.bla.org:8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="200"
  enableLookups="false"
  clientAuth="false"
  acceptCount="10"
  SSLEnabled="true"
  connectionTimeout="6"

  https://blabla.bla.org:8443" >

  sslProtocols="+TLS+TLSv1.2+TLSv1.3"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
 
 
Thanks
Venkat

 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
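
An added diagnostic, not code from the original post or from Tomcat: the innermost KeyStoreException in the trace above is the message the JDK's JKS provider gives when KeyStore.setKeyEntry receives a key that is not a PrivateKey. The class below reproduces that with constructed keys and, given a keystore path, type and password on the command line, lists each alias with its entry type; the class and method names are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreEntryCheck {

    // Classify one alias: only a PrivateKeyEntry can back a TLS server certificate.
    static String kind(KeyStore ks, String alias) throws KeyStoreException {
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class))
            return "PrivateKeyEntry (private key + certificate chain)";
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class))
            return "TrustedCertificateEntry (certificate only, no key)";
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class))
            return "SecretKeyEntry (symmetric key)";
        return "missing or unknown";
    }

    // Returns the provider's message if an empty JKS store rejects the key, else null.
    static String jksRejects(Key key) throws Exception {
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null); // empty in-memory store, nothing read from disk
        try {
            jks.setKeyEntry("probe", key, "changeit".toCharArray(), null);
            return null;
        } catch (KeyStoreException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a symmetric key and a null key; neither is a PrivateKey.
        System.out.println("SecretKey -> " + jksRejects(new SecretKeySpec(new byte[16], "AES")));
        System.out.println("null key  -> " + jksRejects(null));

        // Optional audit: java KeystoreEntryCheck <keystore-file> <type> <password>
        if (args.length == 3) {
            KeyStore ks = KeyStore.getInstance(args[1]);
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[2].toCharArray());
            }
            for (String alias : Collections.list(ks.aliases()))
                System.out.println(alias + " : " + kind(ks, alias));
        }
    }
}
```

An alias that the connector is expected to use but that is absent, or that shows up as anything other than a PrivateKeyEntry, is worth checking before looking further into the connector configuration.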

Re: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-09-26 Thread Mark Thomas
On 26/09/2019 18:22, Chen Levy wrote:
> Hello Experts
> 
> Several of my production servers were recently upgraded from Tomcat 9.0.14 to 
> 9.0.24; immediately after the upgrade the servers started accumulating memory 
> in a steady trend that was not observed before. In addition, CPU utilization 
> that used to hover around 2% now sits at 8%.
> For now the servers are still serving but I suspect they'll become 
> unresponsive in a few hours.
> I loaded a heap dump from one of the servers into MAT and received the 
> following Leak Suspect:
> 
> One instance of "org.apache.coyote.http11.Http11NioProtocol" loaded by 
> "java.net.URLClassLoader @ 0x503f02c40" occupies 9,282,972,608 (96.88%) 
> bytes. The memory is accumulated in one instance of 
> "java.util.concurrent.ConcurrentHashMap$Node[]" loaded by " loader>".
> 
> The HashMap referenced in the report appears to be "waitingProcessors" inside 
> AbstractProtocol which contains 262K entries.

OK. Those are asynchronous Servlets that are still in async mode.

While it is possible for an application to deliberately get itself into
a state like this (infinite async timeouts and don't complete/dispatch
the async requests) given that it doesn't happen with 9.0.14 but does
with 9.0.24 (and .26) that suggests a Tomcat bug.

> The same issue was reproduced using v9.0.26 as well
> 
> Please let me know whether I should provide additional information

Can you do a binary search to determine which Tomcat 9.0.x release this
problem was introduced in?

How easily can you reproduce this? Do you have something approaching a
test case we could use to repeat the issue?

Meanwhile, I'll take a look at the changelog and see if anything jumps
out as a possible cause.

Thanks,

Mark


> 
> Current setup of the production servers:
> AdoptOpenJDK (build 11.0.3+7) 
> Amazon Linux 2
> 
> maxHttpHeaderSize="16384"
>maxThreads="500" minSpareThreads="25"
>enableLookups="false" disableUploadTimeout="true"
>connectionTimeout="1"
>compression="on"
>SSLEnabled="true" scheme="https" secure="true">
>keepAliveTimeout="2"
>  overheadDataThreadhold="0"/>
> 
>   certificateKeyAlias="tomcat"
>  certificateKeystorePassword=""
>  certificateKeystoreType="PKCS12"/>
> 
> 
> 
> Thanks
> Chen



Tomcat 9.0.24/9.0.26 suspected memory leak

2019-09-26 Thread Chen Levy
Hello Experts

Several of my production servers were recently upgraded from Tomcat 9.0.14 to 
9.0.24; immediately after the upgrade the servers started accumulating memory 
in a steady trend that was not observed before. In addition, CPU utilization 
that used to hover around 2% now sits at 8%.
For now the servers are still serving but I suspect they'll become unresponsive 
in a few hours.
I loaded a heap dump from one of the servers into MAT and received the 
following Leak Suspect:

One instance of "org.apache.coyote.http11.Http11NioProtocol" loaded by 
"java.net.URLClassLoader @ 0x503f02c40" occupies 9,282,972,608 (96.88%) bytes. 
The memory is accumulated in one instance of 
"java.util.concurrent.ConcurrentHashMap$Node[]" loaded by "".

The HashMap referenced in the report appears to be "waitingProcessors" inside 
AbstractProtocol which contains 262K entries.

The same issue was reproduced using v9.0.26 as well

Please let me know whether I should provide additional information

Current setup of the production servers:
AdoptOpenJDK (build 11.0.3+7) 
Amazon Linux 2








Thanks
Chen
