Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
Angela,

On 11/22/22 13:49, Cantor, Angela T. wrote:
> Problem solved - the answer was embarrassingly easy. I chowned /etc/pki/nssdb and its contents to tomcat, and everything worked. The "read_only" part of CKR_SESSION_READ_ONLY was a clue.
>
> I'm not sure what changed with the newer OpenJDK, as tomcat had run fine for months with root owning /etc/pki/nssdb before. Also now it is updating the cert*.db and key*.db files each time tomcat starts, which it was not doing before.

That's weird. I would NOT expect anything in /etc/pki/* to be updated each time I start a service, unless it's explicitly a service that should be updating trust stores and/or key stores. But if that's what YOU expect, well, then ... okay, I guess :)

> Anyway, all is well, and thanks again to Chris and Joey for looking at it and providing suggestions - I learned a lot in the process.

:)

-chris

> -Original Message-
> From: Christopher Schultz
> Sent: Friday, November 18, 2022 14:37
> To: users@tomcat.apache.org
> Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
>
> Joey,
>
> On 11/17/22 10:52, Joey Cochran wrote:
>> You might still have a passphrase on the private key that is different from the passphrase on the keystore.
>
> This may be the case, but is pretty uncommon.
>
>> After that, my next try would be without explicitly setting ciphers.
>
> This exception occurs way before any cipher suites are being negotiated, so don't worry about that.
>
> -chris
>
>> -Original Message-
>> From: Cantor, Angela T.
>> Sent: Wednesday, November 16, 2022 7:28 PM
>> To: Tomcat Users List
>> Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
>>
>> Thanks to Joey and Chris for responding.
>>
>> Joey had said
>>> Jump through the hoop of rebuilding the keystore with the current java
>>> I believe this is what we did that made the difference I am not familiar with PKCS11
>>> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
>>
>> Chris had some questions about my PKCS11 setup, but I'm taking a left turn and changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and this community seems to know more about it.
>>
>> So I changed back to using PKCS12. I recreated the keystore from my key and signed cert using openssl and switched to using Http11Nio2Protocol. Now the connector is this:
>>
>> This produced the following error:
>> 16-Nov-2022 14:54:58.858 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
>> Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>>     at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
>>     ... 13 more
>> Caused by: java.io.IOException: keystore password was incorrect
>>     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
>>     at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
[ANN] Apache Tomcat 8.5.84 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.84.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 8.5.84 is a bugfix and feature release. The notable changes compared to 8.5.83 include:

- Fix concurrency issue in evaluation of expression language containing lambda expressions.
- Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265.
- Update to Commons Daemon 1.3.2.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
Problem solved - the answer was embarrassingly easy. I chowned /etc/pki/nssdb and its contents to tomcat, and everything worked. The "read_only" part of CKR_SESSION_READ_ONLY was a clue.

I'm not sure what changed with the newer OpenJDK, as tomcat had run fine for months with root owning /etc/pki/nssdb before. Also now it is updating the cert*.db and key*.db files each time tomcat starts, which it was not doing before.

Anyway, all is well, and thanks again to Chris and Joey for looking at it and providing suggestions - I learned a lot in the process.

Angela

-Original Message-
From: Christopher Schultz
Sent: Friday, November 18, 2022 14:37
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

Joey,

On 11/17/22 10:52, Joey Cochran wrote:
> You might still have a passphrase on the private key that is different
> from the passphrase on the keystore.

This may be the case, but is pretty uncommon.

> After that, my next try would be without explicitly setting ciphers.

This exception occurs way before any cipher suites are being negotiated, so don't worry about that.

-chris

> -Original Message-
> From: Cantor, Angela T.
> Sent: Wednesday, November 16, 2022 7:28 PM
> To: Tomcat Users List
> Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
>
> Thanks to Joey and Chris for responding.
>
> Joey had said
>> Jump through the hoop of rebuilding the keystore with the current java
>> I believe this is what we did that made the difference I am not familiar with PKCS11
>> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
>
> Chris had some questions about my PKCS11 setup, but I'm taking a left turn and changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and this community seems to know more about it.
>
> So I changed back to using PKCS12. I recreated the keystore from my key and signed cert using openssl and switched to using Http11Nio2Protocol. Now the connector is this:
>
> <Connector port="8843" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            server="Apache"
>            keyAlias="tomcat9"
>            keystorePass="XX" keystoreType="PKCS12"
>            keystoreFile="/tomcat9.p12"
>            maxHttpHeaderSize="32768"
>            sslEnabledProtocols="TLSv1.2"
>            ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
>            clientAuth="false" sslProtocol="TLSv1.2"/>
>
> This produced the following error:
> 16-Nov-2022 14:54:58.858 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
> Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>     at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240
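Joey's passphrase remark and the "keystore password was incorrect" trace in the thread above describe two distinct failures: KeyStore.load rejecting the store password, and a private key whose own passphrase differs from the store's (Tomcat uses keystorePass as keyPass unless keyPass is set). The checker below is an added example written for this thread, not code from the list or from Tomcat; it assumes the PKCS12 file, the connector's keyAlias and the passwords are passed on the command line, and it reproduces the startup checks outside Tomcat so the failing one can be identified before restarting the service.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Collections;

/** Reproduces the two checks Tomcat's JSSE endpoint performs at startup, outside Tomcat. */
public class KeystoreCheck {

    // usage: java KeystoreCheck /tomcat9.p12 tomcat9 <keystorePass> [keyPass]
    public static void main(String[] args) throws Exception {
        String file = args[0];
        String keyAlias = args[1];
        char[] storePass = args[2].toCharArray();
        // Tomcat defaults keyPass to keystorePass, so do the same here
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(file)) {
            // A wrong storePass raises IOException "keystore password was incorrect",
            // the same message that appears in the Tomcat trace
            ks.load(in, storePass);
        } catch (IOException e) {
            System.out.println("cannot open store: " + e.getMessage());
            return;
        }

        if (!ks.containsAlias(keyAlias)) {
            System.out.println("alias '" + keyAlias + "' not found; present: "
                    + Collections.list(ks.aliases()));
            return;
        }
        if (!ks.isKeyEntry(keyAlias)) {
            System.out.println("alias '" + keyAlias + "' is a trusted cert, not a key entry");
            return;
        }
        try {
            // Fails with UnrecoverableKeyException when the key carries its own passphrase
            Key k = ks.getKey(keyAlias, keyPass);
            Certificate[] chain = ks.getCertificateChain(keyAlias);
            System.out.println("OK: " + k.getAlgorithm() + " key, chain length " + chain.length
                    + (chain.length < 2 ? " (no intermediate bundled)" : ""));
        } catch (UnrecoverableKeyException e) {
            System.out.println("key passphrase differs from keystore password: " + e.getMessage());
        }
    }
}
```

The chain length printed at the end is the "complete chain bundling" Joey mentions: a length of 1 means the PKCS12 carries only the leaf certificate, so clients will receive no intermediate.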
Re: listing (db) resources
Take a look at how the ManagerServlet lists resources:
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/manager/ManagerServlet.java#L1193

Hopefully that will give you some pointers.

Mark

On 22/11/2022 14:56, Rob Sargent wrote:
> I'm trying to get the list of available db resources to send to a web page. My context.xml file below is generated at startup since the user(s) and dbs change regularly and I would like to see "who's on first" from my monitor servlet. I tried context.getEnvironment() but that's empty. Is there programmatic access to the list of Resource names?
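The ManagerServlet code Mark points to walks the web application's java:comp/env JNDI context and recurses into subcontexts such as jdbc/, which is where each <Resource name="jdbc/..."/> from context.xml ends up. The class below is an added example written for this thread, not the ManagerServlet's own code; it assumes it is called from a servlet thread inside the web application that declares the resources, since Tomcat binds java:comp/env per web application and the lookup is empty from anywhere else.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;

/** Lists the names (and bound classes) under java:comp/env for the calling web application. */
public class ResourceLister {

    public static List<String> listResources() throws NamingException {
        List<String> found = new ArrayList<>();
        Context env = (Context) new InitialContext().lookup("java:comp/env");
        walk(env, "", found);
        return found;
    }

    private static void walk(Context ctx, String prefix, List<String> found) throws NamingException {
        NamingEnumeration<NameClassPair> items = ctx.list("");
        try {
            while (items.hasMore()) {
                NameClassPair item = items.next();
                String name = prefix + item.getName();
                Object value = ctx.lookup(item.getName());
                if (value instanceof Context) {
                    // e.g. "jdbc/" holding one DataSource per <Resource name="jdbc/..."/>
                    walk((Context) value, name + "/", found);
                } else {
                    // e.g. "jdbc/mydb (org.apache.tomcat.dbcp.dbcp2.BasicDataSource)"
                    found.add(name + " (" + item.getClassName() + ")");
                }
            }
        } finally {
            items.close();
        }
    }
}
```

Note that lookup() on a jdbc/ entry makes Tomcat instantiate the DataSource through its factory, exactly as the ManagerServlet's listing does; a monitor page that only needs names should expose the names and not the pool objects themselves.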
listing (db) resources
I'm trying to get the list of available db resources to send to a web page. My context.xml file below is generated at startup since the user(s) and dbs change regularly and I would like to see "who's on first" from my monitor servlet. I tried context.getEnvironment() but that's empty. Is there programmatic access to the list of Resource names?