https://bz.apache.org/bugzilla/show_bug.cgi?id=61557
Bug ID: 61557
Summary: KeyStoreException prevents Tomcat from starting up successfully
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: hyderai....@gmail.com
Target Milestone: ----

[Overview]
In Tomcat 8.5 and Tomcat 9, if we turn on FIPS mode, a KeyStoreException is thrown and the Tomcat service cannot start up successfully.

[Steps to Reproduce]
1. Follow the Oracle doc to enable FIPS mode ("The cryptographic provider"):
   https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
2. Edit the Tomcat server.xml to enable SSL.
   Note: the provider depends on which FIPS-compliant cryptographic provider you use.

   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" SSLEnabled="true">
     <SSLHostConfig>
       <Certificate certificateKeystoreFile="c:\test.bcfks"
                    type="RSA"
                    certificateKeystorePassword="changeit"
                    certificateKeystoreType="BCFKS"
                    certificateKeystoreProvider="CCJ"/>
     </SSLHostConfig>
   </Connector>

3. Start up Tomcat.

[Actual Results]
A KeyStoreException occurs!
The log looks like the following:

Sep 19, 2017 2:59:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-4119"]
Sep 19, 2017 3:00:00 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-4119"]
java.lang.IllegalArgumentException: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider CCJ
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:140)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:367)
    at com.thirdbrigade.manager.service.Tomcat.startTomcat(Tomcat.java:171)
    at com.thirdbrigade.manager.service.DSMService$WorkerThread.run(DSMService.java:247)
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider CCJ
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:232)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
    ... 16 more
Sep 19, 2017 3:00:00 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-4119]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-4119]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:140)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:367)
    at com.thirdbrigade.manager.service.Tomcat.startTomcat(Tomcat.java:171)
    at com.thirdbrigade.manager.service.DSMService$WorkerThread.run(DSMService.java:247)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 8 more
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider CCJ
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
    ... 9 more
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider CCJ
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:232)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
    ... 16 more

[Expected Results]
Tomcat should start up successfully.

[Build]
The latest 8.5.20 and 9.0.0.M26 have this issue.

[Additional Information]
In nightly build 8.5.21 there is a related fix, but it doesn't solve this issue:
https://github.com/apache/tomcat/commit/5fca54ea7b653403b5b12ac1d830a8a5fa5484d7#diff-a067af9186cf2818d35dbaa0828e2960

It's caused by the hard-coded "JKS" for the in-memory keystore in JSSEUtil.java:
=========================
if (k != null && "PKCS#8".equalsIgnoreCase(k.getFormat())) {
    // Switch to in-memory key store
    ksUsed = KeyStore.getInstance("JKS");
    ksUsed.load(null, null);
    ksUsed.setKeyEntry(keyAlias, k, keyPassArray, ks.getCertificateChain(keyAlias));
}
=====================
The keystore type should be the one the user assigns in the connector setting; in this example, it should be BCFKS.
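An added example (not Tomcat's code and not the fix the project shipped) that builds the in-memory copy with the type and provider of the key store the user configured instead of a hard-coded "JKS", then runs the same KeyManagerFactory.init() that JSSEUtil.getKeyManagers() calls, so a FIPS-mode provider mismatch shows up as the KeyStoreException above without starting Tomcat. It assumes the key password equals the store password, as the single certificateKeystorePassword in the server.xml above implies; the class name and method names are made up for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;

// Example only: reproduces JSSE's FIPS key store provider check outside Tomcat.
public class FipsKeyStoreCheck {

    // Same idea as the JSSEUtil block in the report, but the in-memory store is
    // created with the source store's type and provider (e.g. BCFKS from CCJ),
    // so the provider the FIPS-mode KeyManagerFactory insists on is preserved.
    static KeyStore copyKeyToMemoryStore(KeyStore source, String alias, char[] keyPass)
            throws Exception {
        Key k = source.getKey(alias, keyPass);
        if (k == null) {
            throw new IllegalArgumentException("no key entry under alias " + alias);
        }
        KeyStore inMemory = KeyStore.getInstance(source.getType(), source.getProvider());
        inMemory.load(null, null);
        inMemory.setKeyEntry(alias, k, keyPass, source.getCertificateChain(alias));
        return inMemory;
    }

    // The default algorithm resolves to SunX509, the implementation in the
    // stack trace; in FIPS mode its engineInit() throws KeyStoreException
    // when the store does not come from the configured FIPS provider.
    static void verifyWithKeyManagerFactory(KeyStore ks, char[] keyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
    }

    // Usage: java FipsKeyStoreCheck <keystoreFile> <type> <provider|-> <password> <alias>
    // e.g.   java FipsKeyStoreCheck c:\test.bcfks BCFKS CCJ changeit tomcat
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: FipsKeyStoreCheck <file> <type> <provider|-> <password> <alias>");
            return;
        }
        char[] pass = args[3].toCharArray();
        KeyStore ks = "-".equals(args[2]) ? KeyStore.getInstance(args[1])
                                         : KeyStore.getInstance(args[1], args[2]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        System.out.println("configured store provider: " + ks.getProvider().getName());
        KeyStore mem = copyKeyToMemoryStore(ks, args[4], pass);
        System.out.println("in-memory store provider:  " + mem.getProvider().getName());
        verifyWithKeyManagerFactory(mem, pass);
        System.out.println("KeyManagerFactory accepted the in-memory key store");
    }
}
```

Running it against the configured file with the FIPS provider installed either prints the accepted message or fails with the same "FIPS mode: KeyStore must be from provider CCJ" exception, which tells an operator whether the problem is the provider setup or Tomcat's hard-coded JKS copy.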