Hi,

I'm wondering if anyone has ever seen this and how they fixed it. I have a production Tomcat server (v5.5.23) that I need to move to another host system. I copied over the full installation and made sure I was using the same version of the runtime (jdk1.5.0_03). But when I try to access a secured page on the new host, it fails and I get the following stack trace in tomcat.log:


DEBUG http-10.171.255.17-443-Processor25 org.apache.tomcat.util.net.PoolTcpEndpoint - Handshake failed
javax.net.ssl.SSLException: Error generating DH server key exchange
        at com.sun.net.ssl.internal.ssl.Handshaker.throwSSLException(Handshaker.java:907)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:556)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:595)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPrivateCrtKeyImpl
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1059)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
        at java.security.Signature.initSign(Signature.java:503)
        at com.sun.net.ssl.internal.ssl.HandshakeMessage$DH_ServerKeyExchange.<init>(HandshakeMessage.java:671)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:550)
        ... 11 more
Caused by: java.security.NoSuchAlgorithmException: NONEwithRSA Signature not available
        at java.security.Signature.getInstance(Signature.java:208)
        at com.sun.net.ssl.internal.ssl.JsseJce.getSignature(JsseJce.java:104)
        at com.sun.net.ssl.internal.ssl.RSASignature.<init>(RSASignature.java:45)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
        at java.lang.Class.newInstance0(Class.java:350)
        at java.lang.Class.newInstance(Class.java:303)
        at java.security.Provider$Service.newInstance(Provider.java:1075)
        at java.security.Signature$Delegate.newInstance(Signature.java:941)
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1035)
        ... 15 more

The JDKs on both the current production host system (which works) and the host I'm moving to are identical (I double checked security.providers in jre/lib/security/java.security) and just in case I screwed up the certificate and went to Thawte and reissued it. The reference above to NONEwithRSA makes no sense to me. The certificate is a PKCS#7 chain and the signature algorithms are SHA1withRSA and MD5withRSA. Where does the NONEwithRSA come from?

The only difference between the two host machines is the OS. The current production machine is RedHat v9 (just a bit out of date) and the new box is running Fedora Core 7. I don't know whether that's a difference that makes a difference or not, but I thought I would mention it anyway.

I've been hitting my head against a wall for two days now, and I need SSL working before I can switch over to the new box. As you can well imagine, this is driving me crazy. Any ideas?

Thanks,
Rob


--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR

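A small diagnostic, added here as an example and not part of Rob's message or of Tomcat/JSSE itself. The innermost cause in the trace is JsseJce.getSignature asking for a "NONEwithRSA" Signature: that is the raw RSA signature JSSE uses to sign the Diffie-Hellman parameters in a DHE_RSA ServerKeyExchange (the certificate's own SHA1withRSA/MD5withRSA signatures are unrelated to it). Whether that algorithm is available depends only on the providers the running JVM actually loads, so the program below prints the JVM in use, every registered provider, which provider (if any) advertises each Signature algorithm JSSE needs, and whether Signature.getInstance succeeds for it. The list of algorithms to probe is an assumption taken from the trace; run it with the same java binary Tomcat uses on both hosts and diff the output.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/**
 * Prints the security-provider view of the running JVM so two hosts can be compared.
 * Compile and run with the exact java binary Tomcat starts with, e.g.
 *   $JAVA_HOME/bin/javac JsseSignatureCheck.java && $JAVA_HOME/bin/java JsseSignatureCheck
 */
public class JsseSignatureCheck {

    // Signature algorithms to probe. "NONEwithRSA" is what the stack trace shows JSSE
    // requesting; the other two are what the certificate chain is signed with (assumed list).
    static final String[] ALGORITHMS = { "NONEwithRSA", "SHA1withRSA", "MD5withRSA" };

    public static void main(String[] args) {
        // Which runtime is really in use: a stray JAVA_HOME or a second JRE on the new box
        // would show up here even though "java -version" on the shell looks identical.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println();

        // Providers in the order java.security registered them (security.provider.N lines).
        System.out.println("Registered providers:");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            System.out.println("  " + (i + 1) + ". " + p.getName() + " " + p.getVersion()
                    + " - " + p.getInfo());
        }
        System.out.println();

        // For each algorithm: who claims to implement it, and does instantiation work?
        for (String alg : ALGORITHMS) {
            System.out.println("Signature." + alg + ":");
            boolean advertised = false;
            for (Provider p : providers) {
                for (Provider.Service s : p.getServices()) {
                    if ("Signature".equals(s.getType()) && alg.equalsIgnoreCase(s.getAlgorithm())) {
                        System.out.println("  advertised by " + p.getName()
                                + " (" + s.getClassName() + ")");
                        advertised = true;
                    }
                }
            }
            if (!advertised) {
                System.out.println("  not advertised by any provider");
            }
            try {
                Signature sig = Signature.getInstance(alg);
                System.out.println("  getInstance OK via " + sig.getProvider().getName());
            } catch (NoSuchAlgorithmException e) {
                // This is the condition that produces "NONEwithRSA Signature not available".
                System.out.println("  getInstance FAILED: " + e.getMessage());
            }
        }
    }
}
```

If the working host advertises NONEwithRSA (normally from the SunRsaSign provider) and the new host does not, the difference is in the runtime the new Tomcat is launching, its jre/lib/security/java.security, or a provider jar missing from the classpath, rather than in the certificate. Because the failing suites are the DHE_RSA ones, a TLS client that only offers plain RSA key exchange would not trigger the error, which is a useful way to confirm the diagnosis but not a fix.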