Hi Diarmuid,

We have run into a similar issue with client cert SSL. Is your 3rd party web service 
hosted on Windows/IIS? 

George

-----Original Message-----
From: dmccrthy [mailto:dmccr...@gmail.com] 
Sent: Tuesday, September 01, 2015 11:07 AM
To: Tomcat Users List
Subject: Tomcat 7.0.55 Not loading truststore or keystore

Hi All,

I am having trouble getting Tomcat to load a truststore and keystore.  This 
seems to be a basic configuration issue but I can't figure out what the problem 
is. Any insights would be gratefully received.

The scenario is:

* A 3rd party web application is deployed in Tomcat
* The 3rd party web application is making outbound HTTPS connections to a 3rd 
party web service
* Tomcat JVM parameters are configured with

   -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
   -Djavax.net.ssl.trustStorePassword=<snip>
   -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
   -Djavax.net.ssl.keyStorePassword=<snip>
   -Dhttps.protocols="TLSv1"
   -Djavax.net.debug=ALL

* Both truststore and keystore are JKS
* Mutual authentication is used for the SSL handshake
* There are no errors in the Tomcat logs to indicate a problem with the 
truststore and keystore
* The Tomcat logs show the server-side certificate being downloaded but not 
reporting the expected lines

  Found trusted certificate:
  matching alias: <client cert alias>

  Or for the keystore, I am expecting to see a log that it is loading the 
keystore (example below), but there is no sign that the keystore is being 
loaded. I got the log extract below from a standalone java client which 
successfully connects using MA to the remote service.

  keyStore is : c:\temp\DWCHASSMESA002.pfx
  keyStore type is : PKCS12
  keyStore provider is :
  init keystore
  init keymanager of type SunX509

  ***
  found key for : dwchassmesa002
  chain [0] = [

* The Tomcat logs show that the SSL handshake gets as far as the 
ClientKeyExchange, but there is no client certificate sent and the handshake 
terminates with "Software caused connection abort: recv failed".
On DataPower the error is that the client is not sending the certificate.

<snip>
http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<Empty>

[read] MD5 and SHA1 hashes:  len = 9
0000: 0D 00 00 05 02 01 02 00   00                       .........
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1 [write] MD5 and SHA1 hashes:  
len = 269

<snip>
http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269 [Raw write]: length 
= 274
0000: 16 03 01 01 0D 0B 00 00   03 00 00 00 10 00 01 02  ................
<snip>

0110: 2E 32                                              .2
SESSION KEYGEN:
PreMaster Secret:
<snip>

http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48 http-bio-8080-exec-2, 
waiting for close_notify or alert: state 1 http-bio-8080-exec-2, Exception 
while waiting for close
java.net.SocketException: Software caused connection abort: recv failed 
http-bio-8080-exec-2, handling exception: java.net.SocketException:
Software caused connection abort: recv failed %% Invalidated:  [Session-163, 
TLS_RSA_WITH_AES_128_CBC_SHA] http-bio-8080-exec-2, called close() 
http-bio-8080-exec-2, called closeInternal(true) http-bio-8080-exec-2, called 
closeSocket(

We are using the software below on the client environment:

* Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
* Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
* JCE Unlimited Security: No
* Apache Tomcat/7.0.55
* Microsoft Windows Server 2008 R2 Enterprise 64-bit

Analysis Steps
==============

1) Openssl with MA parameters connects with no errors

openssl s_client -tls1 -connect server-dns-name:15305 -CAfile 
server-cert-with-intermediate-and-root-in-one-file.cer -cert 
client-public-key.cer -key client-private-key.key -pass 
pass:client-private-key-password

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
    Session-ID-ctx:
    Master-Key:
89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1441125595
   Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

2) A standalone Java program with a couple of lines to open a HTTPS connection 
to the 3rd party certificate works.  This uses the same truststore and keystore
3) SoapUI works using the same truststore and keystore
4) Our 3rd party vendor can connect
5) I have googled various phrases like "Tomcat JVM not loading truststore".  
There are hundreds of examples involving HTTPS connectors and/or configuration 
errors.  However we are not using server-side connectors and I can't see 
anything wrong with the configuration.  The only potential hit I found for a 
defect was in Tomcat 6 
http://tomcat.10.x6.nabble.com/configured-truststore-ignored-by-tomcat-td4986884.html

6) I tried installing a HTTPS connector in our Tomcat client instance.
This then shows that the truststore is being loaded, but it is not used by the 
outbound HTTPS client connections

7) Tried playing with the format of the file paths by adding double quotes, 
changing the path separator to forward or backslash, moving the location of the 
files. But this didn't make any difference.

  "d:\Tomcat_ENV1\DWCHASSMESA002_keystore.jks"
  d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
  d:/Tomcat_ENV1/DWCHASSMESA002_keystore.jks

Thanks,
Diarmuid
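Added here as a diagnostic, not code from the original post or from the Tomcat project: a small Java probe (hypothetical class name KeyStoreProbe) that loads the keystore from the same -Djavax.net.ssl.* properties Tomcat is started with and reports which alias the SunX509 key manager would present for the RSA/DSS CertificateRequest with an empty CA list seen in the log above. If it returns an alias when run with the Tomcat JVM flags, the keystore and password are usable by JSSE, and the next thing to check is whether the outbound client code actually uses the JVM default SSLContext rather than one it builds itself.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

// Hypothetical diagnostic: run with the same -Djavax.net.ssl.keyStore /
// keyStorePassword flags as the Tomcat JVM (java -D... KeyStoreProbe).
public class KeyStoreProbe {

    // Loads the keystore named by the javax.net.ssl.* properties and returns the
    // alias SunX509 would choose for key types RSA/DSA with issuers == null,
    // i.e. the "Cert Types: RSA, DSS / Cert Authorities: <Empty>" request in the log.
    static String chosenClientAlias() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String pass = System.getProperty("javax.net.ssl.keyStorePassword");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.keyStore is not set in this JVM");
        }
        char[] pw = pass == null ? null : pass.toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias " + alias + " isKeyEntry=" + ks.isKeyEntry(alias));
        }
        // The JSSE default context also uses keyStorePassword as the key password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pw);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return ((X509KeyManager) km).chooseClientAlias(new String[] {"RSA", "DSA"}, null, null);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // SSLContext.getDefault() is the context built from -Djavax.net.ssl.*.
        // A library that calls SSLContext.getInstance("TLS").init(null, tm, null)
        // gets a context with no key manager and sends no client certificate.
        System.out.println("default SSLContext protocol: " + SSLContext.getDefault().getProtocol());
        System.out.println("client alias that would be presented: " + chosenClientAlias());
    }
}
```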
