Hi George, The 3rd party service is behind IBM Datapower. Datapower is reporting that our HTTPS client connections aren't sending the client certificate as part of the MA handshake. I'll double-check what the actual service is running on behind that, but according to our 3rd party application team the connections aren't getting that far.
Thanks, Diarmuid On 1 Sep 2015 19:03, "George Stanchev" <gstanc...@serena.com> wrote: > Hi Diarmuid, > > We have run similar issue with client cert SSL. Is your 3rd party web > service hosted on Windows/IIS? > > George > > -----Original Message----- > From: dmccrthy [mailto:dmccr...@gmail.com] > Sent: Tuesday, September 01, 2015 11:07 AM > To: Tomcat Users List > Subject: Tomcat 7.0.55 Not loading truststore or keystore > > Hi All, > > I am having trouble getting Tomcat to load a truststore and keystore. > This seems to be a basic configuration issue but I can't figure out what > the problem is. Any insights would be gratefully received. > > The scenario is: > > * A 3rd party web application is deployed in Tomcat > * The 3rrd party web application is making outbound HTTPS connections to a > 3rd party web service > * Tomcat JVM parameters are configured with > > -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks > -Djavax.net.ssl.trustStorePassword=<snip> > -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks > -Djavax.net.ssl.keyStorePassword=<snip> > -Dhttps.protocols="TLSv1" > -Djavax.net.debug=ALL > > * Both truststore and keystore are JKS > * Mutual authentication is used for the SSL handshake > * There are no errors in the Tomcat logs to indicate a problem with the > truststore and keystore > * The Tomcat logs show the server-side certificate being downloaded but > not reporting the expected lines > > Found trusted certificate: > matching alias: <client cert alias> > > Or for the keystore, I am expecting to see a log that it is loading the > keystore (example below), but there is no sign that the keystore is being > loaded. I got the log extract below from a standalone java client which > successfully connects using MA to the remote service. > > keyStore is : c:\temp\DWCHASSMESA002.pfx > keyStore type is : PKCS12 > keyStore provider is : > init keystore > init keymanager of type SunX509 > > *** > found key for : dwchassmesa002 > chain [0] = [ > > * The Tomcat logs show that the SSL handshake gets as far as the > ClientKeyExchange, but there is no client certificate sent and the > handshake terminates with "Software caused connection abort: recv failed". > On DataPower the error is that the client is not sending the certificate. > > <sip> > http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13 > *** CertificateRequest > Cert Types: RSA, DSS > Cert Authorities: > <Empty> > > [read] MD5 and SHA1 hashes: len = 9 > 0000: 0D 00 00 05 02 01 02 00 00 ......... > *** ServerHelloDone > [read] MD5 and SHA1 hashes: len = 4 > 0000: 0E 00 00 00 .... > *** Certificate chain > *** > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1 [write] MD5 and SHA1 > hashes: len = 269 > > <snip> > http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269 [Raw write]: > length = 274 > 0000: 16 03 01 01 0D 0B 00 00 03 00 00 00 10 00 01 02 ................ > <snip> > > 0110: 2E 32 .2 > SESSION KEYGEN: > PreMaster Secret: > <snip> > > http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48 > http-bio-8080-exec-2, waiting for close_notify or alert: state 1 > http-bio-8080-exec-2, Exception while waiting for close > java.net.SocketException: Software caused connection abort: recv failed > http-bio-8080-exec-2, handling exception: java.net.SocketException: > Software caused connection abort: recv failed %% Invalidated: > [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA] http-bio-8080-exec-2, called > close() http-bio-8080-exec-2, called closeInternal(true) > http-bio-8080-exec-2, called closeSocket( > > We are using the software below on the client environment: > > * Java(TM) SE Runtime Environment (build 1.7.0_67-b01) > * Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode) > * JCE Unlimited Security: No > * Apache Tomcat/7.0.55 > * Microsoft Windows Server 2008 R2 Enterprise 64-bit > > Analysis Steps > ============== > > 1) Openssl connects with MA parameters connects with no errors > > openssl s_client -tls1 -connect server-dns-name:15305 -CAfile > server-cert-with-intermediate-and-root-in-one-file.cer -cert > client-public-key.cer -key client-private-key.key -pass > pass:client-private-key-password > > New, TLSv1/SSLv3, Cipher is AES256-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > 893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F > Session-ID-ctx: > Master-Key: > > 89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C > Key-Arg : None > PSK identity: None > PSK identity hint: None > SRP username: None > Start Time: 1441125595 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > > 2) A standalone Java program with a couple of lines to open a HTTPS > connection to the 3rd party certificate works. This uses the same > truststore and keystore > 3) SoapUI works using the same truststore and keystore > 4) Our 3rd party vendor can connect > 5) I have googled various phrases like "Tomcat JVM not loading > truststore". There are hundreds of examples involving HTTPS connectors > and/or configuration errors. However we are not using server-side > connectors and I can't see anything wrong with the configuration. The only > potential hit I found for a defect was in Tomcat 6 > http://tomcat.10.x6.nabble.com/configured-truststore-ignored-by-tomcat-td4986884.html > > 6) I tried installing a HTTPS connector in our Tomcat client instance. > This then shows that the truststore is being loaded, but it is not used by > the outbound HTTPS client connections > > 7) Tried playing with the format of the file paths by adding double > quotes, changing the path separator to forward or backslash, moving the > location of the files. But this didn't make any difference. > > "d:\Tomcat_ENV1\DWCHASSMESA002_keystore.jks" > d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks > d:/Tomcat_ENV1/DWCHASSMESA002_keystore.jks > > Thanks, > Diarmuid > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
