Ah. No, our client cert is signed by a self-signed root. But only the
client cert is in the keystore and only the client cert is registered on
the Datapower server. I can connect using the same keystore with a
standalone Java client that just opens a URL connection and input stream,
and also with SoapUI as a client. But not with our client app deployed in
Tomcat.

Regards,
Diarmuid
On 1 Sep 2015 22:23, <jeffery.scott.cr...@gmail.com> wrote:

> I'm referring to when a certificate is a combo such as a GoDaddy g1_g2
> root. The intermediate is usually fine.
>
>   Original Message
> From: dmccrthy
> Sent: Tuesday, September 1, 2015 4:12 PM
> To: Tomcat Users List
> Reply To: Tomcat Users List
> Subject: RE: Tomcat 7.0.55 Not loading truststore or keystore
>
> Hi Jeff,
>
> Our client keystore has one certificate, but the truststore has multiple
> certs. I'll try removing everything from the truststore except the server
> cert and see what happens.
>
> Thanks,
> Diarmuid
> On 1 Sep 2015 19:53, <jeffery.scott.cr...@gmail.com> wrote:
>
> >
> > >> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> > server-cert-with-intermediate-and-root-in-one-file.cer -cert
> > client-public-key.cer -key client-private-key.key -pass
> > pass:client-private-key-password
> >
> > I've had trouble when there are more certificates packaged in the same
> > file as the root certificate. If you can separate the certificates your
> > problem should go away.
> >
> > Jeff Crump
> >
> > From: George Stanchev
> > Sent: Tuesday, September 1, 2015 1:02 PM
> > To: Tomcat Users List
> > Subject: RE: Tomcat 7.0.55 Not loading truststore or keystore
> >
> >
> > Hi Diarmuid,
> >
> > We have run into a similar issue with client cert SSL. Is your 3rd party web
> > service hosted on Windows/IIS?
> >
> > George
> >
> > -----Original Message-----
> > From: dmccrthy [mailto:dmccr...@gmail.com]
> > Sent: Tuesday, September 01, 2015 11:07 AM
> > To: Tomcat Users List
> > Subject: Tomcat 7.0.55 Not loading truststore or keystore
> >
> > Hi All,
> >
> > I am having trouble getting Tomcat to load a truststore and keystore.
> > This seems to be a basic configuration issue but I can't figure out what
> > the problem is. Any insights would be gratefully received.
> >
> > The scenario is:
> >
> > * A 3rd party web application is deployed in Tomcat
> > * The 3rd party web application is making outbound HTTPS connections to
> > a 3rd party web service
> > * Tomcat JVM parameters are configured with
> >
> > -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
> > -Djavax.net.ssl.trustStorePassword=<snip>
> > -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
> > -Djavax.net.ssl.keyStorePassword=<snip>
> > -Dhttps.protocols="TLSv1"
> > -Djavax.net.debug=ALL
> >
> > * Both truststore and keystore are JKS
> > * Mutual authentication is used for the SSL handshake
> > * There are no errors in the Tomcat logs to indicate a problem with the
> > truststore and keystore
> > * The Tomcat logs show the server-side certificate being downloaded but
> > do not report the expected lines
> >
> > Found trusted certificate:
> > matching alias: <client cert alias>
> >
> > Or for the keystore, I am expecting to see a log that it is loading the
> > keystore (example below), but there is no sign that the keystore is being
> > loaded. I got the log extract below from a standalone java client which
> > successfully connects using MA to the remote service.
> >
> > keyStore is : c:\temp\DWCHASSMESA002.pfx
> > keyStore type is : PKCS12
> > keyStore provider is :
> > init keystore
> > init keymanager of type SunX509
> >
> > ***
> > found key for : dwchassmesa002
> > chain [0] = [
> >
> > * The Tomcat logs show that the SSL handshake gets as far as the
> > ClientKeyExchange, but there is no client certificate sent and the
> > handshake terminates with "Software caused connection abort: recv
> > failed". On DataPower the error is that the client is not sending the
> > certificate.
> >
> > <snip>
> > http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
> > *** CertificateRequest
> > Cert Types: RSA, DSS
> > Cert Authorities:
> > <Empty>
> >
> > [read] MD5 and SHA1 hashes: len = 9
> > 0000: 0D 00 00 05 02 01 02 00 00 .........
> > *** ServerHelloDone
> > [read] MD5 and SHA1 hashes: len = 4
> > 0000: 0E 00 00 00 ....
> > *** Certificate chain
> > ***
> > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> > [write] MD5 and SHA1 hashes: len = 269
> >
> > <snip>
> > http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269
> > [Raw write]: length = 274
> > 0000: 16 03 01 01 0D 0B 00 00 03 00 00 00 10 00 01 02 ................
> > <snip>
> >
> > 0110: 2E 32 .2
> > SESSION KEYGEN:
> > PreMaster Secret:
> > <snip>
> >
> > http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48
> > http-bio-8080-exec-2, waiting for close_notify or alert: state 1
> > http-bio-8080-exec-2, Exception while waiting for close
> > java.net.SocketException: Software caused connection abort: recv failed
> > http-bio-8080-exec-2, handling exception: java.net.SocketException:
> > Software caused connection abort: recv failed
> > %% Invalidated: [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA]
> > http-bio-8080-exec-2, called close()
> > http-bio-8080-exec-2, called closeInternal(true)
> > http-bio-8080-exec-2, called closeSocket(
> >
> > We are using the software below on the client environment:
> >
> > * Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
> > * Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
> > * JCE Unlimited Security: No
> > * Apache Tomcat/7.0.55
> > * Microsoft Windows Server 2008 R2 Enterprise 64-bit
> >
> > Analysis Steps
> > ==============
> >
> > 1) Openssl with MA parameters connects with no errors
> >
> > openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> > server-cert-with-intermediate-and-root-in-one-file.cer -cert
> > client-public-key.cer -key client-private-key.key -pass
> > pass:client-private-key-password
> >
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : AES256-SHA
> > Session-ID:
> > 893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
> > Session-ID-ctx:
> > Master-Key:
> > 89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
> > Key-Arg : None
> > PSK identity: None
> > PSK identity hint: None
> > SRP username: None
> > Start Time: 1441125595
> > Timeout : 7200 (sec)
> > Verify return code: 0 (ok)
> >
> > 2) A standalone Java program with a couple of lines to open an HTTPS
> > connection to the 3rd party certificate works. This uses the same
> > truststore and keystore
> > 3) SoapUI works using the same truststore and keystore
> > 4) Our 3rd party vendor can connect
> > 5) I have googled various phrases like "Tomcat JVM not loading
> > truststore". There are hundreds of examples involving HTTPS connectors
> > and/or configuration errors. However we are not using server-side
> > connectors and I can't see anything wrong with the configuration. The
> > only potential hit I found for a defect was in Tomcat 6
> >
> > http://tomcat.10.x6.nabble.com/configured-truststore-ignored-by-tomcat-td4986884.html
> >
> > 6) I tried installing an HTTPS connector in our Tomcat client instance.
> > This then shows that the truststore is being loaded, but it is not used
> > by the outbound HTTPS client connections
> >
> > 7) Tried playing with the format of the file paths by adding double
> > quotes, changing the path separator to forward or backslash, moving the
> > location of the files. But this didn't make any difference.
> >
> > "d:\Tomcat_ENV1\DWCHASSMESA002_keystore.jks"
> > d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
> > d:/Tomcat_ENV1/DWCHASSMESA002_keystore.jks
> >
> > Thanks,
> > Diarmuid
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
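A standalone check, added here and not part of the thread, that loads the keystore from the same -Djavax.net.ssl.keyStore* properties the Tomcat JVM is started with and asks the default SunX509 key manager which aliases it would offer for the CertificateRequest seen in the debug log above (Cert Types RSA and DSS, empty issuer list), the step that produced "found key for : ..." in the working standalone client. The class name and the empty in-memory fallback used when no keystore path is set are assumptions; SunX509 is given the store password as the key password, which is what the -D flags imply.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class ClientKeyStoreCheck {
    /** Loads the keystore named by -Djavax.net.ssl.keyStore*, or an empty in-memory store if unset. */
    static KeyStore loadKeyStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        char[] pass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        if (path == null) { ks.load(null, null); return ks; } // constructed fallback: runs with no file
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    /** Aliases SunX509 would offer for a CertificateRequest of this key type ("RSA" or "DSA")
     *  with an empty issuer list, as in the debug log above; an empty array means none is sent. */
    static String[] clientAliases(KeyStore ks, String keyType) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray());
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                String[] found = ((X509KeyManager) km).getClientAliases(keyType, null);
                return found == null ? new String[0] : found;
            }
        }
        return new String[0];
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyStore();
        // Only a PrivateKeyEntry yields "found key for : <alias>"; a certificate-only
        // (trustedCertEntry) alias can never be offered as the client certificate.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println(alias + ": privateKey=" + ks.isKeyEntry(alias) + ", certificateOnly=" + ks.isCertificateEntry(alias));
        }
        for (String keyType : new String[] {"RSA", "DSA"}) {
            System.out.println(keyType + " client aliases: " + Arrays.toString(clientAliases(ks, keyType)));
        }
    }
}
```

Run it with the exact -D flags from the Tomcat startup (paths, passwords, quoting) so that what it reports is what that JVM's default key manager would see.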