On Tue, Nov 15, 2016 at 2:17 PM, <john.e.gr...@wellsfargo.com> wrote:
> > > > -----Original Message----- > > From: William Boyd [mailto:william.b...@gmail.com] > > Sent: Tuesday, November 15, 2016 3:44 PM > > To: Tomcat Users List > > Subject: Re: 8.5.4 to 8.5.5 SSL Issue > > > > On Tue, Nov 15, 2016 at 10:50 AM, Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA256 > > > > > > William, > > > > > > On 11/14/16 7:18 PM, William Boyd wrote: > > > > First, I'd like to thank everyone for the help. > > > > > > > > Is it now safe to say that the behaviour we've been taking advantage > > > > of is undocumented and will no long be supported? > > > > > > > > Also, for those that hit this thread and need to get HTTPS working > > > > with a *self-signed* certificate in a dev environment... > > > > > > > > Here's what worked for me: 1. Copy > > > > %JAVA_HOME%\jre\lib\security\cacerts some place (say C:\keystore) 2. > > > > Create a *self-signed* certificate with %JAVA_HOME%\bin\keytool > > > > -genkeypair -keyalg RSA -alias myAlias -keystore > > > > "C:\keystore\keystore.jsk" -storepass changeit -validity 360 > > > > -keysize 2048 -dname > > > > CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country 3. Export > > > > the myAlias certificate with %JAVA_HOME%\bin\keytool -export -alias > > > > myAlias -keystore C:\keystore\keystore.jsk -rfc -file > > > > C:\keystore\myAlias.cer 4. Import the myAlias certificate into your > > > > copy of cacerts with: %JAVA_HOME%\bin\keytool -import -alias myAlias > > > > -keystore C:\keystore\cacerts -file C:\keystore\myAlias.cer 5. Add > > > > this to setclasspath.bat in tomcat: > > > > set JAVA_OPTS=%JAVA_OPTS% > > > > -Djavax.net.ssl.trustStore="C:\keystore\cacert" 6. In server.xml, > > > > add these attributes to the Connector element > > > > keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit" > > > > keyAlias="myAlias" scheme="https" secure="true" SSLEnabled="true" > > > > clientAuth="false" sslProtocol="TLS" > > > > > > > > Now you should be good to go in with HTTPS in Tomcat 8.5.5 + > > > > > > This is exactly what I suggested, except that you set the trust store > > > using a system property instead of using truststoreFile in the > > > <Connector>. You do not need to duplicate the JRE's trust store. You > > > only need your own single certificate in your local truststore. > > > > > > Can you use keystoreFile and truststoreFile separately pointing to > > > those files and re-check that it works? Perhaps Tomcat chokes when > > > using the same file for both. That's what I'd like to verify. > > > > > > - -chris > > > -----BEGIN PGP SIGNATURE----- > > > Comment: GPGTools - http://gpgtools.org > > > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > > > > > > > iQIcBAEBCAAGBQJYK1kHAAoJEBzwKT+lPKRYa48P/jl6hWa1mj5HCnawJZ3mHbjX > > > > > ADdXYl45aym/E6QV/n99XYVYG2q+ZN9w0XDVP54lQhQhcgOUtCiPbTHEcYSYdwr > > U > > > > > kLYMc3Ge8Jt7/zDMvem+pKYkHMvyHbspVqSujZ4uJ3Ozr9mYD89hSFgxqG0iYSE+ > > > 5c0pvz1nW4Pt1F4A/+WETkL4Y5Xrq1Vn1LSAxAZoYiU/o93nVos7etIBUO9E430+ > > > GihbhvkpS/yBitvrir/YacvWauBxpi30wR++6ZNAhpzlb+j90dk3i6iPcDO6K1f2 > > > SNeqZATJDlXyU1hEksW4UxWLhtUeekqmJEiEqqWCYxNz9lwJG9f4kILUrzsZexlu > > > > > FmP2o4IxWTBcgOUs5Km5DlfYwogJmlRhqQoOlg2JOpv+KIb67DX+PuY6bhGomDf > > f > > > > > YQ03Y7WQcjNZ/uOIoadAkXxKRaRHmuz2KkPYwgDutOgxtJV1jNxTT3A3znGT1cW > > N > > > > > yekjXHOpe2FdXnaoG0X7mTpvx5AhkHN9mRdW+5/ZBpPzUN0M7zy8oBEpLtZKfrT > > J > > > k40Xz70DnNxBP3XS/1w7DJ1H3/FBxNdatVVbbcJ/+lS/NiS4Gn2kMAZgrCuZrUsn > > > > > FdpdyCwq3VLJ2X9LVBR03rJOyPIiybANNjfhPpiEMC9uQu2ENm4A4Hm1p/cXdpo3 > > > 2J2O1AQA7tfew10t3F4K > > > =a+Um > > > -----END PGP SIGNATURE----- > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > > > Hi Christopher, > > > > Thanks, I'm glad to hear I'm heading in the right direction. :) > > > > I tested some more configuration. > > > > Firstly, I removed the system property but retained these Connector > attributes > > > > keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit" > > keyAlias="myAlias" > > scheme="https" secure="true" SSLEnabled="true" clientAuth="false" > > sslProtocol="TLS" > > > > Then I tried the following: > > > > 1. adding truststoreFile="C:\keystore\cacerts" to my Connector and got > the > > following error in an IE11 browser > > Caught Exception (javax.net.ssl.SSLHandshakeException: > > sun.security.validator.ValidatorException: > > PKIX path building failed: > > sun.security.provider.certpath.SunCertPathBuilderException: > > unable to find valid certification path to requested target): ; > > nested exception is: javax.net.ssl.SSLHandshakeException: > > sun.security.validator.ValidatorException: > > PKIX path building failed: > > sun.security.provider.certpath.SunCertPathBuilderException: > > unable to find valid certification path to requested target > > > > 2. adding truststoreFile="C:\keystore\myAlias.cer" to my Connector and > got the > > following error at startup > > 15-Nov-2016 12:34:57.379 SEVERE [main] > > org.apache.coyote.AbstractProtocol.init > > Failed to initialize end point associated with ProtocolHandler > ["https-openssl- > > nio-8001"] > > java.lang.IllegalArgumentException: java.io.IOException: Invalid > keystore > > format > > at > > org.apache.tomcat.util.net.AbstractJsseEndpoint. > createSSLContext(AbstractJsse > > Endpoint.java:103) > > : > > Caused by: java.io.IOException: Invalid keystore format > > at > > sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658) > > at > > sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) > > at > > sun.security.provider.KeyStoreDelegator.engineLoad( > KeyStoreDelegator.java:22 > > 4) > > at > > sun.security.provider.JavaKeyStore$DualFormatJKS. > engineLoad(JavaKeyStore.ja > > va:70) > > at java.security.KeyStore.load(KeyStore.java:1445) > > at > > org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:136) > > ... 20 more > > > > 3. adding truststoreFile="C:\keystore\keystore.jsk" to my Connector and > got the > > following error at startup > > 15-Nov-2016 12:45:58.625 SEVERE [main] > > org.apache.coyote.AbstractProtocol.init > > Failed to initialize end point associated with ProtocolHandler > ["https-openssl- > > nio-8001"] > > java.lang.IllegalArgumentException: > > java.security.InvalidAlgorithmParameterException: the trustAnchors > parameter > > must be non-empty > > at > > org.apache.tomcat.util.net.AbstractJsseEndpoint. > createSSLContext(AbstractJsse > > Endpoint.java:103) > > : > > Caused by: java.security.InvalidAlgorithmParameterException: the > > trustAnchors parameter must be non-empty > > at > > java.security.cert.PKIXParameters.setTrustAnchors( > PKIXParameters.java:200) > > at java.security.cert.PKIXParameters.<init>( > PKIXParameters.java:157) > > at > > java.security.cert.PKIXBuilderParameters.<init>( > PKIXBuilderParameters.java:130) > > at > > org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters( > JSSEUtil.java:332) > > at > > org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil. > java:264) > > at > > org.apache.tomcat.util.net.openssl.OpenSSLUtil. > getTrustManagers(OpenSSLUtil > > .java:93) > > at > > org.apache.tomcat.util.net.AbstractJsseEndpoint. > createSSLContext(AbstractJsse > > Endpoint.java:101) > > ... 20 more > > > > 4. I generated a new trustStore using “keytool -import -file > myAlias.cer -alias > > myAlias -keystore MyTrustStore” > > then I adding truststoreFile="C:\keystore\MyTrustStore" to my > Connector and > > got the same PKIX error as 1 above. > > > > 5. finally I removed the truststoreFile attribute and used - > > Djavax.net.ssl.trustStore="C:\keystore\MyTrustStore" > > This worked... > > Let me know if I've miss understanding your request or if there's > something else > > you'd like me to try. > > > > Regards > > Will > > I haven't been following this super closely, but it sounds like there is a > lot of trial and error going on so let me try to explain how the key stores > and trust stores are used. > Will: Ultimately I am trying to determine why a configuration that worked since Tomcat 5, stopped working in Tomcat 8.5.5 so I can explain the issue to operations. We used to be able to use the same keystore for both keystoreFile in the Connector and the javax.net.ssl.trustStore system property but that no longer works. The only variable is Tomcat. This will affect many TEST and PROD sites. > The system properties affect things like outgoing connections that use > SSL, like https calls. javax.net.ssl.trustStore would contain the certs > for the CAs that sign the backend server's cert. javax.net.ssl.keyStore > would come into play if the backend uses mutual authentication/client > authentication/2-way SSL. If that's required by the backend, you would put > your own cert and private key in the key store. I think you can combine > them all into one file, but usually they're kept separate. > Will: Thanks, I think this explains our need for javax.net.ssl.trustStore. The system I'm supporting is using axis jaxrpc to communicate between WARs over HTTPS within Tomcat. These connections in axis must be the reason we require javax.net.ssl.trustStore. The Tomcat connector parameters are for Tomcat's use when serving https > connections to clients. I don't think they have any impact on outgoing > calls. The key store would contain Tomcat's cert and private key. > Likewise the trust store would contain the certs of the CA or CAs who sign > your client's certs if you have mutual auth enabled. It might also be > required to form the chain linking the server's cert to the CA. In that > case, though, I might be inclined to putting the CA in the key store itself > for simplicity. According to the docs, Tomcat will fall back to the system > properties if the connector doesn't explicitly them. > Will: Sorry I'm confused by the last bit here. Using "keytool -genkeypair" I have a file containing a self-signed certificate yet I now need to export, than import that cert into a separate truststore in order for our servers to work. If this is to spec and Tomcat it tightening up the rules I could understand. > Also, keep your client and server straight. Is the client you're using to > connect to Tomcat a separate process or is it an app deployed in Tomcat? > If it's a separate process, whatever configuration you do to Tomcat will > have no bearing on the client. Instead, if the client is java, it will > need the trustStore and maybe the keyStore system properties set. Even if > the client is within Tomcat, it will still need those settings to make > outgoing https connections. The Tomcat connector config doesn't come into > play in the case of outgoing connections. > Will: It appears the client is embedded in the WARs (RPC calls from one WAR to another). To address each of your tests: > 1. This typically means that the CA wasn't found in the trust store, > though I don't know what you mean that you're getting it in IE. This is a > java message. IE will give you a different error message. > Will: I’m guessing its AXIS that can’t find the CA in the trust store. Regarding IE, I can clarify, the error occurs in a servlet which returns the message to the browser. > 2. Probably you need to do something else to your connector config to > handle this type of file, like set the truststoreType parameter > appropriately. > Will: In this test I supplied the exported cert as a trust store. I was expecting it to fail. > 3. Does that file actually exist? Is the file extension correct? Usually > it's jks, not jsk. > Will: Yes, though oddly named, the file exists. > 4. Same as #1. > 5. Not sure why this worked but #1 and #4 did not. > Will: Most likely due to the RPC calls. So I think I understand why I need javax.net.ssl.trustStore and keystoreFile configured to get our system working. Thank you for making me walk through it in more detail. The question remains why does Tomcat 8.5.5 no longer allow me to use a JKS file as a trustStore and raise the following exception at startup? 16-Nov-2016 09:02:03.195 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"] java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) : Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:332) at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:264) at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93) at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101) ... 20 more Regards William