Hi all,
We have
- tomcat 9.0.68
- RHEL 8.6 with FIPS
- OpenJDK 17.0.5.0.8-2.el8_6
We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version. Now
tomcat won't listen on the desired port. Something is wonky with it accessing
the keystore. If you all see anything obvious, could you please advise?
Especially if it involves switching to a pkcs12 keystore (which I tried but
that also failed - I am no expert on setting up either type so maybe I did
something wrong.) Nothing other than the OpenJDK version seems to matter - if
we downgrade it back to 17.0.4.0.8, tomcat once again works fine. Note that
17.0.4.1.1-2.el8_6 also caused the same problem.
Tomcat with this connector worked fine with OpenJDK 17.0.4:
    <Connector port="8843"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               maxHttpHeaderSize="32768">
        <SSLHostConfig
                certificateVerification="none"
                ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
                protocols="TLSv1.2"
                sslProtocol="TLSv1.2">
            <Certificate type="RSA"
                         certificateKeyAlias="tomcat"
                         certificateKeystoreProvider="SunPKCS11-NSS-FIPS"
                         certificateKeystoreType="PKCS11"
                         />
        </SSLHostConfig>
    </Connector>
java.security for 17.0.5 has these entries for FIPS:
fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
fips.provider.2=SUN
fips.provider.3=SunEC
fips.provider.4=SunJSSE
fips.provider.5=SunJCE
fips.provider.6=SunRsaSign
...
fips.keystore.type=pkcs12
nss.fips.cfg is this:
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
Upon starting tomcat, we get this:
14-Nov-2022 11:24:21.174 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-jsse-nio-8843"]
14-Nov-2022 11:24:21.431 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8843]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
    ... 13 more
Caused by: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1113)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
    at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:366)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
    ... 20 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_DestroyObject(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.destroyChain(P11KeyStore.java:1989)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.updatePkey(P11KeyStore.java:1452)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1097)
    ... 25 more
14-Nov-2022 11:24:21.432 INFO [main] org.apache.catalina.startup.Catalina.load
Server initialization in [787] milliseconds
I did see that java.security for 17.0.4 had
fips.keystore.type=PKCS11
instead of pkcs12. I switched back to that temporarily but got the same error
as above.
Thank you for any help,
Angela
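The stack trace in the post shows the failing step precisely: Tomcat's SSLUtilBase.getKeyManagers calls KeyStore.setKeyEntry on the PKCS11 keystore, the SunPKCS11 provider tries to replace the existing entry (updatePkey, destroyChain, C_DestroyObject), and the NSS FIPS module, configured with nssDbMode = readOnly, rejects the write with CKR_SESSION_READ_ONLY. The following stand-alone diagnostic is an added example, not code from the post or from the Tomcat project. It repeats the same KeyStore calls outside Tomcat so the behaviour of the two OpenJDK builds can be compared directly: it loads the keystore with the provider name, type and alias from the connector config, prints what the JDK reports for the key (a token-resident, non-extractable key reports a null format, while exported key material reports PKCS#8), and then attempts a setKeyEntry under a separate scratch alias so nothing already on the token is touched. The token PIN is an assumption passed on the command line, since the post does not show one.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.Collections;

/**
 * Added diagnostic (not from the original post or from Tomcat).
 * Reproduces the KeyStore calls visible in the stack trace:
 *   load PKCS11 keystore -> getKey(alias) -> setKeyEntry(...)
 * Run once under each OpenJDK build and compare the output.
 */
public class Pkcs11KeystoreCheck {

    // Provider, type and alias are the values from the connector in the post.
    private static final String PROVIDER = "SunPKCS11-NSS-FIPS";
    private static final String TYPE = "PKCS11";
    private static final String ALIAS = "tomcat";
    // Scratch alias is an assumption; it is used so the real entry is never rewritten.
    private static final String SCRATCH_ALIAS = "tomcat-diag-scratch";

    public static void main(String[] args) throws Exception {
        // Assumption: the token PIN is given as the first argument.
        char[] pin = args.length > 0 ? args[0].toCharArray() : null;

        KeyStore ks = KeyStore.getInstance(TYPE, PROVIDER);
        ks.load(null, pin);
        System.out.println("Loaded " + ks.getType() + " keystore from provider "
                + ks.getProvider().getName());
        for (String a : Collections.list(ks.aliases())) {
            System.out.printf("  alias=%s keyEntry=%b certEntry=%b%n",
                    a, ks.isKeyEntry(a), ks.isCertificateEntry(a));
        }

        Key key = ks.getKey(ALIAS, pin);
        if (key == null) {
            System.out.println("No key entry found for alias " + ALIAS);
            return;
        }
        // A key that stays inside the token has no encoded form: getFormat() is null.
        // "PKCS#8" means the JDK handed back extractable private key material.
        System.out.println("Key class=" + key.getClass().getName()
                + " algorithm=" + key.getAlgorithm()
                + " format=" + key.getFormat());
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        System.out.println("Certificate chain length="
                + (chain == null ? 0 : chain.length));

        // Same write path as the trace (P11KeyStore.engineSetEntry), but under a
        // scratch alias. On a read-only NSS module this is expected to fail with
        // CKR_SESSION_READ_ONLY; on a writable token the scratch entry is removed again.
        try {
            ks.setKeyEntry(SCRATCH_ALIAS, key, pin, chain);
            System.out.println("setKeyEntry succeeded: token session is writable");
            ks.deleteEntry(SCRATCH_ALIAS);
        } catch (KeyStoreException e) {
            System.out.println("setKeyEntry failed: " + e);
            Throwable cause = e.getCause();
            if (cause != null) {
                System.out.println("  cause: " + cause);
            }
        }
    }
}
```

Run it with the same JAVA_HOME and the same java.security / nss.fips.cfg that Tomcat uses (for example `java Pkcs11KeystoreCheck <pin>`), once on 17.0.4 and once on 17.0.5. If the reported key format differs between the two builds, that is the change that sends Tomcat down the setKeyEntry path; if the format is the same and only the write fails, the NSS module's read-only setting is the thing to look at.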