-----Ursprüngliche Nachricht-----
Von: Jerry Malcolm <techst...@malcolms.com>
Gesendet: Dienstag, 13. Juni 2023 17:35
An: users@tomcat.apache.org
Betreff: Re: AW: Crypto Randomly Not Getting Initialized
Hi Thomas,
On 6/13/2023 2:08 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
Hello Jerry,
-----Ursprüngliche Nachricht-----
Von: Jerry Malcolm <techst...@malcolms.com>
Gesendet: Dienstag, 13. Juni 2023 08:50
An: users@tomcat.apache.org
Betreff: Crypto Randomly Not Getting Initialized
I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon
Linux2 in a production environment. A couple of years ago, we
started getting weird errors that the "Crypto Mechanism" failed to
initialize. Through a lot of trial and error, and reasons I don't
quite remember, we put a 2-min delay in rc.local before starting
Tomcat, and the problem went away. I'm not a Linux nor a crypto
guru. But we traced it to some crypto file that we assumed was not
available until later in the Linux boot sequence. Anyway, the 2
minute delay made it go away, for over two years. Then all of a
sudden in the last day or so, it's back with a vengeance. It fails
with the same crypto error from 2 years ago in about 50% of the EC2 boot
ups. I tried bumping the wait to 3 min, and no change.
I need help. Our whole production environment is unstable now since
every time an ASG brings a new instance online, I've got a 50-50
chance that tomcat is going to die (and the health check doesn't
catch it, but that's a different issue).
There are no errors in the Tomcat boot sequence logs. But the first
time and every subsequent time I try to get a connection from the
DataSource pool, I get the stack dump shown below.
I figure it has to be a timing/race condition. But I have no clue
what to do to fix it. I'm baffled that it worked for two years, and
now fails every other time I start an instance. And every instance
is running copies of the exact same Amazon Machine Image. The same
EC2 will come up clean 50% of the time the next time it boots.
Can somebody with Tomcat/Crypto/Linux knowledge unravel what's
going
on here? Thx
java.lang.ExceptionInInitializerError
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
at
java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCip
her.jav
a:509)
at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:498)
at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81)
at
java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:65)
at
java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCiphe
rSuit
es(SSLContextImpl.java:348)
at
java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>
(SSLC
ontextImpl.java:580)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:315)
...
at
com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:
948)
at
com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)
at
com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:448)
at
com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
at
com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:
198)
at
org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection
(
DriverConnectionFactory.java:52)
at
org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(Po
olableConnectionFactory.java:415)
at
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactor
y
(BasicDataSource.java:111)
at
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnection
Factory(BasicDataSource.java:649)
at
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDa
taSource.java:532)
at
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataS
ource.java:731)
at jwm.db.DBData.getConnection(DBData.java:506) //// my
call to get a db connection from connection pool ////
...
Caused by: java.lang.SecurityException: Can not initialize
cryptographic mechanism
at
java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120) ...
86 mo Caused by: java.lang.SecurityException: Can't read
cryptographic policy
directory: unlimited
at
java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:
326)
at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
at
java.base/java.security.AccessController.doPrivileged(Native
Method)
at
java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
... 86 more
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Could it be this issue?
https://github.com/docker-library/openjdk/issues/101
Maybe you can add information about the used jdk and whether you are
using containers.
Greetings,
Thomas
I'm running Java 11.0.16. No Docker or other containers. Just straight
Tomcat running standalone. The github link refers to a Java 9 / Docker
issue. I guess it could be related. But I'm not sure due to different
environments, and my situation only fails half the time. Thx
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org