- how are are starting Tomcat? ββββββTomcat is starting as a service with "Domain\account1$" (Managed Service Account)
- is Tomcat installed as a Windows service? ββββββYes - which account is Tomcat running under? ββββββ"Domain\account1$" (Managed Service Account) It is not a normal domain account used for the service. Secure group managed service accounts - Microsoft Entra | Microsoft Learn<https://learn.microsoft.com/en-us/entra/architecture/service-accounts-group-managed#assess-gmsa-security-posture> Regarding the mean of "user" I'm referring to the user who is running the Tomcat Service. In this case, the Managed Service Account. ________________________________ De: Mark Thomas <ma...@apache.org> Enviado: martes, 25 de junio de 2024 12:51 Para: users@tomcat.apache.org <users@tomcat.apache.org> Asunto: Re: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS A few questions: - how are are starting Tomcat? - is Tomcat installed as a Windows service? - which account is Tomcat running under? There are a few references to "user" in your question. It is not clear if this is: - the user administering a Tomcat service - a user that is starting Tomcat from the command line - the user that the Tomcat service is running as - something else Mark On 25/06/2024 11:30, Alberto Corral wrote: > Hello! > > After some research, docs, and test, I didn't found an answer to my issue. > > I'm writing to the list because I have to configure a probably not very > common Tomcat configuration and didn't found correct configuration of if it > is posible to do it. > Also I didn't find previous information or examples on internet and the wiki. > > There is a similar question in Server Fault > https://serverfault.com/questions/1161457/can-i-use-certificates-in-the-local-machine-from-a-managed-service-account, > but not solved yet. > > The configuration has been also involved with a JDK recent bug-fix (but 10 > years old), but this part is fixed using latest available JDK versions. > So I think it would be valuable to document an Use Case based on real > experience that can be both, tested in future versions, and also useful for > future users, available in the wiki or official docs :-) > > May be what's I'm trying to do is not really possible, but need to know if > this is a Tomcat limitation or a Windows one. > > My actual configuration > > Server version name: Apache Tomcat/9.0.65 > Server version number: 9.0.65.0 > Server built: Jul 14 2022 12:28:53 UTC > Architecture: amd64 > OS Version: 10.0 > OS Name: Windows Server 2019 > JVM Vendor: Eclipse Adoptium > JVM Version: 11.0.23+9 > Java Home: > C:\OpenJDK11U-jdk_x64_windows_hotspot_11.0.23_9\jdk-11.0.23+9 > > Actual secure configuration used: > > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" > server="Unknown" > maxThreads="150" scheme="https" secure="true" > enableLookups="true" > KeystoreType="Windows-MY-LOCALMACHINE" > clientAuth="false" sslProtocol="TLS" > KeystoreFile="" > KeyAlias="tomcat" /> > > > Configuration: > - The certificate is in the LOCALMACHINE Windows Storage and allows read > access to the user "account1$" which is an AD Managed Service Account. > - > > Facts: > - If the user have read access but not local admin, then the previous stack > trace is generated. > - If I give local Admin rights to the service account, it seems can access to > the Certificate Storage, in other case, the previous Stack Trace is generated. > - Unless I gave local Admin rights, apache opens port 8443, but doesn't > respond to requests on 8443 when testing and no error in logs appears. > > What is the question is "How to configure Tomcat with a Managed Service > Account when using LocalMachine certificates for TLS" > > Notes: > - JDK 11.0.20+ is required due a well known bug that has been backported from > JDK 21 [JDK-6782021] It is not possible to read local computer certificates > with the SunMSCAPI provider - Java Bug System > (openjdk.org<http://openjdk.org/>) > (https://bugs.openjdk.org/browse/JDK-6782021) and [JDK-8303520] It is not > possible to read local computer certificates with the SunMSCAPI provider - > Java Bug System (openjdk.org<http://openjdk.org/>) > (https://bugs.openjdk.org/browse/JDK-8303520) > > Next program can help to check different configurations, and it works when > the certificate has read permission for the user who is running it. > > // JDK8313367test.java - Simple test case to demonstrate OpenJDK defect > JDK-8313367 > // References: > // * https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8313367 > // * > https://stackoverflow.com/questions/75255985/java-keystore-type-windows-my-root-localmachine-requires-administrator-permissio > > /* > Here is the command line to run the test using JDK 11.0.20+, 17.0.20+ or > 20.0.2+ > java --add-modules=jdk.crypto.mscapi > --add-exports=jdk.crypto.mscapi/sun.security.mscapi=ALL-UNNAMED > JDK8313367test.java > */ > > import java.io.*; > import java.security.KeyStore; > import java.security.Security; > import java.util.Enumeration; > import sun.security.mscapi.SunMSCAPI; > > public class JDK8313367test { > public static void main(String[] args) { > try { > Security.addProvider(new SunMSCAPI()); > KeyStore keyStore = > KeyStore.getInstance("Windows-My-LOCALMACHINE"); > // When running as non-elevated, the SunMSCAPI provider, > enhanced with JDK-6782021, incorrectly > // triggers system error 5 "Access is denied" when > attempting to load the keystore when invoking the following method: > keyStore.load(null, null); > Enumeration<String> aliases = keyStore.aliases(); > // Print Friendly Names, a.k.a. aliases, of each > certificate in the keystore > for (int i = 0 ; aliases.hasMoreElements() ; i++) { > System.out.println( aliases.nextElement() ); > } > } catch (Exception e) { > throw new RuntimeException(e); > } > } > } > > Pending tests: > - What I haven't tested, but it is an idea to test, is to launch this code > from Tomcat and validate if it works (It isn't possible to run a CLI program > using a Managed Service Account as per my knowledge). In case this test > succeeds, it would mean the program flow in tomcat side is doing something > different with ACL or something. > Thank you in advance for your support. > Please, send me back any question or clarification about the Use Case I could > miss. > /Gavioto > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
