Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

Thu, 31 Jan 2008 01:14:45 -0800 

Update on this thing Tomcat+SSL+keystore thing:
I dug into the Tomcat 5.5.25 source code to see what's really going on. Here's what I found - hopefully it's useful to someone. 

Tomcat SSL <Connector> entries accept the following parameters:
- keystorePass (password for the JKS (Java keystore)
- keypass (password for the key inside the JKS
- keystoreFile (keystore location in filesystem)


At least Tomcat 5.5.20 (older, yes) supports only the "keystoreFile" 
parameter. The "keypass" and "keystorePass" get messed up somehow, no 
matter how they're defined in the <Connector> part. The default password 
("changeit") is used instead.



In Tomcat 5.5.21 a Java property check was added to the code to allow a 
property (javax.net.keystorePassword or something) to define the 
keystore password.



In Tomcat 5.5.25 it seems to be possible to use a different keystore 
password and key password. One of them has to be the default 
("changeit"), can't remember which. I didn't have time to check this 
properly.



There's also a "bug" in Tomcat SSL Howto - I'll file a bug report on it 
unless it's has been done already. At least on 5.5.20 the "keystoreFile" 
parameters has to be inserted straight into <Connector>, contrary to 
what the Howto says. This is easily verifiable with "strace".



Unless somebody proves me wrong, I would consider the parameters 
"keypass" and "keystorePass" useless with Tomcat 5.5.x versions. There 
is no practical way to change those without Java debugging and/or 
patching, which is beyond the skill of most system admins. If the 
parameters are indeed usable, please update the Tomcat 5.5 SSL 
documentation to reflect their correct usage. Alternatively tell me how 
to use them correctly and I'll file a patch to the SSL howto.



This configuration hell aside, Tomcat has been a real workhorse. Keep on 
the good work!


Best regards,

Samuli



Some additional info:

Debian Etch w/o system-wide Java installation

These are included in the Funambol sync server bundle (6.5.12):
 Java Runtime environment 1.5.0
 Tomcat 5.5.20


First of all, instead of recipes, I'd prefer to be pointed at 
information on how to debug this problem. I'm not a professional Java 
developer so all these Servlet/Java/log4j/properties/Connector/Factory 
things are a bit strange for me.



Anyways, here are the HTTPS/SSL connector settings that I've tried to no 
avail. Please tell me which one _should_  work, or if they are all 
faulty. The paths are correct.


<!-- This is based strictly on Tomcat 5.5 SSL Howto. Still -->
<!-- it does not work. The keystoreFile should be in -->
<!-- Connector part, not Factory part. Feel free to -->
<!-- verify with "strace" to see what I mean. -->
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150"
               minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="something"
               keyAlias="tomcat">
        <Factory clientAuth="false" protocol="TLS"
                 keystoreFile="/root/newkeystore"/>
    </Connector>

    <!-- Another variant with keystorePass in Connector -->
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="something"
               keyAlias="tomcat"
               keystoreFile="/root/newkeystore">
        <Factory clientAuth="false" protocol="TLS"/>
    </Connector>

    <!-- Another variant with keystorePass inside Factory -->
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keyAlias="tomcat"
               keystoreFile="/root/newkeystore">
        <Factory clientAuth="false" protocol="TLS"
               keystorePass="something"/>
    </Connector>

    <!-- Another variant without Factory part -->
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="something"
               keyAlias="tomcat"
               keystoreFile="/root/newkeystore"/>

So none of these work. Any ideas?


Hi!


I migrated from Tomcat 5.0 to Tomcat 5.5. I had SSL working in Tomcat 
5.0 with both a self-created certificate and a signed (trusted) 
certificate, both inside a Java keystore (JKS).



Now, with Tomcat 5.5 the SSL connector refuses to start with the 
dreaded "keystore was tampered with" error. This only happens _if_ I 
change the keystore password to anything else than "changeit".



I already searched the mailinglist archives, Tomcat Wiki, Tomcat 
Howto's and Google. No definitive answers. Just lots of contradicting 
information. I also read the Tomcat 5.5 SSL HOWTO carefully so I'm 
positive I did miss anything.


Anyways, the process in a nutshell:

First I create a new Java keystore (JKS) with keytool, like this:

 keytool -genkey -alias tomcat -keyalg RSA -keystore /root/newkeystore


Next I move on to modifying the server.xml. No matter what I do, I 
can't get Tomcat to use the correct password. The 
"keystoreFile="/root/newkeystore" in the <Connector> statement works 
as it should (I straced Tomcat startup). The "keystorePass", however, 
does not work whether it's inside <Connector> or inside <Factory> 
(which is inside the <Connector>. The "keyAlias" entry  did not help 
either.



I can open my Java keystore just fine with keytool an with the defined 
password, so  it seems that Tomcat is just not using the password 
that's defined in server.xml and therefore reverts to default.



Does anyone have a functional Tomcat 5.5 SSL/https connector 
definition which I could use? Or does someone have an idea what's 
happening here? I'd be really happy if this thing gets sorted out!


Best regards to all,

Samuli

---

Btw. The Tomcat 5.5 SSL-Howto seems to have an error in it:


"If the keystore file is anywhere else, you will need to add a 
keystoreFile attribute to the <Factory>  element in the Tomcat 
configuration file."



I straced Tomcat startup and if the keystoreFile was defined in 
<Connector> element, strace showed that Tomcat was trying to open 
keystorefile from that location. Adding it to <Factory> did not work.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]























					Reply via email to