List:       tomcat-user
Subject:    Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2022-11-22 19:30:29
Message-ID: d5816227-9129-b0d6-4e24-53d7b2e907a3 () christopherschultz ! net

Angela,

On 11/22/22 13:49, Cantor, Angela T. wrote:
> Problem solved - the answer was embarrassingly easy.
> 
> I chowned /etc/pki/nssdb and its contents to tomcat, and everything worked.  The "read_only" part of CKR_SESSION_READ_ONLY was a clue.
> I'm not sure what changed with the newer OpenJDK, as tomcat had run fine for months with root owning /etc/pki/nssdb before.  Also now it is updating the cert*.db and key*.db files each time tomcat starts, which it was not doing before.

That's weird.

I would NOT expect anything in /etc/pki/* to be updated each time I 
start a service, unless it's explicitly a service that should be 
updating trust stores and/or key stores.

But if that's what YOU expect, well, then ... okay, I guess :)

> Anyway, all is well, and thanks again to Chris and Joey for looking at it and providing suggestions - I learned a lot in the process.

-chris


> -----Original Message-----
> From: Christopher Schultz <chris@christopherschultz.net>
> Sent: Friday, November 18, 2022 14:37
> To: users@tomcat.apache.org
> Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade
> 
> Joey,
> 
> On 11/17/22 10:52, Joey Cochran wrote:
> > You might still have a passphrase on the private key that is different
> > from the passphrase on the keystore.
> 
> This may be the case, but is pretty uncommon.
> 
> > After that, my next try would be without explicitly setting ciphers.
> 
> This exception occurs way before any cipher suites are being negotiated, so don't worry about that.
> 
> -chris
> 
> > -----Original Message-----
> > From: Cantor, Angela T. <Angela.Cantor@gtri.gatech.edu.INVALID>
> > Sent: Wednesday, November 16, 2022 7:28 PM
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error
> > after OpenJDK upgrade
> > 
> > Thanks to Joey and Chris for responding.
> > 
> > Joey had said
> > > Jump through the hoop of rebuilding the keystore with the current java.
> > > I believe this is what we did that made the difference. I am not familiar with PKCS11; we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
> > 
> > Chris had some questions about my PKCS11 setup, but I'm taking a left turn and changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and this community seems to know more about it.
> > So I changed back to using PKCS12.  I recreated the keystore from my key and signed cert using openssl and switched to using Http11Nio2Protocol.  Now the connector is this:
> > 
> > <Connector port="8843"
> >            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >            server="Apache"
> >            keyAlias="tomcat9"
> >            keystorePass="XXXXXXXXXXXXXX" keystoreType="PKCS12"
> >            keystoreFile="<path>/tomcat9.p12"
> >            maxHttpHeaderSize="32768"
> >            sslEnabledProtocols="TLSv1.2"
> >            ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> >                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> >                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> >                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
> >            clientAuth="false" sslProtocol="TLSv1.2"/>
> > 
> > 
> > This produced the following error:
> > 
> > 16-Nov-2022 14:54:58.858 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
> > org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> >         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> >         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
> > Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> >         at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
> >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
> >         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
> >         ... 13 more
> > Caused by: java.io.IOException: keystore password was incorrect
> >         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
> >         at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
> >         at java.base/java.security.KeyStore.load(KeyStore.java:1473)
> >         at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
> >         at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
> >         at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
> >         at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
> >         at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
> >         ... 20 more
> > Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede
> >         ... 29 more
> > 16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [6240] milliseconds
> > 
> > 
> > I am sure I am using the correct password, having created the keystore moments before this, so I assume the issue is with PBEWithSHA1AndDESede.  And now I'm in over my head... any advice?
> > 
> > Thanks so much,
> > Angela
> > 
> > 
> > 
> > -----Original Message-----
> > From: Christopher Schultz <chris@christopherschultz.net>
> > Sent: Tuesday, November 15, 2022 21:50
> > To: users@tomcat.apache.org
> > Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error
> > after OpenJDK upgrade
> > 
> > Angela,
> > 
> > On 11/14/22 11:56, Cantor, Angela T. wrote:
> > > We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now tomcat won't listen on the desired port.  Something is wonky with it accessing the keystore.  If you all see anything obvious, could you please advise?  Especially if it involves switching to a pkcs12 keystore (which I tried but that also failed - I am no expert on setting up either type so maybe I did something wrong.)  Nothing other than the OpenJDK version seems to matter - if we downgrade it back to 17.0.4.0.8, tomcat once again works fine.  Note that 17.0.4.1.1-2.el8_6 also caused the same problem.
> > > [snip]
> > > certificateKeystoreProvider="SunPKCS11-NSS-FIPS"
> > 
> > Could this be the problem? Does your new Java version have that security provider available? I have some code which can dump out the available providers if you aren't sure.
> > 
> > > certificateKeystoreType="PKCS11"
> > 
> > This also looks weird to me: PKCS11 is an API, not a file type. But
> > maybe you have to use this in order to access a keystore via the
> > OpenSSL API? It makes some sense since you haven't specified a
> > filename for the keystore. I don't have any experience with that. :/
> > 
> > -chris
> > 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
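Two things in the thread invite a worked example: Chris's offer of code that dumps the available security providers, and the nested cause in Angela's trace, where the JDK reports a missing PBE cipher (PBEWithSHA1AndDESede, the legacy 3DES key protection that an openssl-built PKCS12 carries) as "keystore password was incorrect". The program below is an added example written for this page, not Chris's code, not part of Tomcat and not from the thread. The class name Pkcs12Check, the file names old.p12 and new.p12, and the assumption that the key passphrase equals the keystore password (Tomcat's default unless certificateKeyPassword is set) are all assumptions of the example. It lists the providers, probes the three PBE ciphers that matter here, and can copy a keystore entry by entry into a fresh PKCS12 written with AES-256/HMAC-SHA-256 protection, which a FIPS provider set can still read.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.crypto.Cipher;

/**
 * Pkcs12Check (hypothetical name; example code, not from the thread or Tomcat).
 *
 * 1. Print the installed JCA providers and report which one (if any) supplies the
 *    PBE ciphers a PKCS12 file can depend on. With a FIPS-only provider set,
 *    PBEWithSHA1AndDESede is the one that goes missing, and the JDK surfaces
 *    that as "keystore password was incorrect".
 * 2. Optionally copy a PKCS12 keystore into a new file written with AES-256 /
 *    HMAC-SHA-256 protection so it no longer depends on the legacy 3DES PBE.
 *
 * Usage (assumed file names):
 *   java Pkcs12Check
 *   java Pkcs12Check old.p12 new.p12 <storepass> [<keypass>]
 */
public class Pkcs12Check {

    /** Ciphers to probe: the legacy pair openssl 1.x emits by default, and the AES one. */
    static final String[] PBE_CIPHERS = {
        "PBEWithSHA1AndDESede",        // key protection in the failing keystore
        "PBEWithSHA1AndRC2_40",        // legacy certificate protection
        "PBEWithHmacSHA256AndAES_256", // FIPS-compatible replacement
    };

    static void listProviders() {
        for (Provider p : Security.getProviders()) {
            System.out.printf("%-24s %s%n", p.getName(), p.getInfo());
        }
    }

    /** Name of the provider that supplies the Cipher, or null if none does. */
    static String cipherProvider(String algorithm) {
        try {
            return Cipher.getInstance(algorithm).getProvider().getName();
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    static void checkCiphers() {
        for (String alg : PBE_CIPHERS) {
            String prov = cipherProvider(alg);
            System.out.printf("%-30s %s%n", alg, prov == null ? "NOT AVAILABLE" : "via " + prov);
        }
    }

    /**
     * Re-protects every entry of src into dst. A plain load()/store() is not
     * enough: the JDK keeps each private key as the encrypted blob it read and
     * writes that blob back unchanged, so every key is decrypted and re-added.
     * This must run on a JVM that can still decrypt the old entries, i.e. one
     * where PBEWithSHA1AndDESede is available (not the FIPS-only one).
     */
    static void reprotect(String src, String dst, char[] storePass, char[] keyPass)
            throws Exception {
        // Algorithms the PKCS12 writer uses; system properties override java.security.
        System.setProperty("keystore.pkcs12.keyProtectionAlgorithm", "PBEWithHmacSHA256AndAES_256");
        System.setProperty("keystore.pkcs12.certProtectionAlgorithm", "PBEWithHmacSHA256AndAES_256");
        System.setProperty("keystore.pkcs12.macAlgorithm", "HmacPBESHA256");

        KeyStore in = KeyStore.getInstance("PKCS12");
        try (FileInputStream fis = new FileInputStream(src)) {
            in.load(fis, storePass);
        }
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null); // fresh, empty keystore

        for (String alias : Collections.list(in.aliases())) {
            if (in.isKeyEntry(alias)) {
                Key key = in.getKey(alias, keyPass);            // decrypt with the key passphrase
                Certificate[] chain = in.getCertificateChain(alias);
                out.setKeyEntry(alias, key, storePass, chain);  // re-encrypt; Tomcat reads the key with the store password by default
            } else {
                out.setCertificateEntry(alias, in.getCertificate(alias));
            }
        }
        try (FileOutputStream fos = new FileOutputStream(dst)) {
            out.store(fos, storePass);
        }
    }

    public static void main(String[] args) throws Exception {
        listProviders();
        checkCiphers();
        if (args.length >= 3) {
            char[] storePass = args[2].toCharArray();
            char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;
            reprotect(args[0], args[1], storePass, keyPass);
            System.out.println("wrote " + args[1]);
        }
    }
}
```

Run the first form on the upgraded JDK to see whether PBEWithSHA1AndDESede is reported as NOT AVAILABLE; if it is, the "keystore password was incorrect" message is the decryption failure shown in the trace, not a wrong password. The rewrite step has to run on a JVM that still has the legacy cipher (the pre-upgrade one), or the keystore can be regenerated directly with openssl using its -keypbe AES-256-CBC, -certpbe AES-256-CBC and -macalg sha256 options so that no 3DES or RC2 PBE is involved from the start.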

