All, We have a Tomcat application (that ships/includes Tomcat with it) that requires we use multiple domains and therefore set up SSLHostConfig settings in our server.xml file to accommodate each domain. We have been using this configuration and it works well:
Tomcat 8.5.32:

    <Connector port="8443" maxHttpHeaderSize="8192" maxPostSize="6291456" maxThreads="200"
               protocol="org.apache.coyote.http11.Http11NioProtocol" executor="appExecutor"
               enableLookups="false" acceptCount="100" connectionTimeout="20000"
               disableUploadTimeout="true" URIEncoding="UTF-8" SSLEnabled="true"
               scheme="https" secure="true" defaultSSLHostConfigName="*.example.com">
      <SSLHostConfig hostName="*.example.com">
        <Certificate certificateKeystoreType="PKCS12" certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example_wildcard" certificateKeystorePassword="maskedpasswd" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="*.example.ca">
        <Certificate certificateKeystoreType="PKCS12" certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example_ca_wildcard" certificateKeystorePassword="maskedpasswd" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="*.example1.com">
        <Certificate certificateKeystoreType="PKCS12" certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example1_wildcard" certificateKeystorePassword="maskedpasswd" type="RSA"/>
      </SSLHostConfig>
    </Connector>

This works fine in 8.5.32. However, we are rolling out an updated version of the application and it ships with Tomcat 8.5.40.
If we try to run with the same configuration above in the 8.5.40 version of Tomcat, the application fails to start with the following SEVERE error:

    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.software.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 18 more
    Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 19 more
    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
        at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:483)
        at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:414)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
        ... 26 more

As you can see, it complains about "trustAnchors parameter must be non-empty". However, if I try to add trust entry lines into the connector config:

    <snip>
    <Certificate certificateKeystoreType="PKCS12" certificateKeystoreFile="/app/config/keystore.p12"
                 certificateKeyAlias="example_wildcard" certificateKeystorePassword="maskedpasswd"
                 truststoreFile="/app/config/truststore.p12" truststorePassword="maskedpasswd" type="RSA"/>
    <snip>

I still receive the same SEVERE error.

Questions:

1. What has changed between Tomcat 8.5.32 --> 8.5.40 that seemingly now requires truststore information in this connector configuration?
2. What needs to be done to allow this to work in the 8.5.40 Tomcat version?

Thanks in advance, any guidance is greatly appreciated.

HB
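As an added illustration (not part of the original post, nor Tomcat's own code), the following Python linter walks a server.xml and reports, per SSLHostConfig, whether a truststore is set explicitly (otherwise Tomcat falls back to the JVM's default trust store, which is what the trace above ends up building trust anchors from) and whether any truststore* attributes were placed on a <Certificate> element, where Tomcat's configuration reference does not define them (they are SSLHostConfig attributes). The embedded server.xml is constructed to mirror the post; keystore paths and aliases are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post: the first host carries truststoreFile on
# <Certificate> (where Tomcat ignores it), the second sets it on <SSLHostConfig>.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" defaultSSLHostConfigName="*.example.com">
   <SSLHostConfig hostName="*.example.com">
    <Certificate certificateKeystoreFile="/app/config/keystore.p12"
                 certificateKeyAlias="example_wildcard"
                 truststoreFile="/app/config/truststore.p12" type="RSA"/>
   </SSLHostConfig>
   <SSLHostConfig hostName="*.example.ca" truststoreFile="/app/config/truststore.p12">
    <Certificate certificateKeystoreFile="/app/config/keystore.p12"
                 certificateKeyAlias="example_ca_wildcard" type="RSA"/>
   </SSLHostConfig>
  </Connector>
 </Service>
</Server>"""

# Attributes that Tomcat defines on SSLHostConfig, not on Certificate.
TRUSTSTORE_ATTRS = ("truststoreFile", "truststorePassword", "truststoreType",
                    "truststoreProvider", "truststoreAlgorithm")


def lint_ssl_host_configs(server_xml: str) -> list:
    """Return one finding per SSLHostConfig of every SSL-enabled connector."""
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        default_name = connector.get("defaultSSLHostConfigName", "_default_")
        for shc in connector.findall("SSLHostConfig"):
            host = shc.get("hostName", "_default_")
            misplaced = sorted(attr for cert in shc.findall("Certificate")
                               for attr in cert.attrib if attr in TRUSTSTORE_ATTRS)
            findings.append({
                "port": connector.get("port"),
                "hostName": host,
                "is_default": host == default_name,
                # No truststoreFile here means the JVM default trust store is used.
                "explicit_truststore": "truststoreFile" in shc.attrib,
                "misplaced_on_certificate": misplaced,
            })
    return findings


if __name__ == "__main__":
    for finding in lint_ssl_host_configs(SAMPLE_SERVER_XML):
        print(finding)
```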