All,

We have a Tomcat application (one that ships/includes Tomcat with it) that
requires that we use multiple domains, and we therefore set up SSLHostConfig
settings in our server.xml file to accommodate each domain. We have been
using this configuration and it works well:

Tomcat 8.5.32

<Connector port="8443"
           maxHttpHeaderSize="8192"
           maxPostSize="6291456"
           maxThreads="200"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           executor="appExecutor"
           enableLookups="false"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           URIEncoding="UTF-8"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           defaultSSLHostConfigName="*.example.com">

    <SSLHostConfig hostName="*.example.com">
        <Certificate certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example_wildcard"
                     certificateKeystorePassword="maskedpasswd"
                     type="RSA"/>
    </SSLHostConfig>

    <SSLHostConfig hostName="*.example.ca">
        <Certificate certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example_ca_wildcard"
                     certificateKeystorePassword="maskedpasswd"
                     type="RSA"/>
    </SSLHostConfig>

    <SSLHostConfig hostName="*.example1.com">
        <Certificate certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example1_wildcard"
                     certificateKeystorePassword="maskedpasswd"
                     type="RSA"/>
    </SSLHostConfig>

</Connector>


This works fine in 8.5.32.  However, we are rolling out an updated version
of the application and it ships with Tomcat 8.5.40.  If we try to run with
the same configuration above in the 8.5.40 version of Tomcat, the
application fails to start with the following SEVERE error:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.software.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 18 more
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 19 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
        at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:483)
        at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:414)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
        ... 26 more

As you can see, it complains about "trustAnchors parameter must be
non-empty". However, if I try to add trust entry lines into the connector
config:

<snip>
<Certificate certificateKeystoreType="PKCS12"
             certificateKeystoreFile="/app/config/keystore.p12"
             certificateKeyAlias="example_wildcard"
             certificateKeystorePassword="maskedpasswd"
             truststoreFile="/app/config/truststore.p12"
             truststorePassword="maskedpasswd"
             type="RSA"/>
<snip>

I still receive the same SEVERE error.

Questions:

1. What has changed between Tomcat 8.5.32 and 8.5.40 that seemingly now
requires truststore information in this connector configuration?

2. What needs to be done to allow this to work in the 8.5.40 Tomcat version?

Thanks in advance, any guidance is greatly appreciated.

HB
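Added diagnostic, not part of the post above and not Tomcat code: the innermost frames of the trace are Tomcat's SSLUtilBase.getParameters() constructing a java.security.cert.PKIXBuilderParameters from the trust store it loaded, and the JDK only turns trustedCertEntry aliases (KeyStore.isCertificateEntry) into trust anchors, so a store that loads fine but holds only PrivateKeyEntry entries, or is empty, produces exactly "the trustAnchors parameter must be non-empty". The class below loads a store the same way and calls the same constructor so you can see which store is at fault before touching server.xml. Two things worth checking with it: truststoreFile/truststorePassword are attributes of <SSLHostConfig>, not <Certificate>, so in the snippet above they are never applied; and when truststoreFile is not set, Tomcat 8.5 defaults it to the javax.net.ssl.trustStore system property, so the store to inspect may be the one the wrapper or JVM points at rather than /app/config/truststore.p12. The file path, store type and password are command-line arguments and are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collections;

/**
 * Added example (not Tomcat's code): load a trust store and hand it to
 * PKIXBuilderParameters, the same JDK constructor Tomcat's
 * SSLUtilBase.getParameters() uses, to reproduce or rule out
 * "the trustAnchors parameter must be non-empty" outside of Tomcat.
 *
 * Usage (arguments are assumptions for this example):
 *   java TrustStoreCheck /app/config/truststore.p12 PKCS12 maskedpasswd
 *   java TrustStoreCheck "$JAVA_HOME/jre/lib/security/cacerts" JKS changeit
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore-file> <PKCS12|JKS> <password>");
            System.exit(2);
        }

        // Same two steps Tomcat performs: KeyStore.getInstance(type) + load(stream, password).
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }

        // Count what kinds of entries the store actually contains. Only
        // trustedCertEntry aliases become PKIX trust anchors; a PrivateKeyEntry
        // (a server cert plus its key) does not, even if it carries a chain.
        int trusted = 0;
        int keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
                System.out.println("trustedCertEntry : " + alias);
            } else if (ks.isKeyEntry(alias)) {
                keys++;
                System.out.println("PrivateKeyEntry  : " + alias + "  (not a trust anchor)");
            }
        }
        System.out.println(trusted + " trust anchor(s), " + keys + " key entry/entries in " + args[0]);

        // The exact constructor from the stack trace. PKIXParameters(KeyStore)
        // collects the certificate entries and then calls setTrustAnchors(),
        // which throws InvalidAlgorithmParameterException when that set is empty.
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("OK: this store would satisfy Tomcat's PKIX trust manager");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Compile with javac and run it against every store that could be in play: the one you intend to name in truststoreFile (on <SSLHostConfig>, with truststoreType="PKCS12" if it is a PKCS12 file) and, if the wrapper sets javax.net.ssl.trustStore, that one too. A store reporting "0 trust anchor(s)" but one or more key entries is the usual shape of this failure: the CA certificates were imported with a private key instead of via keytool -importcert, or the wrong file was handed to the server.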
