Re: Switch to in-memory key store in tomcat 8.5.23 fails application to load

2018-02-15 Thread Mark Thomas
On 15/02/18 07:52, Emil John wrote:
> Context
> ---
> 
> Exact tomcat version, Operating Systems, other configurations-
> 
> Current Tomcat version - 8.5.15
> Operating Systems - Windows/ Linux
> Upgrading to tomcat version - 8.5.23
> Application - Java Application.
> 
> I have an application with tomcat, say fooapp. I also have a custom
> keystore type, say DKS (Java by default has the JKS keystore). During start
> of my application, it loads the DKS keystore to get the certificate for the
> application. This is done using the following changes in server.xml
> 
>  sslImplementationName="com.vmware.identity.tomcat.GKSAwareImpl"
> store="CERT_STORE"
> port="${bio-ssl-localhost.https.port}"
> protocol="com.vmware.identity.tomcat.GKSAwareHttp11NioProtocol"
> redirectPort="${bio-ssl-localhost.https.port}"
> scheme="https"
> secure="true"
> maxHttpHeaderSize="16384">
>  
> 
> Problem
> ---
> 
> The new version of tomcat has changed code that is preventing my application
> from loading the GKS keystore.
> 
> In Tomcat 8.5.15,
> getKeyManagers() method - if ks is not null, it simply proceeds further
> doing the ks.isKeyEntry() etc..
> 
> In Tomcat 8.5.23,
> getKeyManagers() method - ks is initialized as before and a new
> reference is created -
> KeyStore ks = certificate.getCertificateKeystore();
> KeyStore ksUsed = ks;
> 
> After the code below, ksUsed goes back to JKS and fails to load
> my custom keystore type "GKS"
> 
> // Switch to in-memory key store
> String provider = certificate.getCertificateKeystoreProvider();
> if (provider == null) {
>     ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType());
> } else {
>     ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType(), provider);
> }
> ksUsed.load(null, null); --> throws unimplemented method
> 
> I am setting the provider type properly in java.security which is also used
> while loading the application.
> 
> Has anybody faced a similar problem?

You should try 8.5.24 or later since there was a further change in
8.5.24 in this area.

You might want to talk to VMware support about the unimplemented method
as I'd expect any custom KeyStore to support that usage.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
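Mark's expectation above is that a custom KeyStore supports load(null, null), the call in the quoted "switch to in-memory key store" step. As an added example (not code from this thread, Tomcat or VMware), here is a minimal Java KeyStoreSpi that treats a null stream as "start empty" so that step succeeds; the type name "DKS" and provider name "DemoProvider" are assumptions made for the example.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
// Added example (not Tomcat's or VMware's code): a minimal KeyStoreSpi whose load(null, null) yields an
// empty store, which is the call Tomcat 8.5.23's "switch to in-memory key store" step makes. Assumed names: DKS, DemoProvider.
public class DemoKeyStoreSpi extends KeyStoreSpi {
    private final Map<String, Key> keys = new HashMap<>();
    private final Map<String, Certificate[]> chains = new HashMap<>();
    private final Map<String, Certificate> trusted = new HashMap<>();
    private Date loadedAt;
    @Override public void engineLoad(InputStream in, char[] pw) throws IOException {
        // A null stream means "start with an empty in-memory store"; that is what Tomcat relies on.
        if (in != null) throw new IOException("this demo store is in-memory only");
        keys.clear(); chains.clear(); trusted.clear(); loadedAt = new Date();
    }
    @Override public void engineStore(OutputStream out, char[] pw) throws IOException { throw new IOException("in-memory only"); }
    @Override public Key engineGetKey(String a, char[] pw) { return keys.get(a); }
    @Override public Certificate[] engineGetCertificateChain(String a) { return chains.get(a); }
    @Override public Certificate engineGetCertificate(String a) {
        Certificate[] c = chains.get(a);
        return (c != null && c.length > 0) ? c[0] : trusted.get(a);
    }
    @Override public Date engineGetCreationDate(String a) { return engineContainsAlias(a) ? loadedAt : null; }
    @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] c) {
        trusted.remove(a); keys.put(a, k); chains.put(a, c); // Tomcat copies the configured key entry in this way
    }
    @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) throws KeyStoreException { throw new KeyStoreException("encoded keys unsupported"); }
    @Override public void engineSetCertificateEntry(String a, Certificate c) throws KeyStoreException {
        if (keys.containsKey(a)) throw new KeyStoreException("alias already holds a key entry: " + a);
        trusted.put(a, c);
    }
    @Override public void engineDeleteEntry(String a) { keys.remove(a); chains.remove(a); trusted.remove(a); }
    @Override public Enumeration<String> engineAliases() {
        Set<String> all = new HashSet<>(keys.keySet()); all.addAll(trusted.keySet()); return Collections.enumeration(all);
    }
    @Override public boolean engineContainsAlias(String a) { return keys.containsKey(a) || trusted.containsKey(a); }
    @Override public int engineSize() { return keys.size() + trusted.size(); }
    @Override public boolean engineIsKeyEntry(String a) { return keys.containsKey(a); }
    @Override public boolean engineIsCertificateEntry(String a) { return trusted.containsKey(a); }
    @Override public String engineGetCertificateAlias(Certificate c) {
        for (String a : Collections.list(engineAliases())) if (c.equals(engineGetCertificate(a))) return a;
        return null;
    }
    // After Security.addProvider(new DemoProvider()), KeyStore.getInstance("DKS", "DemoProvider") resolves to this SPI.
    public static final class DemoProvider extends Provider {
        public DemoProvider() { super("DemoProvider", 1.0, "demo in-memory key store"); put("KeyStore.DKS", DemoKeyStoreSpi.class.getName()); }
    }
}
```

With the provider registered, the quoted Tomcat sequence (getInstance, load(null, null), then copying the key entry with setKeyEntry) runs against this store without hitting an unimplemented method.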



Re: Switch to in-memory key store in tomcat 8.5.23 fails application to load

2018-02-15 Thread Nitkalya Wiriyanuparb (Ing)
Emil,

On 15 Feb 2018, 8:52 PM +1300, Emil John wrote:
> Context
> ---
>
> Exact tomcat version, Operating Systems, other configurations-
>
> Current Tomcat version - 8.5.15
> Operating Systems - Windows/ Linux
> Upgrading to tomcat version - 8.5.23
> Application - Java Application.
>
> I have an application with tomcat, say fooapp. I also have a custom
> keystore type, say DKS (Java by default has the JKS keystore). During start
> of my application, it loads the DKS keystore to get the certificate for the
> application. This is done using the following changes in server.xml
>
>  sslImplementationName="com.vmware.identity.tomcat.GKSAwareImpl"
> store="CERT_STORE"
> port="${bio-ssl-localhost.https.port}"
> protocol="com.vmware.identity.tomcat.GKSAwareHttp11NioProtocol"
> redirectPort="${bio-ssl-localhost.https.port}"
> scheme="https"
> secure="true"
> maxHttpHeaderSize="16384"
> 
>
> Problem
> ---
>
> The new version of tomcat has changed code that is preventing my application
> from loading the GKS keystore.
>
> In Tomcat 8.5.15,
> getKeyManagers() method - if ks is not null, it simply proceeds further
> doing the ks.isKeyEntry() etc..
>
> In Tomcat 8.5.23,
> getKeyManagers() method - ks is initialized as before and a new
> reference is created -
> KeyStore ks = certificate.getCertificateKeystore();
> KeyStore ksUsed = ks;
>
> After the code below, ksUsed goes back to JKS and fails to load
> my custom keystore type "GKS"
>
> // Switch to in-memory key store
> String provider = certificate.getCertificateKeystoreProvider();
> if (provider == null) {
>     ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType());
> } else {
>     ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType(), provider);
> }
> ksUsed.load(null, null); --> throws unimplemented method
>
> I am setting the provider type properly in java.security which is also used
> while loading the application.
>
> Has anybody faced a similar problem?

I had a similar problem – not quite the same but close enough. I ended up 
creating another key store type that wraps around my existing types. See my 
threads here http://markmail.org/message/5vus3jpsp5secm44

Cheers,
Ing
>
> Thanks,
> Emil


Switch to in-memory key store in tomcat 8.5.23 fails application to load

2018-02-14 Thread Emil John
Context
---

Exact tomcat version, Operating Systems, other configurations-

Current Tomcat version - 8.5.15
Operating Systems - Windows/ Linux
Upgrading to tomcat version - 8.5.23
Application - Java Application.

I have an application with tomcat, say fooapp. I also have a custom
keystore type, say DKS (Java by default has the JKS keystore). During start
of my application, it loads the DKS keystore to get the certificate for the
application. This is done using the following changes in server.xml


throws unimplemented method

I am setting the provider type properly in java.security which is also used
while loading the application.

Has anybody faced a similar problem?

Thanks,
Emil