Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-22 Thread Christopher Schultz

Angela,

On 11/22/22 13:49, Cantor, Angela T. wrote:
> Problem solved - the answer was embarrassingly easy.
>
> I chowned /etc/pki/nssdb and its contents to tomcat, and everything worked.  The
> "read_only" part of CKR_SESSION_READ_ONLY was a clue.
>
> I'm not sure what changed with the newer OpenJDK, as tomcat had run fine for
> months with root owning /etc/pki/nssdb before.  Also now it is updating the
> cert*.db and key*.db files each time tomcat starts, which it was not doing
> before.

That's weird.

I would NOT expect anything in /etc/pki/* to be updated each time I 
start a service, unless it's explicitly a service that should be 
updating trust stores and/or key stores.

But if that's what YOU expect, well, then ... okay, I guess :)

> Anyway, all is well, and thanks again to Chris and Joey for looking at it and
> providing suggestions - I learned a lot in the process.

:)

-chris



-Original Message-
From: Christopher Schultz 
Sent: Friday, November 18, 2022 14:37
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Joey,

On 11/17/22 10:52, Joey Cochran wrote:
> You might still have a passphrase on the private key that is different
> from the passphrase on the keystore.

This may be the case, but is pretty uncommon.

> After that, my next try would be without explicitly setting ciphers.

This exception occurs way before any cipher suites are being negotiated, so 
don't worry about that.

-chris


-Original Message-
From: Cantor, Angela T. 
Sent: Wednesday, November 16, 2022 7:28 PM
To: Tomcat Users List 
Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error
after OpenJDK upgrade

Thanks to Joey and Chris for responding.

Joey had said
> Jump through the hoop of rebuilding the keystore with the current java
> I believe this is what we did that made the difference
> I am not familiar with PKCS11
> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.


Chris had some questions about my PKCS11 setup, but I'm taking a left turn and 
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and 
this community seems to know more about it.

So I changed back to using PKCS12.  I recreated the keystore from my key and 
signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
connector is this:
  


This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
initialize component 
[Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
 org.apache.catalina.LifecycleException: Protocol handler initialization 
failed
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
 Caused by: java.lang.IllegalArgumentException: keystore password was 
incorrect
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
... 13 more
 Caused by: java.io.IOException: keystore password was incorrect
at 
java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
at 
java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegato

RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-22 Thread Cantor, Angela T.
Problem solved - the answer was embarrassingly easy.

I chowned /etc/pki/nssdb and its contents to tomcat, and everything worked.  
The "read_only" part of CKR_SESSION_READ_ONLY was a clue.

I'm not sure what changed with the newer OpenJDK, as tomcat had run fine for 
months with root owning /etc/pki/nssdb before.  Also now it is updating the 
cert*.db and key*.db files each time tomcat starts, which it was not doing 
before.

Anyway, all is well, and thanks again to Chris and Joey for looking at it and 
providing suggestions - I learned a lot in the process.


Angela




-Original Message-
From: Christopher Schultz  
Sent: Friday, November 18, 2022 14:37
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Joey,

On 11/17/22 10:52, Joey Cochran wrote:
> You might still have a passphrase on the private key that is different 
> from the passphrase on the keystore.
This may be the case, but is pretty uncommon.

> After that, my next try would be without explicitly setting ciphers.

This exception occurs way before any cipher suites are being negotiated, so 
don't worry about that.

-chris

> -Original Message-
> From: Cantor, Angela T. 
> Sent: Wednesday, November 16, 2022 7:28 PM
> To: Tomcat Users List 
> Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error 
> after OpenJDK upgrade
> 
> Thanks to Joey and Chris for responding.
> 
> Joey had said
>> Jump through the hoop of rebuilding the keystore with the current java
>> I believe this is what we did that made the difference
>> I am not familiar with PKCS11
>> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
> 
> Chris had some questions about my PKCS11 setup, but I'm taking a left turn 
> and changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 
> and this community seems to know more about it.
> 
> So I changed back to using PKCS12.  I recreated the keystore from my key and 
> signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
> connector is this:
>  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>server="Apache"
>keyAlias="tomcat9"
>keystorePass="XX" keystoreType="PKCS12"
>keystoreFile="/tomcat9.p12"
>maxHttpHeaderSize="32768"
>sslEnabledProtocols="TLSv1.2"
>   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
>clientAuth="false" sslProtocol="TLSv1.2"/>
> 
> 
> This produced the following error:
> 16-Nov-2022 14:54:58.858 SEVERE [main] 
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
> initialize component 
> [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
> org.apache.catalina.LifecycleException: Protocol handler initialization 
> failed
>at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
>at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
>at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
>at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
>at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
> Caused by: java.lang.IllegalArgumentException: keystore password was 
> incorrect
>at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoi
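
Angela's fix was to chown /etc/pki/nssdb to the tomcat user, and the original report shows the SunPKCS11 config (nss.fips.cfg) pointing at sql:/etc/pki/nssdb with nssDbMode = readOnly. Giving the service account write access to that directory means it can modify a database shared with every other NSS-based program on the host, so it is worth knowing which files it actually needs before changing ownership. The script below is an added example, not code from anyone in the thread: it reads nssSecmodDirectory and nssDbMode from a SunPKCS11 config file and reports read/write access to the database files for whichever user runs it, so run it as the service account. The file names cert*.db, key*.db and pkcs11.txt are the usual NSS sqlite-format database files; the config path and user name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the NSS database location
# and mode from a SunPKCS11 config such as nss.fips.cfg and reports whether
# the user running it can read and write each database file. Run it as the
# service account (e.g. sudo -u tomcat sh nsscheck.sh /path/to/nss.fips.cfg);
# root passes -r/-w regardless of mode bits, and ACLs/SELinux are not checked.

# Print nssSecmodDirectory with the "sql:" or "dbm:" prefix stripped.
nss_cfg_dbdir() {   # $1 = SunPKCS11 config file
  sed -n 's/^[[:space:]]*nssSecmodDirectory[[:space:]]*=[[:space:]]*//p' "$1" \
    | sed 's/^sql://; s/^dbm://; s/[[:space:]]*$//' | head -n 1
}

# Print nssDbMode (readOnly, readWrite or noDb); empty when unset.
nss_cfg_dbmode() {   # $1 = SunPKCS11 config file
  sed -n 's/^[[:space:]]*nssDbMode[[:space:]]*=[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# One line per DB file: "rw", "r-" or "--" followed by the path.
# Returns 0 when every file present is readable, 1 otherwise.
nssdb_check() {   # $1 = NSS DB directory
  dir=$1
  rc=0
  [ -d "$dir" ] || { printf 'missing directory: %s\n' "$dir"; return 1; }
  for f in "$dir"/cert*.db "$dir"/key*.db "$dir"/pkcs11.txt; do
    [ -e "$f" ] || continue           # unmatched glob stays literal; skip it
    if [ -r "$f" ]; then r=r; else r=-; rc=1; fi
    if [ -w "$f" ]; then w=w; else w=-; fi
    printf '%s%s %s\n' "$r" "$w" "$f"
  done
  return $rc
}

# Stand-alone use: report on the config given as the only argument.
if [ $# -eq 1 ]; then
  printf 'nssDbMode=%s\n' "$(nss_cfg_dbmode "$1")"
  nssdb_check "$(nss_cfg_dbdir "$1")"
fi
```

If the report shows "r-" for cert*.db or key*.db while the JVM still fails with CKR_SESSION_READ_ONLY, the JVM is opening the database read-write regardless of nssDbMode, and the question becomes which single file needs to be writable rather than handing the whole directory to the service account.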

Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-18 Thread Christopher Schultz

Joey,

On 11/17/22 10:52, Joey Cochran wrote:
> You might still have a passphrase on the private key that is
> different from the passphrase on the keystore.

This may be the case, but is pretty uncommon.

> After that, my next try would be without explicitly setting ciphers.

This exception occurs way before any cipher suites are being negotiated, 
so don't worry about that.


-chris


-Original Message-
From: Cantor, Angela T. 
Sent: Wednesday, November 16, 2022 7:28 PM
To: Tomcat Users List 
Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Thanks to Joey and Chris for responding.

Joey had said
> Jump through the hoop of rebuilding the keystore with the current java
> I believe this is what we did that made the difference
> I am not familiar with PKCS11
> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.


Chris had some questions about my PKCS11 setup, but I'm taking a left turn and 
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and 
this community seems to know more about it.

So I changed back to using PKCS12.  I recreated the keystore from my key and 
signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
connector is this:
 


This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
initialize component 
[Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
org.apache.catalina.LifecycleException: Protocol handler initialization 
failed
   at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
   at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
   at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
   at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
   at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.base/java.lang.reflect.Method.invoke(Method.java:568)
   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: keystore password was 
incorrect
   at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
   at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
   at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
   at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
   at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
   at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
   at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
   ... 13 more
Caused by: java.io.IOException: keystore password was incorrect
   at 
java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
   at 
java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
   at java.base/java.security.KeyStore.load(KeyStore.java:1473)
   at 
org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
   at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
   at 
org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
   at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
   at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
   at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
   ... 20 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe 
contents entry: java.security.NoSuchAlgorithmException: Cannot find any 
provider supporting PBEWithSHA1AndDESede
   ... 29 more
16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load 
Server initialization in [6240] milliseconds


I am sure I am using the correct password, having created the keystore moments 
before this, so I assume the issue

Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-18 Thread Christopher Schultz

Angela,

On 11/16/22 20:31, Cantor, Angela T. wrote:
> And one thing I forgot - yes Chris, could you please provide the code
> you mentioned in case that is the issue?

Sure:

import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * A crude class for displaying all the information about security
 * providers.
 *
 * When invoked with no arguments, this class prints out information about
 * all detected security providers. You can optionally list the security
 * providers you wish to query on the command line.
 *
 * @author Chris Schultz
 * @version $Revision: 1.3 $ $Date: 2012-02-08 16:09:13 $
 */
public class GetProviderInfo
{
    public static void main(String[] args)
    {
        Provider[] providers;
        if(null != args && 0 < args.length)
        {
            // Query only the providers named on the command line.
            // Security.getProvider() returns null for a name that is not
            // installed (e.g. "SunPKCS11-NSS-FIPS" on a non-FIPS JVM).
            providers = new Provider[args.length];
            for(int i = 0; i < args.length; i++)
            {
                providers[i] = Security.getProvider(args[i]);
                if(null == providers[i])
                    System.err.println("No such provider: " + args[i]);
            }
        }
        else
        {
            providers = Security.getProviders();
        }

        for(Provider p : providers)
        {
            if(null == p)
                continue;

            System.out.println("Provider: " + p + " (name=" + p.getName() + ")");

            System.out.println("===");
            System.out.println("provider properties:");

            List<String> keys = new ArrayList<>();

            // Grab only the String keys (Provider extends Properties, so
            // keySet() is typed as Set<Object>)
            for(Object o : p.keySet())
                if(o instanceof String)
                    keys.add((String)o);

            Collections.sort(keys);

            // Keys look like "KeyStore.PKCS12" or "Cipher.PBEWithSHA1AndDESede",
            // so grepping this output shows which provider, if any, offers a
            // given keystore type or algorithm
            for(String key : keys)
            {
                System.out.print(key);
                System.out.print('=');
                System.out.println(p.get(key));
            }

            System.out.println("---");
        }
    }
}

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-18 Thread Christopher Schultz

Angela,

On 11/16/22 20:27, Cantor, Angela T. wrote:
> Thanks to Joey and Chris for responding.
>
> Joey had said
>> Jump through the hoop of rebuilding the keystore with the current java
>> I believe this is what we did that made the difference
>> I am not familiar with PKCS11
>> we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
>
> Chris had some questions about my PKCS11 setup, but I'm taking a left turn and
> changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and
> this community seems to know more about it.
>
> So I changed back to using PKCS12.  I recreated the keystore from my key and
> signed cert using openssl and switched to using Http11Nio2Protocol.  Now the
> connector is this:
>  
>
> This produced the following error:
>
> [snip]
>
> Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
> contents entry: java.security.NoSuchAlgorithmException: Cannot find any
> provider supporting PBEWithSHA1AndDESede
>    ... 29 more
> 16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load
> Server initialization in [6240] milliseconds
>
> I am sure I am using the correct password, having created the
> keystore moments before this, so I assume the issue is with
> PBEWithSHA1AndDESede.  And now I'm in over my head...any advice?

Back in Java 8 days, this was a JVM bug. You'd need to update to a fixed 
version (https://bugs.openjdk.org/browse/JDK-8266279).

But since you are using Java 17... hmm.

Are you sure Tomcat is running with your Java 17?

Did you build the PKCS12 file using openssl or keytool? IIRC, openssl 
sometimes does things that are within the spec but aren't handled by 
Java's implementations of these standards.


-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, November 15, 2022 21:50
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Angela,

On 11/14/22 11:56, Cantor, Angela T. wrote:
> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now
> tomcat won't listen on the desired port.  Something is wonky with it accessing
> the keystore.  If you all see anything obvious, could you please advise?
> Especially if it involves switching to a pkcs12 keystore (which I tried but
> that also failed - I am no expert on setting up either type so maybe I did
> something wrong.)  Nothing other than the OpenJDK version seems to matter - if
> we downgrade it back to 17.0.4.0.8, tomcat once again works fine.  Note that
> 17.0.4.1.1-2.el8_6 also caused the same problem.
>
> [snip]
>
>   certificateKeystoreProvider="SunPKCS11-NSS-FIPS"

Could this be the problem? Does your new Java version have that security 
provider available? I have some code which can dump-out the available providers 
if you aren't sure.

>   certificateKeystoreType="PKCS11"

This also looks weird to me: PKCS11 is an API, not a file type. But maybe you 
have to use this in order to access a keystore via the OpenSSL API? It makes 
some sense since you haven't specified a filename for the keystore. I don't 
have any experience with that. :/

-chris




RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-17 Thread Joey Cochran
Angela,
You might still have a passphrase on the private key that is different from the 
passphrase on the keystore.
I generally do without passwords on the private key, or make sure the key 
passwords and store passwords are the same.
The store password will be tried/used (when needed) on nested passphrases.  
When it is different, this exception or one similar can be thrown.

After that, my next try would be without explicitly setting ciphers.

   

Joey Cochran • Middle Tennessee State University • Information Technology 
Division • Systems Administrator II • office: (615) 898-2714

-Original Message-
From: Cantor, Angela T.  
Sent: Wednesday, November 16, 2022 7:28 PM
To: Tomcat Users List 
Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Thanks to Joey and Chris for responding.

Joey had said
>Jump through the hoop of rebuilding the keystore with the current java
>I believe this is what we did that made the difference
>I am not familiar with PKCS11
>we use Http11Nio2Protocol with PKCS12 for complete chain bundling.

Chris had some questions about my PKCS11 setup, but I'm taking a left turn and 
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and 
this community seems to know more about it.

So I changed back to using PKCS12.  I recreated the keystore from my key and 
signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
connector is this:



This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
initialize component 
[Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
   org.apache.catalina.LifecycleException: Protocol handler initialization 
failed
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method)
  at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
  at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.base/java.lang.reflect.Method.invoke(Method.java:568)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
   Caused by: java.lang.IllegalArgumentException: keystore password was 
incorrect
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
  at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
  ... 13 more
   Caused by: java.io.IOException: keystore password was incorrect
  at 
java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
  at 
java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
  at java.base/java.security.KeyStore.load(KeyStore.java:1473)
  at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
  at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
  at 
org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
  at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
  at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
  ... 20 more
   Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe 
contents entry: java.security.NoSuchAlgorithmException: Cannot find any 
provider supporting PBEWithS

RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-16 Thread Cantor, Angela T.
And one thing I forgot - yes Chris, could you please provide the code you 
mentioned in case that is the issue?

Thanks,
Angela


>>  certificateKeystoreProvider="SunPKCS11-NSS-FIPS"
>
>Could this be the problem? Does your new Java version have that security 
>provider available? I have some code which can dump-out the available 
>providers if you aren't sure.




RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-16 Thread Cantor, Angela T.
Thanks to Joey and Chris for responding.

Joey had said
>Jump through the hoop of rebuilding the keystore with the current java
>I believe this is what we did that made the difference
>I am not familiar with PKCS11
>we use Http11Nio2Protocol with PKCS12 for complete chain bundling.

Chris had some questions about my PKCS11 setup, but I'm taking a left turn and 
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and 
this community seems to know more about it.

So I changed back to using PKCS12.  I recreated the keystore from my key and 
signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
connector is this:



This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
initialize component 
[Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
   org.apache.catalina.LifecycleException: Protocol handler initialization 
failed
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method)
  at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
  at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.base/java.lang.reflect.Method.invoke(Method.java:568)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
   Caused by: java.lang.IllegalArgumentException: keystore password was 
incorrect
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
  at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
  ... 13 more
   Caused by: java.io.IOException: keystore password was incorrect
  at 
java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
  at 
java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
  at java.base/java.security.KeyStore.load(KeyStore.java:1473)
  at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
  at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
  at 
org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
  at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
  at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
  ... 20 more
   Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe 
contents entry: java.security.NoSuchAlgorithmException: Cannot find any 
provider supporting PBEWithSHA1AndDESede
  ... 29 more
16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load 
Server initialization in [6240] milliseconds


I am sure I am using the correct password, having created the keystore moments 
before this, so I assume the issue is with PBEWithSHA1AndDESede.  And now I'm 
in over my head...any advice?


Thanks so much,
Angela



-Original Message-
From: Christopher Schultz  
Sent: Tuesday, November 15, 2022 21:50
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Angela,

On 11/14/22 11:56, Cantor, Angela T. wrote:
> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now 
> tomcat won't listen on the desired port.  Something is wonky with it 
> accessing the keystore.  If you all see anything obvious, could you please 
> advise?  Especially if it involv

Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-15 Thread Christopher Schultz

Angela,

On 11/14/22 11:56, Cantor, Angela T. wrote:
> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now
> tomcat won't listen on the desired port.  Something is wonky with it accessing
> the keystore.  If you all see anything obvious, could you please advise?
> Especially if it involves switching to a pkcs12 keystore (which I tried but
> that also failed - I am no expert on setting up either type so maybe I did
> something wrong.)  Nothing other than the OpenJDK version seems to matter - if
> we downgrade it back to 17.0.4.0.8, tomcat once again works fine.  Note that
> 17.0.4.1.1-2.el8_6 also caused the same problem.
>
> [snip]
>
>  certificateKeystoreProvider="SunPKCS11-NSS-FIPS"

Could this be the problem? Does your new Java version have that security 
provider available? I have some code which can dump-out the available 
providers if you aren't sure.

>  certificateKeystoreType="PKCS11"

This also looks weird to me: PKCS11 is an API, not a file type. But 
maybe you have to use this in order to access a keystore via the OpenSSL 
API? It makes some sense since you haven't specified a filename for the 
keystore. I don't have any experience with that. :/


-chris




RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-14 Thread Joey Cochran
Angela,
I have seen this before when changing java sources, in our case 7 to 8.
Jump through the hoop of rebuilding the keystore with the current java
I believe this is what we did that made the difference
I am not familiar with PKCS11
we use Http11Nio2Protocol with PKCS12 for complete chain bundling.
Hope this helps.
-Joey

-Original Message-
From: Cantor, Angela T.  
Sent: Monday, November 14, 2022 10:56 AM
To: users@tomcat.apache.org
Subject: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Hi all,

We have
- tomcat 9.0.68
- RHEL 8.6 with FIPS
- OpenJDK 17.0.5.0.8-2.el8_6

We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now 
tomcat won't listen on the desired port.  Something is wonky with it accessing 
the keystore.  If you all see anything obvious, could you please advise?  
Especially if it involves switching to a pkcs12 keystore (which I tried but 
that also failed - I am no expert on setting up either type so maybe I did 
something wrong.)  Nothing other than the OpenJDK version seems to matter - if 
we downgrade it back to 17.0.4.0.8, tomcat once again works fine.  Note that 
17.0.4.1.1-2.el8_6 also caused the same problem.

Tomcat with this connector worked fine with OpenJDK 17.0.4:

   
  
   


java.security for 17.0.5 has these entries for FIPS:
fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
fips.provider.2=SUN
fips.provider.3=SunEC
fips.provider.4=SunJSSE
fips.provider.5=SunJCE
fips.provider.6=SunRsaSign
...
fips.keystore.type=pkcs12



nss.fips.cfg is this:
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }



Upon starting tomcat, we get this:
14-Nov-2022 11:24:21.174 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8843"]
14-Nov-2022 11:24:21.431 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8843]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
    Caused by: java.lang.IllegalArgumentException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
        ... 13 more
    Caused by: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1113)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
        at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:366)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
        ... 20 more
    Caused by: