Alas, No extra debugging information appeared for me with the -Djavax.net.debug=ssl:handshake.
I still get WARN http-8443-Processor25 gov.sensornet.security.X509Realm - Check OCSP Credentials: CertPathValidatorException: java.security.cert.CertPathValidatorException: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty What I am trying to do is to create a custom Realm that checks a user's PKI certificate for revocation. I have looked at the Tomcat (5.5) source, and so far as I can tell, Tomcat's certificate realms only check that the certificate was signed by a trusted CA and is valid today. With some code from Sun, I can properly check OCSP revocation in a servlet filter. But when I try to move the same code to a custom Realm, I get the above error. The code is as follows: // --------------------------------------------------------------------- // METHOD: enableOSCP() - /*************************************************************************** * Enable OCSP certificate checking. This initializes the appropriate * parameters to enable OCSP. */ private void enableOCSP() { TrustAnchor caAnchor = new TrustAnchor(CACert, null); Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>(); trustedCertsSet.add(caAnchor); // init cert store Set<X509Certificate> certSet = new HashSet<X509Certificate>(); certSet.add(OCSPCert); try { CertStoreParameters storeParams = new CollectionCertStoreParameters( certSet); CertStore store = CertStore.getInstance("Collection", storeParams); // init PKIX parameters params = new PKIXParameters(trustedCertsSet); params.addCertStore(store); params.setRevocationEnabled(true); System.setProperty("javax.net.ssl.trustStoreType", "JKS"); System.setProperty("javax.net.ssl.trustStore", "/usr/share/jboss/Certificates/cacerts"); System.setProperty("javax.net.ssl.trustStorePassword","mypassword"); // enable OCSP java.security.Security.setProperty("ocsp.enable", "true"); java.security.Security.setProperty("ocsp.responderURL", OCSPURL); java.security.Security.setProperty("ocsp.responderCertSubjectName", OCSPCert.getSubjectX500Principal().getName()); log.debug("ocsp.responder=" + java.security.Security.getProperty("ocsp.responderCertSubjectName")); } catch (Exception ex) { log.warn("Error enabling OCSP: " + ex); } } Then in X509Realm.authenticate(), I do: // --------------------------------------------------------- Public Methods /** * Return the Principal associated with the specified chain of X509 * client certificates. If there is none, return <code>null</code>. * * @param certs Array of client certificates, with the first one in * the array being the certificate of the client itself. */ public Principal authenticate(X509Certificate certs[]) { System.out.println("In Certificate authenticate"); log.debug("In authenticate"); if ((certs == null) || (certs.length < 1)) return (null); // Check the validity of each certificate in the chain if (log.isDebugEnabled()) log.debug("Authenticating client certificate chain"); if (validate) { for (int i = 0; i < certs.length; i++) { if (log.isDebugEnabled()) log.debug(" Checking validity for '" + certs[i].getSubjectDN().getName() + "'"); try { certs[i].checkValidity(); } catch (CertificateExpiredException cee) { log.warn(STATUS_EXPIRED); return (null); } catch (CertificateNotYetValidException cnyve) { log.warn(STATUS_NOT_YET_VALID); return (null); } } // Verify that we signed the presented certificate // log.debug(CAPubKey.toString()); log.debug("UserDN=" + certs[0].getSubjectDN()); try { certs[0].verify(CAPubKey); } catch (CertificateException ce) { log.warn(STATUS_BAD_ENCODING); return (null); } catch (NoSuchAlgorithmException nsa) { log.warn(STATUS_NSA); return (null); } catch (InvalidKeyException ivk) { log.warn(STATUS_INVALID_KEY); return (null); } catch (NoSuchProviderException nsp) { log.warn(STATUS_NSP); return (null); } catch (SignatureException se) { log.warn(STATUS_BAD_SIGNATURE); return (null); } // Passed verification test. // Now check to see if it was revoked // Check the OCSP server for revocation enableOCSP(); log.debug("ocsp.responderURL=" + Security.getProperty("ocsp.responderURL")); log.debug("ocsp.responderCertSubjectName=" + Security.getProperty("ocsp.responderCertSubjectName")); log.debug("Start params " + this.toString() +"\n" +params.toString()); log.debug("End params"); try { CertPath cp = null; Vector<X509Certificate> vcerts = new Vector<X509Certificate>(); vcerts.add(certs[0]); // init cert path CertificateFactory cf = CertificateFactory.getInstance("X509"); cp = (CertPath) cf.generateCertPath(vcerts); log.debug("CertPath=" + cp.toString()); log.debug(params.getTrustAnchors().toString()); Iterator it = params.getCertStores().iterator(); while(it.hasNext()) { log.debug("CertStore=" + it.next().toString()); } CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); PKIXCertPathValidatorResult cpv_result = (PKIXCertPathValidatorResult) cpv.validate(cp, params); log.debug("cpv_result=" + cpv_result.toString()); X509Certificate trustedCert = (X509Certificate) cpv_result .getTrustAnchor().getTrustedCert(); if (trustedCert == null) { log.warn("Trusted Cert = NULL"); } } catch (CertPathValidatorException e) { CertPath cp = e.getCertPath(); int ind = e.getIndex(); log.warn("Check OCSP Credentials: CertPathValidatorException: " + e); log.warn("Cert Path=" + cp.toString() + " index=" + ind); return (null); } catch (CertificateException e) { log.warn("CertificateException: " + e); return (null); } catch (NoSuchAlgorithmException e) { log.warn("NoSuchAlgorithmException: " + e); return (null); } catch (InvalidAlgorithmParameterException e) { log.warn("InvalidAlgorithmParameterException: " + e); return (null); } } // End of validate // Check the existence of the client Principal in our database Principal subject = certs[0].getSubjectDN(); return (subject); } I print out the PKIX parameters, and my CA certufucate is in there. So what can be different about running this in a Tomcat Realm vs a Tomcat filter? Thanks, Jim ------------------------------ You want to put this in the Java tab under Java Options. Best regards Robert. -----Original Message----- From: James Rome [mailto:[EMAIL PROTECTED] Sent: 17 October 2005 16:00 To: tomcat-user@jakarta.apache.org Subject: SSL Error : Please HELP I tried putting start -Djavax.net.debug=ssl:handshake in the Windows 5.5 GUI startup tab under arguments and Tomcat will not start How does one get this to work? Jim --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]