On 15/02/18 07:52, Emil John wrote:
> Context
> -----------
> 
> Exact tomcat version, Operating Systems, other configurations-
> 
> Current Tomcat version - 8.5.15
> Operating Systems - Windows/ Linux
> Upgrading to tomcat version - 8.5.23
> Application - Java Application.
> 
> I have an application with tomcat, say fooapp. I also have a custom
> keystore type, say DKS (Java by default has the JKS keystore). During start
> of my application, it loads the DKS keystore to get the certificate for the
> application. This is done using the following changes in server.xml
> 
> <Connector SSLEnabled="true"
>            sslImplementationName="com.vmware.identity.tomcat.GKSAwareImpl"
>            store="CERT_STORE"
>            port="${bio-ssl-localhost.https.port}"
>            protocol="com.vmware.identity.tomcat.GKSAwareHttp11NioProtocol"
>            redirectPort="${bio-ssl-localhost.https.port}"
>            scheme="https"
>            secure="true"
>            maxHttpHeaderSize="16384">
>     <Certificate certificateKeystoreType="GKS"
> 
> 
> Problem
> -----------
> 
> The new version of Tomcat has changed code that is preventing my application
> from loading the GKS keystore.
> 
> In Tomcat 8.5.15,
> getKeyManagers() method - if ks is not null, it simply proceeds further
> doing the ks.isKeyEntry() etc..
> 
> In Tomcat 8.5.23,
> getKeyManagers() method - ks is initialized as before, but a new
> reference is created -
> KeyStore ks = certificate.getCertificateKeystore();
> KeyStore ksUsed = ks;
> 
> After the below code, the ksUsed is getting back to JKS and fails to load
> my custom keystore type "GKS"
> 
> // Switch to in-memory key store
> String provider = certificate.getCertificateKeystoreProvider();
> if (provider == null) {
>     ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType());
> } else {
>     ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType(), provider);
> }
> ksUsed.load(null, null); --> throws unimplemented method
> 
> I am setting the provider type properly in java.security which is also used
> while loading the application.
> 
> Has anybody faced a similar problem?

You should try 8.5.24 or later since there was a further change in
8.5.24 in this area.

You might want to talk to VMware support about the unimplemented method
as I'd expect any custom KeyStore to support that usage.

Mark
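The failure Emil describes comes from Tomcat calling `KeyStore.load(null, null)` on a freshly created instance of the custom keystore type and then copying the selected entry into it, so a `KeyStoreSpi` whose `engineLoad` rejects a null stream breaks `getKeyManagers()`. The following Java program is an added illustration, not code from this thread, from Tomcat or from VMware: it registers a minimal in-memory `KeyStoreSpi` under a made-up type name `DEMO-GKS` with a made-up provider `DemoProvider`, mirrors the quoted 8.5.23 copy step in a simplified `copyToInMemoryStore()`, and runs it once against a store that rejects `load(null, null)` and once against one that accepts it. The alias `fooapp` and the AES `SecretKey` used as a stand-in for the TLS private key are constructed for the demo.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.crypto.spec.SecretKeySpec;

// Added demo, not Tomcat or VMware code. "DEMO-GKS", DemoProvider and the alias
// "fooapp" are made-up names used only for illustration.
public class InMemoryKeyStoreDemo {

    // Minimal in-memory KeyStoreSpi standing in for a custom type such as GKS.
    public static class DemoKeyStoreSpi extends KeyStoreSpi {
        // false models a store whose engineLoad(null, ...) is "unimplemented".
        static volatile boolean acceptNullStream = false;
        private final Map<String, Key> keys = new HashMap<>();
        private final Map<String, Certificate[]> chains = new HashMap<>();
        private final Map<String, Certificate> trusted = new HashMap<>();

        @Override public void engineLoad(InputStream in, char[] pw) throws IOException {
            if (in != null) throw new IOException("stream loading is out of scope for this demo");
            // KeyStore.load(null, null) must initialise an empty store; Tomcat relies on this.
            if (!acceptNullStream) throw new UnsupportedOperationException("engineLoad(null) not implemented");
        }
        @Override public void engineStore(OutputStream out, char[] pw) throws IOException {
            throw new IOException("persisting is out of scope for this demo");
        }
        @Override public Key engineGetKey(String a, char[] pw) { return keys.get(a); }
        @Override public Certificate[] engineGetCertificateChain(String a) { return chains.get(a); }
        @Override public Certificate engineGetCertificate(String a) {
            Certificate[] c = chains.get(a);
            return (c != null && c.length > 0) ? c[0] : trusted.get(a);
        }
        @Override public Date engineGetCreationDate(String a) { return new Date(); }
        @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] chain) {
            keys.put(a, k); chains.put(a, chain);
        }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] chain) throws KeyStoreException {
            throw new KeyStoreException("protected key bytes not supported in this demo");
        }
        @Override public void engineSetCertificateEntry(String a, Certificate c) { trusted.put(a, c); }
        @Override public void engineDeleteEntry(String a) { keys.remove(a); chains.remove(a); trusted.remove(a); }
        @Override public Enumeration<String> engineAliases() {
            Set<String> all = new HashSet<>(keys.keySet()); all.addAll(trusted.keySet());
            return Collections.enumeration(all);
        }
        @Override public boolean engineContainsAlias(String a) { return keys.containsKey(a) || trusted.containsKey(a); }
        @Override public int engineSize() { return keys.size() + trusted.size(); }
        @Override public boolean engineIsKeyEntry(String a) { return keys.containsKey(a); }
        @Override public boolean engineIsCertificateEntry(String a) { return trusted.containsKey(a); }
        @Override public String engineGetCertificateAlias(Certificate c) { return null; }
    }

    // Provider that registers the demo key store type under the name "DEMO-GKS".
    public static class DemoProvider extends Provider {
        @SuppressWarnings("deprecation") // (String, double, String) ctor is deprecated on 9+ but still works
        DemoProvider() {
            super("DemoProvider", 1.0, "demo key store provider");
            put("KeyStore.DEMO-GKS", DemoKeyStoreSpi.class.getName());
        }
    }

    // Simplified mirror of the step quoted from Tomcat 8.5.23's getKeyManagers(): create a
    // fresh store of the same type and provider, initialise it empty, copy the entry in.
    static KeyStore copyToInMemoryStore(KeyStore ks, String alias, char[] pw) throws Exception {
        KeyStore ksUsed = KeyStore.getInstance(ks.getType(), ks.getProvider());
        ksUsed.load(null, null);   // the call that fails for a store rejecting a null stream
        ksUsed.setKeyEntry(alias, ks.getKey(alias, pw), pw, ks.getCertificateChain(alias));
        return ksUsed;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new DemoProvider());
        char[] pw = "changeit".toCharArray();
        // Source store. A constructed AES SecretKey stands in for the TLS private key, since
        // the JDK has no public API for minting a certificate chain.
        DemoKeyStoreSpi.acceptNullStream = true;
        KeyStore src = KeyStore.getInstance("DEMO-GKS", "DemoProvider");
        src.load(null, null);
        src.setKeyEntry("fooapp", new SecretKeySpec(new byte[16], "AES"), pw, null);

        DemoKeyStoreSpi.acceptNullStream = false;   // strict store: reproduces the failure
        try {
            copyToInMemoryStore(src, "fooapp", pw);
        } catch (UnsupportedOperationException e) {
            System.out.println("8.5.23-style copy failed: " + e.getMessage());
        }
        DemoKeyStoreSpi.acceptNullStream = true;    // store that accepts load(null, null): copy works
        KeyStore copy = copyToInMemoryStore(src, "fooapp", pw);
        System.out.println("copy.isKeyEntry(\"fooapp\") = " + copy.isKeyEntry("fooapp"));
    }
}
```

Compile and run with `javac InMemoryKeyStoreDemo.java && java InMemoryKeyStoreDemo`. The first copy attempt reports the `UnsupportedOperationException`, which is the shape of the failure in the thread; the second succeeds and reports `true`. The practical takeaway for anyone maintaining a custom keystore type is that `engineLoad(null, password)` needs to yield an empty, initialised store, because callers such as Tomcat use that path to build a throwaway in-memory copy rather than handing the original store to the `KeyManagerFactory`.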
