I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon Linux2 in a production environment.  A couple of years ago, we started getting weird errors that the "Crypto Mechanism" failed to initialize.  Through a lot of trial and error, and reasons I don't quite remember, we put a 2-min delay in rc.local before starting Tomcat, and the problem went away.  I'm not a Linux nor a crypto guru.  But we traced it to some crypto file that we assumed was not available until later in the Linux boot sequence.  Anyway, the 2 minute delay made it go away, for over two years.  Then all of a sudden in the last day or so, it's back with a vengeance.  It fails with the same crypto error from 2 years ago in about 50% of the EC2 boot ups.  I tried bumping the wait to 3 min, and no change.

I need help.  Our whole production environment is unstable now since every time an ASG brings a new instance online, I've got a 50-50 chance that tomcat is going to die (and the health check doesn't catch it, but that's a different issue).

There are no errors in the Tomcat boot sequence logs.  But the first time and every subsequent time I try to get a connection from the DataSource pool, I get the stack dump shown below.

I figure it has to be a timing/race condition.  But I have no clue what to do to fix it.  I'm baffled that it worked for two years, and now fails every other time I start an instance.  And every instance is running copies of the exact same Amazon Machine Image.  The same EC2 will come up clean 50% of the time the next time it boots.

Can somebody with Tomcat/Crypto/Linux knowledge unravel what's going on here?  Thx

        at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
        at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
        at java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.java:509)
        at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:498)
        at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81)
        at java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:65)         at java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuites(SSLContextImpl.java:348)         at java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:580)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:315)

        at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:948)         at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)
        at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:448)
        at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)         at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:198)         at org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:52)         at org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:415)         at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:111)         at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:649)         at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:532)         at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:731)         at jwm.db.DBData.getConnection(DBData.java:506)   //// my call to get a db connection from connection pool ////


Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism         at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120) ... 86 mo Caused by: java.lang.SecurityException: Can't read cryptographic policy directory: unlimited         at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:326)
        at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
        at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
        at java.base/java.security.AccessController.doPrivileged(Native Method)         at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
        ... 86 more

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to