I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon
Linux 2 in a production environment. A couple of years ago, we started
getting weird errors that the "Crypto Mechanism" failed to initialize.
Through a lot of trial and error, and reasons I don't quite remember, we
put a 2-min delay in rc.local before starting Tomcat, and the problem
went away. I'm not a Linux nor a crypto guru. But we traced it to some
crypto file that we assumed was not available until later in the Linux
boot sequence. Anyway, the 2 minute delay made it go away, for over two
years. Then all of a sudden in the last day or so, it's back with a
vengeance. It fails with the same crypto error from 2 years ago in
about 50% of the EC2 boot ups. I tried bumping the wait to 3 min, and
no change.

I need help. Our whole production environment is unstable now since
every time an ASG brings a new instance online, I've got a 50-50 chance
that Tomcat is going to die (and the health check doesn't catch it, but
that's a different issue).

There are no errors in the Tomcat boot sequence logs. But the first
time and every subsequent time I try to get a connection from the
DataSource pool, I get the stack dump shown below.

I figure it has to be a timing/race condition. But I have no clue what
to do to fix it. I'm baffled that it worked for two years, and now
fails every other time I start an instance. And every instance is
running copies of the exact same Amazon Machine Image. The same EC2
will come up clean 50% of the time the next time it boots.

Can somebody with Tomcat/Crypto/Linux knowledge unravel what's going on
here? Thx

java.lang.ExceptionInInitializerError
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
    at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
    at java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.java:509)
    at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:498)
    at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81)
    at java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:65)
    at java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuites(SSLContextImpl.java:348)
    at java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:580)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:315)
    ...
    at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:948)
    at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)
    at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:448)
    at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
    at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:198)
    at org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:52)
    at org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:415)
    at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:111)
    at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:649)
    at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:532)
    at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:731)
    at jwm.db.DBData.getConnection(DBData.java:506) //// my call to get a db connection from connection pool ////
    ...
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
    at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120)
    ... 86 mo
Caused by: java.lang.SecurityException: Can't read cryptographic policy directory: unlimited
    at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:326)
    at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
    at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
    ... 86 more
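
The innermost cause in the trace is "Can't read cryptographic policy directory: unlimited". As an added example (not part of the original post, and not Tomcat or JDK code), the shell functions below test that directory's readability and poll for it with a bounded timeout, in place of a fixed delay in rc.local. Assumptions: the JDK 9+ layout $JAVA_HOME/conf/security/policy/<name>, the presence of *.policy files inside it, and the hypothetical function names.

```shell
#!/bin/sh
# Added example: pre-start check for the JCE jurisdiction policy directory.
# Assumption: JDK 9+ keeps it at $JAVA_HOME/conf/security/policy/<name>,
# where <name> is the crypto.policy value ("unlimited" in the trace).

# jce_policy_ok JAVA_HOME NAME
# Returns 0 if the directory is readable and holds a readable *.policy file.
# Returns 1 (missing), 2 (unreadable) or 3 (no policy files), with the
# reason written to stderr so it lands in the boot log.
jce_policy_ok() {
    dir="$1/conf/security/policy/$2"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    [ -r "$dir" ] && [ -x "$dir" ] || { echo "unreadable: $dir" >&2; return 2; }
    for f in "$dir"/*.policy; do
        [ -r "$f" ] && return 0
    done
    echo "no readable *.policy in $dir" >&2
    return 3
}

# wait_for_jce_policy JAVA_HOME NAME TIMEOUT_SECONDS
# Polls once per second instead of sleeping for a fixed time. Returns 0 as
# soon as the check passes, 1 (after logging the reason) once the timeout
# has expired.
wait_for_jce_policy() {
    waited=0
    while ! jce_policy_ok "$1" "$2" 2>/dev/null; do
        if [ "$waited" -ge "$3" ]; then
            jce_policy_ok "$1" "$2" || return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Usage in rc.local (the Tomcat path is a placeholder):
#   wait_for_jce_policy "$JAVA_HOME" unlimited 180 \
#       && /path/to/tomcat/bin/startup.sh
```

Run the check as the account Tomcat runs under, since readability depends on the calling user; a non-zero return with its stderr line in the boot log tells you whether the directory was missing, unreadable or empty at that moment.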