I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon Linux2 in a production environment.  A couple of years ago, we started getting weird errors that the "Crypto Mechanism" failed to initialize.  Through a lot of trial and error, and reasons I don't quite remember, we put a 2-min delay in rc.local before starting Tomcat, and the problem went away.  I'm neither a Linux nor a crypto guru.  But we traced it to some crypto file that we assumed was not available until later in the Linux boot sequence.  Anyway, the 2 minute delay made it go away, for over two years.  Then all of a sudden in the last day or so, it's back with a vengeance.  It fails with the same crypto error from 2 years ago in about 50% of the EC2 boot ups.  I tried bumping the wait to 3 min, and no change.

I need help.  Our whole production environment is unstable now since every time an ASG brings a new instance online, I've got a 50-50 chance that Tomcat is going to die (and the health check doesn't catch it, but that's a different issue).

There are no errors in the Tomcat boot sequence logs.  But the first time and every subsequent time I try to get a connection from the DataSource pool, I get the stack dump shown below.

I figure it has to be a timing/race condition.  But I have no clue what to do to fix it.  I'm baffled that it worked for two years, and now fails every other time I start an instance.  And every instance is running copies of the exact same Amazon Machine Image.  The same EC2 will come up clean 50% of the time the next time it boots.

Can somebody with Tomcat/Crypto/Linux knowledge unravel what's going on here?  Thx

java.lang.ExceptionInInitializerError
        at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
        at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
        at java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.java:509)
        at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:498)
        at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81)
        at java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:65)
        at java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuites(SSLContextImpl.java:348)
        at java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:580)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:315)
...

        at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:948)
        at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)
        at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:448)
        at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
        at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:198)
        at org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:52)
        at org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:415)
        at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:111)
        at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:649)
        at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:532)
        at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:731)
        at jwm.db.DBData.getConnection(DBData.java:506)   //// my call to get a db connection from connection pool ////

...

Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
        at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120)
        ... 86 more
Caused by: java.lang.SecurityException: Can't read cryptographic policy directory: unlimited
        at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:326)
        at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
        at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
        ... 86 more
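
The innermost exception names the JCE policy directory "unlimited", so a start-up gate can test that directory directly instead of sleeping for a fixed time. The sketch below is an added example, not part of the original post or of Tomcat. It assumes the JDK 9+ layout $JAVA_HOME/conf/security/policy/<name>, its function names are hypothetical, and it only detects the unreadable directory without explaining why it is unreadable.

```shell
# Added example (not from the original post). Gate for rc.local: wait until
# the JCE policy directory is a readable directory holding at least one
# readable *.policy file. Path layout is the JDK 9+ default (assumption).

# policy_dir_ready DIR -> 0 if DIR passes the checks, 1 otherwise
policy_dir_ready() {
    local dir=$1 f
    [ -d "$dir" ] && [ -r "$dir" ] && [ -x "$dir" ] || return 1
    for f in "$dir"/*.policy; do
        # An unmatched glob stays literal and fails the -f test.
        [ -f "$f" ] && [ -r "$f" ] && return 0
    done
    return 1
}

# wait_for_crypto_policy JAVA_HOME [POLICY] [TIMEOUT_SECONDS]
# Returns 0 as soon as the directory is ready, 1 once the timeout is reached.
wait_for_crypto_policy() {
    local java_home=$1 policy=${2:-unlimited} timeout=${3:-120}
    local dir="$java_home/conf/security/policy/$policy"
    local waited=0
    while ! policy_dir_ready "$dir"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "crypto policy dir not readable after ${timeout}s: $dir" >&2
            # Record ownership and mode for later diagnosis, if it exists.
            ls -ld "$dir" >&2 2>/dev/null || true
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "crypto policy dir ready after ${waited}s: $dir"
    return 0
}

# Usage in rc.local (the start command is site-specific and not shown):
#   wait_for_crypto_policy "$JAVA_HOME" unlimited 180 || exit 1
```

Run it as the same user that runs Tomcat, since readability is evaluated for the calling user. A non-zero return is also a usable signal for failing the instance health check before Tomcat is started.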

