Hi Thomas,

On 6/13/2023 2:08 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
Hello Jerry,

-----Original Message-----
From: Jerry Malcolm <techst...@malcolms.com>
Sent: Tuesday, 13 June 2023 08:50
To: users@tomcat.apache.org
Subject: Crypto Randomly Not Getting Initialized

I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon
Linux2 in a production environment.  A couple of years ago, we started
getting weird errors that the "Crypto Mechanism" failed to initialize. Through
a lot of trial and error, and reasons I don't quite remember, we put a 2-min
delay in rc.local before starting Tomcat, and the problem went away.  I'm
not a Linux nor a crypto guru.  But we traced it to some crypto file that we
assumed was not available until later in the Linux boot sequence.  Anyway,
the 2 minute delay made it go away, for over two years.  Then all of a sudden
in the last day or so, it's back with a vengeance.  It fails with the same crypto
error from 2 years ago in about 50% of the EC2 boot ups.  I tried bumping the
wait to 3 min, and no change.

I need help.  Our whole production environment is unstable now since every
time an ASG brings a new instance online, I've got a 50-50 chance that
tomcat is going to die (and the health check doesn't catch it, but that's a
different issue).

There are no errors in the Tomcat boot sequence logs.  But the first time and
every subsequent time I try to get a connection from the DataSource pool, I
get the stack dump shown below.

I figure it has to be a timing/race condition.  But I have no clue what to do to
fix it.  I'm baffled that it worked for two years, and now fails every other
time I start an instance.  And every instance is running copies of the exact
same Amazon Machine Image.  The same EC2 will come up clean 50% of the
time the next time it boots.

Can somebody with Tomcat/Crypto/Linux knowledge unravel what's going
on here?  Thx

java.lang.ExceptionInInitializerError
          at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
          at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
          at java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.java:509)
          at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:498)
          at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81)
          at java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:65)
          at java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuites(SSLContextImpl.java:348)
          at java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:580)
          at java.base/java.lang.Class.forName0(Native Method)
          at java.base/java.lang.Class.forName(Class.java:315)
...

          at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:948)
          at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)
          at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:448)
          at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
          at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:198)
          at org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:52)
          at org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:415)
          at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:111)
          at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:649)
          at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:532)
          at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:731)
          at jwm.db.DBData.getConnection(DBData.java:506)   //// my call to get a db connection from connection pool ////

...

Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
          at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120)
          ... 86 mo
Caused by: java.lang.SecurityException: Can't read cryptographic policy directory: unlimited
          at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:326)
          at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
          at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
          at java.base/java.security.AccessController.doPrivileged(Native Method)
          at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
          ... 86 more


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Could it be this issue?
https://github.com/docker-library/openjdk/issues/101

Maybe you can add information about the used jdk and whether you are using containers.

Greetings,
Thomas
I'm running Java 11.0.16.  No Docker or other containers.  Just straight Tomcat running standalone.  The github link refers to a Java 9 / Docker issue.  I guess it could be related.  But I'm not sure due to different environments, and my situation only fails half the time.  Thx
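As an added example, not code from either poster: the "Can't read cryptographic policy directory" text in the trace is raised by the JDK (9 and later) when `<java.home>/conf/security/policy/<crypto.policy>` is not a readable directory, so a boot script can test that condition and log which state it found instead of sleeping for a fixed time. The function names, the `--wait` switch and the 180-second default are assumptions; the thread does not establish why the directory was unreadable on these instances.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Inspects the directory that
# javax.crypto.JceSecurity checks at class initialisation on JDK 9+:
#   $JAVA_HOME/conf/security/policy/<crypto.policy>

# policy_dir_status JAVA_HOME [POLICY]
# Prints a one-word state; returns 0 only when the state is "ok".
policy_dir_status() {
    dir="$1/conf/security/policy/${2:-unlimited}"
    if [ ! -e "$dir" ]; then echo missing; return 1; fi
    if [ ! -d "$dir" ]; then echo not-a-directory; return 1; fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then echo unreadable; return 1; fi
    # The JDK then loads the default_*.policy files found inside it.
    for f in "$dir"/default_*.policy; do
        if [ -r "$f" ]; then echo ok; return 0; fi
    done
    echo no-policy-files
    return 1
}

# wait_for_policy_dir JAVA_HOME TIMEOUT_SECONDS [POLICY]
# Polls once per second; reports the last observed state on timeout.
wait_for_policy_dir() {
    waited=0
    until status=$(policy_dir_status "$1" "$3"); do
        if [ "$waited" -ge "$2" ]; then
            echo "policy dir still $status after ${waited}s" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "policy dir ok after ${waited}s"
}

# Hypothetical boot-script use:  sh this-file --wait /path/to/jdk 180
if [ "${1:-}" = "--wait" ]; then
    wait_for_policy_dir "$2" "${3:-180}"
fi
```

Run it as the same user that starts Tomcat, since the readability test depends on that account's permissions.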