I'm trying to use HTTPS with APR on Debian (amd64/wheezy).
I successfully tested my keyfiles with openssl client and server.
Now, I'm struggling to make it work on TomEE.
My configuration is:
INFO: Server version: Apache Tomcat (TomEE)/7.0.62 (1.7.2)
INFO: JVM Version: 1.6.0_36-b36
INFO: Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.4.6.
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
The relevant sections of server.xml are:
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" SSLRandomSeed="/dev/urandom"/>
<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443" maxThreads="200"
    scheme="https"
    secure="true" SSLEnabled="true"
    SSLCertificateFile="test_cert.crt"
    SSLCertificateKeyFile="test_key.pem"
    SSLPassword="secret"
    SSLDisableCompression="true"
    SSLCipherSuite="kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !3DES !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !IDEA !SEED"
    SSLHonorCipherOrder="true"
    SSLVerifyClient="optional"
    SSLProtocol="TLSv1.2"/>
The server is unable to start using:
./startup.sh -security -Djava.security.debug=all
The errors are:
12-Nov-2015 16:05:30 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
12-Nov-2015 16:05:30 org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
java.lang.ExceptionInInitializerError
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:534)
    at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
    at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
    at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
    at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
    at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
    at sun.security.jca.Providers.getFullProviderList(Providers.java:170)
    at java.security.Security.getProviders(Security.java:457)
    at org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(JreMemoryLeakPreventionListener.java:407)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:677)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:622)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.security.util)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:399)
    at java.security.AccessController.checkPermission(AccessController.java:557)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at java.lang.ClassLoader$1.run(ClassLoader.java:354)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:352)
    at sun.security.pkcs11.SunPKCS11.<clinit>(SunPKCS11.java:63)
    ... 26 more
Did I forget something?
Any hint to debug this?
--
Fabien