Why is tomcat having trouble loading a self signed SSL certificate? - ssl

I'm having trouble getting Tomcat to load a self-signed certificate. I followed the instructions at this site to the letter, modified my connectors in the server.xml file, and added the security constraint to my tomcat.conf file. The following is the output of my catalina.out:
Using CATALINA_BASE: /usr/share/tomcat5
Using CATALINA_HOME: /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME: /usr/lib/jvm/jre
Created MBeanServer with ID: -hnoxxr:gj0olj3z.0:s15425714.domainepardefaut.fr:1
17-Jan-11 2:13:25 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib64/gcj-4.1.2
17-Jan-11 2:13:25 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8081
17-Jan-11 2:13:26 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore
java.security.KeyStoreException: JKS
at java.security.KeyStore.getInstance(libgcj.so.7rh)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.init(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:26 AM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint
java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.init(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:26 AM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.catalina.connector.Connector.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:26 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 744 ms
17-Jan-11 2:13:26 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
17-Jan-11 2:13:26 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
17-Jan-11 2:13:26 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
17-Jan-11 2:13:26 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive myapp.war
17-Jan-11 2:13:26 AM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/usr/share/tomcat5/webapps/myapp/WEB-INF/lib/servlet.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
17-Jan-11 2:13:27 AM org.apache.catalina.startup.TldConfig lifecycleEvent
SEVERE: Error processing TLD files for context path /myapp
javax.servlet.ServletException: Exception processing TLD at resource path /WEB-INF/struts-tiles.tld in context /myapp
at org.apache.catalina.startup.TldConfig.tldScanTld(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.execute(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardContext.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChildInternal(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployWAR(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployWARs(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployApps(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardEngine.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:29 AM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/usr/share/tomcat5/webapps/ROOT/WEB-INF/lib/servlet.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
17-Jan-11 2:13:29 AM org.apache.catalina.startup.TldConfig lifecycleEvent
SEVERE: Error processing TLD files for context path
javax.servlet.ServletException: Exception processing TLD at resource path /WEB-INF/struts-tiles.tld in context
at org.apache.catalina.startup.TldConfig.tldScanTld(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.execute(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardContext.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChildInternal(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployDirectory(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployDirectories(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployApps(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardEngine.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8081
17-Jan-11 2:13:31 AM org.apache.catalina.connector.MapperListener init
INFO: Registering Hosts
17-Jan-11 2:13:31 AM org.apache.catalina.connector.MapperListener init
INFO: Registering WebModule Contexts
17-Jan-11 2:13:31 AM org.apache.catalina.connector.MapperListener init
INFO: Registering Servlets
17-Jan-11 2:13:31 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore
java.security.KeyStoreException: JKS
at java.security.KeyStore.getInstance(libgcj.so.7rh)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.coyote.http11.Http11Protocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.coyote.http11.Http11Protocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.catalina.connector.Connector.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 5535 ms
I did a port scan after I started Tomcat. The standard port is up along with 8005, but the SSL port doesn't exist. Am I missing a step somewhere?

I guess you are using Tomcat 5.5 compiled with gcj, on some Linux distribution (Debian or Ubuntu?) with java-1.5.0-gcj. You can find some on-topic help here:
https://bugzilla.redhat.com/show_bug.cgi?id=238613
Check that the keystore indicated in the exception message is actually present, and that it is in JKS format. Or point the keystoreFile attribute in your server.xml to the cacerts file provided with your JVM (if my guess was right, it should be /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts) and import your self-signed certificate there.
The stock cacerts file has the default password changeit.
However, I suggest you use the Sun JVM or an openjdk-1.6.0 that comes with your distro, in order to avoid a lot of hassle, in particular if it is one of your first SSL deploys.
Edit:
Let me append here my working configuration:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/pki/java/cacerts"
           keystorePass="changeit" keystoreType="JKS"
           keyAlias="tomcat"
/>
In the /etc/pki/java/cacerts keystore, I generated a keypair with:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/pki/java/cacerts
Note: if you don't specify the key alias in server.xml, the first keypair found in the keystore is used.
Important note: the keystore password MUST be the same as the private key password!

You are trying to use a JKS format key store. This format was defined by Sun, and is not supported by GNU Classpath.
GNU Classpath might support a "PKCS12" key store (because it is a standard, unlike JKS). A new command in the keytool utility from a Java 6 runtime will allow you to "import" an existing JKS key store into a new PKCS #12 key store. Of course, GNU Classpath can't perform this conversion either, but if you use an OpenJDK product to do the conversion, the resulting store might work with GNU Classpath at run time.
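An added example (my code, not from the answers, the JDK or Tomcat) that performs the checks both answers ask for offline, following the JKS layout of the JDK's JavaKeyStore and KeyProtector classes: detect_format tells JKS (magic 0xFEEDFEED) from PKCS#12, inspect_jks lists the aliases (Tomcat's keyAlias must be one of them) and verifies the store password against the trailing SHA-1 digest, and recover_key unwraps a private-key entry with the key password, failing where Java reports "Cannot recover key" when the two passwords differ. The sample store, the stand-in key and certificate bytes, and the rule that a leading DER SEQUENCE byte means PKCS#12 are constructed assumptions here.

```python
"""Offline JKS keystore inspector (no JVM). Layout follows the JDK's JavaKeyStore and
KeyProtector classes: magic 0xFEEDFEED, alias entries, a SHA-1 store digest keyed by the
store password, and private keys wrapped under the key password ("Cannot recover key")."""
import hashlib
import struct

JKS_MAGIC = b"\xfe\xed\xfe\xed"
STORE_DIGEST_SALT = b"Mighty Aphrodite"                    # fixed string in the store digest
KEY_PROTECTOR_OID = bytes.fromhex("2b060104012a02110101")   # 1.3.6.1.4.1.42.2.17.1.1

def _der_read(buf, pos):                   # (payload_start, payload_end) of the DER TLV at pos
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                           # long length form, as real RSA keys need
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return pos, pos + n

def _keystream(pw, salt, length):          # KeyProtector: chained SHA-1(password || prev digest)
    out, digest = b"", salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return out[:length]

def protect_key(pkcs8_key, password, salt):   # wrap a key as keytool does; short DER lengths only
    pw = password.encode("utf-16-be")      # the JDK hashes UTF-16BE code units
    body = bytes(a ^ b for a, b in zip(pkcs8_key, _keystream(pw, salt, len(pkcs8_key))))
    inner = salt + body + hashlib.sha1(pw + pkcs8_key).digest()
    alg = b"\x30\x0e\x06\x0a" + KEY_PROTECTOR_OID + b"\x05\x00"      # AlgorithmIdentifier: OID, NULL
    return b"\x30" + bytes([len(alg) + 2 + len(inner)]) + alg + b"\x04" + bytes([len(inner)]) + inner

def recover_key(encrypted_key_info, password):   # ValueError here means a wrong key password
    seq, _ = _der_read(encrypted_key_info, 0)                  # EncryptedPrivateKeyInfo
    _, alg_end = _der_read(encrypted_key_info, seq)            # skip AlgorithmIdentifier
    s, e = _der_read(encrypted_key_info, alg_end)              # OCTET STRING: salt|body|check
    raw = encrypted_key_info[s:e]
    salt, body, check = raw[:20], raw[20:-20], raw[-20:]
    pw = password.encode("utf-16-be")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(pw, salt, len(body))))
    if hashlib.sha1(pw + plain).digest() != check:
        raise ValueError("Cannot recover key: key password does not match")
    return plain

def _utf(s):                               # DataOutputStream.writeUTF for ASCII strings
    return struct.pack(">H", len(s)) + s.encode("ascii")

def _cert(der):                            # version-2 cert record: type, length, bytes
    return _utf("X.509") + struct.pack(">I", len(der)) + der

def build_jks(store_password, key_entries, cert_entries):   # constructs a store (sample only)
    out = JKS_MAGIC + struct.pack(">II", 2, len(key_entries) + len(cert_entries))
    for alias, enc, chain in key_entries:                   # tag 1, alias, timestamp, key, chain
        out += struct.pack(">I", 1) + _utf(alias) + struct.pack(">QI", 0, len(enc)) + enc
        out += struct.pack(">I", len(chain)) + b"".join(_cert(c) for c in chain)
    for alias, der in cert_entries:                          # tag 2, alias, timestamp, cert
        out += struct.pack(">I", 2) + _utf(alias) + struct.pack(">Q", 0) + _cert(der)
    digest = hashlib.sha1(store_password.encode("utf-16-be") + STORE_DIGEST_SALT + out).digest()
    return out + digest

def detect_format(data):                   # assumption: a PKCS#12 PFX starts with a DER SEQUENCE
    if data[:4] == JKS_MAGIC:
        return "JKS"
    return "PKCS12" if data[:1] == b"\x30" else "unknown"

def _skip_cert(data, pos):
    (tlen,) = struct.unpack_from(">H", data, pos)
    (clen,) = struct.unpack_from(">I", data, pos + 2 + tlen)
    return pos + 2 + tlen + 4 + clen

def inspect_jks(data, store_password):
    """List entries (aliases, wrapped keys) and verify the store password."""
    fmt = detect_format(data)
    if fmt != "JKS":
        raise ValueError("not a JKS keystore (looks like %s)" % fmt)
    version, count = struct.unpack_from(">II", data, 4)
    pos, entries = 12, []
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", data, pos)
        alias = data[pos + 6:pos + 6 + alen].decode("utf-8")
        pos += 6 + alen + 8                                   # skip the creation timestamp
        if tag == 1:                                          # PrivateKeyEntry
            (klen,) = struct.unpack_from(">I", data, pos)
            enc, pos = data[pos + 4:pos + 4 + klen], pos + 4 + klen
            (nchain,), pos = struct.unpack_from(">I", data, pos), pos + 4
            for _ in range(nchain):
                pos = _skip_cert(data, pos)
            entries.append({"alias": alias, "type": "PrivateKeyEntry", "encrypted_key": enc})
        elif tag == 2:                                        # trustedCertEntry
            pos = _skip_cert(data, pos)
            entries.append({"alias": alias, "type": "trustedCertEntry"})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    digest = hashlib.sha1(store_password.encode("utf-16-be") + STORE_DIGEST_SALT + data[:pos]).digest()
    return {"version": version, "entries": entries, "store_password_ok": digest == data[pos:pos + 20]}

def sample_store():   # constructed: key entry "tomcat" + trusted cert "root", both passwords changeit
    fake_key = bytes(range(1, 46))                # stand-in for a 45-byte PKCS#8 blob
    fake_cert = b"\x30\x03\x02\x01\x01"           # stand-in for a DER certificate
    enc = protect_key(fake_key, "changeit", bytes(range(20)))
    return build_jks("changeit", [("tomcat", enc, [fake_cert])], [("root", fake_cert)])
```

inspect_jks(sample_store(), "changeit") reports both aliases with store_password_ok True, and recover_key(entry["encrypted_key"], key_password) raises ValueError for any password other than the one given at -genkey, which is the mismatch the note above about keystore and key passwords warns about. On a real file, read it in binary mode and pass the bytes to detect_format first; a PKCS#12 file is rejected by inspect_jks with a message naming the detected format.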

You are running GNU CLASSPATH, not Java. Remove it and install a JDK.

If you are using the GNU JVM and keytool, you can add the following options to the Tomcat connector in server.xml in order to get it to work:
keystoreType="gkr"
algorithm="JessieX509"
The algorithm is mentioned at http://developer.classpath.org/doc/javax/net/ssl/KeyManagerFactory.html#getDefaultAlgorithm:

Related

Kafka broker client on Websphere unable to access JKS file

I am trying to run a Kafka producer client to publish some messages to the Kafka broker. I have given the path to the keystore/truststore along with the password. I was able to send the message to the broker when I deployed this on Apache Tomcat. However, when I tried to deploy the same application on WebSphere, I get the error "Failed to load SSL keystore". I have given those directories read/write/execute permission. Is there something with WebSphere that needs different configuration/settings?
Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /home/avaya/tcr/uc-ivr-nar-dev.dbplatform.portal.com.jks of type JKS
at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSSLContext(SslEngineBuilder.java:160)
at org.apache.kafka.common.security.ssl.SslEngineBuilder.<init>(SslEngineBuilder.java:102)
at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:93)
at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:71)
... 37 more
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /home/avaya/tcr/uc-ivr-nar-dev.dbplatform.portal.com.jks of type JKS
at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:289)
at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSSLContext(SslEngineBuilder.java:142)
... 40 more
Caused by: java.nio.file.AccessDeniedException: /home/avaya/tcr/uc-ivr-nar-dev.dbplatform.portal.com.jks
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:96)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:114)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:119)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:226)
at java.nio.file.Files.newByteChannel(Files.java:372)
at java.nio.file.Files.newByteChannel(Files.java:418)
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:395)
at java.nio.file.Files.newInputStream(Files.java:163)
at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:282)
... 41 more
OpenJDK for some reason does not like JKS keystore files. Converted to PKCS12 format and it worked. Nothing to do with the WebSphere container.

Cannot access localhost:8443/ejbca

I'm new to EJBCA and I have to install it on a virtual machine for work.
Ubuntu 20.04
ejbca_7_4_3_2
wildfly-18.0.0.Final
mariadb-server version: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
openjdk version "1.8.0_312"
Apache Ant(TM) version 1.10.7 compiled on October 24 2019
After a few tries (and a lot of virtual machines cloned and deleted), I finally got the "build successfully" message with the commands ant runinstall and ant deploy-keystore.
But when I try to use the URL https://localhost:8443/ejbca/ (the certificate SuperAdmin.p12 is installed), my browser (Firefox 96.0, 64-bit) gives the message:
An error occurred during a connection to localhost:8443. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I have these errors in my log file; the first one is related to ant -q clean deployear,
and the last appears every time I try to access the URL https://localhost:8443/ejbca/:
ERROR [org.jboss.as.jsf] (MSC service thread 1-1) WFLYJSF0002: Could not load JSF managed bean class: org.ejbca.ui.web.admin.peerconnector.PeerConnectorMBean
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1020)
at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:727)
at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception
Sounds like a TLS configuration issue. You will find the TLS configuration you did when configuring WildFly in the commands you ran, like:
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",trust-manager=httpsTM,need-client-auth=true)'
The result is somewhere in standalone.xml in WildFly, and you can modify it directly in WildFly, for example if you have EC keys in the server certificate while using the above RSA algorithm selection.
In server.log you should also see, when WildFly starts up, if there are any errors in parsing the values or keystores.
Make sure that your server and client certificates have keys and algorithms that match the TLS algorithm settings, otherwise WildFly will remove those algorithms.

Apache Kafka doesn't start after SSL configuration

I have Apache Kafka (v. 2.13-3.0.0) installed on a remote Ubuntu server.
I followed this tutorial to secure my cluster:
https://medium.com/egen/securing-kafka-cluster-using-sasl-acl-and-ssl-dec15b439f9d
but when I try to start Kafka with the JAAS conf file using the commands:
export KAFKA_OPTS=-Djava.security.auth.login.config=<kafka-binary-dir>/config/kafka_server_jaas.conf
./bin/kafka-server-start.sh ./config/server.properties
I receive the error:
[2021-11-12 10:30:47,864] INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
[2021-11-12 10:30:48,089] INFO Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation (org.apache.zookeeper.common.X509Util)
[2021-11-12 10:30:48,099] ERROR Exiting Kafka due to fatal exception (kafka.Kafka$)
java.lang.ClassNotFoundException: kafka.security.auth.SimpleAclAuthorizer
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:398)
at org.apache.kafka.common.utils.Utils.loadClass(Utils.java:417)
at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:406)
at kafka.security.authorizer.AuthorizerUtils$.createAuthorizer(AuthorizerUtils.scala:31)
at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1583)
at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1394)
at kafka.Kafka$.buildServer(Kafka.scala:67)
at kafka.Kafka$.main(Kafka.scala:87)
at kafka.Kafka.main(Kafka.scala)
This is the SSL config in the server.properties file:
########### SECURITY using SCRAM-SHA-512 and SSL
listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
advertised.listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
security.inter.broker.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=
ssl.client.auth=required
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=SCRAM-SHA-512
# Broker security settings
ssl.truststore.location=/home/kafka/Downloads/kafka_2.13-3.0.0/config/truststore/kafka.truststore.jks
ssl.truststore.password=giuseppe
ssl.keystore.location=/home/kafka/Downloads/kafka_2.13-3.0.0/config/keystore/kafka.keystore.jks
ssl.keystore.password=giuseppe
ssl.key.password=giuseppe
# ACLs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
#zookeeper SASL
zookeeper.set.acl=false
########### SECURITY using SCRAM-SHA-512 and SSL
If I comment out the 2 rows of ACL, I receive the error:
[2021-11-12 11:05:29,301] INFO [ThrottledChannelReaper-ControllerMutation]: Starting (kafka.server.ClientQuotaManager$ThrottledChannelReaper)
[2021-11-12 11:05:29,331] ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: Failed to acquire lock on file .lock in /tmp/kafka-logs. A Kafka instance in another process or thread is using this directory.
at kafka.log.LogManager.$anonfun$lockLogDirs$1(LogManager.scala:241)
at scala.collection.StrictOptimizedIterableOps.flatMap(StrictOptimizedIterableOps.scala:117)
at scala.collection.StrictOptimizedIterableOps.flatMap$(StrictOptimizedIterableOps.scala:104)
at scala.collection.mutable.ArraySeq.flatMap(ArraySeq.scala:37)
at kafka.log.LogManager.lockLogDirs(LogManager.scala:236)
at kafka.log.LogManager.<init>(LogManager.scala:112)
at kafka.log.LogManager$.apply(LogManager.scala:1283)
at kafka.server.KafkaServer.startup(KafkaServer.scala:254)
at kafka.Kafka$.main(Kafka.scala:109)
at kafka.Kafka.main(Kafka.scala)
What is the cause? Could it be a wrong configuration?
Thanks.
Update:
Changing the row to:
# ACLs
authorizer.class.name=org.apache.kafka.server.authorizer.Authorizer
there is this error: org.apache.kafka.common.KafkaException: Could not find a public no-argument constructor for org.apache.kafka.server.authorizer.Authorizer at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:392)
I receive this new error:
[2021-11-12 16:51:57,613] ERROR Exiting Kafka due to fatal exception (kafka.Kafka$)
org.apache.kafka.common.KafkaException: Could not find a public no-argument constructor for org.apache.kafka.server.authorizer.Authorizer
at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:392)
at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:406)
at kafka.security.authorizer.AuthorizerUtils$.createAuthorizer(AuthorizerUtils.scala:31)
at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1583)
at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1394)
at kafka.Kafka$.buildServer(Kafka.scala:67)
at kafka.Kafka$.main(Kafka.scala:87)
at kafka.Kafka.main(Kafka.scala)
Caused by: java.lang.NoSuchMethodException: org.apache.kafka.server.authorizer.Authorizer.<init>()
at java.base/java.lang.Class.getConstructor0(Class.java:3508)
at java.base/java.lang.Class.getDeclaredConstructor(Class.java:2711)
at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:390)
... 7 more
It just seems that if you change kafka.security.auth.SimpleAclAuthorizer to kafka.security.authorizer.AclAuthorizer it should work; it worked for me.
Kafka 3.0 removed SimpleAclAuthorizer
Pull request - https://github.com/apache/kafka/commit/976e78e405d57943b989ac487b7f49119b0f4af4#diff-e0ccf1b5c964d2c303b6a69a8b8b67df5a6bfbae8aa514f580d353c4c6bf8e36
The blog seems to be using version 2.2.0.

Keycloak does not work on https after setting up SSL

I have a problem where I don't know why it happens.
I have Let's Encrypt certificates which I use to create a .pfx file:
openssl pkcs12 -export -out /tmp/certificate.pfx -inkey /etc/letsencrypt/live/ds-gym.de/privkey.pem -in /etc/letsencrypt/live/ds-gym.de/cert.pem -certfile /etc/letsencrypt/live/ds-gym.de/chain.pem
I set up Keycloak 8.0.1 as a service by following this tutorial (https://medium.com/#hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9) and it worked fine. Keycloak seems to set up a self-signed certificate, which is not what I want. First I set up Keycloak for SSL.
With the jboss-cli.sh file I do the following (described here: https://www.keycloak.org/docs/latest/server_installation/#setting-up-https-ssl):
/core-service=management/security-realm=UndertowRealm:add()
/core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-path=keycloak.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=secret)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=UndertowRealm)
Now my security realm looks like this:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/>
        </ssl>
    </server-identities>
</security-realm>
Now I import the certificate:
keytool -importkeystore -srckeystore /tmp/certificate.pfx -srcstoretype pkcs12 -destkeystore /opt/keycloak/standalone/configuration/keycloak.jks -deststoretype JKS
Then I restart Keycloak:
systemctl restart keycloak
Now I get the following error:
HTTP ERROR 502
You can also check the network tab of my website if that helps.
The Keycloak service is up and running; however, it seems it does not work on port 8443 anymore.
The listener looks like this:
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <http-invoker security-realm="ApplicationRealm"/>
    </host>
</server>
Any idea why this happens? Are my certificates wrong? I'm quite desperate with Keycloak already :-(
Edit:
This is my logged error:
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.UndertowRealm.key-manager" => "WFLYDM0018: Unable to start service
Caused by: java.security.UnrecoverableKeyException: Cannot recover key"}}
2019-12-23 19:12:57,421 INFO [org.jboss.as.server] (ServerService Thread Pool -- 43) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
2019-12-23 19:12:57,423 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service org.wildfly.core.management.security.realm.UndertowRealm.key-manager: WFLYDM0018: Unable to start service
WFLYCTL0448: 2 additional services are down due to their dependencies being missing or failed
2019-12-23 19:12:57,569 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
2019-12-23 19:12:57,578 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
2019-12-23 19:12:57,579 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
2019-12-23 19:12:57,580 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 8.0.1 (WildFly Core 10.0.3.Final) started (with errors) in 41093ms - Started 586 of 888 services (4 services failed or missing dependencies, 604 services are lazy, passive or on-demand)
It looks like the keystore is incorrectly generated. Check that:
You set the value of keystore-password to match the actual keystore password.
You set the alias root for the root certificate.
You set the alias yourdomain.com for the domain certificate.
Try to follow the steps exactly as described in the documentation.

Setting up secure cassandra cluster (java.lang.RuntimeException: Failed to setup secure pipeline at )

I have followed the steps mentioned on https://github.com/PatrickCallaghan/datastax-ssl-secure-cluster/blob/master/README.md for setting up a secure SSL cassandra cluster. I receive the same error as you "Failed to setup secure pipeline". I overrode my cassandra.yaml cipher suites as mentioned by the website and I still get the same error.
My cassandra.yaml looks like this:
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: ***/ssl/cassandra3_keystore.jks
    keystore_password: ****
    # require_client_auth: false
    # Set truststore and truststore_password if require_client_auth is true
    # truststore: conf/.truststore
    # truststore_password: cassandra
    # More advanced defaults below:
    # protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
Could someone guide me on what I could do?
Here is the full error trace:
Exception (java.lang.RuntimeException) encountered during startup: Failed to setup secure pipeline
java.lang.RuntimeException: Failed to setup secure pipeline
at org.apache.cassandra.transport.Server$AbstractSecureIntializer.<init>(Server.java:354)
at org.apache.cassandra.transport.Server$SecureInitializer.<init>(Server.java:411)
at org.apache.cassandra.transport.Server.start(Server.java:152)
at org.apache.cassandra.service.NativeTransportService$$Lambda$203.0000000040E88830.accept(Unknown Source)
at java.util.Collections$SingletonSet.forEach(Collections.java:4778)
at org.apache.cassandra.service.NativeTransportService.start(NativeTransportService.java:128)
at org.apache.cassandra.service.CassandraDaemon.startNativeTransport(CassandraDaemon.java:633)
at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:495)
at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:600)
at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:714)
Caused by: java.io.IOException: Error creating the initializing the SSL Context
at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:170)
at org.apache.cassandra.transport.Server$AbstractSecureIntializer.<init>(Server.java:350)
... 9 more
Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:171)
at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:12)
at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:146)
... 10 more
ERROR 15:36:01 Exception encountered during startup
java.lang.RuntimeException: Failed to setup secure pipeline
at org.apache.cassandra.transport.Server$AbstractSecureIntializer.<init>(Server.java:354) ~[apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.transport.Server$SecureInitializer.<init>(Server.java:411) ~[apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.transport.Server.start(Server.java:152) ~[apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.service.NativeTransportService$$Lambda$203.0000000040E88830.accept(Unknown Source) ~[na:na]
at java.util.Collections$SingletonSet.forEach(Collections.java:4778) ~[na:1.8.0-internal]
at org.apache.cassandra.service.NativeTransportService.start(NativeTransportService.java:128) ~[apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.service.CassandraDaemon.startNativeTransport(CassandraDaemon.java:633) [apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:495) [apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:600) [apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:714) [apache-cassandra-3.7.jar:3.7]
Caused by: java.io.IOException: Error creating the initializing the SSL Context
at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:170) ~[apache-cassandra-3.7.jar:3.7]
at org.apache.cassandra.transport.Server$AbstractSecureIntializer.<init>(Server.java:350) ~[apache-cassandra-3.7.jar:3.7]
... 9 common frames omitted
Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:171) ~[na:1.8.0-internal]
at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:12) ~[na:8.0 build_20150122]
at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:146) ~[apache-cassandra-3.7.jar:3.7]
... 10 common frames omitted
You can get round it by overriding the cipher suites for both the node-to-node and the client-to-node properties, e.g.
cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
This is because of the following problem in Oracle Java: http://www.pathin.org/tutorials/java-cassandra-cannot-support-tls_rsa_with_aes_256_cbc_sha-with-currently-installed-providers/
Once downloaded, you can copy the files to the correct library directory on your server, e.g.
scp * root@server:/usr/lib/jvm/java-7-oracle/jre/lib/security/
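Both traces above come down to what the JVM can do with the keystore: the Keycloak "UnrecoverableKeyException: Cannot recover key" is raised when a key entry's password differs from the keystore password (keytool -importkeystore without -destkeypass keeps the source entry's password, which for a PKCS12 source is the .pfx password, so it need not equal the configured keystore-password), and the Cassandra "SunX509 KeyManagerFactory not available" means the running JVM registers no KeyManagerFactory under that name. The diagnostic below is an added example, not code from either post or from Keycloak or Cassandra; it reproduces both checks against any JKS file, and the class name and command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;

// Added diagnostic (hypothetical class name). Usage, with placeholder path and passwords:
//   java KeystoreCheck /path/to/keycloak.jks <store-password> [<key-password>]
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] storePass = args[1].toCharArray();
        // WildFly's <keystore keystore-password=...> (with no key-password) and Cassandra's
        // keystore_password both use the store password for the key entries as well,
        // so that is what gets tested unless a separate key password is given.
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // a wrong store password fails here with an IOException
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("trusted certificate entry: " + alias);
                continue;
            }
            try {
                ks.getKey(alias, keyPass); // the call behind "Cannot recover key"
                System.out.println("key entry " + alias + ": key password matches");
            } catch (UnrecoverableKeyException e) {
                System.out.println("key entry " + alias + ": key password differs from the store"
                        + " password; align it with: keytool -keypasswd -alias " + alias
                        + " -keystore " + path);
            }
        }

        // Cassandra's SSLFactory requests "SunX509" unless algorithm is set in cassandra.yaml;
        // a JVM whose provider registers the factory under another name throws
        // NoSuchAlgorithmException. Print what this JVM actually offers.
        System.out.println("default KeyManagerFactory algorithm: "
                + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("available KeyManagerFactory algorithms: "
                + Security.getAlgorithms("KeyManagerFactory"));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass); // same initialisation the servers perform at startup
        System.out.println("KeyManagerFactory initialised with "
                + kmf.getKeyManagers().length + " key manager(s)");
    }
}
```

Run it with the same JVM that starts the server, since the available KeyManagerFactory names depend on that JVM's security providers.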