[PJUG Javamail] Having security (SSL) issues moving tomcat from one host computer to another
bill.jackson at oracle.com
Tue Sep 11 22:55:42 UTC 2007
What is the JDK/JRE version you're using on the new system? Looking
at the stack trace below, Signature.getInstance (which even has a
special case for NONEwithRSA) should be finding
sun.security.rsa.RSASignature, which is in jre/lib/rt.jar. This
suggests that the provider is just not being registered; can you paste
the "security.provider" property list from
jre/lib/security/java.security? One of the providers should be
"sun.security.rsa.SunRsaSign". You could also diff that file between
the two systems...
Joe Hoffman wrote:
> Good point, I agree, you would expect the client to simply be prompted
> to accept the non-matching cert.
> Idea #2: The server.xml file was changed. Did you diff them?
> Idea #3: You had something running on the other box which provided an
> RSA Private key impl, which was being used by Tomcat.
> Sorry, I'm out of ideas.
> </bad ideas>
> On Sep 11, 2007, at 3:09 PM, Rob Tanner wrote:
>> The issue with the host names should be a non-issue with regard to
>> the problem I'm currently having. I've dealt with that issue a
>> number of times when moving systems around and all that happens is
>> that the browser brings up a dialog box with an option to accept the
>> non-matching certificate either for the single session or permanently.
>> I set the log level to debug in log4j.properties and now I
>> actually have an error log to share. But, it makes no sense to me
>> because I am using (as far as I can tell) an identical runtime on
>> both the original host machine and the machine I'm moving over to.
>> And the key file on both machines is identical (did an md5hash
>> just to make sure). Unfortunately, I'm dealing here in an area
>> outside of my expertise and so I have no idea what the real problem
>> might be.
>> Do these stack traces ring any bells?
>> DEBUG http-10.171.255.17-443-Processor25
>> org.apache.tomcat.util.net.PoolTcpEndpoint - Handshake failed
>> javax.net.ssl.SSLException: Error generating DH server key exchange
>> at java.lang.Thread.run(Thread.java:595)
>> Caused by: java.security.InvalidKeyException: No installed provider
>> supports this key: sun.security.rsa.RSAPrivateCrtKeyImpl
>> at java.security.Signature.initSign(Signature.java:503)
>> ... 11 more
>> Caused by: java.security.NoSuchAlgorithmException: NONEwithRSA
>> Signature not available
>> at java.security.Signature.getInstance(Signature.java:208)
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> at java.lang.Class.newInstance0(Class.java:350)
>> at java.lang.Class.newInstance(Class.java:303)
>> at java.security.Provider$Service.newInstance(Provider.java:1075)
>> ... 15 more
>> Joe Hoffman said the following on 09/11/2007 11:05 AM:
>>> I assume your SSL certs are for a specific host. If self generated,
>>> just generate them again. If they are real certs (From a CA), then
>>> you'll have to have them generated again for the new hostname.
>>> On Sep 11, 2007, at 10:51 AM, Rob Tanner wrote:
>>>> I'm wondering if anyone has ever seen this and how did they fix it. I
>>>> have a production tomcat server (v5.5.23) that I need to move to
>>>> another host system. I copied over the full installation and made
>>>> sure I was using the same version of the runtime (jdk1.5.0_03).
>>>> But when I try to access a secured page on the new host I get the
>>>> following error:
>>>> >> Firefox can’t connect securely to <sitename> because the site
>>>> uses a security protocol which isn’t enabled.
>>>> All of the jar files I use are in jre/lib/ext and they are the same
>>>> between both servers. Any ideas?
>>>> -- Rob
>>>> Web Site - http://www.pjug.org/
>>>> Javamail mailing list
>>>> Javamail at pjug.org <mailto:Javamail at pjug.org>
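The java.security comparison suggested in the reply at the top of this message, as an added example (not code from the thread or from any poster): a Python script that extracts the active `security.provider.N` entries from two copies of the file and reports what differs, including whether `sun.security.rsa.SunRsaSign` is registered. The sample file contents are constructed, and the script assumes the JRE reads entries from 1 upward and stops at the first missing number.

```python
import re

# Matches active (uncommented) entries such as
#   security.provider.2=sun.security.rsa.SunRsaSign
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")
REQUIRED = "sun.security.rsa.SunRsaSign"  # provider named in the reply

def effective_providers(text):
    """Return (registered, ignored) provider classes for one java.security file."""
    numbered = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # lines starting with '#' never match
        if m:
            numbered[int(m.group(1))] = m.group(2)
    # Assumption: entries are read from 1 upward and reading stops at the
    # first missing number, so anything after a gap is never registered.
    ordered, n = [], 1
    while n in numbered:
        ordered.append(numbered[n])
        n += 1
    ignored = [numbered[k] for k in sorted(numbered) if k >= n]
    return ordered, ignored

def compare(old_text, new_text):
    """Summarise provider differences between two java.security files."""
    old, _ = effective_providers(old_text)
    new, ignored = effective_providers(new_text)
    return {
        "missing_on_new": [p for p in old if p not in new],
        "extra_on_new": [p for p in new if p not in old],
        "ignored_after_gap": ignored,
        "order_differs": [p for p in old if p in new] != [p for p in new if p in old],
        "rsa_sign_registered": REQUIRED in new,
    }

# Constructed sample input: the old host has a full list, the new host
# has entry 2 commented out, which leaves a gap in the numbering.
OLD_HOST = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
"""
NEW_HOST = OLD_HOST.replace("security.provider.2", "#security.provider.2")

if __name__ == "__main__":
    for key, value in compare(OLD_HOST, NEW_HOST).items():
        print(f"{key}: {value}")
```

In the constructed case a plain `diff` would show one commented-out line, while the report shows that the two entries after the gap are also not registered.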