[PJUG Javamail] Having security (SSL) issues moving tomcat from one host computer to another
Bill Jackson
bill.jackson at oracle.com
Tue Sep 11 22:55:42 UTC 2007
Hi Rob,
What is the JDK/JRE version you're using on the new system? Looking
at the stack trace below, Signature.getInstance (which even has a
special case for NONEwithRSA) should be finding
sun.security.rsa.RSASignature, which is in jre/lib/rt.jar. This
suggests that the provider is just not being registered; can you paste
the "security.provider" property list from
jre/lib/security/java.security? One of the providers should be
"sun.security.rsa.SunRsaSign". You could also diff that file between
the two systems...
Cheers,
-Bill
Joe Hoffman wrote:
> Rob,
>
> Good point, I agree, you would expect the client to simply be prompted
> to accept the non-matching cert.
>
> Idea #2: The server.xml file was changed. Did you diff them?
>
> Idea #3: You had something running on the other box which provided an
> RSA Private key impl, which was being used by Tomcat.
>
> Sorry, I'm out of ideas.
>
> </bad ideas>
>
> joe
>
>
> On Sep 11, 2007, at 3:09 PM, Rob Tanner wrote:
>
>> Joe,
>>
>> The issue with the host names should be a non-issue with regard to
>> the problem I'm currently having. I've dealt with that issue a
>> number of times when moving system around and all that happens is
>> that the browser brings up a dialog box with an option to accept the
>> non-matching certificate either for the single session or permanently.
>>
>> I set the log level to debug in log4j.properties and now I
>> actually have an error log to share. But, it makes no sense to me
>> because I am using (as far as I can tell) an identical runtime on
>> both the original host machine and the machine I'm moving over to.
>> And the key file on both machines is identical (did an md5hash
>> just to make sure). Unfortunately, I'm dealing here in an area
>> outside of my expertise and so I have no idea what the real problem
>> might be.
>>
>> Do these stack traces ring any bells?
>>
>>
>> DEBUG http-10.171.255.17-443-Processor25 org.apache.tomcat.util.net.PoolTcpEndpoint - Handshake failed
>> javax.net.ssl.SSLException: Error generating DH server key exchange
>>     at com.sun.net.ssl.internal.ssl.Handshaker.throwSSLException(Handshaker.java:907)
>>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:556)
>>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
>>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
>>     at java.lang.Thread.run(Thread.java:595)
>> Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPrivateCrtKeyImpl
>>     at java.security.Signature$Delegate.chooseProvider(Signature.java:1059)
>>     at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
>>     at java.security.Signature.initSign(Signature.java:503)
>>     at com.sun.net.ssl.internal.ssl.HandshakeMessage$DH_ServerKeyExchange.<init>(HandshakeMessage.java:671)
>>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:550)
>>     ... 11 more
>> Caused by: java.security.NoSuchAlgorithmException: NONEwithRSA Signature not available
>>     at java.security.Signature.getInstance(Signature.java:208)
>>     at com.sun.net.ssl.internal.ssl.JsseJce.getSignature(JsseJce.java:104)
>>     at com.sun.net.ssl.internal.ssl.RSASignature.<init>(RSASignature.java:45)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
>>     at java.lang.Class.newInstance0(Class.java:350)
>>     at java.lang.Class.newInstance(Class.java:303)
>>     at java.security.Provider$Service.newInstance(Provider.java:1075)
>>     at java.security.Signature$Delegate.newInstance(Signature.java:941)
>>     at java.security.Signature$Delegate.chooseProvider(Signature.java:1035)
>>     ... 15 more
>>
>>
>>
>> Joe Hoffman said the following on 09/11/2007 11:05 AM:
>>> Rob,
>>>
>>> I assume your SSL certs are for a specific host. If self generated,
>>> just generate them again. If they are real certs (From a CA), then
>>> you'll have to have them generated again for the new hostname.
>>>
>>> </guess>
>>>
>>> joe
>>>
>>> On Sep 11, 2007, at 10:51 AM, Rob Tanner wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm wondering if anyone has ever seen this and how they fixed it. I
>>>> have a production tomcat server (v5.5.23) that I need to move to
>>>> another host system. I copied over the full installation and made
>>>> sure I was using the same version of the runtime (jdk1.5.0_03).
>>>> But when I try to access a secured page on the new host I get the
>>>> following error:
>>>>
>>>> >> Firefox can’t connect securely to <sitename> because the site
>>>> uses a security protocol which isn’t enabled.
>>>>
>>>> All of the jar files I use are in jre/lib/ext and they are the same
>>>> between both servers. Any ideas?
>>>>
>>>> -- Rob
>>>>
>>>>
>>>> _______________________________________________
>>>> Web Site - http://www.pjug.org/
>>>> Javamail mailing list
>>>> Javamail at pjug.org <mailto:Javamail at pjug.org>
>>>> http://www.pjug.org/mailman/listinfo/javamail
>>>
>>
>
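As an added diagnostic (not code from this thread or from Tomcat/JSSE), the following Java program walks the same lookup path the stack trace shows: it lists the registered providers in the order java.security installs them, checks whether any provider offers the NONEwithRSA Signature that JsseJce.getSignature() asks for, and then runs initSign with a freshly generated RSA private key, which is the step that raised the InvalidKeyException. The class name RsaProviderCheck is my own; run it with the same JRE Tomcat uses on each host and diff the output.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/** Reproduces the provider lookup that JSSE performs for the DH_ServerKeyExchange signature. */
public class RsaProviderCheck {

    /** Returns the first registered provider offering Signature/alg, or null if none does. */
    static Provider findSignatureProvider(String alg) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", alg) != null) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Mirrors the security.provider.N lines in jre/lib/security/java.security.
        // Order matters: the first provider that supports the algorithm and key wins.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = " + providers[i].getClass().getName());
        }

        // JSSE's RSASignature constructor calls Signature.getInstance("NONEwithRSA");
        // without sun.security.rsa.SunRsaSign registered, this is what fails in the trace.
        for (String alg : new String[] {"NONEwithRSA", "SHA1withRSA", "MD5withRSA"}) {
            Provider p = findSignatureProvider(alg);
            System.out.println(alg + " -> " + (p == null ? "NOT AVAILABLE" : p.getName()));
        }

        // Exercise the exact failing step: initSign with an RSA (CRT) private key.
        // RSA key generation also lives in SunRsaSign, so it fails the same way if the provider is missing.
        try {
            KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
            Signature s = Signature.getInstance("NONEwithRSA");
            s.initSign(kp.getPrivate());
            System.out.println("initSign OK via provider " + s.getProvider().getName());
        } catch (GeneralSecurityException e) {
            System.out.println("FAIL: " + e + " -- check that sun.security.rsa.SunRsaSign is listed in java.security");
        }
    }
}
```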