Changing the keystore alias of the _default_ SSLHostConfig while running.


Daniel Skiles
Is it possible to change the keystore alias of the _default_
SSLHostConfig's certificate while tomcat is running?

At present, I'm trying to move the _default_ certificate from one
certificate in my keystore, to another.  I modify the server.xml, then I
call the reloadSslHostConfigs MBean operation.  The operation throws an
error that boils down to a jsse.alias_no_key_entry error that comes back
from the JVM.

Is this a technical limitation on SNI/SSLHostConfig, or am I missing
something here?

Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Christopher Schultz-2

Daniel,

On 9/10/20 09:09, Daniel Skiles wrote:

> Is it possible to change the keystore alias of the _default_
> SSLHostConfig's certificate while tomcat is running?
>
> At present, I'm trying to move the _default_ certificate from one
> certificate in my keystore, to another.  I modify the server.xml,
> then I call the reloadSslHostConfigs MBean operation.  The
> operation throws an error that boils down to a
> jsse.alias_no_key_entry error that comes back from the JVM.
>
> Is this a technical limitation on SNI/SSLHostConfig, or am I
> missing something here?

Did you remove all server certificates from your keystore and then try
to bounce the connector? That's not going to work because the
connector requires a server key and certificate.

Instead of "moving" the cert, consider copying the certificate instead.

-chris


Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Daniel Skiles
In this case, I didn't remove every certificate, but I did remove the
certificate that was originally being referenced after adding a new
certificate under a new alias.

Original Keystore:
Alias A
Server.xml _default_ SSLHostConfig points to Alias A

After Modification:
Alias B
Server.xml _default_ SSLHostConfig points to Alias B

<Call reloadSslHostConfigs here>
<Receive error>

If that's not supported, I'll see if I can keep the aliases stable
somehow.  If there is a way to do it, I'd be interested in hearing what it
is.

Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Christopher Schultz-2

Daniel,

On 9/10/20 13:33, Daniel Skiles wrote:

> In this case, I didn't remove every certificate, but I did remove
> the certificate that was originally being referenced after adding a
> new certificate under a new alias.
>
> Original Keystore: Alias A Server.xml _default_ SSLHostConfig
> points to Alias A
>
> After Modification: Alias B Server.xml _default_ SSLHostConfig
> points to Alias B
>
> <Call reloadSslHostConfigs here> <Receive error>
>
> If that's not supported, I'll see if I can keep the aliases stable
> somehow.  If there is a way to do it, I'd be interested in hearing
> what it is.

What are the real alias names? If you don't specify the key alias,
Tomcat will use the first private key it finds in the file (which is
essentially random, as Java keystores do not guarantee any kind of
read-ordering).

What does your <Certificate> look like in server.xml?

Can you also post the actual error and complete stack trace you get?

If you change the key's alias, you'll need to change the alias listed
in the <Certificate> unless you are using the default first-key behavior.

Also note that calling reloadSslHostConfigs does NOT re-read
server.xml. It re-initializes the existing in-memory configuration. If
you want to e.g. change the key alias, you'll have to make a JMX call
to update the alias and THEN call reloadSslHostConfigs.

-chris

Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Daniel Skiles
> Also note that calling reloadSslHostConfigs does NOT re-read server.xml.
> It re-initializes the existing in-memory configuration. If you want to e.g.
> change the key alias, you'll have to make a JMX call to update the alias
> and THEN call reloadSslHostConfigs.

*THAT* is probably my problem.  Do you know which MBean and operation that
is?

Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Christopher Schultz-2

Daniel,

On 9/10/20 16:39, Daniel Skiles wrote:
>> Also note that calling reloadSslHostConfigs does NOT re-read
>> server.xml. It re-initializes the existing in-memory
>> configuration. If you want to e.g. change the key alias, you'll
>> have to make a JMX call to update the alias and THEN call
>> reloadSslHostConfigs.
>
> *THAT* is probably my problem.

Perhaps that method could have a better name, like
reinitializeSSLHostConfigs. "reload" implies that it re-reads the
server.xml which is not the case. At least the documentation should
probably be better.

In your case, where did you rediscover reloadSslHostConfigs?

> Do you know which MBean and operation that is?

It's this (you'll have to interpolate a bit of this to fit your
environment):

Catalina:type=SSLHostConfigCertificate,ThreadPool="https-[cryptoimpl]-[ioimpl]-[addr]-[port]",Host="[host]",name=[cert-type]

My test one was:
Catalina:type=SSLHostConfigCertificate,ThreadPool="https-jsse-nio-127.0.0.1-12345",Host="_default_",name=EC

Attach to Tomcat using VisualVM or your JMX browser of choice and have
a look at what's there. You'll want to "set" the value of the
attribute "certificateKeyAlias", then call reloadSslHostConfigs.

-chris
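The two-step procedure described above (set "certificateKeyAlias" on the SSLHostConfigCertificate MBean, then call reloadSslHostConfigs) as a stand-alone JMX client. This is example code added here, not from the thread or from Tomcat itself: the SSLHostConfigCertificate ObjectName follows the pattern Chris quotes, while the ProtocolHandler ObjectName, the JMX service URL and the JMX_USER/JMX_PASSWORD environment variables are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Re-point a running Tomcat connector at a different keystore alias over JMX.
 * Step 1 updates the in-memory alias; step 2 reinitialises the SSL host configs.
 * Illustrative code for this thread, not Tomcat's own.
 */
public class SwitchKeyAlias {

    /**
     * Query pattern built from the template quoted in the thread:
     * Catalina:type=SSLHostConfigCertificate,ThreadPool="https-[cryptoimpl]-[ioimpl]-[addr]-[port]",Host="[host]",name=[cert-type]
     * name=* matches whichever certificate type (e.g. EC, RSA) the host config holds.
     */
    static ObjectName certificatePattern(String threadPool, String host) throws Exception {
        return new ObjectName("Catalina:type=SSLHostConfigCertificate,ThreadPool="
                + ObjectName.quote(threadPool) + ",Host=" + ObjectName.quote(host) + ",name=*");
    }

    /**
     * The thread pool name ends in the listen port ("https-jsse-nio-127.0.0.1-12345").
     * Assumption: the connector's ProtocolHandler MBean is keyed by that port.
     */
    static ObjectName protocolHandlerPattern(String threadPool) throws Exception {
        String port = threadPool.substring(threadPool.lastIndexOf('-') + 1);
        return new ObjectName("Catalina:type=ProtocolHandler,port=" + port + ",*");
    }

    static void switchAlias(MBeanServerConnection mbsc, String threadPool, String host,
                            String newAlias) throws Exception {
        Set<ObjectName> certs = mbsc.queryNames(certificatePattern(threadPool, host), null);
        if (certs.isEmpty()) {
            throw new IllegalStateException("no SSLHostConfigCertificate MBean for "
                    + threadPool + " / " + host);
        }
        for (ObjectName cert : certs) {
            Object before = mbsc.getAttribute(cert, "certificateKeyAlias");
            // Step 1: change the in-memory alias. The reload does not re-read server.xml,
            // so this attribute is what the reinitialised connector will use.
            mbsc.setAttribute(cert, new Attribute("certificateKeyAlias", newAlias));
            System.out.printf("%s: certificateKeyAlias %s -> %s%n", cert, before, newAlias);
        }

        Set<ObjectName> handlers = mbsc.queryNames(protocolHandlerPattern(threadPool), null);
        if (handlers.size() != 1) {
            throw new IllegalStateException("expected one ProtocolHandler MBean, found " + handlers);
        }
        ObjectName handler = handlers.iterator().next();
        // Step 2: reinitialise. This is where a jsse.alias_no_key_entry error surfaces
        // if the new alias does not name a private-key entry in the keystore.
        mbsc.invoke(handler, "reloadSslHostConfigs", new Object[0], new String[0]);
        System.out.println("reloadSslHostConfigs invoked on " + handler);

        // Read the attribute back to confirm the change took. The in-memory change does
        // not survive a restart, so make the same edit in server.xml as well.
        for (ObjectName cert : certs) {
            Object after = mbsc.getAttribute(cert, "certificateKeyAlias");
            if (!newAlias.equals(after)) {
                throw new IllegalStateException(cert + " still reports alias " + after);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SwitchKeyAlias <jmx-service-url> <thread-pool> <host> <new-alias>");
            System.err.println("  e.g. service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi"
                    + " https-jsse-nio-127.0.0.1-12345 _default_ B   (URL is an assumed value)");
            System.exit(2);
        }
        // Assumed: credentials come from JMX_USER / JMX_PASSWORD when the JMX port is authenticated.
        Map<String, Object> env = new HashMap<>();
        String user = System.getenv("JMX_USER");
        if (user != null) {
            env.put(JMXConnector.CREDENTIALS, new String[] {user, System.getenv("JMX_PASSWORD")});
        }
        try (JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(args[0]), env)) {
            switchAlias(jmxc.getMBeanServerConnection(), args[1], args[2], args[3]);
        }
    }
}
```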

Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Daniel Skiles
> In your case, where did you rediscover reloadSslHostConfigs?

To be honest, I wandered around in the JMX console until I found something
that looked promising.

> You'll want to "set" the value of the attribute "certificateKeyAlias".

Thank you for your help.  I'll give that a try.

Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Daniel Skiles
I've gotten my _default_ SNI SSLHostConfig working.  Thank you for the help.

> Perhaps that method could have a better name, like
> reinitializeSSLHostConfigs. "reload" implies that it re-reads the
> server.xml which is not the case. At least the documentation should
> probably be better.

If the server.xml isn't actually read during the reloadSslHostConfigs
operation, is there a way to add an SSLHostConfig at runtime?  I see
addSslHostConfig on ProtocolHandler, but I'm not certain that it will do
what I think it will do.

Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Christopher Schultz-2

Daniel,

On 9/11/20 17:06, Daniel Skiles wrote:
> I've gotten my _default_ SNI SSLHostConfig working.  Thank you for
> the help.

Excellent.

>> Perhaps that method could have a better name, like
>> reinitializeSSLHostConfigs. "reload" implies that it re-reads the
>> server.xml which is not the case. At least the documentation
>> should probably be better.
>
> If the server.xml isn't actually read during the
> reloadSslHostConfigs operation, is there a way to add an
> SSLHostConfig at runtime?  I see addSslHostConfig on
> ProtocolHandler, but I'm not certain that it will do what I think
> it will do.

Did you try it?

-chris


Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Daniel Skiles
> Did you try it?

I've been unable to try it through JConsole or Visual VM.  JConsole throws
an error indicating that it can't load the remote class, and Visual VM
disables the method.  It looks like it takes a complex object, and I do not
have enough experience with Tomcat, or MBeans in general, to even know what
to start googling to find a solution to that.

Is it something I can do programmatically, and pull Tomcat classes onto my
local classpath to get around that issue?


Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Daniel Skiles
In case anyone finds this thread in a search engine in a few years, I was
able to get this to work.   Here are some notes if you are using JSSE.

* The operation is addSslHostConfig on the ProtocolHandler MBean.
* You must have org.apache.tomcat:tomcat-coyote on your classpath.
* You must create both an SSLHostConfig and SSLHostConfigCertificate object.
* Use the SSLHostConfigCertificate constructor that takes the SSLHostConfig as an argument.
* You must call addCertificate(...) on SSLHostConfig after configuring both objects, before calling the operation.
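
As an added example that is not code from this thread, here is a standalone JMX client that follows these notes; the JMX URL, credentials, connector port, host name, keystore path and key alias are all placeholders you would replace for your own environment.

```java
import java.util.HashMap;
import java.util.Map;

import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

/**
 * Adds a new SNI host (SSLHostConfig) to a running Tomcat connector through the
 * ProtocolHandler MBean's addSslHostConfig operation. Needs tomcat-coyote (and its
 * transitive Tomcat dependencies) on the client classpath, ideally the same Tomcat
 * version as the server so the serialized SSLHostConfig matches. Every host name,
 * path, port and credential below is a placeholder.
 */
public class AddSslHostConfigClient {

    public static void main(String[] args) throws Exception {
        // Placeholder JMX endpoint, as exposed by the com.sun.management.jmxremote.*
        // system properties or Tomcat's JMX Remote Lifecycle Listener.
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://tomcat.example.internal:9010/jmxrmi");

        // Authenticate to the connector. The keystore password travels inside the
        // serialized SSLHostConfig, so the JMX connection itself should be TLS
        // protected (com.sun.management.jmxremote.ssl=true on the server).
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {"jmx-admin", "changeit"});

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();

            // ProtocolHandler MBean of the HTTPS connector; "port" is the Connector's
            // port attribute (add ,address="..." when it binds to a specific address).
            ObjectName handler = new ObjectName("Catalina:type=ProtocolHandler,port=8443");

            SSLHostConfig hostConfig = buildHostConfig(
                    "app2.example.com",
                    "/opt/tomcat/conf/app2-keystore.p12",
                    "keystore-password-placeholder",
                    "app2");

            // The signature must name the declared parameter type exactly; it is a
            // Tomcat class, which is why JConsole and VisualVM cannot fill it in.
            mbsc.invoke(handler, "addSslHostConfig",
                    new Object[] {hostConfig},
                    new String[] {SSLHostConfig.class.getName()});
        }
    }

    /**
     * Builds the SSLHostConfig and its SSLHostConfigCertificate in the order the
     * notes describe: create both, use the constructor that takes the SSLHostConfig,
     * configure the certificate, then addCertificate(...) before invoking the operation.
     */
    static SSLHostConfig buildHostConfig(String hostName, String keystorePath,
            String keystorePassword, String keyAlias) {
        SSLHostConfig hostConfig = new SSLHostConfig();
        // The SNI name clients will send; "_default_" is the fallback host.
        hostConfig.setHostName(hostName);

        // Give the certificate an explicit type instead of UNDEFINED so that a second
        // certificate (e.g. an EC one) can later be added to the same host.
        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(
                hostConfig, SSLHostConfigCertificate.Type.RSA);
        certificate.setCertificateKeystoreFile(keystorePath);
        certificate.setCertificateKeystoreType("PKCS12");
        certificate.setCertificateKeystorePassword(keystorePassword);
        // Pin the alias explicitly; without it Tomcat uses the first private key it
        // finds in the keystore, which is what went wrong earlier in this thread.
        certificate.setCertificateKeyAlias(keyAlias);

        hostConfig.addCertificate(certificate);
        return hostConfig;
    }
}
```

The new host is live as soon as the operation returns, so a client sending that SNI name gets the new certificate without a connector restart.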



Re: Changing the keystore alias of the _default_ SSLHostConfig while running.

Christopher Schultz-2

Daniel,

On 9/16/20 09:37, Daniel Skiles wrote:
> In case anyone finds this thread in a search engine in a few years, I was
> able to get this to work.  Here are some notes if you are using JSSE.
>
> * The operation is addSslHostConfig on the ProtocolHandler MBean.
> * You must have org.apache.tomcat:tomcat-coyote on your classpath.
> * You must create both an SSLHostConfig and SSLHostConfigCertificate object.
> * Use the SSLHostConfigCertificate constructor that takes the SSLHostConfig
> as an argument.
> * You must call addCertificate(...) on SSLHostConfig after configuring both
> objects, before calling the operation.

Glad you got it working.

Exposing an addSslHostConfig() method via JMX which takes a large
number of String (or other) values would surely be convenient for you,
but kind of a pain in the neck to support alongside the existing
mechanisms.

-chris
