Tomcat 8.5.x/Openssl with custom keystore

Dave Neuman
Hey all,
I was wondering if anyone has had any luck or could provide some guidance
on using a custom keystore with tomcat 8.5.x and openssl?

I am in the process of upgrading from tomcat 6.0.x using JSSE to tomcat
8.5.x using Openssl. As part of the upgrade process, I need to re-implement
our custom keystore. The keystore was implemented in 6.0.x by extending
JSSEImplementation and JSSESocketFactory which has since been removed from
the code. I was able to work through that and I had my custom keystore
working using JSSE, but when I attempt to switch to using OpenSSL and start
my application, I get an error like:

Exception in thread "Thread-3" java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
    at org.apache.tomcat.jni.Pool.create(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:72)
    at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslUtil.getImplementedProtocols(RouterSslUtil.java:65)
    at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:53)
    at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslUtil.<init>(RouterSslUtil.java:54)
    at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation.getSSLUtil(RouterSslImplementation.java:34)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:102)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol.init(LanguidNioProtocol.java:63)
    at com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidPoller.run(LanguidPoller.java:58)

It seems that this is because I don’t have a keystore configured in my
server.xml, so tomcat tries to use the default ~/.keystore which causes
issues at about the time it tries to get the IMPLEMENTED_PROTOCOLS_SET in
OpenSSLUtil. Like I said earlier if I switch to JSSEUtil, things work as
expected.

Any thoughts?

Thanks,
Dave


Re: Tomcat 8.5.x/Openssl with custom keystore

Dave Neuman
Actually, it looks like the error I pasted above was actually my embedded
tomcat not being able to find tc-native.
Sorry for the noise, I will respond if/when I run into a different/"real"
problem.
--Dave

On Tue, Jun 6, 2017 at 2:41 PM, Dave Neuman <[hidden email]> wrote:

> Hey all,
> I was wondering if anyone has had any luck or could provide some guidance
> on using a custom keystore with tomcat 8.5.x and openssl?
>
> I am in the process of upgrading from tomcat 6.0.x using JSSE to tomcat
> 8.5.x using Openssl. As part of the upgrade process, I need to re-implement
> our custom keystore. The keystore was implemented in 6.0.x by extending
> JSSEImplementation and JSSESocketFactory which has since been removed from
> the code. I was able to work through that and I had my custom keystore
> working using JSSE, but when I attempt to switch to using OpenSSL and start
> my application, I get an error like:
>
> Exception in thread "Thread-3" java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
>     at org.apache.tomcat.jni.Pool.create(Native Method)
>     at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:72)
>     at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslUtil.getImplementedProtocols(RouterSslUtil.java:65)
>     at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:53)
>     at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslUtil.<init>(RouterSslUtil.java:54)
>     at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation.getSSLUtil(RouterSslImplementation.java:34)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:102)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>     at com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol.init(LanguidNioProtocol.java:63)
>     at com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidPoller.run(LanguidPoller.java:58)
>
> It seems that this is because I don’t have a keystore configured in my
> server.xml, so tomcat tries to use the default ~/.keystore which causes
> issues at about the time it tries to get the IMPLEMENTED_PROTOCOLS_SET in
> OpenSSLUtil. Like I said earlier if I switch to JSSEUtil, things work as
> expected.
>
> Any thoughts?
>
> Thanks,
> Dave
>
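
A preflight check for the cause identified in the follow-up (the embedded Tomcat could not find tc-native), added here as an example and not part of the original posts. It runs in the same JVM configuration as the embedded Tomcat and reports whether a tc-native library is visible on java.library.path and whether it actually loads. The class name TcNativePreflight is hypothetical, and the library base names "tcnative-1" and "libtcnative-1" are assumed to be the ones Tomcat 8.5 looks for.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the thread): diagnose a missing tc-native before
// Tomcat's OpenSSL classes fail with UnsatisfiedLinkError at connector init.
public class TcNativePreflight {

    // Assumption: base names Tomcat 8.5 tries when loading its native library.
    static final String[] NAMES = {"tcnative-1", "libtcnative-1"};

    // Return every file on the given library path whose name matches the
    // platform-specific file name of a tc-native library.
    static List<File> findCandidates(String libraryPath) {
        List<File> found = new ArrayList<>();
        for (String dir : libraryPath.split(File.pathSeparator)) {
            if (dir.isEmpty()) {
                continue;
            }
            for (String name : NAMES) {
                // e.g. libtcnative-1.so on Linux, tcnative-1.dll on Windows
                File candidate = new File(dir, System.mapLibraryName(name));
                if (candidate.isFile()) {
                    found.add(candidate);
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        String path = System.getProperty("java.library.path", "");
        System.out.println("java.library.path = " + path);
        List<File> found = findCandidates(path);
        for (File f : found) {
            System.out.println("candidate: " + f.getAbsolutePath());
        }
        if (found.isEmpty()) {
            System.out.println("no tc-native file found on java.library.path");
        }
        // A file can exist and still fail to load (wrong architecture,
        // missing APR/OpenSSL dependency), so attempt the load as well.
        for (String name : NAMES) {
            try {
                System.loadLibrary(name);
                System.out.println("loaded " + name);
                return;
            } catch (UnsatisfiedLinkError e) {
                System.out.println("cannot load " + name + ": " + e.getMessage());
            }
        }
        System.exit(1);
    }
}
```

Run it with the same -Djava.library.path (or library path environment variable) that the embedded Tomcat process uses; exit status 1 means the OpenSSL implementation would fail to initialise in that process.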