Bug 1008456
| Summary: | java.security.ProviderException: Could not initialize NSS on EWS2 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Haško <mhasko> | |
| Component: | nss | Assignee: | Elio Maldonado Batiz <emaldona> | |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.5 | CC: | jclere, mharmsen, mhasko, pcheung, pslavice, rrelyea, sforsber, tmraz, weli | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1022950 (view as bug list) | Environment: | ||
| Last Closed: | 2013-09-17 08:44:49 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1022950 | |||
OK, the errors produced in catalina.out were probably caused by OpenJDK1.7. I managed to get the org.apache.coyote.http11.Http11NioProtocol connector working with OracleJDK1.7. But there is still something fishy going on with tomcat/ssl:

    # wget -O - https://localhost:8443/
    --2013-09-16 10:52:44-- https://localhost:8443/
    Resolving localhost... ::1, 127.0.0.1
    Connecting to localhost|::1|:8443... connected.
    OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
    OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib
    Unable to establish SSL connection.

What were the versions of nss, nss-softokn, nss-util installed?

That looks like a configuration error. protocol="org.apache.coyote.http11.Http11NioProtocol" doesn't need native so you need to comment out the:

    <Listener className="org.apache.catalina.core.AprLifecycleListener"/>

if you are not using native for another connector you need to configure the listener correctly.

The wget error looks like a problem in the box doing the wget, could you try with a browser and/or from another box?

As Jean-Frédéric pointed out, this is not a problem with the tomcat. Wget from a different box works just fine. I am closing this bug for the sake of the original issue.
Description of problem:
When trying to configure SSL support for tomcat7 from EWS2, the following error was encountered:

Version-Release number of selected component (if applicable):
Tomcat7 from EWS-2.0.1 GA

How reproducible:
100%

Steps to Reproduce:
1. make sure JDK7 is used (java -version)
2. generate the java keystore file:

        # /usr/lib/jvm/java/bin/keytool -genkey -alias tomcat -keyalg RSA \
            -keystore /root/keystore.jks

3. add ssl connector to tomcat7/conf/server.xml:

        <Connector port="8443"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
                   keystoreFile="/root/keystore.jks" keystorePass="tomcat"
                   clientAuth="false" sslProtocol="TLS" />

4. start tomcat:

        # tomcat7/bin/startup.sh

Actual results:
The following exception is observed in catalina.out:

    Sep 16, 2013 7:26:09 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
    INFO: OpenSSL successfully initialized (OpenSSL 1.0.0-fips 29 Mar 2010)
    java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:223)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
        at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
        at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
        at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
        at java.security.Security.getProviders(Security.java:458)
        at org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(JreMemoryLeakPreventionListener.java:382)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:658)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
    Caused by: java.io.IOException: NSS initialization failed
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
        ... 27 more

Expected results:
curl -k https://localhost:8443/ should return a tomcat welcome page

Additional info:
This is *only* reproducible on Tomcat7 *and* JDK7 (no Tomcat6 or JDK6)
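A check for the mismatch pointed out in the comments (an explicit Http11NioProtocol connector alongside AprLifecycleListener), added here as an example and not part of the original bug report or of Tomcat's own code. The sample server.xml is constructed from the connector in the description, and the function names and the three-way protocol classification are assumptions of this example.

```python
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOLS = {"org.apache.coyote.http11.Http11AprProtocol",
                 "org.apache.coyote.ajp.AjpAprProtocol"}
# Generic names let Tomcat 7 pick the APR connector when the native library loads.
AUTO_PROTOCOLS = {"HTTP/1.1", "AJP/1.3"}

# Constructed sample: the reporter's connector plus the listener named in the reply.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""


def classify(connector):
    """Return 'apr', 'auto' or 'java' for one <Connector> element."""
    protocol = connector.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
    if protocol in APR_PROTOCOLS:
        return "apr"
    if protocol in AUTO_PROTOCOLS:
        return "auto"
    # Assumption: any other explicit class (e.g. Http11NioProtocol) is pure Java with JSSE.
    return "java"


def audit_server_xml(xml_text):
    """Return (connector kinds by port, findings) for a server.xml document."""
    # The default parser drops XML comments, so a commented-out listener is not seen.
    root = ET.fromstring(xml_text)
    has_listener = any(el.get("className") == APR_LISTENER for el in root.iter("Listener"))
    kinds = {c.get("port"): classify(c) for c in root.iter("Connector")}
    findings = []
    if has_listener and kinds and all(kind == "java" for kind in kinds.values()):
        findings.append("AprLifecycleListener is enabled but every connector is pure Java; "
                        "comment the listener out")
    return kinds, findings


if __name__ == "__main__":
    kinds, findings = audit_server_xml(SAMPLE)
    print(kinds)
    for finding in findings:
        print("WARN:", finding)
```

A connector declared with the generic `HTTP/1.1` or `AJP/1.3` name suppresses the warning, because such a connector may still use the native library that the listener loads.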