Bug 1008456 - java.security.ProviderException: Could not initialize NSS on EWS2
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.5
Target Milestone: rc
Assigned To: Elio Maldonado Batiz
QA Contact: BaseOS QE Security Team
Blocks: 1022950
Reported: 2013-09-16 07:44 EDT by Michal Haško
Modified: 2015-03-01 23:01 EST
Doc Type: Bug Fix
Clones: 1022950
Last Closed: 2013-09-17 04:44:49 EDT
Type: Bug

Attachments: None
Description Michal Haško 2013-09-16 07:44:35 EDT
Description of problem:
When trying to configure SSL support for tomcat7 from EWS2, the following error was encountered:


Version-Release number of selected component (if applicable):
Tomcat7 from EWS-2.0.1 GA


How reproducible:
100%


Steps to Reproduce:
1. make sure JDK7 is used (java -version)
2. generate the java keystore file:
   # /usr/lib/jvm/java/bin/keytool -genkey -alias tomcat -keyalg RSA \
     -keystore /root/keystore.jks
3. add ssl connector to tomcat7/conf/server.xml:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />
4. start tomcat:
   # tomcat7/bin/startup.sh


Actual results:
The following exception is observed in catalina.out:
Sep 16, 2013 7:26:09 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.0-fips 29 Mar 2010)
java.security.ProviderException: Could not initialize NSS
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:223)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
	at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
	at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
	at java.security.Security.getProviders(Security.java:458)
	at org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(JreMemoryLeakPreventionListener.java:382)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
	at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:658)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: java.io.IOException: NSS initialization failed
	at sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
	... 27 more


Expected results:
curl -k https://localhost:8443/ should return a tomcat welcome page


Additional info:
This is *only* reproducible on Tomcat7 *and* JDK7 (no Tomcat6 or JDK6)
Comment 2 Michal Haško 2013-09-16 10:53:21 EDT
OK, the errors produced in catalina.out were probably caused by OpenJDK1.7. I managed to get the org.apache.coyote.http11.Http11NioProtocol connector working with OracleJDK1.7.

But there is still something fishy going on with tomcat/ssl:

# wget -O - https://localhost:8443/
--2013-09-16 10:52:44--  https://localhost:8443/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:8443... connected.
OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib
Unable to establish SSL connection.
Comment 3 Elio Maldonado Batiz 2013-09-16 11:15:53 EDT
What were the versions of nss, nss-softokn, nss-util installed?
Comment 4 Jean-frederic Clere 2013-09-17 03:52:05 EDT
That looks like a configuration error: protocol="org.apache.coyote.http11.Http11NioProtocol" doesn't need native, so you need to comment out the:
<Listener className="org.apache.catalina.core.AprLifecycleListener"/>
If you are not using native for another connector, you need to configure the listener correctly.
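A way to check a server.xml for the mismatch discussed in the steps above and in this comment (an NIO SSL connector alongside an AprLifecycleListener that nothing needs), as an added example that is not code from the bug report or from Tomcat; the embedded server.xml is constructed from the reporter's connector, and the audit function and its rules are my own:

```python
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
# Tomcat resolves the generic "HTTP/1.1" protocol name to the APR connector
# when the native library is loaded, so it counts as a consumer of the listener.
AUTO_PROTOCOL = "HTTP/1.1"

# Constructed server.xml mirroring the report: an NIO SSL connector on 8443
# plus an AprLifecycleListener that no connector in this file can use.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return findings about AprLifecycleListener / connector consistency."""
    root = ET.fromstring(xml_text)
    findings = []
    has_apr_listener = any(
        lst.get("className") == APR_LISTENER for lst in root.iter("Listener"))
    connectors = list(root.iter("Connector"))
    apr_users = [c for c in connectors
                 if c.get("protocol") in (APR_PROTOCOL, AUTO_PROTOCOL)]
    # Listener present but every connector is NIO: the listener only adds a
    # native/NSS initialization path that can fail for no benefit.
    if has_apr_listener and not apr_users:
        findings.append("AprLifecycleListener is configured but no connector "
                        "can use APR; comment the listener out")
    # The opposite mismatch: an explicit APR connector with no listener to load it.
    for c in connectors:
        if c.get("protocol") == APR_PROTOCOL and not has_apr_listener:
            findings.append(f"port {c.get('port', '?')}: APR connector "
                            "needs AprLifecycleListener")
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SERVER_XML):
        print(finding)
```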
Comment 5 Jean-frederic Clere 2013-09-17 04:09:01 EDT
The wget error looks like a problem in the box doing the wget; could you try with a browser and/or from another box?
Comment 6 Michal Haško 2013-09-17 04:44:49 EDT
As Jean-Frédéric pointed out, this is not a problem with the tomcat. Wget from a different box works just fine.

I am closing this bug for the sake of the original issue.
