Bug 1008456 - Could not initialize NSS on EWS2
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Severity: unspecified
Assigned To: Elio Maldonado Batiz
BaseOS QE Security Team
Depends On:
Blocks: 1022950
Reported: 2013-09-16 07:44 EDT by Michal Haško
Modified: 2015-03-01 23:01 EST
9 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1022950
Last Closed: 2013-09-17 04:44:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments

  None
Description Michal Haško 2013-09-16 07:44:35 EDT
Description of problem:
When trying to configure SSL support for tomcat7 from EWS2, the following error was encountered:

Version-Release number of selected component (if applicable):
Tomcat7 from EWS-2.0.1 GA

How reproducible:

Steps to Reproduce:
1. make sure JDK7 is used (java -version)
2. generate the java keystore file:
   # /usr/lib/jvm/java/bin/keytool -genkey -alias tomcat -keyalg RSA \
     -keystore /root/keystore.jks
3. add ssl connector to tomcat7/conf/server.xml:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />
4. start tomcat:
   # tomcat7/bin/

Actual results:
The following exception is observed in catalina.out:
Sep 16, 2013 7:26:09 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.0-fips 29 Mar 2010)
Could not initialize NSS
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
	at java.lang.reflect.Constructor.newInstance(
	at Method)
	at org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(
	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(
	at org.apache.catalina.util.LifecycleBase.setStateInternal(
	at org.apache.catalina.util.LifecycleBase.init(
	at org.apache.catalina.startup.Catalina.load(
	at org.apache.catalina.startup.Catalina.load(
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(
	at java.lang.reflect.Method.invoke(
	at org.apache.catalina.startup.Bootstrap.load(
	at org.apache.catalina.startup.Bootstrap.main(
Caused by: NSS initialization failed
	... 27 more

Expected results:
curl -k https://localhost:8443/ should return a tomcat welcome page

Additional info:
This is *only* reproducible on Tomcat7 *and* JDK7 (no Tomcat6 or JDK6)
Comment 2 Michal Haško 2013-09-16 10:53:21 EDT
OK, the errors produced in catalina.out were probably caused by OpenJDK 1.7. I managed to get the org.apache.coyote.http11.Http11NioProtocol connector working with Oracle JDK 1.7.

But there is still something fishy going on with tomcat/ssl:

# wget -O - https://localhost:8443/
--2013-09-16 10:52:44--  https://localhost:8443/
Resolving localhost... ::1,
Connecting to localhost|::1|:8443... connected.
OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib
Unable to establish SSL connection.
Comment 3 Elio Maldonado Batiz 2013-09-16 11:15:53 EDT
What were the versions of nss, nss-softokn, nss-util installed?
Comment 4 Jean-frederic Clere 2013-09-17 03:52:05 EDT
That looks like a configuration error: protocol="org.apache.coyote.http11.Http11NioProtocol" doesn't need native, so you need to comment out the:
<Listener className="org.apache.catalina.core.AprLifecycleListener"/>
If you are not using native for another connector, you need to configure the listener correctly.
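A configuration check along the lines of Comment 4, added here as an example (it is not code from the bug report or from Tomcat): it parses a constructed server.xml containing the reporter's NIO connector and flags an AprLifecycleListener that no SSL connector needs, or a native SSL connector that has no listener.

```python
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed server.xml (not the reporter's full file): the NIO SSL connector
# from the bug plus the APR listener Comment 4 says to comment out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

def uses_native(connector):
    """True if an SSL connector runs on the APR/native (OpenSSL) stack.
    An explicit *AprProtocol class needs tomcat-native; the generic "HTTP/1.1"
    alias auto-selects APR whenever the native library is loaded."""
    proto = connector.get("protocol", "HTTP/1.1")
    return "Apr" in proto or proto == "HTTP/1.1"

def check_ssl_listener_config(server_xml):
    """Return a list of findings about AprLifecycleListener vs. SSL connectors."""
    root = ET.fromstring(server_xml)
    findings = []
    has_apr_listener = any(l.get("className") == APR_LISTENER
                           for l in root.iter("Listener"))
    ssl = [c for c in root.iter("Connector")
           if c.get("SSLEnabled", "false").lower() == "true"]
    native = [c for c in ssl if uses_native(c)]
    for c in ssl:
        if not uses_native(c) and not c.get("keystoreFile"):
            findings.append("port %s: JSSE connector has no keystoreFile" % c.get("port"))
    if has_apr_listener and not native:
        findings.append("AprLifecycleListener present but no SSL connector uses native;"
                        " comment it out (with OpenJDK 7 it tried to initialise NSS)")
    if native and not has_apr_listener:
        findings.append("native SSL connector on port %s needs AprLifecycleListener"
                        % ", ".join(c.get("port", "?") for c in native))
    return findings
```

Running `check_ssl_listener_config(SAMPLE_SERVER_XML)` on the sample returns one finding about the unneeded listener; with that Listener line removed it returns an empty list.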
Comment 5 Jean-frederic Clere 2013-09-17 04:09:01 EDT
The wget error looks like a problem in the box doing the wget. Could you try with a browser and/or from another box?
Comment 6 Michal Haško 2013-09-17 04:44:49 EDT
As Jean-Frédéric pointed out, this is not a problem with the tomcat. Wget from a different box works just fine.

I am closing this bug for the sake of the original issue.
