Topic
  • 31 replies
  • Latest Post - ‏2004-05-31T16:21:37Z by SystemAdmin
SystemAdmin
SystemAdmin
2262 Posts

Pinned topic SSL - Tomcat 4.1.18

‏2003-10-10T07:07:31Z |
Hello everyone,
I have a problem with Tomcat 4.1.18 and JVM IBMJava2-141.
I opened the https connector, but during startup processing I have this exception:

java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:41)
at java.lang.reflect.Method.invoke(Method.java:371)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
Caused by: java.lang.NoClassDefFoundError: sun/security/provider/Sun
at org.apache.tomcat.util.net.jsse.JSSEImplementation.getServerSocketFactory(JSSEImplementation.java:90)
at org.apache.coyote.http11.Http11Protocol.checkSocketFactory(Http11Protocol.java:452)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:133)
at org.apache.coyote.tomcat4.CoyoteConnector.initialize(CoyoteConnector.java:1032)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:579)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2245)
at org.apache.catalina.startup.Catalina.start(Catalina.java:511)
at org.apache.catalina.startup.Catalina.execute(Catalina.java:400)
at org.apache.catalina.startup.Catalina.process(Catalina.java:180)

How can I resolve this problem?

Thanks.
Updated on 2004-05-31T16:21:37Z at 2004-05-31T16:21:37Z by SystemAdmin
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-10-15T08:36:33Z  
    Mmm, this looks like a bug/limitation in Tomcat; it is trying to reference the Sun provider class which IBM does not ship with their JVMs.
    Where did you get Tomcat from, and is there a later version?
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-10-15T11:51:10Z  
    Mmm, this looks like a bug/limitation in Tomcat; it is trying to reference the Sun provider class which IBM does not ship with their JVMs.
    Where did you get Tomcat from, and is there a later version?
    Thanks Paul,
    I used the Sun JVM and the problem didn't occur there, but my client wants to use the IBM JVM... any ideas?

    bye base.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-10-21T22:24:19Z  
    Thanks Paul,
    I used the Sun JVM and the problem didn't occur there, but my client wants to use the IBM JVM... any ideas?

    bye base.
    The problem is that the System property java.protocol.handler.pkgs is being explicitly set in one of the Tomcat classes. This effectively overrides the JVM's default provider for SSL sockets.

    There is hope. Tomcat is "nice" in the way it overrides the property, in that if it is already set, it appends the Sun providers to the list. Since the first provider in the list wins, the solution is to set the property before Tomcat gets a chance to change it. This can be done with a command line flag (-Djava.protocol.handler.pkgs=<IBM providers>) in the command line that invokes Tomcat.

    Unfortunately, I'm not familiar enough with the IBM JDK to know what the correct value should be, but there's probably some doco somewhere (or else someone on this board who knows).
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-10-22T08:21:07Z  
    The problem is that the System property java.protocol.handler.pkgs is being explicitly set in one of the Tomcat classes. This effectively overrides the JVM's default provider for SSL sockets.

    There is hope. Tomcat is "nice" in the way it overrides the property, in that if it is already set, it appends the Sun providers to the list. Since the first provider in the list wins, the solution is to set the property before Tomcat gets a chance to change it. This can be done with a command line flag (-Djava.protocol.handler.pkgs=<IBM providers>) in the command line that invokes Tomcat.

    Unfortunately, I'm not familiar enough with the IBM JDK to know what the correct value should be, but there's probably some doco somewhere (or else someone on this board who knows).
    Mmm, I would be surprised if that was the problem, not least for the fact that the property "java.protocol.handler.pkgs" contains the Java package of the handler class and not the provider name.

    The correct value for this property is "com.ibm.net.ssl.www.protocol", and it should be being set inside the JVM by the URL class.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-10-22T13:50:16Z  
    Mmm, I would be surprised if that was the problem, not least for the fact that the property "java.protocol.handler.pkgs" contains the Java package of the handler class and not the provider name.

    The correct value for this property is "com.ibm.net.ssl.www.protocol", and it should be being set inside the JVM by the URL class.
    After rereading the OP, you have convinced me that you are correct. The problem does lie elsewhere. I misread the post.
    Apologies to the group.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-11-18T16:23:10Z  
    The problem is that the System property java.protocol.handler.pkgs is being explicitly set in one of the Tomcat classes. This effectively overrides the JVM's default provider for SSL sockets.

    There is hope. Tomcat is "nice" in the way it overrides the property, in that if it is already set, it appends the Sun providers to the list. Since the first provider in the list wins, the solution is to set the property before Tomcat gets a chance to change it. This can be done with a command line flag (-Djava.protocol.handler.pkgs=<IBM providers>) in the command line that invokes Tomcat.

    Unfortunately, I'm not familiar enough with the IBM JDK to know what the correct value should be, but there's probably some doco somewhere (or else someone on this board who knows).
    I don't know about Tomcat 4.1, but in 3.2 they explicitly instantiate a sun.security.provider.Sun when they add it to the provider list. This is done in org.apache.tomcat.net.SSLSocketFactory. Kind of defeats the purpose of java.protocol.handler.pkgs.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-11-19T09:20:56Z  
    I don't know about Tomcat 4.1, but in 3.2 they explicitly instantiate a sun.security.provider.Sun when they add it to the provider list. This is done in org.apache.tomcat.net.SSLSocketFactory. Kind of defeats the purpose of java.protocol.handler.pkgs.
    And it means it will only work with a Sun (or reference) JVM.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-11-19T15:39:54Z  
    And it means it will only work with a Sun (or reference) JVM.
    Interestingly, IBM's 1.4 JRE/JDK included sun.security.provider.Sun in core.jar. That class is not included, however, in 1.4.1.2.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-11-19T15:51:44Z  
    Interestingly, IBM's 1.4 JRE/JDK included sun.security.provider.Sun in core.jar. That class is not included, however, in 1.4.1.2.
    Only because we didn't have time to remove it before GA of 1.4; the class was present but untested. For 1.4.1 the code was cleaned up and a number of redundant classes were removed, Sun being one of them.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2003-11-21T00:48:38Z  
    Is there a solution to the "java.lang.NoClassDefFoundError: sun/security/provider/Sun"? I am in a similar situation with a client running Sun's JVM (using the sun.security.* classes) attempting to talk to IBM's JVM for AIX. I am not seeing this particular error, but other sun.security (DSA/Keypairs) ClassNotFoundExceptions, which terminate the RMI connection.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-01T20:28:53Z  
    Good Day -
    I am also having the same problems as listed here -
    I'm using Tomcat-4, attempting to activate SSL on z/Series Linux SUSE, when using:

    IBMJSDK 1.4.1 get NoClassDefFoundError: sun/security/provider/Sun

    with
    IBMJSDK 1.3 get NoClassDefFoundError: com/sun/net/ssl/internal/ssl/Provider

    Both have identical java.security pertaining to security.providers

    Thanks,
    Gerard
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-02T15:05:19Z  
    Try using a more recent version of tomcat, 4.1.29 or 5.0 (http://jakarta.apache.org/tomcat/)
    Hmm. That is too bad. Is there any way of determining that the new version has resolved this issue?

    Gerard
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-02T15:08:37Z  
    Try using a more recent version of tomcat, 4.1.29 or 5.0 (http://jakarta.apache.org/tomcat/)
    Updated on 2004-02-02T15:08:37Z at 2004-02-02T15:08:37Z by SystemAdmin
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-02T15:15:22Z  
    Hmm. That is too bad. Is there any way of determining that the new version has resolved this issue?

    Gerard
    Have you looked at the Jakarta bug DB for tomcat 4.1?
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-02T16:50:24Z  
    I did not see it on bugzilla. - Installing 4.1.29
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-03T13:55:57Z  
    I've installed Tomcat 4.1.29 - new error is
    java.io.IOException: Algorithm SunX509 not available
    I'm using 1.4.1 JSDK-IBM
    Does this stuff work at all with IBM java?

    Thanks,
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-03T16:04:07Z  
    I've installed Tomcat 4.1.29 - new error is
    java.io.IOException: Algorithm SunX509 not available
    I'm using 1.4.1 JSDK-IBM
    Does this stuff work at all with IBM java?

    Thanks,
    That looks like the SSL trustmanager/keymanager algorithm name. In IBM's JDKs it should be IbmX509.

    It doesn't look like anyone has tested Tomcat with an IBM JDK.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-03T16:35:39Z  
    That looks like the SSL trustmanager/keymanager algorithm name. In IBM's JDKs it should be IbmX509.

    It doesn't look like anyone has tested Tomcat with an IBM JDK.
    Paul, I will be the first. Any workarounds to configure this properly?

    Thanks,
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-03T18:29:58Z  
    Paul, I will be the first. Any workarounds to configure this properly?

    Thanks,
    I'm guessing that Tomcat has been hard coded to use the SunX509 algorithm. This is normally configured in the java.security file shipped with the JDK (unless Tomcat is using its own).

    If it is hardcoded you could find out where by starting the JDK with the command line option "-Djava.security.debug=algorithm:stack". This will show the Java call stack for all algorithm requests.
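
Added example (not part of the original thread, and not Tomcat or IBM code): a small Java diagnostic that lists the KeyManagerFactory/TrustManagerFactory algorithm names the running JVM offers, the defaults its java.security file sets, and whether the two names discussed in this thread resolve. The class name X509AlgorithmCheck and its helper methods are made up for illustration; it assumes a current JVM (Java 7 or later), not the 1.4.1 JDK from the thread.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example: report which X.509 key/trust manager algorithms this JVM offers.
public class X509AlgorithmCheck {

    // Names registered by the installed providers for one service type, e.g. "KeyManagerFactory".
    static List<String> offered(String serviceType) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (s.getType().equals(serviceType)) {
                    names.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return names;
    }

    // True if a KeyManagerFactory for this name can be obtained on the running JVM.
    static boolean resolves(String algorithm) {
        try {
            KeyManagerFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The defaults are read from the security properties ssl.KeyManagerFactory.algorithm
        // and ssl.TrustManagerFactory.algorithm, normally set in the JDK's java.security file.
        System.out.println("default KeyManagerFactory:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("default TrustManagerFactory: " + TrustManagerFactory.getDefaultAlgorithm());
        System.out.println("KeyManagerFactory offered:   " + offered("KeyManagerFactory"));
        System.out.println("TrustManagerFactory offered: " + offered("TrustManagerFactory"));
        // The two names from this thread; a hard-coded name fails on a JVM that lacks it.
        for (String name : new String[] {"SunX509", "IbmX509"}) {
            System.out.println(name + " resolves: " + resolves(name));
        }
        // Portable code asks for the JVM's default instead of naming a vendor algorithm.
        System.out.println("default resolves: " + resolves(KeyManagerFactory.getDefaultAlgorithm()));
    }
}
```

Running it with the same JVM that starts Tomcat shows the exact algorithm name that JVM registers, which is the value a hard-coded "SunX509" would have to match.
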
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-03T19:49:09Z  
    Paul,
    Could I send you an email directly? The output is rather large.

    Thanks,
    Gerard
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-04T10:41:44Z  
    Paul,
    Could I send you an email directly? The output is rather large.

    Thanks,
    Gerard
    Ok send to pabbott@hursley.ibm.com

    Put an eye-catcher in the subject, so that I spot it - I get a lot of junk mail on this account.
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-04T12:27:23Z  
    Ok send to pabbott@hursley.ibm.com

    Put an eye-catcher in the subject, so that I spot it - I get a lot of junk mail on this account.
    Tomcat 4.1.29 JSDK 1.4.1 on LINUX z/Series

    Was the eye catcher
    THANKS -!
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-04T14:31:22Z  
    Tomcat 4.1.29 JSDK 1.4.1 on LINUX z/Series

    Was the eye catcher
    THANKS -!
    Well the trace didn't tell me what I had hoped !

    But it did give me a clue and after a bit of searching I found the following.

    There appears to be a configuration option you can set in server.xml. This will tell the Coyote connector which algorithm to use for SSL connections.

    Have a look at the SSL Support section in the following page -> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/coyote.html
    You will need to add a <Factory> to the <Connector> in server.xml and set the "algorithm" attribute to "IbmX509"
  • SystemAdmin

    Re: SSL - Tomcat 4.1.18

    ‏2004-02-04T15:30:50Z  
    Well the trace didn't tell me what I had hoped !

    But it did give me a clue and after a bit of searching I found the following.

    There appears to be a configuration option you can set in server.xml. This will tell the Coyote connector which algorithm to use for SSL connections.

    Have a look at the SSL Support section in the following page -> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/coyote.html
    You will need to add a <Factory> to the <Connector> in server.xml and set the "algorithm" attribute to "IbmX509"
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" algorithm="ibmX509"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" />
    </Connector>

    Is that lower or uppercase?