Bug 37530

Summary: IOException on startup when a "keyAlias" attribute is specified
Product: Tomcat 5
Reporter: Jerry Busser <jbusser>
Component: Connector:HTTP
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
Keywords: ErrorMessage
Priority: P3
Version: 5.5.9
Target Milestone: ---
Hardware: All
OS: All

Description Jerry Busser 2005-11-16 19:16:40 UTC
Using this connector definition

    <!-- Define a SSL HTTP/1.1 Connector on port 7403 -->
    <Connector port="7403" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" keystoreFile="conf/keystore" 
               keystorePass="XXXXXX" truststoreFile="conf/keystore" 
               keyAlias="certificate.qa" />

Tomcat throws this exception upon startup.

Nov 16, 2005 9:07:18 AM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start: 
LifecycleException:  Protocol handler start failed: java.io.IOException: Alias name certificate.qa does not identify a key entry
        at org.apache.catalina.connector.Connector.start(Connector.java:1003)
        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)

Yet a keytool -list shows that the alias specified is, indeed, valid

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

   certificate, Nov 1, 2005, keyEntry,
   Certificate fingerprint (MD5): 65:5B:79:54:E5:83:D0:81:9D:AD:F9:C1:5C:65:BF:3D
   ipgrootca, Nov 1, 2005, trustedCertEntry,
   Certificate fingerprint (MD5): 49:5A:FC:06:6B:04:7C:F7:96:6F:90:1C:E1:91:79:77
   certificate.prod, Nov 11, 2005, keyEntry,
   Certificate fingerprint (MD5): 3C:9E:3D:30:B0:7E:65:B1:A2:0E:8C:0A:22:E4:FA:69
   certificate.dev, Nov 1, 2005, keyEntry,
   Certificate fingerprint (MD5): 84:31:D2:DF:1C:28:D6:81:43:1A:D9:57:47:6E:67:AB
   zap2itlabsca, Nov 1, 2005, trustedCertEntry,
   Certificate fingerprint (MD5): C3:E3:EE:9D:6C:5C:DF:E3:F9:94:8B:9B:5E:C5:58:16
>> certificate.qa, Nov 11, 2005, keyEntry,
>> Certificate fingerprint (MD5): 8A:EF:CF:2C:B6:D8:B5:4D:AB:40:0A:C6:9B:9F:E6:FC
The problem is at line 142 of the file JSSE14SocketFactory.java:

        if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
            throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
        }

I don't believe that isKeyEntry() is the correct test in this case. I changed line 142 to read

        if (keyAlias != null && !ks.containsAlias(keyAlias)) {
            throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
        }

And compiled a new tomcat-util.jar. My tomcat instance started and selected the proper
certificate.
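A small diagnostic, added here and not part of the bug report or of Tomcat, that loads a JKS keystore and shows for each alias what the two checks discussed above (`isKeyEntry` versus `containsAlias`) return, then applies Tomcat's `isKeyEntry` test to the configured `keyAlias` and tries to recover the private key. `isKeyEntry` is the stricter and correct test: an alias that exists only as a `trustedCertEntry` would pass `containsAlias` yet has no private key for the KeyManager to serve. The class name, arguments and the assumption that the key password defaults to the keystore password are mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Enumeration;

// Hypothetical diagnostic (not Tomcat code).
// Usage: java KeystoreAliasCheck conf/keystore <keystorePass> [keyAlias] [keyPass]
public class KeystoreAliasCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreAliasCheck <keystoreFile> <keystorePass> [keyAlias] [keyPass]");
            System.exit(2);
        }
        String keystoreFile = args[0];
        char[] keystorePass = args[1].toCharArray();
        String keyAlias = args.length > 2 ? args[2] : null;
        // Assumption: the key password defaults to the keystore password, as in Tomcat's connector config.
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : keystorePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, keystorePass);
        }

        // Show what each candidate check returns for every alias in the store.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.printf("%-20s containsAlias=%-5b isKeyEntry=%-5b isCertificateEntry=%b%n",
                    alias, ks.containsAlias(alias), ks.isKeyEntry(alias), ks.isCertificateEntry(alias));
        }
        if (keyAlias == null) {
            return;
        }

        // The test JSSE14SocketFactory performs: the alias must name a key entry.
        if (!ks.isKeyEntry(keyAlias)) {
            System.out.println("Tomcat would reject '" + keyAlias + "': not a key entry"
                    + (ks.containsAlias(keyAlias) ? " (exists only as a trusted certificate)" : " (alias absent)"));
            return;
        }
        // Passing isKeyEntry is not enough: the KeyManagerFactory must also be able to
        // recover the private key with the key password, a separate failure mode.
        PrivateKey key = (PrivateKey) ks.getKey(keyAlias, keyPass);
        System.out.println("Alias '" + keyAlias + "' is a usable key entry (" + key.getAlgorithm() + ")");
    }
}
```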
Comment 1 Jerry Busser 2005-11-17 18:30:00 UTC
Sorry for the trouble. The problem must have been with my keystore. I have tested this again and could 
not replicate it.