Bug 56021 - SSL connector using windows-my keystore
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Connectors
Version: 7.0.50
Hardware: PC All
Importance: P2 enhancement
Assigned To: Tomcat Developers Mailing List
Reported: 2014-01-16 19:37 UTC by Asanka
Modified: 2014-12-18 11:33 UTC (History)
Description Asanka 2014-01-16 19:37:09 UTC
Was trying to configure SSL on tomcat 7 to use the Windows-MY keystore (provider that wraps the MSCAPI to access certificates in the keystore of Windows cert manager) but didn't get it to work. Tomcat startup fails to load the connector since it looks for an empty file for the keystore inside the catalina_home directory.

But I got it working with a small code change in the org.apache.tomcat.util.net.AbstractEndpoint.adjustRelativePath() method. When the Windows-MY keystore is used there is no physical keystore file. To be able to pass in an empty value for the keyStoreFile in the connector, I added a check for a non-empty path before adjusting the path.

    public String adjustRelativePath(String path, String relativeTo) {
        String newPath = path;
        // Skip path resolution entirely for an empty keystoreFile: MSCAPI
        // keystores such as Windows-MY are not backed by a file, so there is
        // nothing to resolve against CATALINA_BASE and nothing to warn about.
        if (!"".equalsIgnoreCase(newPath)) {
            File f = new File(newPath);
            // Relative paths are resolved against the supplied base directory.
            if ( !f.isAbsolute()) {
                newPath = relativeTo + File.separator + newPath;
                f = new File(newPath);
            }
            // Only warn; the real failure surfaces later when the keystore is opened.
            if (!f.exists()) {
                getLog().warn("configured file:["+newPath+"] does not exist.");
            }
        }
        return newPath;
    }

java version "1.7.0_07"

To reproduce (on windows):
1. Install a cert into the Windows cert manager (Start > Run > certmgr.msc).
2. Configure the SSL connector with the cert alias (the 'Issued To' column value of the cert in certmgr):
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keyAlias="ssl.cert.alias"
               keystoreFile=""
               keystoreType="Windows-My"
               clientAuth="false" sslProtocol="TLS" />
3. Start tomcat

The fix has been tested on windows 7 and windows server 2012.
Comment 1 Mark Thomas 2014-01-19 20:02:24 UTC
Thanks for the report and the suggested fix.

I applied a slightly different patch that allowed some additional code clean-up.

The patch has been applied to 8.0.x for 8.0.0 onwards and to 7.0.x for 7.0.51 onwards.

Thanks again for your support of the Apache Tomcat community.
Comment 2 joakim_ganse 2014-12-17 13:56:03 UTC
Does this work now? And how do I set it up?

My current setup is on Windows 2012 R2 with Tomcat 7.0.55.
Tomcat is installed as a service.
I have verified that the certificate exists in the windows cert manager.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               KeyAlias="server.my.domain"
               keystoreFile=""
               keystoreType="Windows-MY"
               />

Error:
2014-12-17 14:45:14,306 [main] INFO  org.apache.coyote.http11.Http11Protocol- Initializing ProtocolHandler ["http-bio-8180"]
2014-12-17 14:45:14,322 [main] INFO  org.apache.coyote.http11.Http11NioProtocol- Initializing ProtocolHandler ["http-nio-443"]
2014-12-17 14:45:14,759 [main] ERROR org.apache.coyote.http11.Http11NioProtocol- Failed to initialize end point associated with ProtocolHandler ["http-nio-443"]
java.io.IOException: Alias name server.my.domain does not identify a key entry
Comment 3 Asanka 2014-12-18 11:33:03 UTC
1. Make sure you have the correct keyAlias; the following openssl command should show the alias as the common name (CN): openssl pkcs12 -info -in filename.pfx
2. The certificate needs to be installed into the LocalMachine\My store if the Tomcat service runs with "Log on as" Local System. The CurrentUser\My store is not accessible from other user accounts. You can use PowerShell to install and verify the cert in the LocalMachine\My store.
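The error in comment 2 and the two checks in comment 3 both come down to what the SunMSCAPI provider hands back for a given alias. The following is an added diagnostic, not Tomcat code and not posted by anyone on this bug: it opens the Windows-MY keystore the way the connector does (no file, hence keystoreFile="" and the adjustRelativePath change above), lists what the store contains, and applies the same "key entry" condition that produces "Alias name ... does not identify a key entry". It assumes a JVM on Windows with the SunMSCAPI provider; the default alias "server.my.domain" is the one from comment 2 and the WindowsMyKeyStoreCheck class name is my own. Run it under the same account the Tomcat service uses, because Windows-MY opens the personal store of the calling account, which is the point of comment 3, step 2.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Added example (not Tomcat code): reproduce the connector's keystore checks
// against the Windows-MY store so a failing keyAlias can be diagnosed before
// editing server.xml.
public class WindowsMyKeyStoreCheck {

    // Open the Windows personal store of the current account. There is no file
    // and no password, which is why keystoreFile="" is the right setting.
    public static KeyStore openWindowsMy() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        return ks;
    }

    // One line per entry: alias, whether a private key is accessible, subject.
    // Works for any KeyStore type, not only Windows-MY.
    public static List<String> describeEntries(KeyStore ks) throws KeyStoreException {
        List<String> out = new ArrayList<String>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            out.add(alias + " | keyEntry=" + ks.isKeyEntry(alias) + " | " + subject);
        }
        return out;
    }

    // Returns null when the alias would be accepted by an SSL connector,
    // otherwise the reason it would be rejected.
    public static String checkKeyAlias(KeyStore ks, String alias) throws KeyStoreException {
        if (!ks.containsAlias(alias)) {
            // Aliases come from the certificate (friendly name / CN), so a typo
            // or a cert installed into a different store shows up here.
            return "alias not found; store contains " + Collections.list(ks.aliases());
        }
        // This is the condition behind the error in comment 2: the alias maps
        // to a certificate with no accessible private key (CA cert, or a cert
        // imported without its key), which is useless as a server identity.
        if (!ks.isKeyEntry(alias)) {
            return "alias does not identify a key entry (no private key)";
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            Date now = new Date();
            if (now.before(x.getNotBefore()) || now.after(x.getNotAfter())) {
                return "certificate is outside its validity period";
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Alias from comment 2; override on the command line.
        String alias = args.length > 0 ? args[0] : "server.my.domain";
        KeyStore ks = openWindowsMy();
        System.out.println("Entries visible to " + System.getProperty("user.name") + ":");
        for (String line : describeEntries(ks)) {
            System.out.println("  " + line);
        }
        String problem = checkKeyAlias(ks, alias);
        System.out.println(problem == null
                ? "keyAlias \"" + alias + "\" is usable for an SSL connector"
                : "keyAlias \"" + alias + "\" would be rejected: " + problem);
    }
}
```

If the listing shows the certificate with keyEntry=false, the private key was not imported with it (re-import the .pfx with the key marked exportable or at least present); if the alias is absent altogether while certmgr.msc shows it, you are most likely looking at a different account's store than the service uses.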