See https://bugs.openjdk.java.net/browse/JDK-8157404

If the key store is loaded non-locally, it is possible that initialisation fails with "not all indef len BER resolved". This is due to a limitation in OpenJDK where the whole contents need to be available in the stream when it is passed to the JDK keystore. The current workaround is to load the stream yourself into a ByteArrayInputStream and pass it through as an InputStream.

Tested with Tomcat 8.0.54, but the code is the same on 9.0.x.

Stack trace (from Faragó, Tamás):

Caused by: java.io.IOException: not all indef len BER resolved
    at sun.security.util.DerIndefLenConverter.convert(DerIndefLenConverter.java:340)
    at sun.security.util.DerValue.init(DerValue.java:402)
    at sun.security.util.DerValue.<init>(DerValue.java:332)
    at sun.security.util.DerValue.<init>(DerValue.java:345)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1938)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:159)
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    ... 65 common frames omitted
While we generally don't work around JVM bugs, this one was reported back in 2016 and it doesn't look like there is much likelihood that it will be fixed.
Hmm. It is a ~two line patch for us which we'd need to apply in 3 places (or provide a utility function, which might even be more code). I'll ping our Oracle contacts and see if we can get a fix for this bumped up the priority list. I'll look into a patch.
Fixed in:
- trunk for 9.0.17 onwards
- 8.5.x for 8.5.39 onwards
- 7.0.x for 7.0.94 onwards
Note: The Java fix is in JDK13 EA15 which means Tomcat will need a minimum Java version of 13 before this workaround can be removed.
We are running Tomcat 8.5.38 on z/OS 2.3. Trying to update to Tomcat 8.5.42 leads to an error when starting up Tomcat. Usage of RACF Keyrings as key- and truststore seems to be broken. It seems to me that this workaround could be the reason. Could you please help. Thx in advance.

Stack Trace:

[main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JCERACFKS] with path [safkeyring://ESRV01/ESRV01Keyring] due to [Array index out of range: 52954]
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 52954
    at java.lang.System.arraycopy(Native Method)
    at com.ibm.crypto.provider.RACFInputStream.read(Unknown Source)
    at com.ibm.crypto.provider.RACFInputStream.read(Unknown Source)
    at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:61)
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:280)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1118)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Given the initial bug only affected PKCS12 keystores, we should be able to limit the work-around to those keystores. Are you able to build Tomcat from source to test a fix?
Regression fixed in:
- master for 9.0.22 onwards
- 8.5.x for 8.5.43 onwards
- 7.0.x for 7.0.95 onwards
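The two behaviours discussed in this thread, buffering a PKCS12 stream fully before handing it to KeyStore.load (the workaround for JDK-8157404) and leaving every other keystore type on the original unbuffered path (the regression fix for provider streams such as the z/OS RACF keyring one), as an added illustration. This is not Tomcat's KeyStoreUtil code; the class and method names are hypothetical, and the sample input is a constructed empty PKCS12 store served through a stream that yields one byte per read() to stand in for a slow remote source. The trickling stream exercises the buffering path; it does not by itself reproduce the JDK parser failure.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

// Hypothetical helper, not Tomcat's own KeyStoreUtil.
public class BufferedKeyStoreLoader {

    /**
     * Loads a keystore of the given type from a stream.
     *
     * For PKCS12 the whole stream is read into memory first, because the
     * JDK's PKCS12 parser (JDK-8157404) reports "not all indef len BER
     * resolved" when indefinite-length BER data is not fully available in
     * the stream it is given.
     *
     * Every other type (for example the IBM JCERACFKS keyring type) gets the
     * caller's stream untouched: the provider's own InputStream may not
     * tolerate a large read(byte[], int, int) request, which is what broke
     * RACF keyrings when the buffering was applied to all types.
     */
    public static KeyStore load(String type, InputStream in, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        if ("PKCS12".equalsIgnoreCase(type)) {
            ks.load(new ByteArrayInputStream(readFully(in)), password);
        } else {
            ks.load(in, password);
        }
        return ks;
    }

    // Drains the stream completely; handles sources that return short reads.
    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /** Constructed test stream: hands back at most one byte per read() call. */
    static final class TricklingInputStream extends FilterInputStream {
        TricklingInputStream(InputStream in) {
            super(in);
        }

        @Override
        public int read(byte[] b, int off, int len) throws IOException {
            return len == 0 ? 0 : super.read(b, off, 1);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();

        // Constructed sample input: an empty PKCS12 store serialised in memory.
        KeyStore src = KeyStore.getInstance("PKCS12");
        src.load(null, null);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        src.store(bytes, pw);

        InputStream slow = new TricklingInputStream(
                new ByteArrayInputStream(bytes.toByteArray()));
        KeyStore loaded = load("PKCS12", slow, pw);
        System.out.println("loaded " + loaded.getType()
                + " store with " + loaded.size() + " entries");
    }
}
```

The type check is the whole of the regression fix: the buffering is a work-around for one parser in the JDK, so it should only ever run for the keystore type that parser handles, and provider-backed types keep exactly the read pattern their provider was written against.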
Sorry, I hadn't noticed your comment, Mark, because I waited for a notification from Bugzilla. Next time I'll do it better. Tested now with 8.5.47 and it works again using RACF Keyrings. Thank you very much.

That's great, thank you.