[CentOS] CentOS 5 (beta): tomcat/keystore issue
heinlein at madboa.com
Wed Mar 21 18:45:10 UTC 2007
I (somewhat sadly, imo) need to run Tomcat/SSL on a public-facing
machine at work. I was really, really hoping I could use the
GCJ-compiled version of Tomcat supplied in the base repository.
I can't get Tomcat to read a Java keystore created with the keytool
utility provided (in java-1.4.2-gcj-compat-184.108.40.206-40jpp.110).
The Sun and GNU keytools produce different keystores. I'll use the
Tomcat nomenclature to describe the differences. Obviously, I'm
looking for the correct "algorithm" (i.e., certificate signing
Toolset keystoreType algorithm
------- ------------ ---------
Sun JKS SunX509
GNU GKR ???
The Tomcat that ships with CentOS 4.92 defaults to assuming
keystoreType="JKS" and algorithm="SunX509" so that in
/etc/tomcat5/server.xml the Connector tag will assume those values,
<Connector port="8443" maxHttpHeaderSize="8192" [....]
scheme="https" secure="true" sslProtocol="TLS"
keystoreType="JKS" algorithm="SunX509" />
With those settings -- either implicitly (since they're the default)
or explicitly -- Tomcat fails to start an SSL listener. The
catalina.out log reports:
SEVERE: Exception trying to load keystore /path/to/keystore
If I set keystoreType="gkr", the error changes:
SEVERE: Error initializing endpoint
I've taken some wild stabs at guessing the algorithm string ("X.509",
"X509", "GnuX509", "GNU-CRYPTOX509", and some others), to no avail.
My keystore seems to be valid, since "keytool -list" run against it
produces the expected output.
My google-foo has failed me completely. Help, anyone?
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
More information about the CentOS