[CentOS] CentOS 5 (beta): tomcat/keystore issue

Wed Mar 21 18:45:10 UTC 2007
Paul Heinlein <heinlein at madboa.com>

I (somewhat sadly, imo) need to run Tomcat/SSL on a public-facing 
machine at work. I was really, really hoping I could use the 
GCJ-compiled version of Tomcat supplied in the base repository.

I can't get Tomcat to read a Java keystore created with the keytool 
utility provided (in java-1.4.2-gcj-compat-1.4.2.0-40jpp.110).

The Sun and GNU keytools produce different keystores. I'll use the 
Tomcat nomenclature to describe the differences. Obviously, I'm 
looking for the correct "algorithm" (i.e., certificate signing 
algorithm) setting:

   Toolset  keystoreType  algorithm
   -------  ------------  ---------
   Sun      JKS           SunX509
   GNU      GKR           ???

The Tomcat that ships with CentOS 4.92 defaults to assuming 
keystoreType="JKS" and algorithm="SunX509" so that in 
/etc/tomcat5/server.xml the Connector tag will assume those values, 
e.g.,

   <Connector port="8443" maxHttpHeaderSize="8192" [....]
              scheme="https" secure="true" sslProtocol="TLS"
              keystoreType="JKS" algorithm="SunX509" />

With those settings -- either implicitly (since they're the default) 
or explicitly -- Tomcat fails to start an SSL listener. The 
catalina.out log reports:

   SEVERE: Exception trying to load keystore /path/to/keystore
   java.security.KeyStoreException: JKS

If I set keystoreType="gkr", the error changes:

   SEVERE: Error initializing endpoint
   java.io.IOException: SunX509

I've taken some wild stabs at guessing the algorithm string ("X.509", 
"X509", "GnuX509", "GNU-CRYPTOX509", and some others), to no avail.

My keystore seems to be valid, since "keytool -list" run against it 
produces the expected output.

My google-foo has failed me completely. Help, anyone?

-- 
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
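An added example (mine, not from the original post or from the Tomcat/CentOS projects): a small Python check that inspects a keystore file's header, so you can confirm whether the file keytool wrote is actually a Sun JKS keystore before Tomcat is pointed at it with keystoreType="JKS". It assumes the documented JKS on-disk layout (magic 0xFEEDFEED, version, entry count, then entries); a GNU GKR keystore has a different header, the sample bytes are constructed, and the function and constant names are mine.

```python
import struct

JKS_MAGIC = 0xFEEDFEED  # header of a Sun/Oracle "JKS" keystore (4 bytes, big-endian)

def _read_utf(buf, off):
    """Java DataInput.readUTF(): 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def sniff_keystore(data):
    """Return (format, [alias:kind, ...]). Walks the JKS entry list just far
    enough to recover aliases; any other magic (GNU GKR, PKCS#12 DER, ...)
    is reported as 'not-JKS' so the caller knows keystoreType="JKS" cannot work."""
    if len(data) < 12 or struct.unpack_from(">I", data)[0] != JKS_MAGIC:
        return ("not-JKS", [])
    version, count = struct.unpack_from(">iI", data, 4)
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    off, aliases = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">i", data, off); off += 4
        alias, off = _read_utf(data, off)
        off += 8                                   # creation time (Java long, ms)
        if tag == 1:                               # PrivateKeyEntry: key blob + chain
            (klen,) = struct.unpack_from(">I", data, off); off += 4 + klen
            (chain,) = struct.unpack_from(">I", data, off); off += 4
        elif tag == 2:                             # trustedCertEntry: one cert
            chain = 1
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
        for _ in range(chain):
            _ctype, off = _read_utf(data, off)     # certificate type, e.g. "X.509"
            (clen,) = struct.unpack_from(">I", data, off); off += 4 + clen
        aliases.append(f"{alias}:{'PrivateKeyEntry' if tag == 1 else 'trustedCertEntry'}")
    return ("JKS", aliases)

# Constructed sample (not a real keystore): JKS v2, one trusted-cert entry named
# "tomcat" holding placeholder DER bytes, followed by a zeroed 20-byte SHA-1 trailer.
_CERT = b"\x30\x03\x02\x01\x00"
SAMPLE_JKS = (struct.pack(">IiI", JKS_MAGIC, 2, 1)
              + struct.pack(">iH", 2, 6) + b"tomcat" + struct.pack(">q", 1174502710000)
              + struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(_CERT)) + _CERT
              + b"\x00" * 20)
# A DER-encoded PKCS#12 file begins with an ASN.1 SEQUENCE tag (0x30), never 0xFEEDFEED.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 8
```

Run against the keystore from the post, this tells you whether the GCJ keytool wrote JKS or something else; it says nothing about which algorithm string the GNU provider expects.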