
Trying to set up SSL in Tomcat 9 using JDK 10 on Windows 10. When I follow an online tutorial to create a Java keystore using the default password of 'changeit', everything works fine and Tomcat starts with no errors. But if I create a keystore using a keystore password other than 'changeit', Tomcat throws this error:

Caused by: java.lang.IllegalArgumentException: keystore password was incorrect

This is the command to create a keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\certificates\tomcatkeystore

This is the SSL connector that works.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     type="RSA" clientAuth="false" sslProtocol="TLS" keystorePass="changeit" />
    </SSLHostConfig>
</Connector>

SSL connector that does not work.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     type="RSA" clientAuth="false" sslProtocol="TLS" keystorePass="testing" />
    </SSLHostConfig>
</Connector>

Why does following exactly the same steps as above, but changing to a different keystore password and specifying it in server.xml, generate the above Tomcat error?

NOTE: one thing I noticed in both cases is that the keytool command never prompts me for the 'key password' like many online examples show. Is there a different keytool command I need when using a password other than the default 'changeit'?

Thanks.

Marquinio
    (1) if you use a different password consistently on creation and in the config it should work; does `keytool -list -keystore $file` with that password work? (2) until recently Java defaulted to JKS format which uses separate 'keystore' and 'key' passwords, but Java9 and 10 default to PKCS12 format which (as implemented) does not, so now you are not prompted for the 'key' password unless you specify `-storetype JKS` or JCEKS, or BKS using BC provider, and then you'll get a warning that you should upgrade to PKCS12(!) – dave_thompson_085 Aug 04 '18 at 00:36
  • Yeah -list works fine after creating the keystore. I also tried changing the keystore password but still same problem and -list just to make sure but still Tomcat throws same error. – Marquinio Aug 05 '18 at 17:58

1 Answer


OK, I was able to solve this. My problem was that I was using the wrong connector attribute to specify the keystore password. In my example I was using "keystorePass" and the correct one should be "certificateKeystorePassword". Maybe I missed it in the logs, but Tomcat didn't seem to be throwing an appropriate error like 'bad attribute for connector', which would have been useful.

It seems like Tomcat has different connectors, so you have to use the correct ones:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

svarog
Marquinio
  • Thanks for sharing this. Such a simple thing, but I was also stuck because of that. Honestly, there are too many variants of documentation lying around, so it's easy to misplace or confuse the attributes. – will824 Jan 09 '20 at 19:43
  • I got an error saying that the password for the file named '.keystore' was invalid. Clearly only an idiot like me would think that "keystorePass" was the correct XML attribute to use in specifying the password to a file by default named '.keystore'! Especially as there is countless documentation for my version of Tomcat (9) saying this is *exactly what it is for* – user1445967 Jan 14 '20 at 17:43
  • A warning with content `Match [] failed to set property [] to []` is sent **before** the entries generated by the `VersionLoggerListener`, so it is easy to miss. – Piotr P. Karwasz Apr 29 '21 at 08:51
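The corrected connector, written out as an added example that is not part of the original question or answer. The keystore path, alias "tomcat" and password "testing" are taken from the question; the PKCS12 store type (the keytool default on Java 9+, as noted in the comments) and the TLS protocol list are assumptions for this example.

```xml
<!-- Added example. Assumes the keystore was created with
     keytool -genkeypair -alias tomcat -keyalg RSA -keystore C:\certificates\tomcatkeystore
     on Java 9+ (PKCS12 by default) with the store password "testing".
     Both values are placeholders taken from the question. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <!-- In Tomcat 9 the protocol list lives on SSLHostConfig, not on Certificate.
         Restricting to TLS 1.2/1.3 is an assumption of this example. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <!-- certificateKeystorePassword is the attribute Tomcat 9 reads on Certificate.
             keystorePass, clientAuth and sslProtocol are not Certificate attributes:
             they are ignored here, so Tomcat falls back to the default password
             "changeit", which is why only that password appeared to work. -->
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     certificateKeystoreType="PKCS12"
                     certificateKeyAlias="tomcat"
                     certificateKeystorePassword="testing"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Two checks are worth doing before restarting Tomcat. First, confirm the password against the file itself with `keytool -list -keystore C:\certificates\tomcatkeystore -storepass testing` (the same `-list` check suggested in the comments). Second, after startup, search catalina.<date>.log for `failed to set property`: as Piotr P. Karwasz notes above, a misspelled attribute such as `keystorePass` is only reported as a warning of the form `Match [...] failed to set property [keystorePass] to [testing]`, logged before the VersionLoggerListener lines, so it is easy to scroll past.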