Tomcat 7 and invalid keystore format

Question

I'm trying to connect to Tomcat through https on a remote server; I've found many answers, but no one has worked for me; I'm using Apache, Tomcat 7 on Ubuntu Server 14.04.

First, I created the certificate keystore writing:

keytool -genkey -alias tomcat -keyalg RSA

after I' ve edited "/etc/tomcat7/server.xml" to use ssl on port 8443:

<Connector port="8443" SSLEnabled="true"
                protocol="org.apache.coyote.http11.Http11Protocol"
                keystoreType="JKS"
               maxThreads="150" scheme="https" secure="true"
                keystoreFile="/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool"
                keystorePass="***********" keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS"/>

where ********** is the password; restarting Tomcat through:

sudo service tomcat7 restart

I'm getting the following error in file "/var/log/tomcat7/catalina.out":

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1214)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:291)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:549)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:434)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:397)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    ... 13 more

The keystore type is JKS, I've verified it through the command:

$JAVA_HOME/bin/keytool -list

which has returned:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, 17-Oct-2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 33:14:32:DD:DA:20:BF:CF:70:32:F5:0E:E9:F1:C1:5B:4E:C3:DB:AB

where $JAVA_HOME is "/usr/lib/jvm/java-7-openjdk-amd64";

So when I try to connect to "https://myServerIp:8443/" or to "https://myDomainName:8443/" I get "Unable to connect" error.

`keytool` is the program that is used for managing key stores so I guess the path for the key store file (`/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool`) in your tomcat configuration is incorrect. — Titus, Oct 18 '15 at 10:14
@Titus if I run `/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool -list` (which is the same of writing `$JAVA_HOME/bin/keytool -list` ) it gives me the data at the bottom of the question, does it mean that this is a correct keystore file? — Daniele, Oct 18 '15 at 10:32
On Linux system the keystore file is save by default in the user's home folder `/home/userName/.keystore` — Titus, Oct 18 '15 at 10:33
when you call `keytool -list` the `keytool` program will read that file (`.keystore`) — Titus, Oct 18 '15 at 10:35
Now i've tried to specify the path using `keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/lib/jvm/java-7-openjdk-amd64/bin/keytool` but it has returned 'keytool error: java.io.IOException: Invalid keystore format', i've looked for '/home/userName/.keystore' but i haven't this file, in /home/ directory i've only an empty folder "lost+found" — Daniele, Oct 18 '15 at 10:48
`.keystore` starts with `.` so it is a hidden file. The command should be `keytool -genkey -alias tomcat -keyalg RSA -keystore /home/userName/.keystore`. Like I've said, `keytool` is a program (not a key sore) and `.keysotre` is the file that contains the keys (the key store). — Titus, Oct 18 '15 at 11:09

score 1 · Answer 1 · edited Nov 16 '17 at 08:21

enter image description here

just to further support this answer for beginners like me. On Windows OS

First go to C:\Program Files\Java\jdk1.8, Press Shift + right-click to open command pront: write this keytool.exe -genkey -alias tomcat -keyalg RSA -keystore /{user.name}/.keystore, A sequence of question will then follow after that you will see a new .keytore generated at the specify path
Now you need to go to server.xml and modify this two keystoreFile="${user.home}/.keystore" keystorePass="changeit" with the appropriate one.

score 0 · Answer 2 · answered Oct 18 '15 at 12:19

Now it works correctly, in short:

I specified the path of the .keystore file
I configured Tomcat to use this file

Thanks to @Titus I've understood where the problem was: when I run the command

keytool -genkey -alias tomcat -keyalg RSA

or the command

$JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias tomcat

the program keytool create a file .keystore in a folder of the server; the directory /usr/lib/jvm/java-7-openjdk-amd64/jre/bin contains a file named keystore, but this file is not correct to setup tomcat or for some reason it doesn't work in my case. To specify the path of the file .keystore we can run the command

keytool -genkey -alias tomcat -keyalg RSA -keystore /path/.keystore

and after that I've configured Tomcat editing the file /etc/tomcat7/server.xml with the file just created:

<Connector port="8443" SSLEnabled="true"
                protocol="org.apache.coyote.http11.Http11Protocol"
                keystoreType="JKS"
               maxThreads="150" scheme="https" secure="true"
                keystoreFile="/path/.keystore"
                keystorePass="************" keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS"/>

You still have not understood. The `bin` directory does *not* contain a keystore. It contains an *executable file* called`keytool`, which isn't a keystore. The `.keystore` file *generated by* the keytool is the keystore. — user207421, Jan 27 '18 at 23:26
As commented [here](https://stackoverflow.com/a/26071504) there could be a 'filtering' problem when the keystore is treated as text rather than binary. Set resource's `false` in your `maven-resources-plugin` (see e.g. [here](https://stackoverflow.com/a/19502504)), or use `` rather than `` in your `maven-cargo-plugin` (see https://codehaus-cargo.github.io/cargo/Configuration+files+option.html) — krevelen, Mar 14 '18 at 08:15

Tomcat 7 and invalid keystore format

2 Answers2

Linked