OneClick configured for SSL displays a browser error message (this website cannot be reached). I have uncommented the Connector section in the server.xml located
under $SPECROOT/tomcat/conf and restarted Tomcat.
Release: 20.2, 21.2
Component: Spectrum OneClick
Check the Tomcat log for the following error at startup:
SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry
The alias the Connector uses (tomcatssl here) does not hold a private key entry. The signed certificate was imported into an alias that has no private key behind it, so keytool stored it as a trustedCertEntry instead of completing a PrivateKeyEntry. A trustedCertEntry can only be used to verify other parties' certificates; to serve HTTPS, Tomcat needs an entry that holds the private key, the server certificate and its chain. The [null] in the message indicates that no keyAlias was configured on the Connector, so Tomcat scanned every entry in the keystore and found no key entry at all.
To verify this, run keytool and list the entry for the alias the Connector uses:
keytool -list -v -keystore mykeystore.jks -alias tomcat
Enter keystore password:
Alias name: tomcat
Creation date: December 22, 2019
Entry type: trustedCertEntry
Ensure the server certificate is imported as a PrivateKeyEntry and not as a trustedCertEntry.
Note:
No 'Certificate chain length' line, or a chain length of 1, means that the required intermediate certificates are not imported (keytool prints the chain length only for key entries).
An 'Entry type' of 'trustedCertEntry' means that the entry holds only a certificate: there is no private key behind it.
Here is an example of the expected entry:
$ keytool -v -list -keystore ../../custom/keystore/cacerts -alias tomcatssl
Enter keystore password:
Alias name: tomcatssl
Creation date: Aug 6, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 3
Notice that the Entry type is PrivateKeyEntry and the Certificate chain length is greater than 1 (server certificate plus the issuing CA certificates).
Depending on the Certificate Authority from which you obtained the signed certificate, you may also need to import one or more intermediate certificates.
Import the CA certificates first and your own signed certificate last, and import it under the same alias that already holds the private key (the alias used for keytool -genkeypair and -certreq). Importing it under a new alias creates a trustedCertEntry and reproduces the error above.
Here is an example:
./keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file root_chain_certificate_filename
./keytool -import -alias intermediate -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file intermediate_certificate_filename
./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_certificate_filename
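The following shell script is an added example and is not part of this article or of Spectrum itself. It does two things the steps above describe: it classifies the output of keytool -list -v the way Tomcat will judge the entry (PrivateKeyEntry with a chain versus trustedCertEntry or a bare leaf), and it shows the import order, CA certificates first and the signed certificate last under the alias that holds the private key. The keystore name, the changeit password, the tomcatssl alias, the host name oneclick.example.com and the throw-away "Demo" CA built with openssl are all assumptions for the demonstration; -importcert is the same keytool command as -import on this page.

```shell
#!/bin/sh
# Added example (not from the KB article or from Spectrum): check a keystore
# alias the way Tomcat does, and show the import order that yields a
# PrivateKeyEntry with its full chain. Names, passwords and the Demo CA are
# assumptions made for this demonstration.

# classify_listing reads `keytool -list -v -alias <alias>` output on stdin and
# prints a verdict (also returned as the exit status):
#   OK (0)        PrivateKeyEntry with chain length > 1
#   NO_CHAIN (2)  PrivateKeyEntry but only the leaf certificate is present
#   NO_KEY (3)    trustedCertEntry: no private key, Tomcat cannot serve TLS
#   MISSING (1)   alias not present in the keystore
classify_listing() {
    listing=$(cat)
    entry=$(printf '%s\n' "$listing" | sed -n 's/^Entry type: *//p' | head -n 1)
    chain=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: *//p' | head -n 1)
    case "$entry" in
        PrivateKeyEntry)
            # keytool prints the chain length only for key entries
            if [ "${chain:-1}" -gt 1 ]; then echo OK; return 0; fi
            echo NO_CHAIN; return 2 ;;
        trustedCertEntry) echo NO_KEY; return 3 ;;
        *) echo MISSING; return 1 ;;
    esac
}

# check_alias <keystore> <alias> <storepass>: run keytool and classify the entry.
check_alias() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null | classify_listing
}

# import_chain <keystore> <storepass> <alias> <root.crt> <int.crt> <server.crt>
# CA certificates go in under their own aliases; the signed server certificate
# goes in LAST, under the alias that already holds the private key, so keytool
# treats it as a certificate reply and completes the PrivateKeyEntry.
import_chain() {
    ks=$1; pass=$2; alias=$3
    keytool -importcert -noprompt -trustcacerts -alias root -file "$4" \
        -keystore "$ks" -storepass "$pass"
    keytool -importcert -noprompt -trustcacerts -alias intermediate -file "$5" \
        -keystore "$ks" -storepass "$pass"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$6" \
        -keystore "$ks" -storepass "$pass"
}

# demo: build a throw-away two-level CA with openssl (constructed for this
# example), have the intermediate sign the server certificate, import the
# chain and verify the entry. Runs only when keytool and openssl are on PATH.
demo() {
    work=$(mktemp -d) && cd "$work" || return 1
    ks=cacerts; pass=changeit; alias=tomcatssl
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout int.key -out int.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    openssl x509 -req -days 365 -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out int.crt 2>/dev/null
    # the private key is generated inside the keystore under the final alias
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
        -dname 'CN=oneclick.example.com' -keystore "$ks" -storepass "$pass" -keypass "$pass"
    keytool -certreq -alias "$alias" -file server.csr -keystore "$ks" -storepass "$pass"
    openssl x509 -req -days 365 -in server.csr -CA int.crt -CAkey int.key \
        -CAcreateserial -out server.crt 2>/dev/null
    import_chain "$ks" "$pass" "$alias" root.crt int.crt server.crt >/dev/null
    check_alias "$ks" "$alias" "$pass"      # prints OK: PrivateKeyEntry, chain length 3
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run check_alias against $SPECROOT/custom/keystore/cacerts before restarting Tomcat: anything other than OK means the Connector will fail to initialize again. If the private key was given a password different from the keystore password, add -keypass to the -importcert call for the server alias and set the same value as keyPass in server.xml.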
If the alias being used is not tomcat or tomcatssl, set keyAlias (and keyPass, the password of the private key, which defaults to the keystore password) on the Connector in server.xml, for example as below. Because keystorePass and keyPass are stored in clear text, restrict read access to server.xml and to the keystore file to the account that runs Tomcat.
<Connector
port="8443"
enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
keystoreFile="C:/win32app/Spectrum/custom/keystore/cacerts"
keystorePass="changeit"
keyAlias="<alias-name>" keyPass="<password>">
</Connector>