OneClick SSL webpage is not displayed

Article ID: 143250
Products

CA Spectrum DX NetOps

Issue/Introduction

OneClick configured for SSL displays an error message (this website cannot be reached). I have uncommented the connector section in the server.xml located under $SPECROOT/tomcat/conf and restarted tomcat.

Environment

Release: Any Version

Component : Spectrum OneClick

Cause

Check the tomcat log for the following error:

SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry


The certificate imported under the tomcatssl alias is the wrong kind of keystore entry.

The keystore holds no private key for that alias: the certificate was imported as a TrustedCertEntry instead of a PrivateKeyEntry, so Tomcat has nothing to use as the server key.

To verify this, run keytool and list the entry for the alias:

keytool -list -v -keystore mykeystore.jks -alias tomcat
Enter keystore password:
Alias name: tomcat
Creation date: December 22, 2019
Entry type: trustedCertEntry

Ensure the certificate is imported as a PrivateKeyEntry and not as a trustedCertEntry.

Note:
No 'Certificate chain length' line means that the required intermediate certificates are not imported.
An 'Entry type' of 'trustedCertEntry' means that the private key has not been imported together with the certificate.


Here is an example of the expected entries:

$ keytool -v -list -keystore ../../custom/keystore/cacerts -alias tomcatssl
Enter keystore password:
Alias name: tomcatssl
Creation date: Aug 6, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 3

Notice that the Entry type is PrivateKeyEntry and the Certificate chain length is greater than 1 (the server certificate plus its intermediate and root certificates).
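The two checks above can be automated. The following POSIX sh function is an added example, not part of the original article: it reads the output of keytool -list -v and fails the alias when the entry is not a PrivateKeyEntry or when no intermediate certificates are present. The wrapper function and its parameter names are assumptions; it expects keytool on the PATH.

```shell
#!/bin/sh
# Checks keytool -list -v output for a server-certificate alias, applying the
# article's two rules: the entry must be a PrivateKeyEntry (a trustedCertEntry
# has no private key and produces "Alias name [null] does not identify a key
# entry"), and the chain length must be greater than 1 so that the intermediate
# certificates are present. Reads keytool output on stdin; returns 0 when the
# alias is usable by Tomcat, 1 otherwise.
check_keytool_output() {
    out=$(cat)
    entry=$(printf '%s\n' "$out" | sed -n 's/^Entry type: *//p' | head -n 1)
    chain=$(printf '%s\n' "$out" | sed -n 's/^Certificate chain length: *//p' | head -n 1)
    rc=0
    case "$entry" in
        PrivateKeyEntry) ;;
        trustedCertEntry)
            echo "FAIL: entry is trustedCertEntry; the private key was not imported with the certificate"
            rc=1 ;;
        "")
            echo "FAIL: no 'Entry type' line; alias not found in the keystore"
            rc=1 ;;
        *)
            echo "FAIL: unexpected entry type '$entry'"
            rc=1 ;;
    esac
    if [ -z "$chain" ]; then
        echo "FAIL: no 'Certificate chain length' line; intermediate certificates are not imported"
        rc=1
    elif [ "$chain" -lt 2 ]; then
        echo "FAIL: chain length is $chain; intermediate certificates are missing"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: PrivateKeyEntry with certificate chain length $chain"
    fi
    return "$rc"
}

# Assumed wrapper: runs keytool against a real keystore and pipes the result
# into the checker. Usage: check_keystore_alias <keystore> <alias> <storepass>
check_keystore_alias() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>&1 | check_keytool_output
}
```

Running check_keystore_alias against $SPECROOT/custom/keystore/cacerts with the tomcatssl alias before restarting Tomcat reproduces the manual check above.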

Resolution

Depending on the Certificate Authority from which you obtained the signed certificate, you may also need to import the intermediate certificate.

Your certificate must be imported last.

Here is an example:

./keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file root_chain_certificate_filename

./keytool -import -alias intermediate -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file intermediate_certificate_filename

./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_certificate_filename


Another scenario: import the private key together with its certificate as a key pair from a PKCS12 (PFX) file.

a) Run this command to list the content of the PFX file:

keytool -list -keystore <PFX_file_here>

b) Restore the OOB (Out Of the Box) cacerts file (if needed).

1. Rename the cacerts file under $SPECROOT/custom/keystore to cacerts.orig
2. Copy the cacerts file from $SPECROOT/Java/jre/lib/security to the $SPECROOT/custom/keystore directory

c) Import the CA-signed certificate and its private key from the PFX file into the keystore:

keytool -v -importkeystore -srckeystore <PFX_file_here> -srcstoretype PKCS12 -destkeystore $SPECROOT/custom/keystore/cacerts -deststoretype JKS

If the alias of the imported entry is 1 (or anything other than tomcatssl), change it.

d) Change the alias from 1 to tomcatssl in the destination keystore (the entry now lives in cacerts, not in the PFX file):

keytool -changealias -alias 1 -destalias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts

e) Confirm the certificate was successfully imported:

keytool -list -keystore $SPECROOT/custom/keystore/cacerts -alias tomcatssl

keytool -list -keystore $SPECROOT/custom/keystore/cacerts | grep PrivateKeyEntry

f) Then import the Root certificate:

keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <Root_File_Here>

g) Stop/start the Spectrum Tomcat service.

Additional Information

If the alias being used is not tomcat or tomcatssl, add the keyAlias and keyPass parameters to the connector in server.xml, replacing <alias-name> and <password> with your own values:

 <Connector
           port="8443"
           enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
           acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
           keystoreFile="C:/win32app/Spectrum/custom/keystore/cacerts"
           keystorePass="changeit"
           keyAlias="<alias-name>" keyPass="<password>">
     </Connector>