Tomcat 7 and invalid keystore format

问题:

I'm trying to connect to Tomcat through https on a remote server; I've found many answers, but no one has worked for me; I'm using Apache, Tomcat 7 on Ubuntu Server 14.04.

First, I created the certificate keystore writing:

keytool -genkey -alias tomcat -keyalg RSA 

after I' ve edited "/etc/tomcat7/server.xml" to use ssl on port 8443:

<Connector port="8443" SSLEnabled="true"                 protocol="org.apache.coyote.http11.Http11Protocol"                 keystoreType="JKS"                maxThreads="150" scheme="https" secure="true"                 keystoreFile="/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool"                 keystorePass="***********" keyAlias="tomcat"                clientAuth="false" sslProtocol="TLS"/> 

where ********** is the password; restarting Tomcat through:

sudo service tomcat7 restart 

I'm getting the following error in file "/var/log/tomcat7/catalina.out":

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)     at org.apache.catalina.startup.Catalina.load(Catalina.java:638)     at org.apache.catalina.startup.Catalina.load(Catalina.java:663)     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)     at java.lang.reflect.Method.invoke(Method.java:606)     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)     ... 12 more Caused by: java.io.IOException: Invalid keystore format     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)     at java.security.KeyStore.load(KeyStore.java:1214)     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:291)     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:549)     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:434)     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:397)     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)     ... 13 more 

---

The keystore type is JKS, I've verified it through the command:

$JAVA_HOME/bin/keytool -list 

which has returned:

Keystore type: JKS Keystore provider: SUN  Your keystore contains 1 entry  tomcat, 17-Oct-2015, PrivateKeyEntry, Certificate fingerprint (SHA1): 33:14:32:DD:DA:20:BF:CF:70:32:F5:0E:E9:F1:C1:5B:4E:C3:DB:AB 

where $JAVA_HOME is "/usr/lib/jvm/java-7-openjdk-amd64";

So when I try to connect to "https://myServerIp:8443/" or to "https://myDomainName:8443/" I get "Unable to connect" error.

回答1:

just to further support this answer for beginners like me. On Windows OS

1. First go to C:\Program Files\Java\jdk1.8, Press Shift + right-click to open command pront: write this keytool.exe -genkey -alias tomcat -keyalg RSA -keystore /{user.name}/.keystore, A sequence of question will then follow after that you will see a new .keytore generated at the specify path

2. Now you need to go to server.xml and modify this two keystoreFile="${user.home}/.keystore" keystorePass="changeit" with the appropriate one.

回答2:

Now it works correctly, in short:

• I specified the path of the .keystore file
• I configured Tomcat to use this file

---

Thanks to @Titus I've understood where the problem was: when I run the command

keytool -genkey -alias tomcat -keyalg RSA 

or the command

$JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias tomcat 

the program keytool create a file .keystore in a folder of the server; the directory /usr/lib/jvm/java-7-openjdk-amd64/jre/bin contains a file named keystore, but this file is not correct to setup tomcat or for some reason it doesn't work in my case. To specify the path of the file .keystore we can run the command

keytool -genkey -alias tomcat -keyalg RSA -keystore /path/.keystore 

and after that I've configured Tomcat editing the file /etc/tomcat7/server.xml with the file just created:

<Connector port="8443" SSLEnabled="true"                 protocol="org.apache.coyote.http11.Http11Protocol"                 keystoreType="JKS"                maxThreads="150" scheme="https" secure="true"                 keystoreFile="/path/.keystore"                 keystorePass="************" keyAlias="tomcat"                clientAuth="false" sslProtocol="TLS"/> 

文章来源: Tomcat 7 and invalid keystore format