3 Replies Latest reply on Mar 21, 2008 1:09 PM by asoldano

    SSL and native libraries

    fastbob Mar 5, 2008 1:14 AM

      Hopefully I have the correct forum section. While I've researched the issue a bit, I can't claim to fully understand what's going on.

      On Windows XP, using JBoss 4.2.2 (no modifications) and Sun jdk 1.6, we enabled SSL by uncommenting the SSL connector in service.xml:

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 address="${jboss.bind.address}" maxThreads="100"
 scheme="https" secure="true" clientAuth="false"
 keystoreFile="${jboss.server.home.dir}/conf/my.keystore"
 keystorePass="something" sslProtocol = "TLS" />

      This seemed to be handled fine during startup - no native library found but startup continued and SSL worked: 
      05:47:06,150 INFO [NativeServerConfig] JBoss Web Services - Native
05:47:06,150 INFO [NativeServerConfig] jbossws-native-2.0.1.SP2 (build=200710210837)
05:47:06,941 INFO [Embedded] Catalina naming disabled
05:47:07,281 INFO [AprLifecycleListener] The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Java\jdk1.6.0\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\Java\jdk1.6.0\bin;C:\Java\apache-ant-1.7.0\bin;C:\Java\jikes_1.22\bin;C:\Java\maven-2.0.7\bin;c:\tools\cygwin\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\cvsnt;C:\Program Files\MySQL\MySQL Server 5.0\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\
05:47:07,352 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8080
05:47:08,083 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8443
05:47:08,093 INFO [AjpProtocol] Initializing Coyote AJP/1.3 on ajp-0.0.0.0-8009


      On Fedora8 Linux, we copied the same JBoss directory to the system (same Sun jdk 1.6). However, the log showed the following during startup: 
      03:22:19,508 INFO [NativeServerConfig] JBoss Web Services - Native
03:22:19,508 INFO [NativeServerConfig] jbossws-native-2.0.1.SP2 (build=200710210837)
03:22:20,310 INFO [Embedded] Catalina naming disabled
03:22:20,462 WARN [Connector] Property debug not found on the protocol handler.
03:22:20,466 WARN [Connector] Property clientAuth not found on the protocol handler.
03:22:20,466 WARN [Connector] Property keystoreFile not found on the protocol handler.
03:22:20,467 WARN [Connector] Property keystorePass not found on the protocol handler.
03:22:20,747 INFO [AprLifecycleListener] Loaded Apache Tomcat Native library 1.1.10.
03:22:20,751 INFO [AprLifecycleListener] APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
03:22:21,092 INFO [Http11AprProtocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8080
03:22:21,094 ERROR [Http11AprProtocol] Error initializing endpoint
java.lang.Exception: No Certificate file specified
 at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
 at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:683)
...

      So it appears that on Fedora the native library was loaded, but then the properties of the SSL connector were not loaded. Startup eventually failed due to the port being in use: 
      03:23:12,305 INFO [Http11AprProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
03:23:12,383 ERROR [Http11AprProtocol] Error starting endpoint
java.lang.Exception: Socket bind failed: [98] Address already in use
 at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:611)
 at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:716)
 at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)

      I'm not clear what we need to change in the configuration to get things working on Linux. It seems like removing the native library would work against better performance. Any pointers would be appreciated. Thanks.

      Bob

      • 3849 Views
      • Tags:
        • 1. Re: SSL and native libraries
          fastbob Mar 6, 2008 2:20 AM (in response to fastbob)

          I tried an experiment. I commented out the SSL connector and things worked (except for SSL, of course).

          But I found the cause of the problem. I took a closer look at the installed packages on fedora. Tomcat was installed as part of the system packages (probably by me), and as soon as I removed the tomcat-native package, the native library was not loaded. SSL started working.

          Bob

            • Actions
          • 2. Re: SSL and native libraries
            squ1rr3l Mar 6, 2008 10:42 AM (in response to fastbob)

             

            "fastbob" wrote:
            I tried an experiment. I commented out the SSL connector and things worked (except for SSL, of course).

            But I found the cause of the problem. I took a closer look at the installed packages on fedora. Tomcat was installed as part of the system packages (probably by me), and as soon as I removed the tomcat-native package, the native library was not loaded. SSL started working.

            Bob


            Same thing here. Apparently, there is a problem with the native libraries. I have had a lot of problems getting SSL enabled for any Win32 apr-based libraries.

            In this case, I had everything working on a Windows 2003 server. Then I applied the native libraries (from http://labs.jboss.org/jbossweb/downloads/jboss-native/?action=a&windowstate=maximized), and SSL died. Same errors that you specified: 
            10:23:42,564 WARN [Connector] Property strategy not found on the protocol handler.
10:23:42,580 WARN [Connector] Property clientAuth not found on the protocol handler.
10:23:42,580 WARN [Connector] Property keystoreFile not found on the protocol handler.
10:23:42,580 WARN [Connector] Property keystorePass not found on the protocol handler.
10:23:42,752 INFO [AprLifecycleListener] Loaded Apache Tomcat Native library 1.1.12.
10:23:42,845 INFO [AprLifecycleListener] APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
10:23:44,408 INFO [Http11AprProtocol] Initializing Coyote HTTP/1.1 on http-172.25.141.151-8080
10:23:44,424 ERROR [Http11AprProtocol] Error initializing endpoint
java.lang.Exception: No Certificate file specified
 at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
 at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:683)
 at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
 at org.apache.catalina.connector.Connector.initialize(Connector.java:1073)
....


            I have had similar issues trying to get LDAP over SSL working in Windows using the Apache ldap modules, which also rely on APR and APRUtils Win32 binaries. I've posted messages to the APR-dev mailing list, but they sent me to the Apache-dev list, and the issue was pretty much just ignored there.

            I imagine there is somebody that knows what's going on with this, but I can't figure it out.

              • Actions
            • 3. Re: SSL and native libraries
              asoldano
              asoldano Mar 21, 2008 1:09 PM (in response to fastbob)

              Did you already try posting here? http://www.jboss.com/index.html?module=bb&op=viewforum&f=50

                • Actions