Ice.SecurityException IceSSL: handshake error

Hi
I am trying to integrate Ice (using Ice3.2) from Tomcat and https, but when I create a proxy I get the errors below.
I am able to do https://localhost:8443 but when I create an IceProxy Tomcat crashes and stops fails. This works very well from java application outside tomcat. I have all the certificates at the right path.
This is my connector string for https
and this is how I call NetServicesProxy =
IceProxyFactory.getNetServicesProxy(communicator);
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150"
keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\bng.ads.my.net.p12"
keystorePass="ererer!"
keystoreType="PKCS12"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
/>
These are the errors.
![CDATA[Could not create the net services proxy: Ice.SecurityException
reason = "IceSSL: handshake error"]]></log4j:message>
<log4j:throwable><![CDATA[Ice.SecurityException
reason = "IceSSL: handshake error"
at IceSSL.Instance.createSSLEngine(Instance.java:484)
at IceSSL.ConnectorI.connect(ConnectorI.java:40)
at IceInternal.OutgoingConnectionFactory.create(OutgoingConnectionFactory.java:323)
at IceInternal.RoutableReference.createConnection(RoutableReference.java:433)
at IceInternal.IndirectReference.getConnection(IndirectReference.java:181)
at Ice._ObjectDelM.setup(_ObjectDelM.java:258)
at Ice.ObjectPrxHelperBase.__getDelegate(ObjectPrxHelperBase.java:1050)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:85)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:61)
at com.hp.halo.HaloICE.DatabaseServicesPrxHelper.checkedCast(Unknown Source)
at com.hp.halo.util.factory.IceProxyFactory._getDatabaseServicesProxy(IceProxyFactory.java:196)
at com.hp.halo.util.factory.IceProxyFactory.getDatabaseServicesProxy(IceProxyFactory.java:116)
at com.polycom.halo.rmx.util.RMXUtil.getDatabaseProxy(RMXUtil.java:386)
at com.polycom.halo.rmx.util.RMXUtil.startCommunicator(RMXUtil.java:414)
at com.polycom.halo.rmx.util.RMXUtil.<init>(RMXUtil.java:48)
at com.polycom.service.DatabaseService.getNodeStatusFromCp(DatabaseService.java:87)
at com.polycom.service.DatabaseService.getAllStudios(DatabaseService.java:260)
at com.polycom.controller.DirectoryServiceController.getAllStudios(DirectoryServiceController.java:165)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:212)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:126)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:96)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:617)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:578)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol
at sun.security.ssl.Handshaker.activate(Unknown Source)
at sun.security.ssl.SSLEngineImpl.kickstartHandshake(Unknown Source)
at sun.security.ssl.SSLEngineImpl.beginHandshake(Unknown Source)
at IceSSL.Instance.createSSLEngine(Instance.java:480)
... 49 more
If I understand things correctly, you are attempting to make an Ice invocation over SSL from within a Tomcat servlet, and the SSL handshake fails with a "No appropriate protocol" message. The most likely reason for this is a configuration problem, either in your servlet or in the remote Ice server. The fact that you're using HTTPS to communicate with the Tomcat server should not have any impact on the Ice activities of your servlet.
If you're still having trouble, please post the IceSSL configuration properties being used by your servlet and the remote server.
Best regards,
Mark
Greetings Mark,
And thanks for your prompt reply. Yes, you are right, I am attempting to make an Ice invocation over SSL from within a Tomcat. Attaching the file from servlet
Ice.Package.HaloICE=com.hp.halo
Ice.StdErr=./logs/IceStdErr.txt
Ice.StdOut=./logs/IceStdOut.txt
# This property is used by the clients to connect to IceStorm, Database
# Services, Event Services, Node Services, etc.
# Note that any proxy definitions which use Grid replica
# groups - e.g. any proxy that has an @ - will be using
# two-way SSL, and thus the box that the client is running
# on will require a certificate.
#
Ice.Default.Locator=HaloIceGrid/Locator:tcp -h cv-tst-ice-04.hp.net -p 10000
#DeviceServices.Proxy=DeviceServices:ssl -h %address% -p 10305
DeviceServices.Proxy=DeviceServices:tcp -h %address% -p 10300
SWAVServices.Proxy=SWAVServices:tcp -p 10110
SWAVCollabServices.Proxy=SWAVServices:tcp -p 10100
[email protected]roup
[email protected]ServiceReplicaGroup
IceStorm.TopicManager.Proxy=HaloCentralIceStorm/[email protected]
NodeServices.Proxy=NodeServices:ssl -h %address% -p 10505
UIServices.Proxy=UIServices:tcp -h %address% -p 10800
MessageCatalogStore.Proxy=UIServices/MessageCatalogStore:tcp -p 10800
[email protected]
#
# SSL Configuration
#
Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.Plugin.CertVerifier=com.hp.halo.ssl.CertVerifierPluginFactory
Ice.PluginLoadOrder=IceSSL,CertVerifier
IceSSL.DefaultDir=C:\Program Files\Hewlett-Packard\Certificates
IceSSL.Truststore=HPHaloServicesCA.jks
IceSSL.KeystoreType=PKCS12
IceSSL.Ciphers=NONE (RSA.*AES_256) !(EXPORT)
IceSSL.CheckCertName=1
IceSSL.Trace.Security=1
SslVerifier.CRL_URL=http://vmhost-prod00.ads.hhven.net/crl/LatestCRL.crl
SslVerifier.CRL=LatestCRL.crl
SslVerifier.OnlyLogCRLViolations=true
# Delay at start time for the first CRL download, in seconds
SslVerifier.CRLDownloadDelayAtStart=60
# Time between CRL downloads, in minutes
SslVerifier.TimeBetweenCRLDownloads=240
#
# Connection Timeout Global Maximum
#
Ice.Override.ConnectTimeout=2000
#
# Warn about connection exceptions
#
Ice.Warn.Connections=2
#
# Network Tracing
#
# 0 = no network tracing
# 1 = trace connection establishment and closure
# 2 = like 1, but more detailed
# 3 = like 2, but also trace data transfer
#
Ice.Trace.Network=0
#
# Protocol Tracing
#
# 0 = no protocol tracing
# 1 = trace protocol messages
#
Ice.Trace.Protocol=0
#
# Security Tracing
#
# 0 = no security tracing
# 1 = trace warning messages
# 2 = config file parsing warnings
#
IceSSL.Trace.Security=0
#
# Controls the maximum size of messages that can be read or written. This value
# corresponds to the size of the data sent in the getScreenImages method.
# Note that the server ice configuration file also needs to have this parameter set
# and should match what is specified here.
#
Ice.MessageSizeMax=5000
########################################################################
# Device Manager properties
########################################################################
# Device Services Configuration
#DeviceLib.DeviceServiceType=server
#DeviceLib.DeviceServiceType=client
DeviceLib.cachingEnabled=false
########################################################################
# ClientUtil properties
########################################################################
ClientUtil.NodeObserver.Endpoints=ssl
ClientUtil.NodeObserver.StartPort=10550
ClientUtil.NodeObserver.PortCount=20
ClientUtil.MeetingObserver.Endpoints=ssl
ClientUtil.MeetingObserver.StartPort=10450
ClientUtil.MeetingObserver.PortCount=20
Ice.Trace.Network=3
Ice.Trace.Protocol=1
Run your servlet again, capture the log file output, and attach it here. My goal is to find out which endpoint the servlet is attempting to use.
Regards,
Mark
Thanks Mark.
Added the Trace and Network as requested by you and attaching the log IceStdError.log with Traces and RMXUtil.log for further Analysis.
IceStdError.log
[ 11/1/12 22:54:35:785 Network: trying to establish tcp connection to 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:785 Network: tcp connection established
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:816 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:816 Protocol: received validate connection
message type = 3 (validate connection)
compression status = 0 (not compressed; do not compress response, if any)
message size = 14 ]
[ 11/1/12 22:54:35:816 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 1
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:816 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:832 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:832 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:832 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 1
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:848 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 2
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:848 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:848 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:848 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:848 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 2
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:863 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 3
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:863 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:863 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:863 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:863 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 3
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:863 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:863 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:879 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 4
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:879 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:879 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:879 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:879 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 4
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:894 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:894 Protocol: sending close connection
message type = 4 (close connection)
compression status = 0 (not compressed; do not compress response, if any)
message size = 14 ]
[ 11/1/12 22:54:35:894 Network: sent 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:894 Network: shutting down tcp connection for writing
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:894 Network: closing tcp connection
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
Thanks for posting the log information.
My first suggestion is to verify that the servers shown in these endpoints are in fact using SSL (and not TCP):
[Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[Network: trying to establish ssl connection to 141.124.212.104:10205 ]
Note that the endpoint settings for these servers are probably stored in IceGrid.
Second, since you stated in your original message that a standalone (non-Tomcat) application works correctly, the goal should be to discover what the differences are between the standalone and servlet cases. For example, are you absolutely sure that the servlet is using the configuration properties in the file that you attached? One way to verify this is to add the following diagnostic code to your servlet: This code simply dumps the contents of the communicator's properties. Once you have this output, I would compare it against the properties (especially the IceSSL properties) that you expect it to be using.
Regards,
Mark
Thanks Mark.
Yes I am using an IceGrid and I have jar file which I call outside tomcat and inside tomcat. And all configurations are same. Only thing outside Tomcat it works.
I have made the changes you mentioned and attaching the logs from IceStdErrorOutsideTomcat and
IceStdErrorFromServletTomcat
Also Attaching the file which I am using for Testing
Thanks,
Mark
Another suggestion: run the standalone program with the JVM option -Djavax.net.debug=all, and then run Tomcat with the same option. This will probably generate a lot of output, especially for Tomcat, but it should provide some useful information about the protocols and ciphersuites that the JVM is using.
Mark
Hi Mark
I switched to https when I had the same handshake issue with http. Anyway I have switched over to http based on your request.
I see that after adding debug -Djavax.net.debug=all outside and inside (tomcat).
My jvm is 1.6.024 for both outside and Inside tomcat. And I am running Tomcat_6 Apache Tomcat 6.0.18 Server - Apache Tomcat - Welcome!
Anyway attaching all the files for your clarity
The IceStdout is the one which gives the certificate output.
Attaching Inside_Tomcat_IceStdOut and OutSide-Tomcat and also http_Tomcat_Std_out for reference
Yes outside Tomcat the IceStdOut output produced is more as it works there.
Thanks
Shrinivas
Based on some findings I also tried changing in jre/lib/java.security by adding these lines but that too had no effect
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
I restarted tomcat after the above.
I would like to know if we need any modifications in Ice code for this
I set up a Tomcat server using the following environment:
* Windows 7 (32-bit)
* apache-tomcat-6.0.36
* jdk1.6.0_25
I created a simple servlet version of the client from the Ice "hello" demo:
The config.client file contains:
I deployed the webapp, started the Ice "hello" server, and used the browser to access the servlet. The servlet successfully connected to the server via SSL and invoked the sayHello operation without problems.
I can provide an archive of the servlet files if you'd like to see them.
My first suggestion is to try your servlet without defining the IceSSL.Ciphers property, just to see if that makes a difference.
My second suggestion would be to start over with a simple servlet example like mine and slowly modify it to more closely resemble your final version. If you can provide me with a small (but complete) example that reproduces the problem, I'd be happy to take a look at it.
Regards,
Mark
You are very much right. Disabling the IceSSL.CIPHERS resolves the issue. I am able to invoke it perfectly now.
Thanks again
Shrinivas
Glad to hear that it's working for you now.
I suspect what's happening is that Tomcat (somehow) is limiting the available ciphers, or perhaps using an entirely different set of ciphers, than what you get outside of Tomcat. If you run your standalone client and your servlet with IceSSL.Trace.Security=1, Ice will log the list of available ciphers. Your setting for IceSSL.Ciphers was apparently too restrictive in Tomcat and eliminated all possibilities. Once you know what ciphers are available, you can enable IceSSL.Ciphers with an appropriate value.
Regards,
Mark
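The effect described in the reply above, as an added example that is not part of the original thread and is not IceSSL's own code: a small Java program that applies an IceSSL.Ciphers value to the cipher suites the running JVM offers and reports whether anything is left. The class name `IceSslCipherCheck` and the method `apply` are hypothetical, and the token handling is a simplified reading of the NONE / ALL / NAME / !NAME / (EXP) / !(EXP) forms.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example, not IceSSL source code. Run it with the same JRE as the
// standalone client and again with the JRE that Tomcat uses, then compare.
public class IceSslCipherCheck {

    // Applies an IceSSL.Ciphers-style value to the suites this JVM offers.
    // Assumptions: tokens are separated by whitespace, no spaces inside
    // parentheses, and without a leading ALL/NONE the starting set is the
    // JVM's default-enabled suites.
    static List<String> apply(String spec, String[] supported, String[] defaults) {
        Set<String> enabled = new LinkedHashSet<String>(Arrays.asList(defaults));
        String[] tokens = spec.trim().split("\\s+");
        for (int i = 0; i < tokens.length; i++) {
            String tok = tokens[i];
            if (tok.equals("ALL") || tok.equals("NONE")) {
                if (i != 0) {
                    throw new IllegalArgumentException(tok + " must be the first token");
                }
                enabled.clear();
                if (tok.equals("ALL")) {
                    enabled.addAll(Arrays.asList(supported));
                }
                continue;
            }
            boolean disable = tok.startsWith("!");
            String body = disable ? tok.substring(1) : tok;
            boolean regex = body.length() > 2 && body.startsWith("(") && body.endsWith(")");
            Pattern p = regex ? Pattern.compile(body.substring(1, body.length() - 1)) : null;
            for (String suite : supported) {
                boolean match = regex ? p.matcher(suite).find() : suite.equals(body);
                if (match && disable) {
                    enabled.remove(suite);
                } else if (match) {
                    enabled.add(suite);
                }
            }
        }
        return new ArrayList<String>(enabled);
    }

    public static void main(String[] args) throws Exception {
        // Default is the value from the configuration posted in this thread.
        String spec = args.length > 0 ? args[0] : "NONE (RSA.*AES_256) !(EXPORT)";

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers; only suites are inspected
        SSLEngine engine = ctx.createSSLEngine();
        String[] supported = engine.getSupportedCipherSuites();

        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("supported suites: " + supported.length);

        List<String> result = apply(spec, supported, engine.getEnabledCipherSuites());
        System.out.println("IceSSL.Ciphers=" + spec + " leaves " + result.size() + " suite(s):");
        for (String suite : result) {
            System.out.println("  " + suite);
        }
        if (result.isEmpty()) {
            System.out.println("No suite survives the filter in this JVM; "
                    + "an SSLEngine configured this way has nothing to negotiate.");
        }
    }
}
```

To check the servlet environment itself, call `apply` from a servlet in the same way and log the returned list. A different `java.home` or a shorter list in one environment points at the JVM setup rather than at the Ice configuration.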
Well I see that TLS_RSA_WITH_AES_256 Cipher suite or any other Cipher suite is not displayed from Tomcat IceStdout but gets displayed outside tomcat.
Looks like disabling it makes a possible workaround.
Also
openssl ciphers -v 'ALL:!ADH:@STRENGTH' does not indicate the above SSL and so bypassing it makes sense.