Ice.SecurityException IceSSL: handshake error
Hi
I am trying to integrate Ice (using Ice3.2) from Tomcat and https, but when I create a proxy I get the errors below.
I am able to do https://localhost:8443, but when I create an IceProxy Tomcat crashes and stops/fails. This works very well from a Java application outside Tomcat. I have all the certificates at the right path.
This is my connector string for https
and this is how I call NetServicesProxy =
IceProxyFactory.getNetServicesProxy(communicator);
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150"
keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\bng.ads.my.net.p12"
keystorePass="ererer!"
keystoreType="PKCS12"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
/>
These are the errors.
![CDATA[Could not create the net services proxy: Ice.SecurityException
reason = "IceSSL: handshake error"]]></log4j:message>
<log4j:throwable><![CDATA[Ice.SecurityException
reason = "IceSSL: handshake error"
at IceSSL.Instance.createSSLEngine(Instance.java:484)
at IceSSL.ConnectorI.connect(ConnectorI.java:40)
at IceInternal.OutgoingConnectionFactory.create(OutgoingConnectionFactory.java:323)
at IceInternal.RoutableReference.createConnection(RoutableReference.java:433)
at IceInternal.IndirectReference.getConnection(IndirectReference.java:181)
at Ice._ObjectDelM.setup(_ObjectDelM.java:258)
at Ice.ObjectPrxHelperBase.__getDelegate(ObjectPrxHelperBase.java:1050)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:85)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:61)
at com.hp.halo.HaloICE.DatabaseServicesPrxHelper.checkedCast(Unknown Source)
at com.hp.halo.util.factory.IceProxyFactory._getDatabaseServicesProxy(IceProxyFactory.java:196)
at com.hp.halo.util.factory.IceProxyFactory.getDatabaseServicesProxy(IceProxyFactory.java:116)
at com.polycom.halo.rmx.util.RMXUtil.getDatabaseProxy(RMXUtil.java:386)
at com.polycom.halo.rmx.util.RMXUtil.startCommunicator(RMXUtil.java:414)
at com.polycom.halo.rmx.util.RMXUtil.<init>(RMXUtil.java:48)
at com.polycom.service.DatabaseService.getNodeStatusFromCp(DatabaseService.java:87)
at com.polycom.service.DatabaseService.getAllStudios(DatabaseService.java:260)
at com.polycom.controller.DirectoryServiceController.getAllStudios(DirectoryServiceController.java:165)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:212)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:126)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:96)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:617)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:578)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol
at sun.security.ssl.Handshaker.activate(Unknown Source)
at sun.security.ssl.SSLEngineImpl.kickstartHandshake(Unknown Source)
at sun.security.ssl.SSLEngineImpl.beginHandshake(Unknown Source)
at IceSSL.Instance.createSSLEngine(Instance.java:480)
... 49 more
Hi,
If I understand things correctly, you are attempting to make an Ice invocation over SSL from within a Tomcat servlet, and the SSL handshake fails with a "No appropriate protocol" message. The most likely reason for this is a configuration problem, either in your servlet or in the remote Ice server. The fact that you're using HTTPS to communicate with the Tomcat server should not have any impact on the Ice activities of your servlet.
If you're still having trouble, please post the IceSSL configuration properties being used by your servlet and the remote server.
Best regards,
Mark
Greetings Mark,
And thanks for your prompt reply. Yes, you are right, I am attempting to make an Ice invocation over SSL from within Tomcat. Attaching the file from the servlet:
Ice.Package.HaloICE=com.hp.halo
Ice.StdErr=./logs/IceStdErr.txt
Ice.StdOut=./logs/IceStdOut.txt
# This property is used by the clients to connect to IceStorm, Database
# Services, Event Services, Node Services, etc.
# Note that any proxy definitions which use Grid replica
# groups - e.g. any proxy that has an @ - will be using
# two-way SSL, and thus the box that the client is running
# on will require a certificate.
#
Ice.Default.Locator=HaloIceGrid/Locator:tcp -h cv-tst-ice-04.hp.net -p 10000
#DeviceServices.Proxy=DeviceServices:ssl -h %address% -p 10305
DeviceServices.Proxy=DeviceServices:tcp -h %address% -p 10300
SWAVServices.Proxy=SWAVServices:tcp -p 10110
SWAVCollabServices.Proxy=SWAVServices:tcp -p 10100
DatabaseServices.Proxy=DatabaseServices@DatabaseServicesReplicaGroup
AuthenticationService.Proxy=AuthenticationService@AuthenticationServiceReplicaGroup
IceStorm.TopicManager.Proxy=HaloCentralIceStorm/TopicManager@CentralIceStormTopicManagerReplicaGroup
NodeServices.Proxy=NodeServices:ssl -h %address% -p 10505
UIServices.Proxy=UIServices:tcp -h %address% -p 10800
MessageCatalogStore.Proxy=UIServices/MessageCatalogStore:tcp -p 10800
EventServices.Proxy=EventServices@EventServicesReplicaGroup
#
# SSL Configuration
#
Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.Plugin.CertVerifier=com.hp.halo.ssl.CertVerifierPluginFactory
Ice.PluginLoadOrder=IceSSL,CertVerifier
IceSSL.DefaultDir=C:\Program Files\Hewlett-Packard\Certificates
IceSSL.Truststore=HPHaloServicesCA.jks
IceSSL.KeystoreType=PKCS12
IceSSL.Ciphers=NONE (RSA.*AES_256) !(EXPORT)
IceSSL.CheckCertName=1
IceSSL.Trace.Security=1
SslVerifier.CRL_URL=http://vmhost-prod00.ads.hhven.net/crl/LatestCRL.crl
SslVerifier.CRL=LatestCRL.crl
SslVerifier.OnlyLogCRLViolations=true
# Delay at start time for the first CRL download, in seconds
SslVerifier.CRLDownloadDelayAtStart=60
# Time between CRL downloads, in minutes
SslVerifier.TimeBetweenCRLDownloads=240
#
# Connection Timeout Global Maximum
#
Ice.Override.ConnectTimeout=2000
#
# Warn about connection exceptions
#
Ice.Warn.Connections=2
#
# Network Tracing
#
# 0 = no network tracing
# 1 = trace connection establishment and closure
# 2 = like 1, but more detailed
# 3 = like 2, but also trace data transfer
#
Ice.Trace.Network=0
#
# Protocol Tracing
#
# 0 = no protocol tracing
# 1 = trace protocol messages
#
Ice.Trace.Protocol=0
#
# Security Tracing
#
# 0 = no security tracing
# 1 = trace warning messages
# 2 = config file parsing warnings
#
IceSSL.Trace.Security=0
#
# Controls the maximum size of messages that can be read or written. This value
# corresponds to the size of the data sent in the getScreenImages method.
# Note that the server ice configuration file also needs to have this parameter set
# and should match what is specified here.
#
Ice.MessageSizeMax=5000
########################################################################
# Device Manager properties
########################################################################
# Device Services Configuration
#DeviceLib.DeviceServiceType=server
#DeviceLib.DeviceServiceType=client
DeviceLib.cachingEnabled=false
########################################################################
# ClientUtil properties
########################################################################
ClientUtil.NodeObserver.Endpoints=ssl
ClientUtil.NodeObserver.StartPort=10550
ClientUtil.NodeObserver.PortCount=20
ClientUtil.MeetingObserver.Endpoints=ssl
ClientUtil.MeetingObserver.StartPort=10450
ClientUtil.MeetingObserver.PortCount=20
As a first step, I suggest changing the following properties in your servlet's configuration:
Ice.Trace.Network=3
Ice.Trace.Protocol=1
Run your servlet again, capture the log file output, and attach it here. My goal is to find out which endpoint the servlet is attempting to use.
Regards,
Mark
Thanks Mark.
Added the Trace and Network as requested by you and attaching the log IceStdError.log with Traces and RMXUtil.log for further Analysis.
IceStdError.log
[ 11/1/12 22:54:35:785 Network: trying to establish tcp connection to 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:785 Network: tcp connection established
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:816 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:816 Protocol: received validate connection
message type = 3 (validate connection)
compression status = 0 (not compressed; do not compress response, if any)
message size = 14 ]
[ 11/1/12 22:54:35:816 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 1
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:816 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:832 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:832 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:832 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 1
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:848 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 2
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:848 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:848 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:848 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:848 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 2
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:863 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 3
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:863 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:863 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:863 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:863 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 3
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:863 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:863 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:879 Protocol: sending request
message type = 0 (request)
compression status = 0 (not compressed; do not compress response, if any)
message size = 92
request id = 4
identity = HaloIceGrid/Locator
facet =
operation = findAdapterById
mode = 1 (nonmutating)
context = ]
[ 11/1/12 22:54:35:879 Network: sent 92 of 92 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:879 Network: received 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:879 Network: received 157 of 157 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:879 Protocol: received reply
message type = 2 (reply)
compression status = 0 (not compressed; do not compress response, if any)
message size = 171
request id = 4
reply status = 0 (ok) ]
[ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[ 11/1/12 22:54:35:894 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
[ 11/1/12 22:54:35:894 Protocol: sending close connection
message type = 4 (close connection)
compression status = 0 (not compressed; do not compress response, if any)
message size = 14 ]
[ 11/1/12 22:54:35:894 Network: sent 14 of 14 bytes via tcp
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:894 Network: shutting down tcp connection for writing
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
[ 11/1/12 22:54:35:894 Network: closing tcp connection
local address = 141.124.211.57:54284
remote address = 141.124.212.105:10000 ]
Hi,
Thanks for posting the log information.
My first suggestion is to verify that the servers shown in these endpoints are in fact using SSL (and not TCP):
[Network: trying to establish ssl connection to 141.124.212.106:10205 ]
[Network: trying to establish ssl connection to 141.124.212.105:10205 ]
[Network: trying to establish ssl connection to 141.124.212.104:10205 ]
Note that the endpoint settings for these servers are probably stored in IceGrid.
Second, since you stated in your original message that a standalone (non-Tomcat) application works correctly, the goal should be to discover what the differences are between the standalone and servlet cases. For example, are you absolutely sure that the servlet is using the configuration properties in the file that you attached? One way to verify this is to add the following diagnostic code to your servlet:
java.util.Map m = communicator.getProperties().getPropertiesForPrefix("");
Ice.Logger l = communicator.getLogger();
java.util.Iterator i = m.entrySet().iterator();
while(i.hasNext())
{
    java.util.Map.Entry e = (java.util.Map.Entry)i.next();
    l.print(e.getKey().toString() + " = " + e.getValue().toString());
}
This code simply dumps the contents of the communicator's properties. Once you have this output, I would compare it against the properties (especially the IceSSL properties) that you expect it to be using.
Regards,
Mark
Thanks Mark.
Yes, I am using an IceGrid and I have a jar file which I call outside Tomcat and inside Tomcat. And all configurations are the same. The only thing is that outside Tomcat it works.
I have made the changes you mentioned and attaching the logs from IceStdErrorOutsideTomcat and
IceStdErrorFromServletTomcat
Also attaching the file which I am using for testing.
Please post your version information for the following:
- JVM used for the standalone (non-Tomcat) program
- JVM used for Tomcat
- Tomcat version
Thanks,
Mark
Our suspicion is that Tomcat's SSL configuration is interfering with your servlet's SSL connection. You could try temporarily disabling the use of HTTPS in Tomcat (i.e., use HTTP instead) to see if that eliminates the servlet's failure.
Another suggestion: run the standalone program with the JVM option -Djavax.net.debug=all, and then run Tomcat with the same option. This will probably generate a lot of output, especially for Tomcat, but it should provide some useful information about the protocols and ciphersuites that the JVM is using.
Mark
Hi Mark
I switched to https when I had the same handshake issue with http. Anyway, I have switched over to http based on your request.
I see that after adding debug -Djavax.net.debug=all outside and inside (Tomcat).
My JVM is 1.6.024 for both outside and inside Tomcat. And I am running Tomcat_6 Apache Tomcat 6.0.18 Server - Apache Tomcat - Welcome!
Anyway, attaching all the files for your clarity.
The IceStdout is the one which gives the certificate output.
Attaching Inside_Tomcat_IceStdOut and OutSide-Tomcat and also http_Tomcat_Std_out for reference
Yes outside Tomcat the IceStdOut output produced is more as it works there.
Thanks
Shrinivas
Based on some findings I also tried changing jre/lib/java.security by adding these lines, but that too had no effect:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
I restarted tomcat after the above.
I would like to know if we need any modifications in Ice code for this. Attaching Tomcat-Server.xml also for your reference. Using http only.
Hi,
I set up a Tomcat server using the following environment:
* Windows 7 (32-bit)
* apache-tomcat-6.0.36
* jdk1.6.0_25
I created a simple servlet version of the client from the Ice "hello" demo:
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class HelloWorld extends HttpServlet
{
    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException
    {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html>");
        out.println("<head>");
        out.println("<title>Hello World!</title>");
        out.println("</head>");
        out.println("<body>");
        try
        {
            Ice.InitializationData id = new Ice.InitializationData();
            id.properties = Ice.Util.createProperties();
            id.properties.load("C:/hp/config.client");
            Ice.Communicator c = Ice.Util.initialize(id);
            Ice.ObjectPrx o = c.propertyToProxy("Hello.Proxy");
            Demo.HelloPrx h = Demo.HelloPrxHelper.uncheckedCast(o);
            h.sayHello(0);
            c.destroy();
            out.println("<h1>Hello World!</h1>");
        }
        catch(Exception ex)
        {
            ex.printStackTrace(out);
        }
        out.println("</body>");
        out.println("</html>");
    }
}
The config.client file contains:
Hello.Proxy=hello:ssl -p 10001
Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.ThreadPerConnection=1
IceSSL.DefaultDir=C:/hp
IceSSL.Keystore=client.jks
IceSSL.Password=password
IceSSL.Truststore=certs.jks
IceSSL.Ciphers=NONE (RSA.*AES_128) !(EXPORT)
I deployed the webapp, started the Ice "hello" server, and used the browser to access the servlet. The servlet successfully connected to the server via SSL and invoked the sayHello operation without problems.
I can provide an archive of the servlet files if you'd like to see them.
My first suggestion is to try your servlet without defining the IceSSL.Ciphers property, just to see if that makes a difference.
My second suggestion would be to start over with a simple servlet example like mine and slowly modify it to more closely resemble your final version. If you can provide me with a small (but complete) example that reproduces the problem, I'd be happy to take a look at it.
Regards,
Mark
Thanks Mark,
You are very much right. Disabling the IceSSL.CIPHERS resolves the issue. I am able to invoke it perfectly now.
Thanks again
Shrinivas
Hi,
Glad to hear that it's working for you now.
I suspect what's happening is that Tomcat (somehow) is limiting the available ciphers, or perhaps using an entirely different set of ciphers, than what you get outside of Tomcat. If you run your standalone client and your servlet with IceSSL.Trace.Security=1, Ice will log the list of available ciphers. Your setting for IceSSL.Ciphers was apparently too restrictive in Tomcat and eliminated all possibilities. Once you know what ciphers are available, you can enable IceSSL.Ciphers with an appropriate value.
Regards,
Mark
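The filtering described in the reply above can be checked against a JVM directly. The following is an added example, not part of the original thread and not IceSSL's own code: it approximates the documented IceSSL.Ciphers syntax (NONE or ALL first, then NAME, !NAME, (EXP), !(EXP)); the class name, method names and the two sample suite lists are constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic (hypothetical class, not IceSSL code). It approximates the
// documented IceSSL.Ciphers syntax so a filter can be tested against the
// cipher suites a given JVM actually offers.
public class CipherFilterCheck
{
    // Returns the suites left after applying a filter such as
    // "NONE (RSA.*AES_256) !(EXPORT)". Assumes no whitespace inside an (EXP).
    static Set<String> apply(String filter, String[] supported, String[] defaults)
    {
        // Without a leading NONE or ALL, start from the provider's defaults.
        Set<String> result = new LinkedHashSet<String>(Arrays.asList(defaults));
        String trimmed = filter.trim();
        if(trimmed.length() == 0)
        {
            return result;
        }
        String[] tokens = trimmed.split("\\s+");
        for(int i = 0; i < tokens.length; ++i)
        {
            String t = tokens[i];
            if(t.equals("NONE") || t.equals("ALL"))
            {
                if(i != 0)
                {
                    throw new IllegalArgumentException(t + " must be the first token");
                }
                result.clear();
                if(t.equals("ALL"))
                {
                    result.addAll(Arrays.asList(supported));
                }
                continue;
            }
            boolean disable = t.startsWith("!");
            String body = disable ? t.substring(1) : t;
            boolean isRegex = body.length() > 2 && body.startsWith("(") && body.endsWith(")");
            Pattern p = isRegex ? Pattern.compile(body.substring(1, body.length() - 1)) : null;
            for(String suite : supported)
            {
                // (EXP) matches anywhere in the suite name; NAME must match exactly.
                boolean match = isRegex ? p.matcher(suite).find() : suite.equals(body);
                if(match && disable)
                {
                    result.remove(suite);
                }
                else if(match)
                {
                    result.add(suite);
                }
            }
        }
        return result;
    }

    // Prints which suites survive the filter for one environment.
    static void report(String label, String filter, String[] supported, String[] defaults)
    {
        Set<String> left = apply(filter, supported, defaults);
        System.out.println(label + ": " + left.size() + " of " + supported.length
                           + " suites pass \"" + filter + "\"");
        for(String s : left)
        {
            System.out.println("    " + s);
        }
        if(left.isEmpty())
        {
            System.out.println("    (nothing left to negotiate)");
        }
    }

    public static void main(String[] args) throws Exception
    {
        // Default filter is the one from the servlet configuration posted in the thread.
        String filter = args.length > 0 ? args[0] : "NONE (RSA.*AES_256) !(EXPORT)";

        // Constructed sample lists, not taken from the thread's logs.
        String[] withAes256 = { "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                                "SSL_RSA_EXPORT_WITH_RC4_40_MD5" };
        String[] withoutAes256 = { "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5",
                                   "SSL_RSA_EXPORT_WITH_RC4_40_MD5" };
        report("sample list with AES_256", filter, withAes256, withAes256);
        report("sample list without AES_256", filter, withoutAes256, withoutAes256);

        // The JVM this program is actually running on.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("enabled protocols = " + Arrays.toString(engine.getEnabledProtocols()));
        report("this JVM", filter, engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites());
    }
}
```

Run it with the same java binary and JVM options as the standalone client, then with the ones Tomcat is started with; a filter that leaves zero suites in one environment but not the other matches the situation described in the reply.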
Hi,
Well, I see that the TLS_RSA_WITH_AES_256 cipher suite or any other cipher suite is not displayed from Tomcat IceStdout but gets displayed outside Tomcat.
Looks like disabling it makes a possible workaround.
Also
openssl ciphers -v 'ALL:!ADH:@STRENGTH' does not indicate the above SSL and so bypassing it makes sense.