Ice.SecurityException IceSSL: handshake error

Hi

I am trying to integrate Ice (using Ice3.2) from Tomcat and https, but when I create a proxy I get the errors below.

I am able to do https://localhost:8443, but when I create an IceProxy Tomcat crashes and stops. This works very well from a Java application outside Tomcat. I have all the certificates at the right path.

This is my connector string for https,
and this is how I call NetServicesProxy =
IceProxyFactory.getNetServicesProxy(communicator);


<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150"
keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\bng.ads.my.net.p12"
keystorePass="ererer!"
keystoreType="PKCS12"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
/>


These are the errors.

![CDATA[Could not create the net services proxy: Ice.SecurityException
reason = "IceSSL: handshake error"]]></log4j:message>
<log4j:throwable><![CDATA[Ice.SecurityException
reason = "IceSSL: handshake error"
at IceSSL.Instance.createSSLEngine(Instance.java:484)
at IceSSL.ConnectorI.connect(ConnectorI.java:40)
at IceInternal.OutgoingConnectionFactory.create(OutgoingConnectionFactory.java:323)
at IceInternal.RoutableReference.createConnection(RoutableReference.java:433)
at IceInternal.IndirectReference.getConnection(IndirectReference.java:181)
at Ice._ObjectDelM.setup(_ObjectDelM.java:258)
at Ice.ObjectPrxHelperBase.__getDelegate(ObjectPrxHelperBase.java:1050)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:85)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:61)
at com.hp.halo.HaloICE.DatabaseServicesPrxHelper.checkedCast(Unknown Source)
at com.hp.halo.util.factory.IceProxyFactory._getDatabaseServicesProxy(IceProxyFactory.java:196)
at com.hp.halo.util.factory.IceProxyFactory.getDatabaseServicesProxy(IceProxyFactory.java:116)
at com.polycom.halo.rmx.util.RMXUtil.getDatabaseProxy(RMXUtil.java:386)
at com.polycom.halo.rmx.util.RMXUtil.startCommunicator(RMXUtil.java:414)
at com.polycom.halo.rmx.util.RMXUtil.<init>(RMXUtil.java:48)
at com.polycom.service.DatabaseService.getNodeStatusFromCp(DatabaseService.java:87)
at com.polycom.service.DatabaseService.getAllStudios(DatabaseService.java:260)
at com.polycom.controller.DirectoryServiceController.getAllStudios(DirectoryServiceController.java:165)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:212)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:126)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:96)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:617)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:578)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol
at sun.security.ssl.Handshaker.activate(Unknown Source)
at sun.security.ssl.SSLEngineImpl.kickstartHandshake(Unknown Source)
at sun.security.ssl.SSLEngineImpl.beginHandshake(Unknown Source)
at IceSSL.Instance.createSSLEngine(Instance.java:480)
... 49 more

Comments

  • mes
    mes California
    Hi,

    If I understand things correctly, you are attempting to make an Ice invocation over SSL from within a Tomcat servlet, and the SSL handshake fails with a "No appropriate protocol" message. The most likely reason for this is a configuration problem, either in your servlet or in the remote Ice server. The fact that you're using HTTPS to communicate with the Tomcat server should not have any impact on the Ice activities of your servlet.

    If you're still having trouble, please post the IceSSL configuration properties being used by your servlet and the remote server.

    Best regards,
    Mark
  • Ice.SecurityException IceSSL: handshake error

    Greetings Mark,

    And thanks for your prompt reply. Yes, you are right, I am attempting to make an Ice invocation over SSL from within Tomcat. Attaching the file from the servlet.


    Ice.Package.HaloICE=com.hp.halo

    Ice.StdErr=./logs/IceStdErr.txt
    Ice.StdOut=./logs/IceStdOut.txt


    # This property is used by the clients to connect to IceStorm, Database
    # Services, Event Services, Node Services, etc.
    # Note that any proxy definitions which use Grid replica
    # groups - e.g. any proxy that has an @ - will be using
    # two-way SSL, and thus the box that the client is running
    # on will require a certificate.
    #
    Ice.Default.Locator=HaloIceGrid/Locator:tcp -h cv-tst-ice-04.hp.net -p 10000
    #DeviceServices.Proxy=DeviceServices:ssl -h %address% -p 10305
    DeviceServices.Proxy=DeviceServices:tcp -h %address% -p 10300
    SWAVServices.Proxy=SWAVServices:tcp -p 10110
    SWAVCollabServices.Proxy=SWAVServices:tcp -p 10100
    DatabaseServices.Proxy=DatabaseServices@DatabaseServicesReplicaGroup
    AuthenticationService.Proxy=AuthenticationService@AuthenticationServiceReplicaGroup
    IceStorm.TopicManager.Proxy=HaloCentralIceStorm/TopicManager@CentralIceStormTopicManagerReplicaGroup
    NodeServices.Proxy=NodeServices:ssl -h %address% -p 10505
    UIServices.Proxy=UIServices:tcp -h %address% -p 10800
    MessageCatalogStore.Proxy=UIServices/MessageCatalogStore:tcp -p 10800
    EventServices.Proxy=EventServices@EventServicesReplicaGroup

    #
    # SSL Configuration
    #
    Ice.Plugin.IceSSL=IceSSL.PluginFactory
    Ice.Plugin.CertVerifier=com.hp.halo.ssl.CertVerifierPluginFactory
    Ice.PluginLoadOrder=IceSSL,CertVerifier
    IceSSL.DefaultDir=C:\Program Files\Hewlett-Packard\Certificates
    IceSSL.Truststore=HPHaloServicesCA.jks
    IceSSL.KeystoreType=PKCS12
    IceSSL.Ciphers=NONE (RSA.*AES_256) !(EXPORT)
    IceSSL.CheckCertName=1
    IceSSL.Trace.Security=1


    SslVerifier.CRL_URL=http://vmhost-prod00.ads.hhven.net/crl/LatestCRL.crl
    SslVerifier.CRL=LatestCRL.crl
    SslVerifier.OnlyLogCRLViolations=true

    # Delay at start time for the first CRL download, in seconds
    SslVerifier.CRLDownloadDelayAtStart=60

    # Time between CRL downloads, in minutes
    SslVerifier.TimeBetweenCRLDownloads=240


    #
    # Connection Timeout Global Maximum
    #
    Ice.Override.ConnectTimeout=2000

    #
    # Warn about connection exceptions
    #
    Ice.Warn.Connections=2

    #
    # Network Tracing
    #
    # 0 = no network tracing
    # 1 = trace connection establishment and closure
    # 2 = like 1, but more detailed
    # 3 = like 2, but also trace data transfer
    #
    Ice.Trace.Network=0

    #
    # Protocol Tracing
    #
    # 0 = no protocol tracing
    # 1 = trace protocol messages
    #
    Ice.Trace.Protocol=0

    #
    # Security Tracing
    #
    # 0 = no security tracing
    # 1 = trace warning messages
    # 2 = config file parsing warnings
    #
    IceSSL.Trace.Security=0

    #
    # Controls the maximum size of messages that can be read or written. This value
    # corresponds to the size of the data sent in the getScreenImages method.
    # Note that the server ice configuration file also needs to have this parameter set
    # and should match what is specified here.
    #
    Ice.MessageSizeMax=5000



    ########################################################################
    # Device Manager properties
    ########################################################################
    # Device Services Configuration
    #DeviceLib.DeviceServiceType=server
    #DeviceLib.DeviceServiceType=client
    DeviceLib.cachingEnabled=false

    ########################################################################
    # ClientUtil properties
    ########################################################################
    ClientUtil.NodeObserver.Endpoints=ssl
    ClientUtil.NodeObserver.StartPort=10550
    ClientUtil.NodeObserver.PortCount=20
    ClientUtil.MeetingObserver.Endpoints=ssl
    ClientUtil.MeetingObserver.StartPort=10450
    ClientUtil.MeetingObserver.PortCount=20







  • mes
    mes California
    As a first step, I suggest changing the following properties in your servlet's configuration:

    Ice.Trace.Network=3
    Ice.Trace.Protocol=1

    Run your servlet again, capture the log file output, and attach it here. My goal is to find out which endpoint the servlet is attempting to use.

    Regards,
    Mark
  • Ice.SecurityException IceSSL: handshake error

    Thanks Mark.

    Added the Trace and Network as requested by you and attaching the log IceStdError.log with Traces and RMXUtil.log for further Analysis.

    IceStdError.log

    [ 11/1/12 22:54:35:785 Network: trying to establish tcp connection to 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:785 Network: tcp connection established
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:816 Network: received 14 of 14 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:816 Protocol: received validate connection
    message type = 3 (validate connection)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 14 ]
    [ 11/1/12 22:54:35:816 Protocol: sending request
    message type = 0 (request)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 92
    request id = 1
    identity = HaloIceGrid/Locator
    facet =
    operation = findAdapterById
    mode = 1 (nonmutating)
    context = ]
    [ 11/1/12 22:54:35:816 Network: sent 92 of 92 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:832 Network: received 14 of 14 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:832 Network: received 157 of 157 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:832 Protocol: received reply
    message type = 2 (reply)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 171
    request id = 1
    reply status = 0 (ok) ]
    [ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
    [ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
    [ 11/1/12 22:54:35:832 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
    [ 11/1/12 22:54:35:848 Protocol: sending request
    message type = 0 (request)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 92
    request id = 2
    identity = HaloIceGrid/Locator
    facet =
    operation = findAdapterById
    mode = 1 (nonmutating)
    context = ]
    [ 11/1/12 22:54:35:848 Network: sent 92 of 92 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:848 Network: received 14 of 14 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:848 Network: received 157 of 157 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:848 Protocol: received reply
    message type = 2 (reply)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 171
    request id = 2
    reply status = 0 (ok) ]
    [ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
    [ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
    [ 11/1/12 22:54:35:848 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
    [ 11/1/12 22:54:35:863 Protocol: sending request
    message type = 0 (request)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 92
    request id = 3
    identity = HaloIceGrid/Locator
    facet =
    operation = findAdapterById
    mode = 1 (nonmutating)
    context = ]
    [ 11/1/12 22:54:35:863 Network: sent 92 of 92 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:863 Network: received 14 of 14 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:863 Network: received 157 of 157 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:863 Protocol: received reply
    message type = 2 (reply)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 171
    request id = 3
    reply status = 0 (ok) ]
    [ 11/1/12 22:54:35:863 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
    [ 11/1/12 22:54:35:863 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
    [ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
    [ 11/1/12 22:54:35:879 Protocol: sending request
    message type = 0 (request)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 92
    request id = 4
    identity = HaloIceGrid/Locator
    facet =
    operation = findAdapterById
    mode = 1 (nonmutating)
    context = ]
    [ 11/1/12 22:54:35:879 Network: sent 92 of 92 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:879 Network: received 14 of 14 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:879 Network: received 157 of 157 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:879 Protocol: received reply
    message type = 2 (reply)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 171
    request id = 4
    reply status = 0 (ok) ]
    [ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.106:10205 ]
    [ 11/1/12 22:54:35:879 Network: trying to establish ssl connection to 141.124.212.105:10205 ]
    [ 11/1/12 22:54:35:894 Network: trying to establish ssl connection to 141.124.212.104:10205 ]
    [ 11/1/12 22:54:35:894 Protocol: sending close connection
    message type = 4 (close connection)
    compression status = 0 (not compressed; do not compress response, if any)
    message size = 14 ]
    [ 11/1/12 22:54:35:894 Network: sent 14 of 14 bytes via tcp
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:894 Network: shutting down tcp connection for writing
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
    [ 11/1/12 22:54:35:894 Network: closing tcp connection
    local address = 141.124.211.57:54284
    remote address = 141.124.212.105:10000 ]
  • mes
    mes California
    Hi,

    Thanks for posting the log information.

    My first suggestion is to verify that the servers shown in these endpoints are in fact using SSL (and not TCP):

    [Network: trying to establish ssl connection to 141.124.212.106:10205 ]
    [Network: trying to establish ssl connection to 141.124.212.105:10205 ]
    [Network: trying to establish ssl connection to 141.124.212.104:10205 ]

    Note that the endpoint settings for these servers are probably stored in IceGrid.

    Second, since you stated in your original message that a standalone (non-Tomcat) application works correctly, the goal should be to discover what the differences are between the standalone and servlet cases. For example, are you absolutely sure that the servlet is using the configuration properties in the file that you attached? One way to verify this is to add the following diagnostic code to your servlet:
    java.util.Map m = communicator.getProperties().getPropertiesForPrefix("");
    Ice.Logger l = communicator.getLogger();
    java.util.Iterator i = m.entrySet().iterator();
    while(i.hasNext())
    {
        java.util.Map.Entry e = (java.util.Map.Entry)i.next();
        l.print(e.getKey().toString() + " = " + e.getValue().toString());
    }
    
    This code simply dumps the contents of the communicator's properties. Once you have this output, I would compare it against the properties (especially the IceSSL properties) that you expect it to be using.

    Regards,
    Mark
  • Ice.SecurityException IceSSL: handshake error

    Thanks Mark.

    Yes, I am using IceGrid, and I have a jar file which I call outside Tomcat and inside Tomcat. And all configurations are the same. The only thing is that outside Tomcat it works.

    I have made the changes you mentioned and am attaching the logs from IceStdErrorOutsideTomcat and
    IceStdErrorFromServletTomcat.

    Also attaching the file which I am using for testing.









  • mes
    mes California
    Please post your version information for the following:
    • JVM used for the standalone (non-Tomcat) program
    • JVM used for Tomcat
    • Tomcat version

    Thanks,
    Mark
  • mes
    mes California
    Our suspicion is that Tomcat's SSL configuration is interfering with your servlet's SSL connection. You could try temporarily disabling the use of HTTPS in Tomcat (i.e., use HTTP instead) to see if that eliminates the servlet's failure.

    Another suggestion: run the standalone program with the JVM option -Djavax.net.debug=all, and then run Tomcat with the same option. This will probably generate a lot of output, especially for Tomcat, but it should provide some useful information about the protocols and ciphersuites that the JVM is using.

    Mark
  • Ice.SecurityException IceSSL: handshake error

    Hi Mark

    I switched to https when I had the same handshake issue with http. Anyway, I have switched over to http based on your request.

    I see that after adding debug -Djavax.net.debug=all outside and inside (Tomcat).

    My JVM is 1.6.024 for both outside and inside Tomcat. And I am running Tomcat_6 Apache Tomcat 6.0.18 Server - Apache Tomcat - Welcome!

    Anyway, attaching all the files for your clarity.

    The IceStdout is the one which gives the certificate output.

    Attaching Inside_Tomcat_IceStdOut and OutSide-Tomcat and also http_Tomcat_Std_out for reference.

    Yes, outside Tomcat the IceStdOut output produced is more, as it works there.

    Thanks
    Shrinivas





  • Attaching Tomcat-Server.xml also for your reference. Using http only.
  • Ice.SecurityException IceSSL: handshake error

    Based on some findings I also tried changing jre/lib/java.security by adding these lines, but that too had no effect.

    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider

    I restarted tomcat after the above.

    I would like to know if we need any modifications in Ice code for this

  • mes
    mes California
    Hi,

    I set up a Tomcat server using the following environment:

    * Windows 7 (32-bit)
    * apache-tomcat-6.0.36
    * jdk1.6.0_25

    I created a simple servlet version of the client from the Ice "hello" demo:
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    
    public class HelloWorld extends HttpServlet
    {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException
        {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.println("<html>");
            out.println("<head>");
            out.println("<title>Hello World!</title>");
            out.println("</head>");
            out.println("<body>");
            try
            {
                Ice.InitializationData id = new Ice.InitializationData();
                id.properties = Ice.Util.createProperties();
                id.properties.load("C:/hp/config.client");
                Ice.Communicator c = Ice.Util.initialize(id);
                Ice.ObjectPrx o = c.propertyToProxy("Hello.Proxy");
                Demo.HelloPrx h = Demo.HelloPrxHelper.uncheckedCast(o);
                h.sayHello(0);
                c.destroy();
                out.println("<h1>Hello World!</h1>");
            }
            catch(Exception ex)
            {
                ex.printStackTrace(out);
            }
            out.println("</body>");
            out.println("</html>");
        }
    }
    

    The config.client file contains:
    Hello.Proxy=hello:ssl -p 10001
    Ice.Plugin.IceSSL=IceSSL.PluginFactory
    Ice.ThreadPerConnection=1
    IceSSL.DefaultDir=C:/hp
    IceSSL.Keystore=client.jks
    IceSSL.Password=password
    IceSSL.Truststore=certs.jks
    IceSSL.Ciphers=NONE (RSA.*AES_128) !(EXPORT)
    

    I deployed the webapp, started the Ice "hello" server, and used the browser to access the servlet. The servlet successfully connected to the server via SSL and invoked the sayHello operation without problems.

    I can provide an archive of the servlet files if you'd like to see them.

    My first suggestion is to try your servlet without defining the IceSSL.Ciphers property, just to see if that makes a difference.

    My second suggestion would be to start over with a simple servlet example like mine and slowly modify it to more closely resemble your final version. If you can provide me with a small (but complete) example that reproduces the problem, I'd be happy to take a look at it.

    Regards,
    Mark
  • Thanks Mark,

    You are very much right. Disabling IceSSL.Ciphers resolves the issue. I am able to invoke it perfectly now.


    Thanks again
    Shrinivas

  • mes
    mes California
    Hi,

    Glad to hear that it's working for you now.

    I suspect what's happening is that Tomcat (somehow) is limiting the available ciphers, or perhaps using an entirely different set of ciphers, than what you get outside of Tomcat. If you run your standalone client and your servlet with IceSSL.Trace.Security=1, Ice will log the list of available ciphers. Your setting for IceSSL.Ciphers was apparently too restrictive in Tomcat and eliminated all possibilities. Once you know what ciphers are available, you can enable IceSSL.Ciphers with an appropriate value.

    Regards,
    Mark
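
Added example, not part of the original thread or the Ice code base: a small Java program to run under both the standalone JVM and Tomcat's JVM, showing which supported JSSE suites survive the IceSSL.Ciphers expression from the posted configuration. The class name, the `select` helper and its use of `Matcher.find()` are assumptions that approximate the documented IceSSL.Ciphers token rules (NONE, ALL, NAME, !NAME, (EXP), !(EXP)); the second suite list is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

public class IceSslCipherCheck
{
    // Apply an IceSSL.Ciphers-style expression, token by token and in order,
    // to the suites a JVM supports. Simplification: tokens are split on
    // whitespace, so a regular expression must not contain spaces.
    static List<String> select(String spec, String[] supported)
    {
        Set<String> enabled = new LinkedHashSet<String>();
        for(String token : spec.trim().split("\\s+"))
        {
            boolean negate = token.startsWith("!");
            String body = negate ? token.substring(1) : token;
            if(!negate && body.equals("ALL"))
            {
                enabled.addAll(Arrays.asList(supported));
            }
            else if(!negate && body.equals("NONE"))
            {
                enabled.clear();
            }
            else if(body.length() > 2 && body.startsWith("(") && body.endsWith(")"))
            {
                // (EXP) enables and !(EXP) disables every suite the pattern is found in.
                Pattern p = Pattern.compile(body.substring(1, body.length() - 1));
                if(negate)
                {
                    for(Iterator<String> it = enabled.iterator(); it.hasNext();)
                    {
                        if(p.matcher(it.next()).find()) { it.remove(); }
                    }
                }
                else
                {
                    for(String s : supported)
                    {
                        if(p.matcher(s).find()) { enabled.add(s); }
                    }
                }
            }
            else if(negate)
            {
                enabled.remove(body); // !NAME disables one suite
            }
            else if(Arrays.asList(supported).contains(body))
            {
                enabled.add(body); // NAME enables one suite, if the JVM has it
            }
        }
        return new ArrayList<String>(enabled);
    }

    static void report(String label, String spec, String[] supported)
    {
        List<String> result = select(spec, supported);
        System.out.println(label + ": " + supported.length + " supported, "
                           + result.size() + " left after \"" + spec + "\"");
        for(String s : result) { System.out.println("  " + s); }
        if(result.isEmpty())
        {
            // The condition diagnosed in the thread: nothing left to negotiate with.
            System.out.println("  -> expression eliminates every suite; the handshake cannot start");
        }
    }

    public static void main(String[] args) throws Exception
    {
        // Default is the expression from the configuration posted in the thread.
        String spec = args.length > 0 ? args[0] : "NONE (RSA.*AES_256) !(EXPORT)";

        // What this particular JVM (standalone or Tomcat's) offers.
        String[] live = SSLContext.getDefault().createSSLEngine().getSupportedCipherSuites();
        report("this JVM", spec, live);

        // 128 here means the JCE policy files limit AES to 128-bit keys,
        // so AES_256 suites are unavailable in this JVM.
        System.out.println("max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));

        // Constructed list standing in for a JVM that offers no AES_256 suites.
        String[] constructed = {
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5"
        };
        report("constructed 128-bit-only list", spec, constructed);
    }
}
```

Running the same class in both environments and comparing the two "this JVM" sections shows whether the servlet's JVM is missing the suites the expression requires.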
  • Hi,

    Well, I see that the TLS_RSA_WITH_AES_256 cipher suite or any other cipher suite is not displayed from Tomcat IceStdout but gets displayed outside Tomcat.

    Looks like disabling it makes a possible workaround.

    Also
    openssl ciphers -v 'ALL:!ADH:@STRENGTH' does not indicate the above SSL and so bypassing it makes sense.


