It's all about the answers!

Ask a question

"SSLContext not available" in tomcat catalina log when RQM(4.0.3) startup on Redhat Linux 6.3


Pamela Mei (6111) | asked Apr 28 '14, 8:54 a.m.
tomcat catalina log:
Apr 28, 2014 3:13:31 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Apr 28, 2014 3:13:31 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Realm} Setting property 'debug' to '99' did not find a matching property.
Apr 28, 2014 3:13:31 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-9080"]
Apr 28, 2014 3:13:31 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-9443"]
Apr 28, 2014 3:13:31 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-9443"]
java.io.IOException: ${jazz.connector.sslProtocol} SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:658)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
Caused by: java.security.NoSuchAlgorithmException: ${jazz.connector.sslProtocol} SSLContext not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at javax.net.ssl.SSLContext.getInstance(SSLContext.java:142)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:488)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:448)
        ... 19 more


Comments
Philippe Chevalier commented Apr 28 '14, 11:13 a.m.
JAZZ DEVELOPER

There is really not enough information to go on here,  Are you trying to start the server via the Tomcat services, of using the the server.startup script.

Doing a quick search on the net I found the following technote that can help explain the situation.

Tomcat as a Windows Service fails with SSLContext error when using Rational Team Concert
http://www-01.ibm.com/support/docview.wss?uid=swg21460726

Hope this helps

4 answers



permanent link
Pamela Mei (6111) | answered Apr 28 '14, 11:22 a.m.


Yes, I'm using the server.startup script.
Yeah, I read that page too. But it's on windows for RTC not RQM.
And I can see SSL is defined on server.xml under tomcat/conf
    <!-- Define a SSL HTTP/1.1 Connector on port 9443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" algorithm="${jazz.connector.algorithm}" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="ibm-team-ssl.keystore" keystorePass="ibm-team" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="9443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="${jazz.connector.sslProtocol}"/>

Comments
Philippe Chevalier commented Apr 28 '14, 12:49 p.m.
JAZZ DEVELOPER

 I not sure what is happening on you system, but I can reproduce the same message on my system if I comment out the following java option JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslProtocol=SSL_TLS".  BY default the server.startup should be setting up the SSL_TLS option like the technote in the last comment explains.


What you need to investigate, is you server startup process:

Why are you missing this option?  
Are you using the right server.startup?  
  Some organization transform the Tomcat home to fit their needs, are there requirements in you environment that changes the startup sequence?
Is it possible that you are using a initd (Unix services to startup the server and some of the required Java option are missing?

I would recommend to open a PMR if you need further investigation.




Philippe Chevalier commented Apr 28 '14, 12:52 p.m.
JAZZ DEVELOPER

 This is the Linux Platform I tested on


Linux someserver.ibm.com 2.6.32-431.11.2.el6.x86_64 #1 SMP Mon Mar 3 13:32:45 EST 2014 x86_64 x86_64 x86_64 GNU/Linux

And the next two section are the update I did in the server.startup, and the output form the tomcat JVM after startup.

<EXTRACT server.startup

# For Mac OS X (unsupported, but used by developers)
if [ uname = Darwin ];
  then
   ... (removed due to limit of numb or char aloud)
  else
    JRE_HOME=pwd/jre
#    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslProtocol=SSL_TLS"
    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.algorithm=IbmX509"
fi

<EXTRACT/>




Philippe Chevalier commented Apr 28 '14, 12:54 p.m.
JAZZ DEVELOPER

 Log Output


<LOG Catalina.out>
...Apr 28, 2014 12:36:08 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-9443"]
Apr 28, 2014 12:36:09 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-9443"]
Throwable occurred: java.io.IOException: ${jazz.connector.sslProtocol} SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
   ...
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
Caused by: java.security.NoSuchAlgorithmException: ${jazz.connector.sslProtocol} SSLContext not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:210)
<LOGS>



permanent link
Pamela Mei (6111) | answered Apr 29 '14, 9:33 p.m.
Hi I checked server.startup the line of SSL_TLS is not commented out.
See below:
# For Mac OS X (unsupported, but used by developers)
if [ `uname` = Darwin ];
  then
    JRE_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home
    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslProtocol=TLS"
    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.algorithm=SunX509"
  else
    JRE_HOME=`pwd`/jre
    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslProtocol=SSL_TLS"
    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.algorithm=IbmX509"
fi


permanent link
Pamela Mei (6111) | answered Apr 30 '14, 4:30 a.m.
on the cannot startup same day, I just knew that the openssl has been just updated.
OpenSSL 1.0.1e-fips 11 Feb 2013
so when the openssl updated? whether the ibm-team-ssl.keystore
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" algorithm="IbmX509" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="ibm-team-ssl.keystore" keystorePass="ibm-team" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="9443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="${jazz.connector.sslProtocol}"/>



Comments
Philippe Chevalier commented Apr 30 '14, 8:47 a.m.
JAZZ DEVELOPER

Can you please clarify "so when the openssl updated? whether the ibm-team-ssl.keystore" 


Are you asking if the ibm-team-ssl.keystore is the concern? and does it require an update because of the change to your openssl libraries?


permanent link
Pamela Mei (6111) | answered May 04 '14, 12:27 a.m.
sorry for loss pasting content.
I remember the openssl is updated due to "Heart Bleed".
Yes, I'm asking whether the keystore is the concern?whether the keystore file needs to be updated or not.

Your answer


Register or to post your answer.