CAS server and 3 level long CA
Shi Yusen
shiys at langhua.cn
Tue Dec 2 14:24:14 EST 2008
Personally I guess your problem is similar to this one:
http://www.codecomments.com/archive253-2004-4-173117.html
Perhaps you have to install a new version of the sun java security
policy? Or use OpenJDK instead?
Regards,
Shi Yusen/Beijing Langhua Ltd.
On Mon, 2008-12-01 at 18:36 +0100, jehan procaccia wrote:
> Hello,
> we are running our own (self-signed) PKI with a 3-level hierarchy
> (itrootCA -> itCA -> tmspCA -> cas-server), and I have a problem
> configuring Tomcat to load that CA chain; when Tomcat starts it generates
> a SEVERE error:
>
> SEVERE: Error initializing endpoint
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
>
> I load the cas server certificate on the 8443 connector
> <Connector port="8443" maxHttpHeaderSize="8192"
> keystoreFile="/etc/tomcat5/cas1_tmsp_openssl.p12"
> keystorePass="secret" keystoreType="pkcs12" />
>
> and I load the CA-chain from CATALINA_OPTS env variable:
>
> CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/tomcat5/ca-chain-IT-tmspca-itca-itrootca.keystore -Djavax.net.ssl.trustStorePassword=secret"
>
> The ca-chain keystore does contain the 3-level CA hierarchy:
>
> [root at cas1 /etc/tomcat5]
> $ keytool -list -v -keystore ./ca-chain-IT-tmspca-itca-itrootca.keystore | grep Owner
> Enter keystore password: secret
> Owner: C=fr, O=Institut TELECOM, OU=Institut TELECOM, CN=Institut TELECOM class2 Certificate Authority
> Owner: C=fr, O=Institut TELECOM, CN=Institut TELECOM Root class1 Certificate Authority
> Owner: C=fr, O=TELECOM & Management SudParis, OU=TELECOM & Management SudParis, CN=TELECOM & Management SudParis class3 Certificate Authority
>
> I googled that error "...too big..." and saw remarks about DER vs PEM
> format, so here's how I created the above keystore:
> [root at cas1 /etc/tomcat5]
> $ keytool -import -keystore ca-chain-IT-tmspca-itca-itrootca.keystore -file /etc/pki/tls/certs/itrootca.crt -alias IT_CA_class1
> and the same with the 2 other levels
>
> Why is Tomcat complaining about
>
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
>
> Is my certificate chain too long, or in a bad format? How can I check
> that?
> Thanks.
>
>
> PS:
> I run java-1.6.0-sun-1.6.0.01-1.el5 and tomcat5-5.5.23-0jpp.7.el5_2.1
> Here are Tomcat's full catalina.out logs at startup:
>
> Using CATALINA_BASE: /usr/share/tomcat5
> Using CATALINA_HOME: /usr/share/tomcat5
> Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
> Using JRE_HOME:
> Dec 1, 2008 6:10:52 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/i386/client:/usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/i386:/usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
> Dec 1, 2008 6:10:53 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> Dec 1, 2008 6:10:53 PM org.apache.coyote.http11.Http11BaseProtocol init
> SEVERE: Error initializing endpoint
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
> at sun.security.util.DerValue.init(DerValue.java:346)
> at sun.security.util.DerValue.<init>(DerValue.java:302)
> at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1200)
> at java.security.KeyStore.load(KeyStore.java:1185)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:287)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:261)
> at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:175)
> at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:112)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:89)
> at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293)
> at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139)
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
> Dec 1, 2008 6:10:53 PM org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException: Protocol handler initialization failed:
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1019)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
> Dec 1, 2008 6:10:53 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 763 ms
> Dec 1, 2008 6:10:53 PM org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> Dec 1, 2008 6:10:53 PM org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
> Dec 1, 2008 6:10:53 PM org.apache.catalina.core.StandardHost start
> INFO: XML validation disabled
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
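The stack trace quoted above shows the trust store path (JSSESocketFactory.getTrustStore) ending in com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad, while the trust store itself was written by keytool -import, whose default store type is JKS, and the connector only declares keystoreType="pkcs12". The following is an added example, not code from the thread, from Tomcat or from the JDK: it reimplements in Python the length-decoding rule of sun.security.util.DerInputStream.getLength() and runs it over constructed file headers (a JKS magic number, the first bytes of a PKCS#12 blob, a PEM banner) to show which input yields exactly "lengthTag=109, too big." The sample headers are constructed inline; the helper classify_file, and the exact wording of the tag-rejection message, are this example's own.

```python
"""Added example (not from the thread): reproduce the DER length check that
Java's DerInputStream.getLength() performs, and use it to explain why a file
fails inside PKCS12KeyStore.engineLoad(). Sample headers are constructed."""

JKS_MAGIC = bytes.fromhex("feedfeed")    # magic of a "jks" store (keytool default)
JCEKS_MAGIC = bytes.fromhex("cececece")  # magic of a "jceks" store
PEM_PREFIX = b"-----BEGIN"
DER_SEQUENCE = 0x30                      # outer ASN.1 SEQUENCE tag of a PKCS#12 blob


class DerLengthError(ValueError):
    """Stands in for the IOException thrown by DerInputStream.getLength()."""


def der_get_length(data: bytes) -> int:
    """Decode the DER length that follows the first (tag) byte of `data`.

    Mirrors DerInputStream.getLength(): short form when bit 8 of the length
    byte is clear; otherwise the low 7 bits give the number of length octets,
    0 meaning BER indefinite length (returned as -1) and anything above 4
    rejected with "lengthTag=N, too big.".
    """
    if len(data) < 2:
        raise DerLengthError("DerInputStream.getLength(): truncated input")
    len_byte = data[1]
    if len_byte & 0x80 == 0:
        return len_byte
    length_tag = len_byte & 0x7F
    if length_tag == 0:
        return -1
    if length_tag > 4:
        raise DerLengthError(
            f"DerInputStream.getLength(): lengthTag={length_tag}, too big.")
    if len(data) < 2 + length_tag:
        raise DerLengthError("DerInputStream.getLength(): truncated length")
    return int.from_bytes(data[2:2 + length_tag], "big")


def pkcs12_load_error(data: bytes):
    """Message the PKCS#12 loader would fail with on this header, or None.

    The JDK parses tag and length (DerValue) before it checks that the tag is
    a SEQUENCE, so a bad length byte is reported first. A None result only
    means the outer header parses; the store may still be rejected later.
    """
    try:
        der_get_length(data)
    except DerLengthError as exc:
        return str(exc)
    if data[0] != DER_SEQUENCE:
        # wording approximates DerValue.toDerInputStream's rejection message
        return f"toDerInputStream rejects tag type {data[0]}"
    return None


def classify_keystore(data: bytes) -> str:
    """Guess a store's on-disk format from its leading bytes."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if data.startswith(JCEKS_MAGIC):
        return "jceks"
    if data.startswith(PEM_PREFIX):
        return "pem"
    if data[:1] == bytes([DER_SEQUENCE]) and pkcs12_load_error(data) is None:
        return "der (pkcs12 candidate)"
    return "unknown"


def classify_file(path: str) -> str:
    """Hypothetical helper: classify a real store by its first 16 bytes."""
    with open(path, "rb") as handle:
        return classify_keystore(handle.read(16))


# Constructed headers, not taken from any real keystore.
SAMPLES = {
    "keytool default (JKS)": bytes.fromhex("feedfeed00000002"),  # magic + version 2
    "openssl pkcs12 -export": bytes.fromhex("30820b4b0201030482"),  # SEQUENCE, len 0x0b4b
    "pem certificate": b"-----BEGIN CERTIFICATE-----\n",
}


def diagnose(samples=SAMPLES):
    """Map each sample name to (guessed format, PKCS#12 loader error or None)."""
    return {name: (classify_keystore(head), pkcs12_load_error(head))
            for name, head in samples.items()}


if __name__ == "__main__":
    for name, (fmt, err) in diagnose().items():
        print(f"{name:24s} format={fmt:24s} pkcs12 load: {err or 'ok'}")
```

A JKS file begins with the magic 0xFEEDFEED; read as DER, 0xFE is taken as the tag and 0xED as the length byte, whose low seven bits are 0x6D = 109, more than the four length octets the JDK accepts. The message is therefore a fingerprint of a JKS (or other non-DER) file handed to the PKCS#12 loader rather than of a chain that is too long; telling Tomcat the trust store's real type (the truststoreType connector attribute, or -Djavax.net.ssl.trustStoreType=jks) is the usual remedy. Separately, a password placed in CATALINA_OPTS is visible to every local user in the process list; a trust store that holds only CA certificates can be loaded without one, so the password adds exposure and little protection.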