OpenAM 10.0 EA has recently been released (you can download it from
here). So, as usual, I'll have a copy running in our labs.
I have Tomcat 7.0.26 installed with SSL enabled. It is fairly straightforward to enable SSL on Tomcat with APR (read
here). I have also ensured that the CA certificate is imported into the Java keystore of the JVM Tomcat was running on.
However, when I ran the OpenAM configurator, I kept getting a "Connection reset" error.
[openam@IDP config]$ java -jar configurator.jar -f idp.config
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
Very strange. I would have expected a "PKIX path building failed" error, which is the usual symptom when an invalid certificate, or no certificate at all, was imported into the keystore: the JVM cannot build a trust path for the server's certificate chain.
I even went to the extent of firing up
SSLPoke to identify what had gone wrong. No luck! It threw the same "Connection reset" error.
The next step was to
set the following JVM option and re-run SSLPoke with it (ssl,handshake is enough to see the hello exchange; trustmanager adds the certificate checks):
"-Djavax.net.debug=SSL,handshake,trustmanager"
$ java -Djavax.net.debug=ssl,handshake -cp . SSLPoke idp.azlabs.sg 8080
Bingo!
:
:
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
:
:
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket()
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:830)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:103)
at SSLPoke.main(SSLPoke.java:31)
Now I knew what was wrong.
I shouldn't have cut-and-pasted the connector from the Tomcat 7 documentation without thinking.
<Connector port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           clientAuth="optional" SSLProtocol="TLSv1"/>
TLSv1!! Removing it resolved the issue.

Why this shows up as "Connection reset" rather than a certificate error: the debug output above has the client writing an "SSLv2 client hello message" right before the reset. That is the SSLv2Hello pseudo-protocol, enabled by default on the JDK 6 client (the com.sun.net.ssl.internal.ssl package in the stack trace is the JDK 6 JSSE implementation), which wraps the TLSv1 ClientHello in the SSLv2 record format for backwards compatibility. An APR/OpenSSL connector restricted with SSLProtocol="TLSv1" expects TLS records only, does not understand the SSLv2-format hello and drops the connection. The handshake never gets as far as the certificate exchange, so the trust store is never consulted and no PKIX error can appear.

One caveat before copying the fix: dropping SSLProtocol puts the connector back to the Tomcat 7 default of "all", which lets OpenSSL negotiate SSLv3 as well (and SSLv2, if the OpenSSL build still has it). If the server should stay TLS-only, fix the client instead: take SSLv2Hello out of the enabled protocols of the JVM that runs the configurator, i.e. SSLSocket.setEnabledProtocols(new String[]{"TLSv1"}) in your own code, or, on JDK 7 and later, the https.protocols system property for HttpsURLConnection. The hello is then sent as a plain TLSv1 record and a TLSv1-only connector accepts it.
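As an added example (my own code, not the author's SSLPoke and not part of the original post), here is a small JSSE probe that makes the enabled-protocol list explicit for every attempt, so the three cases can be compared side by side against your own connector: the JDK 6 default of SSLv2Hello plus TLSv1 (reproduces the reset against a TLSv1-only APR connector), a plain TLSv1 hello (the client-side fix), and SSLv3 (which a TLS-only server should refuse). Host and port come from the command line; the class name, the output format and the list of attempts are my own choices.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: probe a TLS server with an explicit protocol list per attempt,
 * instead of trusting the JVM's default enabled protocols.
 * Usage: java TlsProbe <host> <port>
 */
public class TlsProbe {

    /**
     * Attempts one handshake with exactly the given protocols enabled and
     * reports the outcome as a string (negotiated protocol and cipher on
     * success, the exception otherwise). Certificate validation still uses the
     * JVM's default trust store, so a PKIX failure is reported here too.
     */
    static String probe(String host, int port, String... protocols) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try {
            SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
            try {
                // "SSLv2Hello" wraps the ClientHello in the SSLv2 record format;
                // a TLSv1-only OpenSSL connector drops such a hello (Connection reset).
                socket.setEnabledProtocols(protocols);
                socket.startHandshake();
                return "OK " + socket.getSession().getProtocol()
                     + " " + socket.getSession().getCipherSuite();
            } finally {
                socket.close();
            }
        } catch (IllegalArgumentException e) {
            // Protocol name unknown to this JDK (e.g. SSLv2Hello removed in newer releases).
            return "UNSUPPORTED BY CLIENT: " + e.getMessage();
        } catch (IOException e) {
            // Reset/EOF from the server, a handshake alert, or a certificate (PKIX) failure.
            return "FAIL " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Assumption: these three lists are the cases worth comparing for the
        // connector discussed above. On current JDKs TLSv1 and SSLv3 are disabled
        // by jdk.tls.disabledAlgorithms, so add {"TLSv1.2"} there to get a baseline.
        String[][] attempts = {
            {"SSLv2Hello", "TLSv1"},  // JDK 6 default shape of the hello, as seen in the debug log
            {"TLSv1"},                 // plain TLSv1 record: what a TLSv1-only connector accepts
            {"SSLv3"},                 // must be refused by a TLS-only server
        };
        for (String[] p : attempts) {
            System.out.println(Arrays.toString(p) + " -> " + probe(host, port, p));
        }
    }
}
```

Run it with -Djavax.net.debug=ssl,handshake as in the post to see each hello on the wire; the first attempt is the only one that should show "SSLv2 client hello message", and it is the one that fails against SSLProtocol="TLSv1" while the second succeeds.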