Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Crowd SSO with MS Active Director fails to connect

Brian McGovern
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 2, 2018

Initial error:

02-Oct-2018 15:33:25.475 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [${JAVA_HOME}/lib/security/cacerts] due to [Illegal character in path at index 1: ${JAVA_HOME}/lib/security/cacerts]
 java.lang.IllegalArgumentException: Illegal character in path at index 1: ${JAVA_HOME}/lib/security/cacerts
        at java.net.URI.create(Unknown Source)
        at java.net.URI.resolve(Unknown Source)
        at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:88)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:132)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:182)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:644)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:355)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:495)
Caused by: java.net.URISyntaxException: Illegal character in path at index 1: ${JAVA_HOME}/lib/security/cacerts
        at java.net.URI$Parser.fail(Unknown Source)
        at java.net.URI$Parser.checkChars(Unknown Source)
        at java.net.URI$Parser.parseHierarchical(Unknown Source)
        at java.net.URI$Parser.parse(Unknown Source)
        at java.net.URI.<init>(Unknown Source)
        ... 27 more

02-Oct-2018 15:33:25.477 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]
 java.lang.IllegalArgumentException: java.io.IOException: Failed to load keystore type [JKS] with path [${JAVA_HOME}/lib/security/cacerts] due to [Illegal character in path at index 1: ${JAVA_HOME}/lib/security/cacerts]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:644)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:355)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:495)
Caused by: java.io.IOException: Failed to load keystore type [JKS] with path [${JAVA_HOME}/lib/security/cacerts] due to [Illegal character in path at index 1: ${JAVA_HOME}/lib/security/cacerts]
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:152)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:182)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 20 more

02-Oct-2018 15:33:25.482 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Protocol-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11Protocol-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:644)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:355)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:495)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: java.io.IOException: Failed to load keystore type [JKS] with path [${JAVA_HOME}/lib/security/cacerts] due to [Illegal character in path at index 1: ${JAVA_HOME}/lib/security/cacerts]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
        ... 13 more
Caused by: java.io.IOException: Failed to load keystore type [JKS] with path [${JAVA_HOME}/lib/security/cacerts] due to [Illegal character in path at index 1: ${JAVA_HOME}/lib/security/cacerts]
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:152)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:182)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 20 more

02-Oct-2018 15:33:25.483 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1104 ms
02-Oct-2018 15:33:25.498 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
02-Oct-2018 15:33:25.499 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.20
02-Oct-2

Should the JAVA_HOME also have forward slashes?

Also we are using progra~1 instead of program files due to the space causing issues.

For MS ACtive directory should we point the keystorefile to our cacerts file or the user home directory?

 

1 answer

0 votes
Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 4, 2018

Hi @Brian McGovern

As far as I can tell from the error you get, you added a keystoreFile attribute to the Connector part of your server.xml configuration file (and its value is wrong). Doing so is intended to enable HTTPS on your Crowd server, which means that your Crowd server is able to receive HTTPS requests.

According to your question, this is not what you're aiming at here. You actually want your Crowd server to connect to your Active Directory using LDAPS. The only thing you need to do here is to add the certificate of the CA that signed your Active Directory's certificate to your JDK's cacerts file.

Thus, first of all please remove your custom configuration in server.xml. Then import the CA's certificate in your JDK by following step 3 of Atlassian's documentation at https://confluence.atlassian.com/crowd/configuring-an-ssl-certificate-for-microsoft-active-directory-63504388.html#ConfiguringanSSLCertificateforMicrosoftActiveDirectory-Step3.ImporttheServerCertificate

If you also need to use Crowd over HTTPS, please follow Atlassian's documentation at https://confluence.atlassian.com/crowd/configuring-crowd-to-work-with-ssl-151520306.html

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events