Issues integrating Crowd with SSL

Hi, I was trying to integrate Crowd with SSL. I followed all the steps in https://confluence.atlassian.com/display/CROWD/Configuring+Crowd+to+Work+with+SSL and I still cannot get it working. I have verified that the certificate was imported successfully. However, when I start Crowd, I get these errors:

INFO: Deploying configuration descriptor C:\CROWD_INSTALL\apache-tomcat\conf\Catalina\localhost\openidclient.xml

Jul 21, 2014 6:30:49 AM org.apache.catalina.core.StandardContext startInternal

SEVERE: Error listenerStart

Jul 21, 2014 6:30:49 AM org.apache.catalina.core.StandardContext startInternal

SEVERE: Context [/openidclient] startup failed due to previous errors

Jul 21, 2014 6:30:49 AM org.apache.catalina.startup.HostConfig deployDescriptor

INFO: Deploying configuration descriptor C:\CROWD_INSTALL\apache-tomcat\conf\Catalina\localhost\openidserver.xml

Jul 21, 2014 6:31:01 AM org.apache.catalina.core.StandardContext startInternal

SEVERE: Error listenerStart

Jul 21, 2014 6:31:01 AM org.apache.catalina.core.StandardContext startInternal

SEVERE: Context [/openidserver] startup failed due to previous errors

Jul 21, 2014 6:31:02 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: The web application [/openidserver] appears to have started a thread named [HSQLDB Timer @556ef89c] but has failed to stop it. This is very likely to create a memory leak.

Jul 21, 2014 6:31:02 AM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deploying web application directory C:\CROWD_INSTALL\apache-tomcat\webapps\ROOT

Jul 21, 2014 6:31:02 AM org.apache.coyote.AbstractProtocol start

INFO: Starting ProtocolHandler ["http-bio-8095"]

Jul 21, 2014 6:31:02 AM org.apache.coyote.AbstractProtocol start

INFO: Starting ProtocolHandler ["http-bio-8443"]

Jul 21, 2014 6:31:02 AM org.apache.catalina.startup.Catalina start

INFO: Server startup in 88428 ms

Jul 21, 2014 6:31:34 AM org.apache.tomcat.util.http.Cookies processCookieHeader

INFO: Cookies: Invalid cookie. Value not a token or quoted value

Note: further occurrences of Cookie errors will be logged at DEBUG level.

And when I try to access the Crowd link using https, I see the following error.

Exception in thread "http-bio-8443-exec-3"

Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-3"

Exception in thread "http-bio-8443-exec-4"

Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-4"

Exception in thread "http-bio-8443-exec-7" Exception in thread "http-bio-8443-exec-9"

Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-7"

Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-9"

Exception in thread "C3P0PooledConnectionPoolManager[identityToken->31j0v293ok3knl1rcwmlj|15b4634]-AdminTaskTimer" Exception in thread "http-bio-8443-exec-10" Exception in thread "http-bio-8443-exec-8" Exception in thread "http-bio-8443-exec-6"

Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "C3P0PooledConnectionPoolManager[identityToken->31j0v293ok3knl1rcwmlj|15b4634]-AdminTaskTimer"

Am not sure how to fix this issue. Any clues?

2 answers

Make sure you have java_opts that point to the keystore and truststore:

JAVA_OPTS="-Xms128m -Xmx1024m -XX:MaxPermSize=256m $JAVA_OPTS -Djavax.net.ssl.keyStore=/<pathtokeystore>/.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/<pathtokeystore>/.keystore -Djavax.net.ssl.trustStorePassword=changeit"

I would be very surprised if you need that much memory to run Crowd, especially if this is a new install. Your permsize shouldn't need to be more than 256m and at the most 512m. For the heap I would be surprised if you need more than 1024m max.

In addition, the default JDK keystore is not pkcs12 but JKS. You might need to convert your cert to an x509 and then import it and the private key to your keystore, or make sure you set the keystore type to pkcs12.

Hi Shravanthi, I see some OutOfMemoryError errors in your logs, you may want to increase Crowd memory and see if it brings any improvement.

Cheers

I have increased the memory setting. Here are the contents of my setenv.bat file in Crowd-Install/apache-tomcat/bin/setenv.bat:

JAVA_OPTS="-Xms3072m -Xmx6144m -XX:PermSize=3072m -XX:MaxPermSize=3072m"

It is still giving me the same error. Should I increase it further? My Crowd server is a Windows 2008 server with 8GB RAM. Please let me know if I need to increase it further.

I also see this in the log. What does it mean?

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]

java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I verified that the certificate was imported properly by running the command

keytool -list -v -keystore "C:\Program Files\Java\jdk1.7.0_55\jre\lib\security\cacerts"

and it shows the certificate I am looking for. It's in pkcs12 format.

I was able to get past the out of memory exception after I removed the openid xml, so startup of Crowd did not give any error and I can access the Crowd login with https and port 8443.

However, when I try to log in using admin credentials, it throws these errors (in the Crowd logs):

http-bio-8443-exec-4 ERROR [xfire.transport.http.HttpChannel] java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Line 9885: 2014-07-22 02:14:59,747 http-bio-8443-exec-4 ERROR [xfire.transport.http.HttpChannel] java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Line 9886: 2014-07-22 02:14:59,750 http-bio-8443-exec-4 ERROR [crowd.integration.springsecurity.CrowdSSOAuthenticationProcessingFilter] Unable to unset Crowd SSO token

Line 10028: 2014-07-22 02:15:00,010 http-bio-8443-exec-5 ERROR [crowd.console.action.Login] Failed to connect to the authentication server, please check your crowd.properties

Also saw these in logs

Caused by: org.codehaus.xfire.XFireException: Couldn't send message.

Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I am using a pkcs12 keystore and it is imported properly. I tried to give the keystore type as PKCS12 (modified the java.security file to pkcs12 as well) but even the login screen did not come up, so I reverted the changes.
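An added example (not part of the original thread, and not Atlassian or JDK code): the thread turns on whether a keystore file is JKS or PKCS12, and the format can be read from the file's first bytes. A JKS file starts with the magic bytes FE ED FE ED; when a DER reader treats the second byte (0xED) as a long-form length, 0xED & 0x7F = 109, which is the `lengthTag=109, too big` value in the logs above. The function names and sample headers are constructed for illustration.

```python
# Added example: identify a keystore's on-disk format from its first bytes.
JKS_MAGIC = b"\xfe\xed\xfe\xed"      # Sun JKS file magic
JCEKS_MAGIC = b"\xce\xce\xce\xce"    # JCEKS file magic

# Constructed sample headers (not taken from the thread).
JKS_SAMPLE = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x01"
P12_SAMPLE = b"\x30\x82\x0a\x3c\x02\x01\x03"   # SEQUENCE, 2 length bytes, version 3


def der_length_error(header: bytes):
    """Return the lengthTag a DER reader would reject, or None if acceptable."""
    if len(header) < 2:
        return None
    len_byte = header[1]
    if (len_byte & 0x80) == 0:     # short form: length held in 7 bits
        return None
    n = len_byte & 0x7F            # long form: count of length bytes that follow
    return n if n > 4 else None    # more than 4 length bytes is refused


def sniff_keystore(header: bytes) -> str:
    if header.startswith(JKS_MAGIC):
        return "JKS"
    if header.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if header.startswith(b"-----BEGIN"):
        return "PEM"
    if header[:1] == b"\x30" and der_length_error(header) is None:
        return "DER"               # PKCS12, or a DER-encoded certificate
    return "unknown"


def diagnose(header: bytes, configured_type: str) -> str:
    actual, want = sniff_keystore(header), configured_type.upper()
    if actual == want or (want == "PKCS12" and actual == "DER"):
        return f"ok: file looks like {actual}"
    tag = der_length_error(header)
    if want == "PKCS12" and tag is not None:
        return f"mismatch: {actual} file read as PKCS12 -> lengthTag={tag}, too big"
    return f"mismatch: file looks like {actual}, configured as {want}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:         # usage: script.py <keystore file> <configured type>
        with open(sys.argv[1], "rb") as fh:
            print(diagnose(fh.read(16), sys.argv[2]))
    else:
        print(diagnose(JKS_SAMPLE, "PKCS12"))
```

Run against the file named in the connector's keystore setting and the file named in `-Djavax.net.ssl.trustStore`, each with the type configured for it, to see which one is being read with the wrong type.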
