Hi, I was trying to integrate Crowd with SSL. I followed all the steps in https://confluence.atlassian.com/display/CROWD/Configuring+Crowd+to+Work+with+SSL and I still cannot get it working. I have verified that the certificate has been imported successfully. However, when I start Crowd, I get these errors:
INFO: Deploying configuration descriptor C:\CROWD_INSTALL\apache-tomcat\conf\Catalina\localhost\openidclient.xml
Jul 21, 2014 6:30:49 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Error listenerStart
Jul 21, 2014 6:30:49 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Context [/openidclient] startup failed due to previous errors
Jul 21, 2014 6:30:49 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor C:\CROWD_INSTALL\apache-tomcat\conf\Catalina\localhost\openidserver.xml
Jul 21, 2014 6:31:01 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Error listenerStart
Jul 21, 2014 6:31:01 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Context [/openidserver] startup failed due to previous errors
Jul 21, 2014 6:31:02 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: The web application [/openidserver] appears to have started a thread named [HSQLDB Timer @556ef89c] but has failed to stop it. This is very likely to create a memory leak.
Jul 21, 2014 6:31:02 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\CROWD_INSTALL\apache-tomcat\webapps\ROOT
Jul 21, 2014 6:31:02 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8095"]
Jul 21, 2014 6:31:02 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Jul 21, 2014 6:31:02 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 88428 ms
Jul 21, 2014 6:31:34 AM org.apache.tomcat.util.http.Cookies processCookieHeader
INFO: Cookies: Invalid cookie. Value not a token or quoted value
Note: further occurrences of Cookie errors will be logged at DEBUG level.
And when I try to access the Crowd link using https, I see the following error.
Exception in thread "http-bio-8443-exec-3"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-3"
Exception in thread "http-bio-8443-exec-4"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-4"
Exception in thread "http-bio-8443-exec-7" Exception in thread "http-bio-8443-exec-9"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-7"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8443-exec-9"
Exception in thread "C3P0PooledConnectionPoolManager[identityToken->31j0v293ok3knl1rcwmlj|15b4634]-AdminTaskTimer" Exception in thread "http-bio-8443-exec-10" Exception in thread "http-bio-8443-exec-8" Exception in thread "http-bio-8443-exec-6"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "C3P0PooledConnectionPoolManager[identityToken->31j0v293ok3knl1rcwmlj|15b4634]-AdminTaskTimer"
I am not sure how to fix this issue. Any clues?
Make sure you have java_opts that point to the keystore and truststore:
JAVA_OPTS="-Xms128m -Xmx1024m -XX:MaxPermSize=256m $JAVA_OPTS -Djavax.net.ssl.keyStore=/<pathtokeystore>/.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/<pathtokeystore>/.keystore -Djavax.net.ssl.trustStorePassword=changeit"
I would be very surprised if you need that much memory to run Crowd, especially if this is a new install. Your permsize shouldn't need to be more than 256m and at the most 512m. For the heap I would be surprised if you need more than 1024m max.
In addition, the default JDK keystore is not pkcs12 but JKS. You might need to convert your cert to an x509 and then import it and the private key to your keystore, or make sure you set the keystore type to pkcs12.
Hi Shravanthi, I see some OutOfMemoryError errors in your logs. You may want to increase Crowd memory and see if it brings any improvement.
Cheers
I have increased the memory setting. Here are the contents of my setenv.bat file in Crowd-Install/apache-tomcat/bin/setenv.bat:
JAVA_OPTS="-Xms3072m -Xmx6144m -XX:PermSize=3072m -XX:MaxPermSize=3072m"
It is still giving me the same error. Should I increase it further? My Crowd server is a Windows 2008 server with 8GB RAM. Please let me know if I need to increase it further.
I also see this in the log. What does it mean?
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
I verified that the certificate was imported properly by running the command
keytool -list -v -keystore "C:\Program Files\Java\jdk1.7.0_55\jre\lib\security\cacerts"
and it shows the certificate I am looking for. It's in pkcs12 format.
I was able to get past the out of memory exception after I removed the openid xml, so startup of Crowd did not give any error and I can access the Crowd login with https and port 8443.
However, when I try to log in using admin credentials, it throws these errors (in the Crowd logs):
http-bio-8443-exec-4 ERROR [xfire.transport.http.HttpChannel] java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
Line 9885: 2014-07-22 02:14:59,747 http-bio-8443-exec-4 ERROR [xfire.transport.http.HttpChannel] java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
Line 9886: 2014-07-22 02:14:59,750 http-bio-8443-exec-4 ERROR [crowd.integration.springsecurity.CrowdSSOAuthenticationProcessingFilter] Unable to unset Crowd SSO token
Line 10028: 2014-07-22 02:15:00,010 http-bio-8443-exec-5 ERROR [crowd.console.action.Login] Failed to connect to the authentication server, please check your crowd.properties
Also saw these in logs
Caused by: org.codehaus.xfire.XFireException: Couldn't send message.
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
I am using a pkcs12 keystore and it is imported properly. I tried to give the keystoretype as PKCS12 (modified the java.security file as well to pkcs12), but even the login screen did not come up. So I reverted the changes.
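The `lengthTag=109` in the `DerInputStream.getLength()` error quoted in this thread is the value a DER parser derives from the second byte of the JKS magic number `0xFEEDFEED` (`0xED & 0x7F = 109`), which is consistent with a JKS file such as the JDK's `cacerts` being read as PKCS12. The Python check below is an added example, not code from the thread or from Atlassian; the function names and sample bytes are constructed, and `predicted_der_error` is a model of the JDK's length check rather than its source.

```python
import struct
import sys

# Magic numbers at offset 0 of the JDK's proprietary keystore formats.
MAGICS = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}

def sniff_keystore(data: bytes) -> str:
    """Classify a keystore file by its leading bytes."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic in MAGICS:
            return MAGICS[magic]
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":  # DER SEQUENCE: outer tag of a PKCS#12 PFX
        return "PKCS12"
    return "unknown"

def predicted_der_error(data: bytes):
    """Model (assumption) of the DER length check behind the quoted error:
    byte 1 is the length octet; in long form its low 7 bits give the number
    of length bytes that follow, and more than 4 is rejected."""
    if len(data) < 2 or not data[1] & 0x80:
        return None  # short-form length: this particular check passes
    tag = data[1] & 0x7F
    if tag > 4:
        return f"DerInputStream.getLength(): lengthTag={tag}, too big."
    return None

def diagnose(data: bytes, declared_type: str) -> str:
    """Compare the configured keystore type with what the file actually is."""
    declared, actual = declared_type.upper(), sniff_keystore(data)
    if actual == declared:
        return f"ok: file is {actual}, as declared"
    err = predicted_der_error(data) if declared == "PKCS12" else None
    hint = f"; a DER parser would fail with: {err}" if err else ""
    return f"mismatch: declared {declared} but file looks like {actual}{hint}"

# Constructed sample headers (not taken from the thread).
JKS_SAMPLE = struct.pack(">III", 0xFEEDFEED, 2, 0)  # magic, version 2, 0 entries
P12_SAMPLE = bytes.fromhex("30820a1b020103")        # SEQUENCE, 2-byte length, INTEGER 3
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python sniff_keystore.py <keystore-file> <declared-type>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            print(diagnose(fh.read(64), sys.argv[2]))
    else:
        print(diagnose(JKS_SAMPLE, "PKCS12"))
```

Run it against the file named in `-Djavax.net.ssl.keyStore` / `-Djavax.net.ssl.trustStore` with the type the JVM is configured to use; a mismatch means either the store type setting or the file needs to change so the two agree.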