4

In order to update the certificate that I use for SSL for my server I have a code that does the import\export and validation that I need.

It works well, but In order for the changes to take effect I have to restart the tomcat.
I wish to avoid the restart, and update it without using external tools (keytool for example).
I looked up for some similar questions, and found a solution - restarting the 443 connector. I'm able to do so, and the connector is stopping and starting, but the certificate was not updated. Only server restart actually updates it.

Is there some connector initialisation procedure that I'm missing?
Some system cache or objects that I should clear?

This is the code that I use for restarting the connector: 

MBeanServer mbeanServer = null;
ObjectName objectName = null;
final ObjectName objectNameQuery = new ObjectName("*:type=Connector,port=443,*");
for (final MBeanServer server : (ArrayList<MBeanServer>) MBeanServerFactory.findMBeanServer(null)) {
    if (server.queryNames(objectNameQuery, null).size() > 0) {
        mbeanServer = server;
        objectName = (ObjectName) server.queryNames(objectNameQuery,null).toArray()[0];
        break;
    }
}

mbeanServer.invoke(objectName, "stop", null, null);
Thread.sleep(1000);
mbeanServer.invoke(objectName, "start", null, null);

I see in the tomcat logs the following traces of the connector restart:
23-Apr-2017 15:42:00.292 INFO [BG-Task RestartTomcatConnector] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-443"]
23-Apr-2017 15:42:01.349 INFO [BG-Task RestartTomcatConnector] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-443"]

csny
  • 164
  • 1
  • 2
  • 14
  • 2
    Have you tried this option: https://serverfault.com/questions/328533/can-tomcat-reload-its-ssl-certificate-without-being-restarted#comment1031061_625075 – zloster Apr 24 '17 at 13:55
  • Yes, just found this - it does cause the connector to load the keystore, but it fails loading it and the connector doesn't function. Same keystore is loaded after a restart, in which the connector is initialised successfully. – csny Apr 24 '17 at 16:02
  • did you get your solution. I am also badly stuck due to this – Jagaran Apr 04 '18 at 17:52
  • @Jagaran, The code, together with the "bindOnInit" param, and a longer sleep between the stop/start made it work for me. – csny Apr 08 '18 at 08:20
  • @csny - So you mean you could add new certificate without tomcat restart using that code. Please if you can send me the sample code. You really making my day and thanks a tonne – Jagaran Apr 09 '18 at 14:37
  • @Jagaran, I mean the same code that is in the question description works well. All I did was to increase the sleep time to 3 seconds, and verify server.xml connector entry has the "bindOnInit=false" param – csny Apr 09 '18 at 14:47
  • @csny - Is it possible to send the sample code for the tomcat server? – Jagaran Apr 09 '18 at 15:06

1 Answers1

0

The problem was solved, these are the components:

  1. server.xml must include bindOnInit="false". This is the config I use

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="443" SSLEnabled="true" maxThreads="150"
        acceptCount="2000" scheme="https" secure="true"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
        keystoreFile="webapps/ServerKeyStore"
        keystorePass="***"
        clientAuth="false" sslProtocol="TLS"
        sslEnabledProtocols="TLSv1.1,TLSv1.2" compression="on"
        compressableMimeType="text/html,text/xml,application/xml,application/json,application/javascript,text/css,text/plain"
        server="Portal" useSendfile="false"
        compressionMinSize="1024" bindOnInit="false"
/>

  2. The Java code for the connector restart: 

    public class TomcatConnectorRestarter implements Callable<Boolean> {

    private final int waitSeconds = 3;
    private final static ReentrantLock rl = new ReentrantLock();

    @Override
    public Boolean call() throws Exception {
        restartConnector();
        return true;
    }

    protected void restartConnector() throws Exception {
        try {
            if (tryLock()){
                mLogger.info("Acquired lock");
                try {
                    HTTPSConnectorMBean httpsConnector = null;
                    MBeanServer mbeanServer = null;
                    ObjectName objectName = null;
                    final ObjectName objectNameQuery = new ObjectName("*:type=Connector,port=443,*");

                    for (final MBeanServer server : (ArrayList<MBeanServer>) MBeanServerFactory.findMBeanServer(null)) {
                        if (server.queryNames(objectNameQuery, null).size() > 0) {
                            mbeanServer = server;
                            objectName = (ObjectName) server.queryNames(objectNameQuery, null).toArray()[0];
                            httpsConnector = new HTTPSConnectorMBean(objectName, mbeanServer);
                            break;
                        }
                    }

                    if (Objects.nonNull(httpsConnector)) {
                        mLogger.info("Stopping connector");
                        httpsConnector.stop();
                        mLogger.info("Waiting "+waitSeconds+" seconds after "+"stop"+" ...");
                        Thread.sleep(waitSeconds*1000);
                        mLogger.info("Starting connector");
                        httpsConnector.start();
                    }
                    else {
                        mLogger.error("Could not find connector object");
                    }
                }
                catch (Exception e) {
                    mLogger.error("Failed restarting connector",e);
                }
            }
            else {
                mLogger.warn("Operation is in process");
            }
        }
        finally {
            unlock();
        }
    }

    private void unlock() {
        if (rl.isHeldByCurrentThread()) {
            mLogger.debug("Releasing lock");
            rl.unlock();
        }
    }

    private boolean tryLock() {
        return !rl.isHeldByCurrentThread() && rl.tryLock();
    }

    private enum MBeanConnectorAction {
        start,stop,getState;
    }

    private abstract class MBeansObjectAction {
        private final ObjectName on;
        private final MBeanServer server;

        public MBeansObjectAction(ObjectName on, MBeanServer server) {
            this.on = on;
            this.server = server;
        }

        protected Object invoke(MBeanConnectorAction cmd) throws InstanceNotFoundException, ReflectionException, MBeanException {
            return server.invoke(on, cmd.toString(), null, null);
        }
    }

    private class HTTPSConnectorMBean extends MBeansObjectAction {

        public HTTPSConnectorMBean(ObjectName on, MBeanServer server) {
            super(on, server);
        }

        public void start() throws InstanceNotFoundException, ReflectionException, MBeanException {
            invoke(MBeanConnectorAction.start);
        }
        public void stop() throws InstanceNotFoundException, ReflectionException, MBeanException {
            invoke(MBeanConnectorAction.stop);
        }
        public Object status() throws InstanceNotFoundException, ReflectionException, MBeanException {
            return invoke(MBeanConnectorAction.getState);
        }
    }
}
Gary
  • 13,303
  • 18
  • 49
  • 71
csny
  • 164
  • 1
  • 2
  • 14
  • 1. Added a LDPAS certificate 2. Did the connection. 3. Added another certificate 4. connection giving PKIX certificate exception 4. JCONSOLE and start stopped the 443 connector from UI with pause 5. Still the same error 6. Restarted tomcat 7. second connection okay - @csny - Please tell me where i am doing wrong – Jagaran Apr 10 '18 at 20:38
  • Do have errors starting the 443 connector? Do you change the server keystore password, or edit somehow the tomcat configuration during the certificate update? – csny Apr 11 '18 at 10:59
  • Nope. I used the jconsole web UI – Jagaran Apr 12 '18 at 19:13