Re: [Pki-users] Problems with java11
----- Original Message -----
> Are you getting this error:
>
> java.lang.IllegalArgumentException: Alias name [sslserver] does not
> identify a key
> entry
>
> or this error?
>
> java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were
> provided
> for the host name [_default_]. Host names must be unique.
>
> If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore)
> cannot
> find the SSL server certificate. We may not have a solution since we do not
> support
> Java 11 yet.
But I've patched Dogtag to support the new keystore, and am using JSS
4.5.1, I thought they did support Java 11.. so something is missing
still then..
IIUC JSS was updated so it can build with Java 11, but I don't think it
has been thoroughly tested yet. The only user of JSS keystore (that I'm aware
of) is Dogtag and Dogtag is still using Java 8 on Fedora.
> If it's the second one, that message is coming from Tomcat
when validating
> the
> server.xml. Is certificateVerification the only thing you change in that
> file? You
> might want to try adding defaultSSLHostConfigName to Connector and hostName
> to
> SSLHostConfig, but I'm really not sure what's going on.
>
> See also this page:
>
https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multip...
>
> If you put any of these deprecated attributes in the Connector directive,
> tomcat
> assumes you are using the old way and auto creates a SSLHostConfig itself,
> which
> then conflicts with the one you are creating.
--
Endi S. Dewata