Unable to connect to the JIRA application due to IOException Invalid keystore format


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Problem

After JIRA has been upgraded or configured for SSL, it cannot be reached, even though the process is running.

The following appears in the Catalina log (for example catalina.2015-10-24.log):

24-Oct-2015 15:54:34.822 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
 java.io.IOException: Invalid keystore format
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
	at java.security.KeyStore.load(KeyStore.java:1445)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:424)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:323)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:581)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:521)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:466)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:205)
	at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:360)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)

Diagnosis

Environment

  • JIRA is configured to use SSL, hosted by Tomcat.

Diagnostic Steps

  • If this exception is found in the logs, it's highly likely this problem applies.

Cause

The Java Keystore (JKS) specified by Tomcat is in an invalid format. Tomcat by default expects it to be a JKS file, and this error can be thrown if the file is in PKCS12 format (it's a bit like expecting a BMP and getting a JPG, in the image world).

Workaround

It may be possible to tell Java to use the appropriate format - this can be done with the following:

  1. Stop JIRA.
  2. Add the JVM argument -Djavax.net.ssl.trustStoreType=pkcs12 as per Setting Properties and Options on Startup.
  3. Start JIRA and test.

If this does not work, proceed to the Resolution.

Resolution

Go back to the provider who supplied the key (either the CA vendor or the appropriate department) and request a Java Keystore (JKS) with the following in it:

  • A PrivateKeyEntry.
  • Any intermediate certificates, in the form of trustedCertEntry.
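
To confirm the cause described above and to check that a delivered keystore holds the entries listed here, the following added example (not Atlassian's code) classifies a keystore by its leading bytes and, for a JKS file, lists each alias with its entry type. The sample bytes are constructed with placeholder key and certificate data, and the parser assumes ASCII aliases.

```python
import io
import struct

MAGICS = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}
ENTRY_KINDS = {1: "PrivateKeyEntry", 2: "trustedCertEntry"}  # names keytool prints

def detect_format(data: bytes) -> str:
    """Classify a keystore file by its leading bytes."""
    magic = struct.unpack(">I", data[:4])[0] if len(data) >= 4 else None
    if magic in MAGICS:
        return MAGICS[magic]
    # 0x30 is the DER SEQUENCE tag that a PKCS12 (.p12/.pfx) file starts with
    return "PKCS12" if data[:1] == b"\x30" else "unknown"

def list_jks_entries(data: bytes):
    """Return [(alias, kind)] from a JKS file; the store password is not needed."""
    if detect_format(data) != "JKS":
        raise ValueError("Invalid keystore format: found " + detect_format(data))
    version, count = struct.unpack_from(">II", data, 4)
    buf, entries = io.BytesIO(data[12:]), []

    def take(code):  # read one big-endian field and advance
        return struct.unpack(code, buf.read(struct.calcsize(code)))[0]

    def skip_cert():
        if version == 2:
            buf.seek(take(">H"), 1)  # certificate type string, e.g. "X.509"
        buf.seek(take(">I"), 1)      # encoded certificate

    for _ in range(count):
        tag, alias_len = take(">I"), take(">H")
        if tag not in ENTRY_KINDS:
            raise ValueError(f"unknown JKS entry tag {tag}")
        alias = buf.read(alias_len).decode("utf-8")
        buf.seek(8, 1)               # 8-byte creation timestamp
        if tag == 1:
            buf.seek(take(">I"), 1)  # password-protected private key blob
            for _ in range(take(">I")):  # certificate chain
                skip_cert()
        else:
            skip_cert()
        entries.append((alias, ENTRY_KINDS[tag]))
    return entries

# Constructed sample: JKS v2 layout with placeholder key/cert bytes (not real material)
SAMPLE_JKS = (b"\xfe\xed\xfe\xed" + struct.pack(">II", 2, 2)
    + struct.pack(">IH", 1, 4) + b"jira" + bytes(8) + struct.pack(">I", 3) + b"KEY"
    + struct.pack(">IH", 1, 5) + b"X.509" + struct.pack(">I", 4) + b"CERT"
    + struct.pack(">IH", 2, 2) + b"ca" + bytes(8) + struct.pack(">H", 5) + b"X.509"
    + struct.pack(">I", 4) + b"CERT" + bytes(20))  # last 20 bytes: digest slot
```

For a real file, pass the bytes read in binary mode; a PKCS12 file raises the ValueError, mirroring the exception Tomcat logs.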

It's recommended to host JIRA behind a reverse proxy such as Apache or Nginx as per the below:

Last modified on Mar 30, 2016
