Request jvm truststore and jssecacerts file?

I have two https web apps, app1 and app2, installed on two different Tomcats, t1 and t2 (t1 and t2 on different machines). When in app1 I make a URL connection to app2 I get an SSL handshake error. The reason is that I am using a self-signed certificate in app2 which is not in app1's JVM truststore. So the correct approach to fix it is to install the self-signed certificate in JAVA_HOME/jre/lib/security. To do the same, I followed the steps given at http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/ . The same steps are suggested in different forums. But I still get the same SSL handshake exception, which is

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

Though I got rid of that SSLHandshakeException by specifying the options below for the JVM: -Djavax.net.ssl.trustStore=C:.keystore -Djavax.net.ssl.trustStorePassword=changeit

My question here is why the first approach (which is the correct approach), i.e. putting the jssecacerts file in /lib/security, doesn't work? Another point: what is the difference between the first and second approaches?

+3


source to share


2 answers


Though I got rid of this SSLHandshakeException by mentioning the options below for the JVM: -Djavax.net.ssl.trustStore=C:.keystore -Djavax.net.ssl.trustStorePassword=changeit

It is not clear what you were trying to do with these parameters. Either you use the default trust store (usually jssecacerts if it exists, otherwise cacerts), or you specify your own. .keystore tends to be used as a key store rather than a trust store (although there is no default JSSE value). (By the way, I would also specify the full path instead of C:.keystore.)

It's probably better to make a copy of the original cacerts (or jssecacerts) file (remove the extra one you put in if you changed something) and add your remote certificate to it (i.e. app2's cert in app1's copy and app1's cert in app2's if necessary).

You can list the certificates with keytool -list -keystore keystore.jks (see help for advanced options if needed).

You can export the certificate using keytool -export -keystore server1-keystore.jks -alias server_alias -file server1.crt.

Then import it into the other trust store: keytool -import -keystore client2-truststore.jks -file server1.crt. (client2-truststore.jks will be a copy of cacerts here.) Then configure your JVM to use Apache Tomcat (not necessarily the Tomcat connector). You have to set the JVM parameters in catalina.sh (JAVA_OPTS=-D...).

EDIT:

My question is why the first approach (which is the correct approach), i.e. putting the jssecacerts file in /lib/security, doesn't work?



To answer your question in more detail, I just double checked a clean install of Oracle JRE 6 (1.6.0_31) and jssecacerts takes precedence over cacerts if present (as described in the JSSE Ref Guide, so there seems to be no error). I'm not sure where Oracle moved Andreas Sterbenz's Sun blog, so I'm not sure which copy of InstallCert you were using. I think something didn't work out there.

As far as I know, InstallCert connects to the server to get its certificate (replacing the export step above): you are actually assuming that the certificate you get the first time you connect is correct (and may be trusted). You can also obtain this certificate using OpenSSL. However, in your case, you seem to have control over the two servers and their respective keystores, so you can also use keytool -export.

Another point: what is the difference between the first and second approaches?

The first approach (changing jssecacerts) sets the configuration for all applications that will use this JRE installation, while the second will apply these settings only to the JVM started by Apache Tomcat.

Please note that if you did not have a jssecacerts file but only a cacerts file, and you only import your certificate into jssecacerts, cacerts will be ignored, which means you will not be able to connect to servers that have a certificate issued by a CA which would usually be trusted by default. Therefore, it is useful to start with a copy of the default file. (Also, if your app also connects to other sites that are generally trusted by default, that might also explain why you get this error message elsewhere this time.)

It is ultimately your responsibility to verify what is in jssecacerts or cacerts:

IMPORTANT NOTE: The JDK comes with a limited number of trusted root certificates in the /lib/security/cacerts file. As stated in keytool, you are responsible for maintaining (i.e. adding/removing) the certificates contained in this file if you use this file as a trust store.

Depending on the certificate configuration of the servers you are communicating with, you may need to add additional root certificates. Obtain what you need from the appropriate supplier.

+6


source
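As an added example (not code from the question or either answer), this is what the per-application variant of the second approach looks like in Java: app1 builds its own trust store from a copy of the JRE's default file (jssecacerts if present, otherwise cacerts, the same precedence described above) plus app2's exported server1.crt, and uses it for this HttpsURLConnection only, so the JRE's files stay untouched and the public CAs remain trusted. The URL https://t2.example:8443/app2/ and the file name server1.crt in the working directory are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class App2Client {
    // The file JSSE picks as the default trust store: jssecacerts wins if present, otherwise cacerts.
    static Path defaultTrustStore() {
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    // In-memory copy of the default trust store plus app2's self-signed certificate,
    // so the public CAs stay trusted and the JRE's own files are left untouched.
    static KeyStore trustStoreWith(Path serverCert) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(defaultTrustStore())) {
            ts.load(in, "changeit".toCharArray()); // JDK default password; null would skip the integrity check
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(serverCert)) {
            Certificate app2Cert = cf.generateCertificate(in); // server1.crt as produced by keytool -export
            ts.setCertificateEntry("app2", app2Cert);
        }
        return ts;
    }

    // SSLContext whose trust manager validates peers against the given trust store only.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = trustStoreWith(Paths.get("server1.crt"));  // assumed path of app2's exported cert
        URL app2 = new URL("https://t2.example:8443/app2/");      // assumed address of app2 on t2
        HttpsURLConnection conn = (HttpsURLConnection) app2.openConnection();
        conn.setSSLSocketFactory(contextFor(ts).getSocketFactory()); // only this connection uses the custom store
        System.out.println("app2 responded with HTTP " + conn.getResponseCode());
    }
}
```

Because the trust store is supplied per connection rather than through -Djavax.net.ssl.trustStore, the rest of Tomcat and any other application on the same JRE keep the default trust configuration.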


The difference is that you added the certificate to the wrong trust file :). The system truststore is not jssecacerts but just cacerts in ${JRE_HOME}/lib/security/. You were creating a new trust store that the JRE is not aware of. Adding the certificate to the proper store will solve your problem. However, let me warn you that it is not recommended to add your own CA certificates to the truststore. Add them to the user's trust store and use it the way you do in the second option.



0


source

