How to specify custom truststore for webapp-runner in Heroku?

Question

My sample webapp makes secure calls to webservices on behalf of its clients, this works on my local environment and now I want to try deploying it on Heroku.

I have setup a Procfile that looks like:

web: java $JAVA_OPTS -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=cacerts_custom.jks -Djavax.net.ssl.trustStorePassword=password -jar target/dependency/webapp-runner.jar --port $PORT target/*.war

And thanks to -Djavax.net.debug=ssl I can clearly see that the custom server certificate that I added onto the cacerts file is being loaded.

app web.1 - - trustStore is: cacerts_custom.jks
app web.1 - - trustStore type is : jks
app web.1 - - trustStore provider is :
app web.1 - - init truststore
app web.1 - - adding as trusted cert:
app web.1 - - Subject: me me me
app web.1 - - Issuer: me me me

But I still keep getting these exceptions:

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
  at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle (ApacheHttpClient4Handler.java:184)
...
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
  at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)

app web.1 - - INFO: 1 * Client out-bound request
app web.1 - - 1 > GET https://webservice.com:80/gimmestuff
app web.1 - - 1 > Accept-Encoding: application/zip
app web.1 - -
app web.1 - - http-nio-31384-exec-5, setSoTimeout(0) called
app web.1 - - Allow unsafe renegotiation: false
app web.1 - - Allow legacy hello messages: true
app web.1 - - Is initial handshake: true
app web.1 - - Is secure renegotiation: false
app web.1 - - %% No cached client session
app web.1 - - *** ClientHello, TLSv1
app web.1 - - RandomCookie:  GMT: 1340484029 bytes = { 185, 85, 19, 4, 68, 226, 214, 134, 35, 143, 91, 59, 106, 156, 34, 20, 77, 75, 64, 92, 131, 186, 239, 23, 168, 188, 37, 157 }
app web.1 - - Session ID:  {}
app web.1 - - Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
app web.1 - - Compression Methods:  { 0 }
app web.1 - - ***
app web.1 - - http-nio-31384-exec-5, WRITE: TLSv1 Handshake, length = 75
app web.1 - - http-nio-31384-exec-5, WRITE: SSLv2 client hello message, length = 101
app web.1 - - http-nio-31384-exec-5, READ: TLSv1 Alert, length = 2
app web.1 - - http-nio-31384-exec-5, RECV TLSv1 ALERT:  fatal, handshake_failure
app web.1 - - http-nio-31384-exec-5, called closeSocket()
app web.1 - - http-nio-31384-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
app web.1 - - http-nio-31384-exec-5, IOException in getSession():  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
app web.1 - - http-nio-31384-exec-5, called close()
app web.1 - - http-nio-31384-exec-5, called closeInternal(true)
app web.1 - - http-nio-31384-exec-5, called close()
app web.1 - - http-nio-31384-exec-5, called closeInternal(true)

So, at this point I'm left wondering:

What else can I do to try and configure the webapp-runner.jar to use cacerts_custom.jks file?
If there a problem in Procfile or some other Heroku level component that runs the app server?
What could I possibly be doing wrong in my code if nothing else is the problem?

UPDATE # 1:

I see Using Apache httpclient for https that there may be an underlying issue with httpclient here but I find it hard to believe that its still a problem today. I will research and post back but if someone knows the answer please do tell.

UPDATE # 2 (Jan 15th 2013):

If I go by what it says in the following stackoverflow post:

Receiving SSLHandshakeException: handshake_failure despite my client ignoring all certs

It hints that the following logs are a sign of trouble:

app[web.1]: http-nio-45949-exec-4, WRITE: TLSv1 Handshake, length = 75
app[web.1]: http-nio-45949-exec-4, WRITE: SSLv2 client hello message, length = 101
app[web.1]: http-nio-45949-exec-4, READ: TLSv1 Alert, length = 2
app[web.1]: http-nio-45949-exec-4, RECV TLSv1 ALERT:  fatal, handshake_failure

So what's to blame here? The side that is presenting the server certificate? That cannot be because my locally hosted webapp can work with that side ... unless its the JDK in my local env versus what is on Heroku that is drastically different in its implementation of the SSL handshake and/or protocol?

score 3 · Accepted Answer · answered Jan 17 '13 at 23:35

For licensing reasons the OpenJDK builds that Heroku uses don't include the Java Cryptography Extensions (JCE). Some SSL certificates require JCE to be processed.

You can include JCE with your app to be included in the JDK by following the steps in this article: https://devcenter.heroku.com/articles/customizing-the-jdk

Download the JCE here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to specify custom truststore for webapp-runner in Heroku?

UPDATE # 1:

UPDATE # 2 (Jan 15th 2013):

1 Answers1