6

In my java application I am running with supplied -Djavax.net.ssl.trustStore System properties as below. 

-Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl

This is my Complete command line :

$JAVA_HOME/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Xms512m -Xmx1024m -XX:MaxPermSize=192m -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.keyStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.keyStorePassword=XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.net.debug=ssl -Djavax.net.ssl.trustStoreType=jks -cp /Oracle/Middleware/Oracle_Home/wlserver/server/lib/wlfullclient.jar:/myapp/stand‌​alone/lib/asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/myapp/standa‌​lone/lib/myAPP_final.jar

But java is not using that certificate from custom keyStore from the custom path. It is by default going to $JAVA_HOME/lib/security/cacerts with that I am getting below exception : 

java.net.ConnectException: t3s://myapphost.com:7500: Destination 10.243.155.222, 7900 unreachable; nested exception is:
        javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination

When i am importing and adding same certificate in the $JAVA_HOME/lib/security/cacerts it not giving any Exception.

I have refer and this post and try to configured same things in $JAVA_HOME/jre/lib/security/java.security and added following entry:

javax.net.ssl.trustStore=/myapp/app.jks
javax.net.ssl.trustStorePassword=XXXXX
javax.net.ssl.trustStoreType=jks

Still i am facing same problem.

My Question and problem here is, why java always goes java default keyStore location: $JAVA_HOME/lib/security/cacerts though i have supplied and configured my own custom keyStore using : -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl

And if i am importing same certificate in default java keyStore loation it is working fine for me.

where and what all i need to change to configure different keystore to avoid to above exception.

user207421
  • 305,947
  • 44
  • 307
  • 483
Gautam
  • 3,707
  • 5
  • 36
  • 57
  • 2
    Please post the entire command line, and please explain why you think Java is using the default truststore location. I don't see any actual evidence of that here. – user207421 Nov 20 '15 at 08:41
  • $JAVA_HOME/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Xms512m -Xmx1024m -XX:MaxPermSize=192m -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.keyStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.keyStorePassword=XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.net.debug=ssl -Djavax.net.ssl.trustStoreType=jks -cp /Oracle/Middleware/Oracle_Home/wlserver/server/lib/wlfullclient.jar:/myapp/standalone/lib/asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/myapp/standalone/lib/myAPP_final.jar – Gautam Nov 20 '15 at 12:41
  • above is my complete command line. And I am using : java version "1.7.0_79" Java(TM) SE Runtime Environment (build 1.7.0_79-b15) Java HotSpot(TM) 64-Bit Server VM (build 24.79-b02, mixed mode) – Gautam Nov 20 '15 at 12:42
  • I have noticed If i am not having /Oracle_Home/wlserver/server/lib/wlfullclient.jar in class path : I am getting different Exception: As below : ExecuteThread: '5' for queue: 'default', handling exception: java.net.SocketTimeoutException: Read timed out ExecuteThread: '5' for queue: 'default', handling exception: java.net.SocketTimeoutException: Read timed out - 2015-11-20 04:54:02,645 [AT_230SMyApp:AutoLog] INFO And I have tried below URL as well with respect to custom certificate System parameter https://docs.oracle.com/middleware/1221/wls/SACLT/security.htm#SACLT221 I got same error – Gautam Nov 20 '15 at 14:29
  • None of this suggests anything to do with truststores. It all seems to be about network connectivity. – user207421 Mar 08 '19 at 04:26

1 Answers1

1

After seeing this Post I have configured and supplied following system properties -D option it resolved the problem for me. Hope it will help to others so i am posting it.

-Dweblogic.security.CustomTrustKeyStoreFileName=/myapp/app.jks 
 -Dweblogic.security.TrustKeyStore=CustomTrust 
 -Dweblogic.security.CustomTrustKeyStorePassPhrase=XXXXXPWD
 -Dweblogic.security.CustomTrustKeyStoreType=jks

I have understood following things which i have kept in Note: of -Dweblogic.security.TrustKeyStore parameter.

Note 1: -Dweblogic.security.TrustKeyStore will have following options and internal interpretation

  1. -Dweblogic.security.TrustKeyStore=JavaStandardTrust (We should use when the trusted CAs in the JDK's cacerts, specify this)
  2. -Dweblogic.security.TrustKeyStore=DemoTrust (We should use when the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify this)
  3. -Dweblogic.security.TrustKeyStore=CustomTrust (We should use when the trusted CAs from another keystore, specify this).

Note 2:

Any time if you got below Exception, it means your java application is not finding certificate in the specified trust-store.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target,It is telling the same.

Note 3: Important things try to cogfigured -Djavax.net.debug=ssl for seeing more detail view of logs. Normally without that parameter we wont be able to see more details log.

Community
  • 1
  • 1
Gautam
  • 3,707
  • 5
  • 36
  • 57