
We are using HttpsUrlConnection in a WebSphere TAI in WebSphere Liberty Profile to connect to a security server. I had a lot of problems with SSL cert errors, until I discovered that it is looking for signer certs in the WLP keystore, not the WLP truststore or JVM truststore. There is nothing in the code setting this, it must be a default. But I am confused, because when we use an HTTP client in other code, it uses the JVM's truststore.

How can I make the HttpsUrlConnection use the WLP or JVM truststore, and not the keystore?

Westy
  • What is your `server.xml`? In the `<ssl>` element you can have `trustStoreRef="defaultTrustStore"` which will point to the configured truststore. If you omit that, the default truststore is the keystore. See [Liberty:SSL configuration attributes](https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/rwlp_ssl.html) for more details. – Gas Sep 19 '16 at 21:47
  • Thanks. I already have SSL set up in my 'server.xml'. I ended up doing what is described in the first answer below. – Westy Sep 20 '16 at 13:37
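The two `server.xml` shapes the comment above describes, side by side, as an added illustration that is not part of the thread. The ids, file locations and `${...}` variable names are placeholders; the only thing that matters is whether the `<ssl>` element carries a `trustStoreRef`.

```xml
<!-- Added example, not from the thread; ids, paths and variable names are placeholders. -->
<server>
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- Server identity: the private key plus its certificate chain. -->
    <keyStore id="defaultKeyStore"
              location="${server.config.dir}/resources/security/key.p12"
              type="PKCS12" password="${keystore.password}" />

    <!-- Signer (CA) certificates of the services this server calls, and nothing else. -->
    <keyStore id="defaultTrustStore"
              location="${server.config.dir}/resources/security/trust.p12"
              type="PKCS12" password="${truststore.password}" />

    <!-- Weak form, shown for comparison (do not use both at once):
         <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />
         With trustStoreRef omitted the keystore doubles as the truststore, so
         signer certificates end up having to be imported into key.p12. -->

    <!-- Corrected form: identity and trust live in separate stores. -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore" />
    <sslDefault sslRef="defaultSSLConfig" />
</server>
```

Keeping the stores separate means the file that holds the server's private key never needs to be touched when a new signer is added; the signer goes into `trust.p12` alone (for example with `keytool -importcert -keystore trust.p12 -storetype PKCS12 -alias <signer> -file <signer.pem>`).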

1 Answer


You can load your truststore as below, build an SSLContext from it, and set that into the HttpsURLConnection. As this is an example I used defaults; you should replace them with the appropriate algorithms, protocol and truststore type.

        import java.io.FileInputStream;
        import java.io.IOException;
        import java.net.URL;
        import java.security.KeyManagementException;
        import java.security.KeyStore;
        import java.security.KeyStoreException;
        import java.security.NoSuchAlgorithmException;
        import java.security.SecureRandom;
        import java.security.cert.CertificateException;
        import javax.net.ssl.HttpsURLConnection;
        import javax.net.ssl.KeyManager;
        import javax.net.ssl.SSLContext;
        import javax.net.ssl.TrustManagerFactory;

        // ... inside the method that opens the connection:
        try (FileInputStream truststoreFile = new FileInputStream("path/to/your/truststore.jks")) {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
            char[] truststorePassword = "<truststorePassword>".toCharArray();
            truststore.load(truststoreFile, truststorePassword);
            trustManagerFactory.init(truststore);
            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
            KeyManager[] keyManagers = {}; // empty: no client certificate; add your own KeyManagers if mutual TLS is required

            sslContext.init(keyManagers, trustManagerFactory.getTrustManagers(), new SecureRandom());

            URL httpsUrl = new URL("<your https url>");
            HttpsURLConnection urlConnection = (HttpsURLConnection) httpsUrl.openConnection();
            // This is the step that makes the connection use *this* truststore;
            // without it the JVM/container default socket factory is still used.
            urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());

        } catch (NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
            //handle exception
        } catch (KeyManagementException e) {
           //handle exception
        }
Laksitha Ranasingha
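A complete version of the same idea, written here as an added example rather than code from the answer or from Liberty: one method builds the trust anchors from an explicit truststore file, a second asks the JVM for its own default truststore (`javax.net.ssl.trustStore` if set, else `cacerts`), and the context is attached to a single connection instead of being installed JVM-wide. The class name, the `TrustedHttps.open` helper and the URL in `main` are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): an SSLContext whose trust anchors come
 * from a truststore you choose, applied per connection so the result does not
 * depend on whatever socket factory the container installed as the JVM default.
 */
public final class TrustedHttps {

    private TrustedHttps() {}

    /** Trust anchors from a file you control; pass the type ("JKS" or "PKCS12") explicitly. */
    public static SSLContext fromTrustStore(Path trustStorePath, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        return build(trustStore);
    }

    /**
     * Trust anchors from the JVM's own truststore. Passing null to
     * TrustManagerFactory.init(KeyStore) is the documented way to request it.
     */
    public static SSLContext fromJvmDefaultTrustStore() throws GeneralSecurityException {
        return build(null);
    }

    private static SSLContext build(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // null KeyManagers: this client presents no certificate of its own.
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** Bind the context to this one connection; the default HostnameVerifier is left untouched. */
    public static HttpsURLConnection open(URL url, SSLContext ctx, int timeoutMillis)
            throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("not an https URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(timeoutMillis);
        conn.setReadTimeout(timeoutMillis);
        return conn;
    }

    /** Usage: java TrustedHttps <https-url> [truststore-path truststore-type password] */
    public static void main(String[] args) throws Exception {
        // Placeholder URL; the real target is whatever your security server is.
        URL url = new URL(args.length > 0 ? args[0] : "https://security.example.com/");
        SSLContext ctx = args.length >= 4
                ? fromTrustStore(Paths.get(args[1]), args[2], args[3].toCharArray())
                : fromJvmDefaultTrustStore();
        HttpsURLConnection conn = open(url, ctx, 5000);
        System.out.println(url.getHost() + " -> HTTP " + conn.getResponseCode()
                + " over " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

Two points worth keeping in mind inside a TAI: `HttpsURLConnection.setDefaultSSLSocketFactory` changes the default for the whole server JVM, not just your module, so prefer the per-connection `setSSLSocketFactory` shown here; and the fix for a "signer not found" error is to add the right CA to the truststore you load, never to install a TrustManager that accepts everything or to replace the HostnameVerifier.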