0

I have a Rest web service developed in java, glassfish, running on a centos server.

We recently opted to use the https protocol and started testing through the test certificate provided by glassfish itself at deployment time (port 8181).

Using Postman for testing I just needed to disable one option in the configuration: "SSL certificate verification".

However the modules that consumed my service, service destop, in java, started to throw exceptions.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In test environment, windows, the lines below corrected the problem, already in production, hundreds, could not solve.

String certificatesTrustStorePath = "/etc/alternatives/jre_1.8.0/lib/security/cacerts";
System.setProperty("javax.net.ssl.trustStore", certificatesTrustStorePath); System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

The error in centos is the one presented in the post below, already read about the various reasons but could not solve.

Error - trustAnchors parameter must be non-empty

If you know how to solve in linux I appreciate it,but the question is not this ...

Do these lines I have published specify where the cacerts file is (and within my platform certificate)? But it seems to me wrong ... I've already consumed third party https rest services and never had to specify the certificate path ... this would require me to know structurally some details of a third party server. Am I wrong?

So, I imagine there must be another way to do it ... could anyone help?

Julio Bindandi
  • 1
  • 2

2 Answers2

0

Yes, your code specifies a custom path for truststore where the ssl cert is present. This is the public key shared corresponding to the https protocol for the handshake(either self-signed or signed by a whitelisted CA). Default path where these get stored is

$JAVA_HOME/jre/lib/security/cacerts

Though above can be overridden. So in your code, you have overridden the path, to point it where the public key(cert) is already present. Thus it's working for you. Truststore is just a collection of public keys.

Alternatively, you can import the public key in the default truststore as well to make it work. In that case, you don't have to explicitly set a different truststore.

deadzg_devil
  • 376
  • 2
  • 10
  • I don't understand ... the variable $JAVA_Home is not equal to "/etc/alternatives/jre_1.8.0/lib/security/cacerts" ? – Julio Bindandi Oct 25 '19 at 13:16
  • You need to explicitly set it – deadzg_devil Oct 25 '19 at 13:17
  • What you mean is: I set $ JAVA_HOME = '/ etc / alternatives /'? Will it make a difference in the final result? – Julio Bindandi Oct 25 '19 at 14:07
  • What is your JAVA_HOME? It should be similar to /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home (in Mac).Which OS are you using? Which java version are you using? The end goal is to find the path($JAVA_HOME/jre/lib/security/cacerts) and import the certificate in the trust store if you don't want to explicitly specify the cert location using the code. – deadzg_devil Oct 25 '19 at 15:02
  • It is a centos 8 – Julio Bindandi Oct 25 '19 at 16:50
0

There is many ways to do it. copy your file to $java_home\jre\lib\security\cacerts\ than you don't have to set property manually.

you can also mention path at runtime using

-Djavax.net.ssl.trustStore=/home/user/SSL/mycacerts -Djavax.net.ssl.keyStore=/home/user/SSL/serverkeystore.jks

Suyash Kumar Singh
  • 173
  • 1
  • 2
  • 10
  • $java_home\jre\lib\security\cacerts\ from the server, correct? certificate is already in the directory. "-Djavax.net.ssl.trustStore=/home/user/SSL/mycacerts -Djavax.net.ssl.keyStore=/home/user/SSL/serverkeystore.jks" Where do I put this? Anyway I still need to know the certificate path. What if it was a third party server? How would I know the way? – Julio Bindandi Oct 25 '19 at 13:14