41

I've built a Java program as a front end for a database on a server, and I'm trying to use SSL to encrypt traffic between clients and the server. Here is the command I issued to create the server certificate:

keytool -genkey -alias localhost -keyalg RSA -keypass kpass123 -storepass kpass123 -keystore keystore.jks

Here is the relevant code:

System.setProperty("javax.net.ssl.keyStore",
                   "G:/Data/Android_Project/keystore.jks");

System.setProperty("javax.net.ssl.keyPassword", "kpass123");

SSLServerSocketFactory factory = 
    (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();

SSLServerSocket accessSocket = 
    (SSLServerSocket)factory.createServerSocket(DB_ACCESS_PORT);

When I try to run this, I catch this:

java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)

I've also found that the "KeyPairGenerator" service has algorithms DIFFIEHELLMAN, DSA, RSA available to it, while "SSLContext" has algorithms SSL, TLS, SSLV3, DEFAULT, TLSV1.

Do I need to find some way to install RSA into the SSLContext service? Am I even looking at the correct services? Should I not be using RSA?

I'm new to the whole SSL - Security - Certificates thing, and it just blows me away that each of these different services don't have the same algorithms when they are supposed to be accessing the same certificates.

Drew Noakes
  • 300,895
  • 165
  • 679
  • 742
Zarjio
  • 1,097
  • 2
  • 12
  • 22
  • Looks eerily similar to [this problem](http://stackoverflow.com/questions/2125686/using-a-self-generated-key-to-test-java-ssl-app). I suspected the limited cryptography support first, but 1024-bit strong keypairs should have worked fine. RSA should be available without adding any separate providers. – Vineet Reynolds Jun 15 '11 at 23:03
  • 1
    Thanks for the link! I looked at that question, and it appears I am doing everything correctly but still getting exceptions. – Zarjio Jun 16 '11 at 04:42
  • 2
    It would also be interesting to see the various "Caused by" exceptions you get before this `NoSuchAlgorithmException`: that's often where the real cause lies. – Bruno Jun 16 '11 at 09:34

1 Answers1

76

Try javax.net.ssl.keyStorePassword instead of javax.net.ssl.keyPassword: the latter isn't mentioned in the JSSE ref guide.

The algorithms you mention should be there by default using the default security providers. NoSuchAlgorithmExceptions are often cause by other underlying exceptions (file not found, wrong password, wrong keystore type, ...). It's useful to look at the full stack trace.

You could also use -Djavax.net.debug=ssl, or at least -Djavax.net.debug=ssl,keymanager, to get more debugging information, if the information in the stack trace isn't sufficient.

OneCricketeer
  • 179,855
  • 19
  • 132
  • 245
Bruno
  • 119,590
  • 31
  • 270
  • 376
  • 1
    @Bruno Yes the whole "keystore pass must be same as keypass" and also I had the old password on the "keyStorePassword" line but your answer reminded me to check that again. THANKS a lot! – Dexter May 01 '17 at 23:03
  • Thanks, this was helpful. Turns out I needed single quotes around the two Java system properties for the keystore in the systemd start file /etc/systemd/system/activemq.service - otherwise the password property is skipped due to the space as per: https://askubuntu.com/questions/614106/how-to-specify-an-environment-systemd-directive-containing - e.g. Environment='ACTIVEMQ_SSL_OPTS=-Djavax.net.ssl.keyStore=/opt/activemq/conf/keystore.jks -Djavax.net.ssl.keyStorePassword=secret' – beaudet Jan 03 '18 at 13:01