
I have some Java code in Liferay 6.2 ee sp14 that needs to load a keystore JKS file in order to access some web services (using third-party libraries). If I attempt to call the code (and therefore load the JKS file) as soon as the server has loaded after a restart, it sometimes works. But sometimes it won't work, throwing an error message that suggests the JKS file wasn't actually loaded properly. And it is almost guaranteed to fail if I don't try to access the web services as soon as the server is running.

If it works the first time then it will continue to work until the server is restarted. If it doesn't work the first time then it will never work, and the only chance of getting it to work is to restart the server and try to run the code as soon as the server has loaded.

This is the error message that I see:

com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I get the same error message if I don't try to load a keystore file, or I deliberately load the wrong keystore file first, which is why I think the issue is with the keystore file not being loaded. I'm sure it's FINDING my file because I can always read it and display the contents. My theory is that some other module (probably an outdated one) is loading a different keystore file, and the system simply won't load a second file.

Is there any way to figure out what could be interfering with my keystore file being loaded, or to force it to load even if another keystore file has already been loaded?

The specific code I'm using to load the JKS file:

System.setProperty("javax.net.ssl.keyStore", jksPath);
System.setProperty("javax.net.ssl.keyStorePassword",  jksPass);
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStore", jksPath);
System.setProperty("javax.net.ssl.trustStorePassword", jksPass);
System.setProperty("javax.net.ssl.trustStoreType", "JKS");

I have tried clearing the properties first, but it makes no difference:

System.clearProperty("javax.net.ssl.keyStore");
System.clearProperty("javax.net.ssl.keyStorePassword");
System.clearProperty("javax.net.ssl.keyStoreType");
System.clearProperty("javax.net.ssl.trustStore");
System.clearProperty("javax.net.ssl.trustStorePassword");
System.clearProperty("javax.net.ssl.trustStoreType");

Does anyone have any suggestions? I'm really desperate here.

SolS
  • Been there done that. If you control the code I would recommend NOT using the standard system keystore/truststore (which is configured using the global properties) but to create your own with code and use them for your call only. Then you are in control and won't clash with other classes that also mess with global data. – ewramner Sep 22 '21 at 13:18
  • That sounds very promising, I'll see if I can figure out how to do that. Thank you! If it's not too much trouble, is there any chance you could point me at a guide or tutorial or something? – SolS Sep 22 '21 at 14:13
  • See https://stackoverflow.com/a/38616401/2612030, perhaps it is similar to what you need? – ewramner Sep 22 '21 at 14:53
  • Thanks ewramner. From what I can tell from the link, this solution requires setting up the connection code manually? Unfortunately we are accessing these online services using their own java libraries, so I don't seem to be able to initialise the connection with my own keystore. – SolS Sep 23 '21 at 08:04
  • Right. Then my first advice would be to set the system properties from the command line for the JVM instead (there has to be a way to do that in Liferay), making sure they are in place the first time they are used. If that doesn't help you may need to find out who sets them - dumping the heap with jmap is a great help there. The worst-case solution would be to add your certificates to the JKS file that the system is using instead of having your own. – ewramner Sep 24 '21 at 08:02
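
The approach ewramner describes in the comments (build your own key and trust material in code and keep it away from the global javax.net.ssl.* properties), as an added example that is not code from the question, from Liferay or from the third-party libraries. The reason the question's symptom fits this advice: the JVM reads javax.net.ssl.keyStore/trustStore only once, when the default SSLContext is first initialised, so whichever module triggers TLS first wins and later System.setProperty calls are ignored. The class name IsolatedTls, the sample path and password in main, and the JAX-WS request-context key in useForPort are assumptions made for the illustration; the key is the JAX-WS RI's per-request SSLSocketFactory property and is only correct if the client really runs on the RI bundled with the JDK, as the com.sun.xml.internal.ws package in the stack trace suggests.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.xml.ws.BindingProvider;

/** Added illustration only; not code from the question, Liferay or the web-service libraries. */
public final class IsolatedTls {

    private IsolatedTls() {}

    /** Loads a JKS file; throws on a bad path or password instead of silently yielding an empty store. */
    public static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds an SSLContext whose key and trust material come only from the given store.
     * It never reads or writes javax.net.ssl.*, so it cannot be pre-empted by whichever
     * module initialised the JVM's default context first, and it does not change what
     * other modules trust.
     */
    public static SSLContext contextFromStore(KeyStore store, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Diagnostic for "PKIX path building failed": the issuer DNs a trust manager built from
     * the given store would accept. Pass null to build it from whatever javax.net.ssl.trustStore
     * currently points at (or cacerts if unset). If the web service's CA is in your JKS but
     * absent from the null/default list, the store in effect is not the one you set.
     */
    public static List<String> acceptedIssuers(KeyStore storeOrNullForDefault) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(storeOrNullForDefault); // null = resolve via system properties / cacerts
        List<String> names = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    names.add(ca.getSubjectX500Principal().getName());
                }
            }
        }
        return names;
    }

    /**
     * Preferred: scope the context to one JAX-WS port. ASSUMPTION: the property key below is
     * the JAX-WS RI's per-request SSLSocketFactory key as relocated inside the JDK; the
     * standalone RI uses the same key without ".internal".
     */
    public static void useForPort(Object port, SSLContext ctx) {
        Map<String, Object> req = ((BindingProvider) port).getRequestContext();
        req.put("com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory", ctx.getSocketFactory());
    }

    /**
     * Fallback when the library hides its port: make this context the default for all
     * HttpsURLConnection traffic in the JVM. Still global state, but it replaces the socket
     * factory explicitly rather than depending on who read javax.net.ssl.* first, so
     * initialisation order no longer matters. Every other HTTPS caller will then trust only
     * this store, so it must also hold the CAs they need.
     */
    public static void installAsDefault(SSLContext ctx) {
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample arguments; the path and password are placeholders for the illustration.
        String jksPath = args.length > 0 ? args[0] : "/path/to/client.jks";
        char[] jksPass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore mine = loadJks(jksPath, jksPass);
        System.out.println("CAs in my store:    " + acceptedIssuers(mine));
        System.out.println("CAs in JVM default: " + acceptedIssuers(null));
        SSLContext ctx = contextFromStore(mine, jksPass);
        installAsDefault(ctx); // or useForPort(port, ctx) when the library exposes its port
    }
}
```

Running main on the real JKS after the failure reproduces gives two lists to compare: the first shows what your file actually trusts, the second what the JVM's property-driven default would trust at that moment, which answers the question of whether another module's store is in effect. Prefer useForPort where the client exposes its BindingProvider; installAsDefault is the narrower-blast-radius replacement for the global properties, not a way to bypass validation.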

0 Answers