How to solve javax.net.ssl.SSLHandshakeException?

This blog post is about how two web applications secured with SSL can communicate with each other
without getting a certificate error, i.e. SSLHandshakeException.

Error developers generally face
When web_application_A, with a self-signed certificate, tries to connect to web_application_B (with the same self-signed certificate), you may sometimes get the error below:

detailed message sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Details of my environment :- I got the same error. Here are the environment details:

Webserver :- Tomcat 6
OS :- Windows 7
Java Version :- 1.6
web_application_A :- Port 8443
web_application_B :- Port 443
server.xml (for both Tomcat instances) :- Contains the entry below

keystoreFile="c:/.keystore"
keystorePass="changeit"


Java code for setting up the connection from App_A to App_B

For more information, this is how I am making the connection:

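import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

URL url = new URL(urlStr);

URLConnection conn = url.openConnection();

if (conn instanceof HttpsURLConnection) {

  // Reuse the connection opened above instead of opening a second one
  HttpsURLConnection conn1 = (HttpsURLConnection) conn;

  // This verifier accepts any hostname, so hostname verification is switched off
  conn1.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
      return true;
    }
  });

  // reply is declared elsewhere in the application (not shown in the post)
  reply.load(conn1.getInputStream());
}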

Root Cause :-

The self-signed certificate issued by App_B is not in the trusted store of App_A's JVM. You can confirm this by opening the same
URL in the IE browser: it will work (with the warning "There is a problem with this web site's security certificate"; just choose to continue to this website).

Solutions from Google that I tried but that did not work :-


Solution_1

    System.setProperty("javax.net.ssl.trustStore", "C:/.keystore");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");


Solution_2
Set the following environment variable

    CATALINA_OPTS -- param name
    -Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value


Solution_3
Set the following environment variable

    JAVA_OPTS -- param name
    -Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value


Final Solution that worked :-

You need to add the certificate for App2 to the truststore file of the JVM in use, located at %JAVA_HOME%\lib\security\cacerts.

First, you can check whether your certificate is already in the truststore by running the following command:

keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

If your certificate is missing, you can get it by downloading it with your browser and then add it to the truststore with the following command:

keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>

After the import, you can run the first command again to check that your certificate was added.
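An alternative to changing the JVM-wide cacerts file, shown as an added example that is not part of the original post: App_A loads a separate truststore holding only App_B's certificate and uses it for this one connection, with the default hostname check left on. The class name, method name and command-line arguments are assumptions; the truststore is assumed to have been created with the keytool -import command above, with -keystore pointing at a new file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical client class for App_A (name is an assumption, not from the post)
public class AppBClient {

    // Build a socket factory that trusts only the certificates in the given truststore.
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default randomness
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] = App_B https URL, args[1] = truststore path,
        // args[2] = truststore password
        SSLSocketFactory factory = socketFactoryFor(args[1], args[2].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(factory); // applies to this connection only
        // No custom HostnameVerifier is set: the default check stays on, so the
        // certificate's name must match the host in the URL.
        InputStream body = conn.getInputStream();
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } finally {
            body.close();
        }
    }
}
```

If the handshake still fails with this truststore, the PKIX error means the certificate App_B presents is not the one that was imported.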



Comments

  1. Nicely Explained !!!

  2. Just one question. Where should I enter these commands?

  3. You can enter these commands on CLI

  4. Hello
    I'm having the same problem.
    I saw the solution, but I don't understand it.
    Certificate issued by company, applied to server
    This problem occurs only on some clients.
    Do I need to add a certificate on the server?
    Do I need to add a certificate on the client?
