How to solve javax.net.ssl.SSLHandshakeException?
This blog is about how two web applications secured with SSL can communicate with each other
without getting a certificate error, i.e. SSLHandshakeException.
Error developers generally face
When web_application_A with a self-signed certificate tries to connect to web_application_B (with the same self-signed certificate), you may sometimes get the error below:
detailed message sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Details of my environment :- I got the same error. Here are the environment details:
Webserver :- Tomcat 6
OS :- Windows 7
Java Version :- 1.6
web_application_A :- Port 8443
web_application_B :- Port 443
server.xml (for both Tomcat instances) :- contains the entry below
keystoreFile="c:/.keystore"
keystorePass="changeit"
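Java code for setting up the connection from App_A to App_B
For more information, this is how I am making the connection:
    import java.net.URL;
    import java.net.URLConnection;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;
    URL url = new URL(urlStr);
    URLConnection conn = url.openConnection();
    if (conn instanceof HttpsURLConnection) {
        // Reuse the connection opened above instead of opening a second one
        HttpsURLConnection conn1 = (HttpsURLConnection) conn;
        // Accepts any hostname; the certificate chain is still validated,
        // which is why the PKIX error still occurs
        conn1.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
        reply.load(conn1.getInputStream()); // reply is defined elsewhere in the application
    }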
Root Cause :-
The self-signed certificate presented by App_B is not in the truststore of App_A's JVM. You can confirm this by opening the same
URL in the IE browser: it will work (with the warning "There is a problem with this web site's security certificate"; just choose to continue to this website).
Solutions found on Google that I tried but that did not work :-
Solution_1
System.setProperty("javax.net.ssl.trustStore", "C:/.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Solution_2
Setting the environment variable below
CATALINA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit -- param value
Solution_3
Setting the environment variable below
JAVA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit -- param value
Final solution that worked :-
You need to add the certificate for App2 to the truststore file of the JVM in use, located at %JAVA_HOME%\lib\security\cacerts.
First, check whether your certificate is already in the truststore by running the following command:
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"
If your certificate is missing, you can get it by downloading it with your browser and then add it to the truststore with the following command:
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>
After import you can run the first command again to check if your certificate was added.
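
An alternative to editing the JVM-wide cacerts file, shown as an added example that is not part of the original post: App_A trusts App_B's exported certificate for this one connection only and keeps the default hostname check. It goes beyond the post's own fix; the class name AppBClient, the alias app_b and the two command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical client class for App_A (name is an assumption, not from the post).
public class AppBClient {

    // Build an in-memory truststore that holds only App_B's exported certificate.
    static KeyStore trustOnly(String certFile) throws Exception {
        InputStream in = new FileInputStream(certFile);
        try {
            Certificate cert =
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);                    // start from an empty store
            ks.setCertificateEntry("app_b", cert);  // alias is arbitrary
            return ks;
        } finally {
            in.close();
        }
    }

    // SSLContext whose trust decisions use only the given truststore.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: App_B URL, args[1]: App_B certificate file (X.509, DER or PEM)
        SSLContext ctx = contextFor(trustOnly(args[1]));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: the default check stays on, so the name in
        // the certificate must match the host in the URL or the handshake fails.
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Other HTTPS connections made by the same JVM keep using the default truststore, so a self-signed certificate trusted this way is not trusted application-wide.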
Nicely Explained !!!

Just one question. Where should I enter these commands?

You can enter these commands on CLI

Hello

I'm having the same problem.
I saw the solution, but I don't understand it.
Certificate issued by company, applied to server
This problem occurs only on some clients.
Do I need to add a certificate on the server?
Do I need to add a certificate on the client?

Thanks for sharing this