I am struggling to get my java code (that uses HikariCP) to connect with my database on AWS RDS using SSL. I can connect with the database using MySQL Workbench, I just can't find out how to configure the MySQL Connector/J 5.1.45 driver to access the database using SSL.
Currently this is my HikariCP properties file:
jdbcUrl=jdbc:mysql://mypath.jqwejrkq4568833.us-east-1.rds.amazonaws.com:3306/myschema
username=myusername
password=mypassword
dataSource.cachePrepStmts=true
dataSource.prepStmtCacheSize=250
dataSource.prepStmtCacheSqlLimit=2048
dataSource.useServerPrepStmts=true
dataSource.useLocalSessionState=true
dataSource.useLocalTransactionState=true
dataSource.rewriteBatchedStatements=true
dataSource.cacheResultSetMetadata=true
dataSource.cacheServerConfiguration=true
dataSource.elideSetAutoCommits=true
dataSource.maintainTimeStats=false
dataSource.clientCertificateKeyStoreUrl=file://truststore
dataSource.clientCertificateKeyStorePassword=123456
dataSource.useSSL=true
dataSource.verifyServerCertificate=true
dataSource.requireSSL=true
The truststore file was generated with the RDS certificate from here, it's on my classpath root since it's on my resources folder from maven. I really want to provide my own truststore file to the MySQL Connector/J driver so this program can be moved around without having to configure the truststore from the environment (this is very useful for me because my code runs locally on GlassFish but on the cloud on AWS Lambda and who knows where will it run tomorrow).
When I try to get a connection using this configuration I get the following error:
com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot open file://truststore [truststore]
At first I thought my trustore url was wrong, but if I change it to something like this:
dataSource.clientCertificateKeyStoreUrl=file:///truststore
The error changes to:
com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot open file:///truststore [\truststore (The system cannot find the file specified)]
Which indicates for me that the first url was correct.
I have no idea what am I doing wrong or how to fix this, the `truststore was generated with the following command:
'C:\Program Files\Java\jre1.8.0_151\bin\keytool.exe' -importcert -alias AwsRdsMySqlCACert -file rds-combined-ca-bundle.pem -keystore truststore -storepass 123456
I have no idea what am I doing wrong, which leads me to the question:
What's wrong with my truststore file then?
EDIT:
Digging deeper I could find the cause of the Exception:
com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot open file://truststore [truststore]
is:
java.net.UnknownHostException: truststore
I don't know what this means since my database url is correct because it's the same I use in MySQL Workbench.
if you are using Maven, make sure you are using the -Djavax.net.ssl.trustStore=/home/vagrant with the proper certificate , or configure the MAVEN_OPTS with the proper value for example : -Djavax.net.ssl.trustStore=/dev, also place it on the runner section in Intellij
Related
I was hoping someone could help me out. Some small details will be altered for anonymity.
Initial problem:*
When importing spring boot project into RAD I get this error:
Failure to transfer org.apache.maven:maven-archiver:pom:3.5.0 from https://nexusrm.<myCompany>.net:8443/repository/<myCompany>-maven/
was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced.
Original error: Could not transfer artifact org.apache.maven:maven-archiver:pom:3.5.0 from/to central
(https://nexusrm.<myCompany>.net:8443/repository/<myCompany>-maven/): PKIX path building failed:
com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
Inferred Cause:
I think my IDE cannot go to my companies nexus repository to get the parent pom file because the repo site uses a self signed certificate (or some other certificate error).
Workaround:
After opening my IDE (RAD/eclipse but I also have IntelliJ with same issue). I open the command line (windows 10), navigate/cd to my project, and add set MAVEN_OPTS="-Dmaven.wagon.http.ssl.insecure=true". This allows the Spring Boot project to run, but I have all sorts of other issues that may or may not be related and would like a permanant solution to this to make sure this is not causing issues. (other issues like when I open RAD I get popups saying failure to transfer other things, some projects saying incorrect package declarations, webserver+LDAP authentication stuff, etc)
Proposed Solution:
I believe I need to add the public certificate of the Nexus server to the trust store of the Java running Maven which I learned from this link https://support.sonatype.com/hc/en-us/articles/213465088-Maven-is-unable-to-connect-to-Nexus-after-configuring-Nexus-to-use-SSL- which says to do this:
Get the certificate from the server into a PEM encoded file on your Java client host:
keytool -printcert -rfc -sslserver example.com > example.pem (Optional/Advised)`
Import the certificate into the default Java truststore location under a relevant alias, using the default truststore password:
keytool -importcert -file example.pem -alias example.com -storepass changeit -keystore $JAVA_HOME/lib/security/cacerts
Main Questions
I cannot figure out how to do this. I need to know:
How to get the certificate (any browser) and how to put it into a PEM encoded file. In regards to the command-
I am unsure of what example.com should be and what example.pem should be. I know they are my server and pem file, but
Is server just the link of the nexus repo ie https://nexusrm.<myCompany>.net:8443/repository/<myCompany>-maven/? And
how do I generate this pem file?
Do I get the certificate by going to my browser->view certificate->details->copy to file?
What do I save the file as?
Conclusion:
Thanks so much for taking the time to read, I hope you can tell by my questions that I am new to all of this. It is possible there is a better way to fix this problem, or that this is not the right way to go about it at all it could be a firewall, configuration, or permissions thing, so any advice will be appreciated, just please keep in mind my skill level. I am just setting up my environment for my first software developer job, and trying to learn web applications using spring/spring boot. Please ask if you need more info.
Additional Info:
Java version 1.8_0_311 (jdk 1.8_0_311, jre 1.8_0_311)
Apache Maven Version 3.8.3
Particular error on Spring 2.5.5 but similair error on 2.6.0
I am using a Cisco anyconnect vpn
My app connects to Kafka topic and everything goes well in local environment when truststore and keystore are stored under classpath, but when I try to switch to Dockerized external environment and point to those files localized on a server, then the app crashes.
Snippet in a local environment where it works:
spring.kafka.ssl.trust-store-location=file:src/main/resources/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:src/main/resources/keys/application.keystore.jks
Snippet of application.properties on a server side when the app is launched inside a docker container and does not work. Both keys are stored in /deployment/keys folder inside the container:
spring.kafka.ssl.trust-store-location=/deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=/deployment/keys/application.keystore.jks
The following java exception occurs:
NoSuchFileException: /tmp/tomcat-docbase.45456574985379.8080/deployment/keys/application.keystore.jks
So for an unknown reason Spring Boot inside Docker container adds the /tmp/tomcat-docbase.45456574985379.8080/ prefix to the keystore and truststore location.
I have also tried:
spring.kafka.ssl.trust-store-location=file:/deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:/deployment/keys/application.keystore.jks
and
spring.kafka.ssl.trust-store-location=file:///deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:///deployment/keys/application.keystore.jks
but none of them seem to work. I would not like to change the code but what comes to my mind is to create a Properties object and create strings with those paths. Then inject them to the KafkaTemplate as a bean. However, I have not yet checked if this could help. Would rather focus just on adjusting application.properties file than correct the code. Could you please help me find the solution?
I am trying to build a project in Android Studio, and Android's default build tool, Gradle, ALWAYS gives me an error when it attempts to build my project. The following is the result of using the "gradlew build" command:
FAILURE: Build failed with an exception.
* What went wrong:
A problem occurred configuring root project 'MyFirstApp'.
> Could not resolve all dependencies for configuration ':classpath'.
> Could not resolve com.android.tools.build:gradle:2.1.3.
Required by:
:MyFirstApp:unspecified
> Could not resolve com.android.tools.build:gradle:2.1.3.
> Could not get resource 'https://jcenter.bintray.com/com/android/tools/build/
gradle/2.1.3/gradle-2.1.3.pom'.
> Could not GET 'https://jcenter.bintray.com/com/android/tools/build/gradle
/2.1.3/gradle-2.1.3.pom'.
> jcenter.bintray.com:443 failed to respond
I have tried using an http proxy, vpn, turning off my firewall, deleting the cache in the .gradle foler, and even completely reinstalling Android Studio, but nothing seems to be working.
I am new to Android development, so any information is appreciated!
Here is the error when the proxy is implemented:
FAILURE: Build failed with an exception.
* What went wrong:
A problem occurred configuring root project 'MyFirstApp'.
> Could not resolve all dependencies for configuration ':classpath'.
> Could not resolve com.android.tools.build:gradle:2.1.3.
Required by:
:MyFirstApp:unspecified
> Could not resolve com.android.tools.build:gradle:2.1.3.
> Could not get resource 'https://jcenter.bintray.com/com/android/tools/build/
gradle/2.1.3/gradle-2.1.3.pom'.
> Could not GET 'https://jcenter.bintray.com/com/android/tools/build/gradle
/2.1.3/gradle-2.1.3.pom'.
> Remote host closed connection during handshake
I was able to add the HTTPS certificate to the keystore for jcenter.bintray.com, but now I am getting a JVM error whenever I start android studio:
Android Studio JVM Error
I have checked my environment variables, tried changing them, and the error persists. My java environment variables are set as follows:
User Variables:
PATH: %JAVA_HOME%\bin
JAVA_HOME: C:\Program Files\Java\jdk1.8.0_101
System Variables:
CLASSPATH: C:\Program Files\Java\jre1.8.0_101
JAVA_HOME: C:\Program Files\Java\jdk1.8.0_101\bin
EDIT:
After setting my Java home path in the gradle.properties file, I am now getting a different error when I attempt to build my project.
Downloading https://services.gradle.org/distributions/gradle-2.14.1-all.zip
Exception in thread "main" java.net.SocketException: Software caused connection abort: recv failed
EDIT:
I just wanted to let everyone know that I figured it out! Apparently my parents put some insanely powerful parental control software on my computer a few years ago and I forgot it was there. After uninstalling, Android Studio now works flawlessly. The software basically blocked all unknown traffic coming in and out of most of the ports. Anyway, thank you to everyone for the help. I can finally start developing!
Try setting both http and https as shown below
gradlew -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=8080 -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=8144
EDIT1 :
Gradle is trying to download jars from https repo "https://jcenter.bintray.com" but java does not have client certificates. Follow below steps to import client certificates
Step 1 : Download Client Certificate
a) Open https://jcenter.bintray.com URL in the browser (i.e firefox)
b) Click on the lock icon right to the URL bar
c) Server URL is shown , click to get right arrow and then on "more information"
d) Pop-up is opened to view the certificate of the Server.
e) click on the "View Certificate", In "details" table export to a file CERT_FILE_NAME.crt
Step 2 : Import the client certificate to JDK which Gradle is using
keytool -import -noprompt -trustcacerts -alias "clojars.org" -file C:\CERT_FILE_NAME.crt -keystore C:\java\jre\lib\security\cacerts -storepass "changeit"
If you behind a proxy, you must set proxy for Gradle separately because Gradle doesn't use AndroidStudio's proxy settings:
open gradle.properties and add the following lines, change ip addr to your proxy's ip.
systemProp.http.proxyHost=127.0.0.1
systemProp.https.proxyPort=7070
systemProp.https.proxyHost=127.0.0.1
systemProp.http.proxyPort=7070
I just wanted to let everyone know that I figured it out! Apparently my parents put some insanely powerful parental control software on my computer a few years ago and I forgot it was there. After uninstalling, Android Studio now works flawlessly. The software basically blocked all unknown traffic coming in and out of most of the ports. Anyway, thank you to everyone for the help. I can finally start developing!
I met this problem because i was in China. i set a wrong proxy for my AndroidStudio.it works when i delete my proxy in config file gradle.properties located in gradle directory.
Hope this can help you!
systemProp.https.proxyPort=10808
systemProp.http.proxyHost=127.0.0.1
systemProp.https.proxyHost=127.0.0.1
systemProp.http.proxyPort=10808
Comment or delete above lines!
Other than adding the certificate of https://jcenter.bintray.com/ to your key store, can you also check if there is a parent certificate for https://jcenter.bintray.com/. If so, you may need to add that certificate as well in the keystore.
I created a pair of SSL certificates using OpenSSL, self-signed, to secure the HTTPS connection for a JBoss application.
When I ran the application and tried to get access by HTTPS, it did not show the site and threw an error in my console:
PKIX path building failed in Java application
I know that I should import some certs into Java, like what they said:
The long story short here is to run java InstallCert server:1234 to
generate a file called jssecacerts. Then, drop this file in
${JAVA_HOME}/lib/security directory.
What I do not understand:
1.in fact I try to get access to host B from host A, using HTTPS, why should I add the certificate of my own host to Java, not the client one?
2.using this method, there is nothing to do with my actual certificates (I mean .key and .crt), is that normal?
you need to enter your certificate inside java cacert file
This link demonstrate it the best.
Step 1 : Download certificate
Step 2 : store inside cacert
That is it! your problem resolved.
I downloaded the current microsoft dynamics crm SDK, and was trying to run the 'Main' class which is in the Walkthrough -> java2crmpack folder. I imported all the classes in eclipse and also generated stubs using wsdl.
So, while running this class I am facing certificate issues as the url is 'https'.
While making an authentication request it uses https://login.microsoftonline.com/RST2.srf url.
As this is a https call, it requires a certificate. In order to make it run, I downloaded the certificate and inserted it in the truststore. The truststore location is provided in eclipse configuration, still the error persists.
Error : "unable to find valid certification path to requested target".
Kindly, help me in resolving this issue
This sort of error i have seen in two scenario's
1. Code unable to locate Truststore properly
2. Truststore does not have valid chain