I generated Keystore in Java home path. Set up the Connector in tomcat server.xml for the port 8443.
MySQL is not getting connected.
Added the following logic in java mysql connection class
String url = "jdbc:mysql://127.0.0.1:3306/xxxx"
"?verifyServerCertificate=false"+
"&useSSL=true"+
"&requireSSL=true";
System.setProperty("javax.net.ssl.keyStore", "path");
System.setProperty("javax.net.ssl.keyStorePassword", "pwd");
I think your key store config have some problem. Please check this link. Also, please attach error report.
Related
I have a JBoss AS7 connecting to AWS and specifically to S3 over the AWS SDK for Java, I have the access and secret keys, and everything runs fine. I use the S3 for various file sharing.
The JBoss' datasource connects to AWS RDS. I've enabled SSL encryption for the datasource - I have the rds-ca-2019-root.pem in my truststore configured in my standalone.xml, and my RDS datasource connects and verifies the SSL with no problem.
However, when I try to connect to S3 over the SDK (when the truststore with the RDS cert is enabled), I get the following exception:
Caused by: com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So, no truststore enabled: I can connect to S3 through SDK just fine. When I enable the truststore with the RDS certificate: my SDK -> S3 connection breaks.
I can't figure out what certificate I need to add to the truststore so that the SDK can work, or do I need to configure the SDK to use TLS somehow?
Ognjen's answer helped me to troubleshoot this issue. I had same problem and the issue was due to AWS SDK using custom truststore that I built for RDS connection. I had specified the custom truststore by setting javax.net.ssl.trustStore parameter explicitly.
The solution I applied:
I used the script in this documentation to import the rds-combined-ca-bundle.pem into the $JAVA_HOME/lib/security/cacerts (You may find this cacerts file inside the jre/lib/security folder if you have the JDK installed.). Then I removed the javax.net.ssl.trustStore setting that I had. Then java started using the default cacerts file and now all is good.
The default password for java default truststore is changeit.
So I figured out what was wrong: not having any sort of custom truststore defined for my jboss meant that the AWS SDK pulled the regular cacerts truststore from $JAVA_HOME/lib/security/cacerts. Defining my own truststore (which lacked all the certificates from the cacerts truststore) - meant that AWS SDK had nowhere to fetch the regular certificates.
So to solve it: I imported my rds-ca-2019-root.pem into the above mentioned cacerts file and linked that as my server truststore in my standalone.xml.
Ognjen and Asanka propose to use the same truststore for whole application (or application server) that is not suitable in some cases. But AWS Java SDK provides ApacheHttpClientConfig via ClientConfiguration to affect Apache HTTP client, e.g.:
import com.amazonaws.ApacheHttpClientConfig;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.http.conn.ssl.SdkTLSSocketFactory;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.socket.ConnectionSocketFactory;
SSLContext myContext = ...
HostnameVerifier myVerifier = ...
ConnectionSocketFactory factory = new SdkTLSSocketFactory(myContext, myVerifier);
ClientConfiguration clientConfiguration = new ClientConfiguration();
clientConfiguration.getApacheHttpClientConfig().setSslSocketFactory(factory);
AmazonS3 s3client = AmazonS3ClientBuilder.standard()
.withClientConfiguration(clientConfiguration)
.build();
Edit: See also StackOverflow question #47913449.
I followed a guide to enable https in Spring Boot. The application was beforehand working on https://localhost:8080
I've created a keystore.jks which is in the same directory as my application.properties, which now looks like:
# Define a custom port instead of the default 8080
server.port = 8444
# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true
# The format used for the keystore
server.ssl.key-store-type:PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=keystore.p12
# The password used to generate the certificate
server.ssl.key-store-password=<somepassword>
# The alias mapped to the certificate
server.ssl.key-alias=tomcat
Now, if I run the main method to start the spring boot app, it throws:
Description:
The Tomcat connector configured to listen on port 8444 failed to start. The port may already be in use or the connector may be misconfigured.
Action:
Verify the connector's configuration, identify and stop any process that's listening on port 8444, or configure this application to listen on another port.
The port isn't in use, so it must be misconfiguration?
I'm unsure of what to change. It's a simple SPA app, Spring just serves an index.html and has a single REST endpoint. How should tomcat/spring be configured to accept https in this case, and start up without errors?
I too had the same problem and was able to fix it. My problem was generating the keystore.p12 file.
If you have a certificate file and private key file, you can generatekeystore.p12 file using following command.
openssl pkcs12 -export -in <mycert.crt> -inkey <mykey.key> -out keystore.p12 -name <alias>
You will be prompted for a password,there you can enter a password you like.
Once the keystore file is generated copy it to the directory where your .jar file exist.
Following is a working example configuration.
server.port=8443
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=file:keystore.p12
server.ssl.key-store-password=<password>
server.ssl.key-alias=<alias>
Note the key store file path file:keystore.p12 if it is going to reside in the same directory as the executable .jar file.
I solved the same issue by using the following configuration
# Define a custom port instead of the default 8080
server.port=8443
# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true
# The format used for the keystore
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=src/main/resources/keystore.p12
# The password used to generate the certificate
server.ssl.key-store-password=root0
I removed alias name and it worked perfectly.
"You probably won't need a key alias, since there will only be one key entry" referred from
TOMCAT SSL Error: Alias name does not identify a key entry
From Spring Boot 2.0 and higher, you can ignore this property.
security.require-ssl=true
To enable SSL, use the below configuration in your application.properties
The format used for the keystore
server.ssl.key-store-type=JKS
The path to the keystore containing the certificate
server.ssl.key-store=classpath:somecert.jks
The password used to generate the certificate
server.ssl.key-store-password=password
The alias mapped to the certificate
server.ssl.key-alias=alias_name
Note : server.ssl.key-store refers to the keystore location. Use
classpath prefix, if it is present in src/main/resources. Otherwise use,
file:/some/location.
I had the same issue as well but in my case the file path (in application.properties) for keystore file was incorrect on Linux and causing this error message.
I had same problem. for me server.ssl.key-alias was set to a wrong key. So, it sounds that some server mis-configurations in application.properties can cause this error message to appear.
We are accesing SOAP web service via HTTPS. We have multiple environments set up, for development, testing, user acceptence, production. The main problem is, that our SSL web service call on the developement environment is working, but when we deploy it to test environment, we get
javax.net.ssl.SSLException: SSLSocketFactory is null. This can occur if javax.net.ssl.SSLSocketFactory.getDefault() is called to create a socket and javax.net.ssl.* properties are not set.
when trying to establish connection. The target web service is the same for developement and testing.
We use IBM Websphere 7.0 on both environments. It uses Java 1.6.
I've noticed, that there is a difference in system properties betwen local and test server JRE.
localhost: java.fullversion=JRE 1.6.0 IBM J9 2.4 Windows 7 x86-32
jvmwi3260sr15-20131016_170922 (JIT enabled, AOT enabled) J9VM -
20131016_170922 JIT - r9_20130920_46510ifx2 GC -
GA24_Java6_SR15_20131016_1337_B170922
TestServer: java.fullversion=JRE 1.6.0 IBM J9 2.4 Windows Server 2008 amd64-64 jvmwa6460sr15-20131016_170922 (JIT enabled, AOT enabled) J9VM - 20131016_170922 JIT - r9_20130920_46510ifx2 GC - GA24_Java6_SR15_20131016_1337_B170922_CMPRSS
We are setting all the necesery system properties for SSL in the code:
String certLoc = Configuration.getString("CERT_LOCATION");
System.setProperty("javax.net.ssl.keyStore", certLoc + "\\certificate.pfx");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
System.setProperty("javax.net.ssl.trustStore", certLoc + "\\TRUSTSTORE.jks");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStorePassword", "password");
If I check system properties on each environment, the values for javax.net.ssl.* are set corectly.
Did someone have similar problems? Can You please share Your solution with me?
Thank You!
Since you are running in a test environment (or any system remote from your development machine), make sure that your code does get the right system property values by logging them (maybe switching log levels to debug). It could be possible that the "user" running the code has a different set of system/runtime properties, or not being set at all.
If you've confirmed that your development properties are indeed defined in the context of the running code in your test environment, check that the full file path pointed to by your properties exist, and your code has read access to it (specially in *nix systems). Also, check that the value of certloc has the right separators in the environment.
For greater portability, when building string path values, consider using file.separator and path.separator that you can retrieve from System.properties, https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html.
I'm trying to setup SSL for embedded Tomcat. Both connectors starts but I only get response on http. On https I get in chrome a "No data received message" when I try http://localhost:9000/
The port is open:
I've tried telnet
telnet localhost 9000
and I have a connection.
I've also tried
openssl s_client -connect localhost:9000
and GET / method
and my servlet prints me the expected result in console. I do not understand why I get this error in browsers(chrome and Firefox)
My OS is Ubuntu 14.04 and I've tried with both Java 7 and Java 8 having the same result. Tomcat version is 8.0.23 from Maven repo
The code is:
public class Main {
public static void main(String[] args) throws Exception {
Tomcat tomcat = new Tomcat();
Service service = tomcat.getService();
service.addConnector(getSslConnector());
File base = new File(System.getProperty("java.io.tmpdir"));
Context rootCtx = tomcat.addContext("/", base.getAbsolutePath());
Tomcat.addServlet(rootCtx, "emptyServlet", new EmptyServlet());
rootCtx.addServletMapping("/*", "emptyServlet");
tomcat.start();
tomcat.getServer().await();
}
private static Connector getSslConnector() {
Connector connector = new Connector();
connector.setPort(9000);
connector.setSecure(true);
connector.setScheme("https");
connector.setAttribute("keyAlias", "tomcat");
connector.setAttribute("keystorePass", "password");
connector.setAttribute("keystoreType", "JKS");
connector.setAttribute("keystoreFile",
"keystore.jks");
connector.setAttribute("clientAuth", "false");
connector.setAttribute("protocol", "HTTP/1.1");
connector.setAttribute("sslProtocol", "TLS");
connector.setAttribute("maxThreads", "200");
connector.setAttribute("protocol", "org.apache.coyote.http11.Http11AprProtocol");
connector.setAttribute("SSLEnabled", true);
return connector;
}
}
The keystore you can find it on github
I've already tried different keystores but with the same result. Also the keystore looks good: keytool -list -keystore keystore.jks seems to be as expected.
Thanks in advance
It turned out to be my fault. The service was up and running but I kept on trying on http://localhost:9000 not https://locahost:9000 in my browser
Downloaded the FedEx web service for smartpost shipment and tried to run their sample file and calling the processShipment service using command line (Java). I am getting the error as
org.apache.axis2.AxisFault: WSWS7130E: No Secure Sockets Layer (SSL)
configuration is available for the ..............
Can someone please help how to do SSL configuration for executing this using command line.
Appreciate your help in advance.
Have you been given a client certificate and truststore to use when connecting to the service?
Typically you can configure SSL for client authentication if you have a keystore and a truststore, configuring them at runtime using the following properties
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword
javax.net.ssl.keyStoreType
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.trustStoreType
These can be passed in at runtime as follows:
java -cp myjar.jar com.test.Main -Djavax.net.ssl.keyStore=keystore.jks -Djavax.net.ssl.keyStorePassword=letmein -Djavax.net.....