Here is a code that I copied from the web
/**
* A simple example that uses HttpClient to perform a GET using Basic
* Authentication. Can be run standalone without parameters.
*
* You need to have JSSE on your classpath for JDK prior to 1.4
*
* #author Michael Becke
*/
public class BasicAuthenticationExample {
/**
* Constructor for BasicAuthenticatonExample.
*/
public BasicAuthenticationExample() {
super();
}
public static void main(String[] args) throws Exception {
HttpClient client = new HttpClient();
client.getState().setCredentials(
new AuthScope("login.website.com", 443),
new UsernamePasswordCredentials("login id", "password")
);
GetMethod get = new GetMethod(
"https://url to the file");
get.setDoAuthentication( true );
try {
// execute the GET
int status = client.executeMethod( get );
// print the status and response
System.out.println(status + "\n" +
get.getResponseBodyAsString());
} finally {
// release any connection resources used by the method
get.releaseConnection();
}
}
}
now because of the line
int status = client.executeMethod( get );
I get the following error
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at BasicAuthenticationExample.main(BasicAuthenticationExample.java:38)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 24 more
Now the reason for this error is of course that the certificate sent by my server is not already in my list of trusted certificates.
My question is how to get the certificate into the trusted list.
Thanks
Pranabesh
This page seems to answer your question:
Adding Certificates to your Java Keystore
It references Andres Sterbenz's InstallCert & explanation blog post.
You might not want to actually add the certificate in your trusted store, if it's only for testing. So you can also disable certificate validation.
You will need a keystore that contains the certificate to trust. You can use Java's keytool command to do that. There are a few ways to do this:
Add it to the default Java keystore (.keystore in your home directory or user directory on Windows)
Set the system property javax.net.ssl.trustStore to the location of an alternate keystore (something like java -Djavax.net.ssl.trustStore=/path/to/keystore)
Build your own SSLSocketFactory implementation that can load a keystore any way you want (this is definitely the most complicated)
A keystore is just a file that contains keys and/or certificates that can be used for various things, in this case a certificate that your application will need to trust. Keytool can be used as follows:
keytool -importcert -file /path/to/certificate/file -keystore /path/to/keystore
For other command-line options, just run
keytool -help
You can use keytool import.
Related
I'm trying to access a dummy REST API like https://reqres.in/api/users or https://jsonplaceholder.typicode.com/todos with a simple JAX-RS client like:
public class RandomDataProvider {
private WebTarget webTarget;
#PostConstruct
public void setUp() {
Client client = ClientBuilder.newBuilder()
.connectTimeout(5, TimeUnit.SECONDS)
.readTimeout(5, TimeUnit.SECONDS)
.build();
this.webTarget = client
.target("https://reqres.in/api/users");
}
public JsonArray getAllPosts() {
return this.webTarget
.request()
.accept(MediaType.APPLICATION_JSON)
.get(JsonArray.class);
}
}
but everytime I try to use HTTPS I get the SSLHandshakeExeption that the server was: unable to find valid certification path to requested target:
[ERROR ] SRVE0283E: Exception caught while initializing context: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://reqres.in/api/users: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:640)
at [internal classes]
at de.rieckpil.udemy.RandomDataProvider.getAllPosts(RandomDataProvider.java:32)
at de.rieckpil.udemy.RandomDataPrinter.initialize(RandomDataPrinter.java:17)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.weld.injection.StaticMethodInjectionPoint.invoke(StaticMethodInjectionPoint.java:95)
at [internal classes]
Caused by (repeated) ... : javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://reqres.in/api/users: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1451)
... 9 more
Caused by: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:806)
... 9 more
The Dockerfile looks like the following:
FROM open-liberty:microProfile3-java11
COPY --chown=1001:0 target/mywar.war /config/dropins/
I'm assuming that this official Docker image is using the JDK trusted certificates or do I have to configure this explicitly in an own server.xml?
Liberty does not use the JDK's trusted certificates by default. If you want to use the cacerts file for trust then it will have to be configured. I'll assume you have no ssl configuration. To add the cacerts file you can add a configuration like this:
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="caTrustStore" />
<keyStore id="caTrustStore" location=“enter path to cacerts file" type="JKS" password="changeit" />
This has actually gotten even easier to configure since that last post. There is an attribute on the ssl element that will tell the SSL context to use the JVM's default truststore in addition to the configure one.
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustDefaultCerts="true" />
I'm trying to connect to my MySQL instance listening at luther:3306. I followed these instructions on how to set up SSL for a MySQL instance on Ubuntu and it works great. I can connect to luther:3306 with user ford no problem from the GUI (MySQL Workbench) when I provide it username, password, SSL key, SSL certificate, and SSL CA.
Now, I'm trying to connect via a Java app and I'm having issues giving Java the correct certificate. Here's the code:
System.setProperty("javax.net.ssl.keyStore","C:/Program Files/Java/jre1.8.0_45/bin/cacerts");
System.setProperty("javax.net.ssl.keyStorePassword","changeit");
System.setProperty("javax.net.ssl.trustStore","C:/Program Files/Java/jre1.8.0_45/bin/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
System.setProperty("javax.net.debug", "SSL");
// Create the DB connection
try {
String connectionUrl = "jdbc:mysql://luther/ford";
Properties dbProps = new Properties();
dbProps.setProperty("user", "ford");
dbProps.setProperty("password", "<password>");
dbProps.setProperty("useSSL", "true");
dbProps.setProperty("requreSSL", "true");
dbConnection = DriverManager.getConnection(connectionUrl, dbProps);
log.info("Connected to DB? " + dbConnection.isValid(5000));
} catch (SQLException e) {
log.fatal("Unable to connect to DB!");
e.printStackTrace();
return;
}
Here's the contents of the CA cert file:
C:\Program Files\Java\jre1.8.0_45\bin>keytool -keystore cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
mysqlcacert, Jan 20, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 71:92:DA:13:02:57:64:49:3D:72:A0:40:1B:B8:55:42:7D:21:0A:CF
mysqlclientcert, Jan 20, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): A1:F5:5A:DB:31:78:D9:3C:F7:D7:C6:28:77:AB:DF:0A:58:CC:EA:A7
It shows that I have my CA cert and my Client cert. Here's the top level exception I get when I run my Java program:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:512)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:493)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:205)
at org.jsoup.helper.HttpConnection.get(HttpConnection.java:194)
Do I also somehow need to add my CA key or my client key to the keystore?
First, I'm assuming you have already created the keys by following these instructions:
https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html
And I'm assuming you've correctly configured the server using these instructions:
https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html
(for those having trouble generating keys, you can use CYGWIN for windows, and download OpenSSL as a package)
Now, for you specifically: There's no need to mess with the CACerts from the java keystore (bad practice). Instead use the following parameters at the end of the java connection string:
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
...?useSSL=true&clientCertificateKeyStoreUrl=file://path_to_truststore_file&clientCertificateKeyStorePassword=mypassword
Also, make sure you import the certificates correctly. I myself followed these instructions after much research (I imported them into a separate keystore as recommended by the instructions)
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
This got me connected. I'm running into other issues now, but this should fix your problem.
EDIT:
I also had to add the following:
trustCertificateKeyStoreUrl=file://path_to_truststore_file&trustCertificateKeyStorePassword=mypassword
I have two different key pair values which generated using Java keytool and stored in two different files called keystore1.jks and keystore2.jks.
What I did is I have imported the key pair from keystore2.jks to keystore1.jks by the below command
keytool -importkeystore -srcstoretype JKS -srckeystore <source_keystorfile> -deststoretype JKS -destkeystore <keystorfile_to_import_keypair>
I have added the keystore1.jks to server to listen in ssl using this keystore.
Now I have import the public key from the file keystore2.jks to truststore file named truststore.jks
From this truststore.jks file when I try to connect to the server which is listen in ssl using keystore1.jks, server unfortunately not accepting the connection and throwing an exception as below
javax.jms.JMSException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:62)
at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1298)
at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1382)
at org.apache.activemq.ActiveMQConnection.createSession(ActiveMQConnection.java:309)
at com.sample.ssl.job.handler.MessageQueueLocator.getJmsSession(Unknown Source)
at com.sample.ssl.job.handler.MessageQueueLocator.sendMessageToGeneralQueue(Unknown Source)
at com.sample.ssl.communication.JobResposeDispatcherInvoker.dispatchStartupMessage(Unknown Source)
at com.sample.ssl.job.MessageDispatchJob.dispatchStartupMessage(Unknown Source)
at com.sample.ssl.job.MessageDispatchJob.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
at java.io.DataOutputStream.flush(DataOutputStream.java:106)
at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:181)
at org.apache.activemq.transport.InactivityMonitor.oneway(InactivityMonitor.java:255)
at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:168)
at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:844)
at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:135)
at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:122)
at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:43)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:184)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 21 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:330)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
... 28 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
... 32 more
I don't know in which I have made a mistake. In my case half portion of clients use trust store of the key pair from keystore1.jks and remaining use keystore2.jks.
The clients those use trust store of keystore1.jks connecting to the server fine. But those clients use trust store of keystore2.jks is unable to connect.
Please help me in this context to resolve. If I have made anything wrong in my way please give a correct path. Thanks in advance.
I did not understand some things from you..
You have two files that have passwords.. You import the second file to the first.
So. why do you need to use a second file?
I think the command should be: (backup first)
keytool -importkeystore -srckeystore keystore2.jks -deskeystore keystore1.jks
I'm trying to run a java JNLP-based application.
It works fine from home : javac+javaws are the same v.1.8.?
Now I'm trying to run my application at work. I'm working behind a proxy and I used the Controlpanel to tell java to bypass the proxy for our local server hosting the JNLP.
On the server side, the aplication is compiled with
javac 1.7.0_60
On the client side, I'm trying to run it with:
$ javaws -version
Java(TM) Web Start 11.40.2.26-fcs
$ java -version
java version "1.8.0_40"
Nevertheless, I get the following exception in javaws
javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90)
at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1432)
at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1430)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java:713)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1429)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
... 33 more
I read https://community.oracle.com/thread/3651870?start=15&tstart=0
But I don't really understand what I should do.
For example, I've commented out <>/lib/security/java.security
#jdk.tls.disabledAlgorithms=SSLv3
but that still doesn't work. As I see a 'getInputStream' in the stacktrace, I wonder if javaws tries to download something outside the proxy ?
Any idea ?
EDIT: the JNLP works if,in the controlPanel, I check
Perform signed code: do not check (not recommended)
Perform TLS certificatie revocation: do not check (not recommended)
is this problem linked to my proxy server ?
Java certificate revocation checking uses one or both of these methods:
Certificate Revocations Lists (CRLs)
This method needs lists to be generated and published periodically by Certificate Authority (CA) to keep the it current.
Online Certificate Status Protocol (OCSP)
This method performs a real time certificate status check with CA making it more reliable and faster.
If your server certificate is self-signed, or your company has an internal CA, your JRE may not be able to complete the revocation check properly -- hence the "Unknown" status. If you want to run with revocation checking on (and usually you do), you will need certs signed by a CA that supports one or both of these methods.
It is also important to remember that there are potentially two certificates in play here:
The cert used to sign the JARs; and
The cert used to connect to the server
Both certs must be signed and valid (that is, not revoked) in order for the handshake to succeed.
I am trying to make HTTP GET request using HttpURLConnection in java.
When I make get using browser it says me certificate is not trusted do you want to proceed.
I accept certificate and GET request get data. but i am getting certificate exception in java( given below )
What i understood from this exception is, I need to download that certificate and put this
java system property berfore making GET request.
My questions are.
How will download this certificate from browser?
Can I use browser's certificate store in my java program, what do I need to know to use that?
If i want to install certificate in my keystore then what do I need to do?
THANKS A LOT :)
I am trying to download certificate using keytool command. I do not have any idea where certificate is stored in server, but i gave the path of server which i use in browser and browser says certificate is not trusted.
URL gatewayServiceUrl = new URL("http://192.168.55.179:56400/nwa");
HttpURLConnection connection = (HttpURLConnection) gatewayServiceUrl.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("Authorization", getExample.getBasicAuth());
connection.connect();
if (HttpURLConnection.HTTP_OK == connection.getResponseCode()) {
System.out.println("success");
System.out.println(getExample.getDataFromStream(connection.getInputStream()));
} else {
System.out.println("success");
System.out.println(getExample.getDataFromStream(connection.getErrorStream()));
}
System.out.println(connection.getResponseCode());
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at com.testweb.GetExample.main(GetExample.java:18)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
You have to add the issuer CA's of your server certificate (or directly the server certificate in case of for example your cds is selfsigned) to the truststore in order to avoid PKIX path builder exception.
By default java truststore is on JAVA_HOME/jre/lib/security/cacerts (you can specify another trust store with javax.net.ssl.trustStore property).
To do this, first download the server certificate. You can download the server certificate for example with Chrome connecting to the server url and click on the green lock, then select the tab connection and click on certificate information:
Then save this certificate on disc.
Now you have to add this certificate to java trust store, you can do it with java keytool (if is in your path use keytool if not keytool is on JAVA_HOME/bin/keytool):
keytool -import -trustcacerts -alias myServerCertificate -file path/myServerCert.crt -keystore JAVA_HOME/jre/lib/security/cacerts
The default password for cacerts is: changeit
Hope this helps,
The other answers work, but I find exporting the cert in browsers to be troublesome. Here's my steps for exporting then importing the cert all from the command line:
https://gist.github.com/jeffsheets/d2880dc1e2ea241b19f140c54809f750
Command to export a cert from a website to a .cer file (example uses google.com):
openssl s_client -servername google.com -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -inform PEM -outform DER -out google.com.cer
Command to import into local java truststore (use your own location of JAVA_HOME)
"$JAVA_HOME"/bin/keytool -keystore "$JAVA_HOME"/jre/lib/security/cacerts -importcert -alias google.com -file google.com.cer
default java keystore password is changeit
if you get an update denied message, in Windows File Explorer set
security on cacerts file to MODIFY for all Users (or chmod on linux)
if keytool is not found, define a JAVA_HOME environment variable (or
replace $JAVA_HOME with the full path)
Otherwise, Try to follow solution that you can found in this link: https://stackoverflow.com/a/3685601/2088039
You can export a certificate using Firefox, this site has instructions. Then you use keytool to add the certificate.