
I have a REST web service developed in Java on GlassFish, running on a CentOS server.

We recently opted to use the https protocol and started testing through the test certificate provided by glassfish itself at deployment time (port 8181).

Using Postman for testing I just needed to disable one option in the configuration: “SSL certificate verification”.

However, the modules that consumed my service, desktop services in Java, started to throw exceptions.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In the test environment, Windows, the lines below corrected the problem, but in production, hundreds, I could not solve it.

String certificatesTrustStorePath = "/etc/alternatives/jre_1.8.0/lib/security/cacerts";
System.setProperty("javax.net.ssl.trustStore", certificatesTrustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

The error on CentOS is the one presented in the post below; I have already read about the various reasons but could not solve it.

Error – trustAnchors parameter must be non-empty

If you know how to solve it on Linux I would appreciate it, but that is not the question …

Do these lines I have published specify where the cacerts file is (and within my platform certificate)?
But it seems to me wrong … I’ve already consumed third party https rest services and never had to specify the certificate path … this would require me to know structurally some details of a third party server. Am I wrong?

So, I imagine there must be another way to do it … could anyone help?

2 Answers


  1. Yes, your code specifies a custom path for truststore where the ssl cert is present.
    This is the public key shared corresponding to the https protocol for the handshake (either self-signed or signed by a whitelisted CA).
    Default path where these get stored is

    $JAVA_HOME/jre/lib/security/cacerts
    

    Though above can be overridden.
    So in your code, you have overridden the path to point to where the public key (cert) is already present. Thus it’s working for you.
    Truststore is just a collection of public keys.

    Alternatively, you can import the public key in the default truststore as well to make it work.
    In that case, you don’t have to explicitly set a different truststore.

  2. There are many ways to do it.
    Copy your file to $java_home\jre\lib\security\cacerts, then you don’t have to set the property manually.

    You can also specify the path at runtime using

    -Djavax.net.ssl.trustStore=/home/user/SSL/mycacerts
    -Djavax.net.ssl.keyStore=/home/user/SSL/serverkeystore.jks

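A per-connection alternative to the JVM-wide `javax.net.ssl.trustStore` property discussed above, as an added example that is not part of the original question or answers. It assumes a truststore file that already holds the GlassFish server's certificate; the class name `ScopedTrustStoreClient` and the helper `contextFrom` are hypothetical, and the early checks cover the two conditions that otherwise surface as "trustAnchors parameter must be non-empty".

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

public class ScopedTrustStoreClient { // hypothetical name, added example

    // Builds an SSLContext that trusts only the certificates in the given truststore file.
    static SSLContext contextFrom(Path trustStorePath, char[] password) throws Exception {
        // When javax.net.ssl.trustStore names a file that does not exist, JSSE falls back
        // to an empty store and the handshake later fails with
        // "trustAnchors parameter must be non-empty". Fail here with a clear message instead.
        if (!Files.isReadable(trustStorePath)) {
            throw new IllegalStateException("Truststore not readable: " + trustStorePath);
        }
        // Assumption: the file is in the JVM's default keystore format (JKS on Java 8).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // A store with no entries gives the trust manager no anchors at all.
        if (trustStore.size() == 0) {
            throw new IllegalStateException("Truststore is empty: " + trustStorePath);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ScopedTrustStoreClient <truststore path> <password> <https URL>
        SSLContext ctx = contextFrom(Paths.get(args[0]), args[1].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        // Applies to this connection only; the JVM default truststore is left untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Hostname verification still applies to this connection, so the name in the server certificate must match the host in the URL.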