Java Security

Issue while making HTTPS Connection, javax.net.ssl.SSLHandshakeException

971057 Oct 28 2012 — edited Dec 21 2012
Hi,

I am trying to connect to one of our external vendors using an HTTPS URL and a certificate provided by them. For that I have imported the cert chain and saved it in .der format (also tried PEM/.crt format) as a jks file in our application EAR file. We are using the WAS 6 app server.

Now when I try to make a connection from my Java code I am getting "java.lang.Exception: Error while writing data to the URL: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found"

The cert chain I can see in the browser is GTECyberTrustGlobalRoot --> AkamaiSubordinateCA3 --> uat.metricsthatmatter.com (it's the URL which I am connecting to with the provided username/password with SSL).
I added all three certs above to my dmskeystore.jks inside our EAR file.

Due to org policy and a dependency on another team, we cannot add these certs to WAS through the WAS Admin console as specified in the error log.

Let me know if anybody has faced a similar kind of situation and if there is any way to mark a particular cert as trusted through code (not from config).

Here is the code showing how I am trying to connect using SSL:

System.setProperty("com.ibm.ssl.trustStore", GlobalCache.APP_HOME+"/WEB-INF/lib/dmskeystore.jks");
System.setProperty("com.ibm.ssl.trustStorePassword", "changeit");
System.setProperty("com.ibm.ssl.keyStore", GlobalCache.APP_HOME+"/WEB-INF/lib/dmskeystore.jks");
System.setProperty("com.ibm.ssl.keyStorePassword", "changeit");
System.setProperty("java.protocol.handler.pkgs","com.ibm.net.ssl.internal.www.protocol");


com.ibm.net.ssl.www2.protocol.https.a conn = null;
conn = (com.ibm.net.ssl.www2.protocol.https.a)new URL(urlStr).openConnection() ;


Here is the complete server log with the errors we are getting:



[10/18/12 16:57:25:693 PDT] 00000028 WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=www.metricsthatmatter.com, ST=ILLINOIS, OU=KnowledgeAdvisors, O=KnowledgeAdvisors, L=Chicago, C=US" was sent from target host:port "www.metricsthatmatter.com:443". The signer may need to be added to local trust store "/opt/ibm/websphere/6.1.0.23-02_32/deploymentmanager/profiles/ccix-02_32-node/config/cells/ccix-02_32-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=www.metricsthatmatter.com, ST=ILLINOIS, OU=KnowledgeAdvisors, O=KnowledgeAdvisors, L=Chicago, C=US" was sent from target host:port "www.metricsthatmatter.com:443". The signer may need to be added to local trust store "/opt/ibm/websphere/6.1.0.23-02_32/deploymentmanager/profiles/ccix-02_32-node/config/cells/ccix-02_32-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=www.metricsthatmatter.com, ST=ILLINOIS, OU=KnowledgeAdvisors, O=KnowledgeAdvisors, L=Chicago, C=US" was sent from target host:port "www.metricsthatmatter.com:443". The signer may need to be added to local trust store "/opt/ibm/websphere/6.1.0.23-02_32/deploymentmanager/profiles/ccix-02_32-node/config/cells/ccix-02_32-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:695 PDT] 00000028 SystemOut O CWPKI0428I: The signer might need to be added to the local trust store. You can use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem. If you determine that the request is trusted, complete the following steps: 1. Log into the administrative console. 2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations. 3. Select the appropriate outbound configuration to get to the (cell):ccix-02_32-cell management scope. 4. Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore key store. 5. Under Additional Properties, click Signer certificates and Retrieve From Port. 6. In the Host field, enter www.metricsthatmatter.com in the host name field, enter 443 in the Port field, and www.metricsthatmatter.com_cert in the Alias field. 7. Click Retrieve Signer Information. 8. Verify that the certificate information is for a certificate that you can trust. 9. Click Apply and Save.
[10/18/12 16:57:25:695 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O Error while writing data to the URL: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.n.a(n.java:8)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.a(pc.java:210)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.a(eb.java:478)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.a(eb.java:536)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.fb.a(fb.java:162)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.fb.a(fb.java:290)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.m(eb.java:17)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.a(eb.java:295)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.a(pc.java:214)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.g(pc.java:376)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.a(pc.java:573)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.startHandshake(pc.java:37)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:32)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:70)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1044)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:51)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.cisco.common.util.HttpCommunicationHelper.postData(HttpCommunicationHelper.java:95)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at java.lang.reflect.Method.invoke(Method.java:618)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.cisco.common.util.TaskProcessor.executeTask(TaskProcessor.java:74)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.cisco.common.util.TaskProcessor.run(TaskProcessor.java:115)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O Caused by: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.util.g.a(g.java:39)
at com.ibm.jsse2.util.g.b(g.java:32)
at com.ibm.jsse2.util.e.a(e.java:9)
at com.ibm.jsse2.ec.checkServerTrusted(ec.java:3)
at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:286)
at com.ibm.jsse2.nb.checkServerTrusted(nb.java:16)
at com.ibm.jsse2.fb.a(fb.java:298)
at com.ibm.jsse2.fb.a(fb.java:290)
at com.ibm.jsse2.eb.m(eb.java:17)
at com.ibm.jsse2.eb.a(eb.java:295)
at com.ibm.jsse2.pc.a(pc.java:214)
at com.ibm.jsse2.pc.g(pc.java:376)
at com.ibm.jsse2.pc.a(pc.java:573)
at com.ibm.jsse2.pc.startHandshake(pc.java:37)
at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:32)
at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:70)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1044)
at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:51)
at com.cisco.common.util.HttpCommunicationHelper.postData(HttpCommunicationHelper.java:95)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.cisco.common.util.TaskProcessor.executeTask(TaskProcessor.java:74)
at com.cisco.common.util.TaskProcessor.run(TaskProcessor.java:115)

[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.util.g.a(g.java:39)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.util.g.b(g.java:32)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.util.e.a(e.java:9)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.ec.checkServerTrusted(ec.java:3)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:286)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.nb.checkServerTrusted(nb.java:16)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.fb.a(fb.java:298)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O ... 18 more
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O Exception occured while executing: java.lang.reflect.InvocationTargetException
[10/18/12 16:57:25:700 PDT] 00000027 SystemOut O java.lang.reflect.InvocationTargetException
[10/18/12 16:57:25:700 PDT] 00000027 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at java.lang.reflect.Method.invoke(Method.java:618)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at com.cisco.common.util.TaskProcessor.executeTask(TaskProcessor.java:74)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at com.cisco.common.util.TaskProcessor.run(TaskProcessor.java:115)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O Caused by: java.lang.Exception: Error while writing data to the URL: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found


Thanks in Advance
Anuj

Edited by: 968054 on Oct 27, 2012 10:20 PM
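
One way to trust a specific keystore in code, as the post asks, is to build an SSLContext from the application's own JKS and attach its socket factory to the single connection rather than setting JVM-wide properties. This is an added example using the standard javax.net.ssl API, not code from the original post; the class name ScopedTrustStoreClient and its helper methods are hypothetical, and it assumes the URL handler in use returns a javax.net.ssl.HttpsURLConnection, which the page does not confirm for WAS 6.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class: added example, not part of the original post.
public class ScopedTrustStoreClient {

    // Build a socket factory whose trust anchors are only the certificates in the given JKS.
    static SSLSocketFactory socketFactoryFor(String jksPath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(jksPath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx.getSocketFactory();
    }

    // Open the connection with the scoped factory; chain and hostname checks stay enabled.
    static HttpsURLConnection open(String urlStr, SSLSocketFactory factory) throws Exception {
        URLConnection raw = new URL(urlStr).openConnection();
        if (!(raw instanceof HttpsURLConnection)) { // assumption: handler returns the javax type
            throw new IllegalStateException("Not a javax.net.ssl.HttpsURLConnection: "
                    + raw.getClass().getName());
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setSSLSocketFactory(factory); // affects this connection only, not the JVM default
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // args: <path to JKS> <store password> <https URL>, all supplied by the caller
        HttpsURLConnection conn = open(args[2], socketFactoryFor(args[0], args[1].toCharArray()));
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

The log above shows the handshake being checked by WSX509TrustManager against the node's trust.p12, so whether a per-connection factory is honoured inside that container has to be verified on the target server.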