Skip to Main Content
Forums

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

JNDI SSL does not work when the trust store path is set at runtime

843811Oct 8 2008 — edited Nov 17 2008
Hi All,

We are having an application that connects to the LDAP through JNDI ssl/non-ssl. When it tries to connect through SSL it throws the following exception in Windows (uses sun JRE)

Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

For this exception, I have tried quite a bit of things from internet. Most of them say that I have to install the rootCA certificate. Nothing helped.

The value of the trust store is assigned at the run-time (in the JNDI code) using the api
System.setProperty("javax.net.ssl.trustStore", c:\\certificates\\mystore);

In AIX (using IBM JRE), the same code throws the following exception.

Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:java.security.cert.CertPathValidatorException: The certificate issued by <DN of the CA> is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

Our application has a application server, webserver and a database. To isolate the problem, I wrote a standalone JNDI program. It connects to the same LDAP with same set of certs from the same machine (both Windows and AIX) through SSL.

Finally I found out 2 ways to make the application work.

1. When I import the certificates in to jssecacerts iniside the jre\lib\security I am able to connect through SSL. The trust store path is not necessary here.
2. When I give the path of the trust store along with the Java VM options in my appserver configuration file and reboot, it works. I think it is similar to giving the keystore path in the command line, i.e.,

c:\> java -Djavax.net.ssl.trustStore=c:\\certificates\\mystore

From this I would say the certificates are not the problem. My app is not able to get the trust store path when I set the path at runtime or the value of the path gets overwritten at some point.

Unfortunately I can resort to any of the above 2 solutions. Have anyone come across these kind of problems? Any help would be appreciated.

- Satheesh

Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on Dec 15 2008
Added on Oct 8 2008
#java-secure-socket-extension-jsse
4 comments
1,178 views