In the JBoss environment, the issue was that the SSL connector configured in server.xml only covers *inbound* connections to JBoss. It has no effect on connections JBoss itself opens to another SSL-enabled service; those are validated by the JVM against its trust store (the JRE's cacerts unless overridden with -Djavax.net.ssl.trustStore). If you compile and run the following test class…
[sa-jboss@cmhldecomecm01 ~]$ cat checkSSL.java
    import java.io.*;
    import javax.net.ssl.*;

    // Opens a TLS connection to host:port using the JVM's default trust store
    // (or the one named by -Djavax.net.ssl.trustStore) and forces the handshake,
    // which is the step that fails when the server certificate is not trusted.
    public class checkSSL {
        public static void main(String[] args) throws Exception {
            SSLSocketFactory sslFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslSocket = (SSLSocket) sslFactory.createSocket(args[0], Integer.parseInt(args[1]));
            try {
                // Without this the handshake is only triggered by the first read or write.
                sslSocket.startHandshake();
                InputStream is = sslSocket.getInputStream();
                OutputStream os = sslSocket.getOutputStream();
                // Send a single byte and echo back whatever the service has already sent.
                os.write(1);
                while (is.available() > 0) {
                    System.out.print(is.read());
                }
                System.out.println("Successfully connected");
            } finally {
                sslSocket.close();
            }
        }
    }
…you will see it doesn’t work when the default cacerts file is used…
[sa-jboss@cmhldecomecm01 ~]$ /usr/lib/jvm/java-1.7.0/jre/bin/java -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.7.0/jre/lib/security/cacerts checkSSL cmhldmomsesb01 61617
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
…but works when pointed to either a custom keystore…
[sa-jboss@cmhldecomecm01 ~]$ /usr/lib/jvm/java-1.7.0/jre/bin/java -Djavax.net.ssl.trustStore=/opt/jboss/security/domain.com.keystore checkSSL cmhldmomsesb01 61617
Successfully connected
[sa-jboss@cmhldecomecm01 ~]$
…or to a cacerts into which the custom certificate has been imported…
[sa-jboss@cmhldecomecm01 ~]$ /usr/lib/jvm/java-1.7.0/jre/bin/java -Djavax.net.ssl.trustStore=/tmp/cacerts checkSSL cmhldmomsesb01 61617
Successfully connected
[sa-jboss@cmhldecomecm01 ~]$
Two possible solutions exist:
1. Change the JBoss arguments file (/opt/jboss/run/ecm_02.conf) to add the “-Djavax.net.ssl.trustStore=/opt/jboss/security/domain.com.keystore” argument. Note that this setting *replaces* the default trust store rather than adding to it: any other outbound TLS connection the JVM makes (for example to a service with a publicly issued certificate) will then fail with the same PKIX error unless those CA certificates are also present in domain.com.keystore.
2. Import the custom certificate (the service's certificate or the CA that issued it, never the private key) into the cacerts file in the default JRE location (/usr/lib/jvm/java-1.7.0/jre/lib/security/cacerts). That file is replaced when the JRE is updated, so the import has to be repeated, or scripted, after every Java upgrade.
Either one would do it.
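As an added example (not part of the original note), the shell below carries out option 2 the way it was tested above: against a copy of cacerts, so the JRE file is never edited in place, with keytool doing the import and a check that the alias landed as a trustedCertEntry. The paths, the alias name esb-ca and the store password (keytool's default, changeit) are assumptions; the self-signed certificate the demo generates stands in for the real ESB service certificate and is constructed for this example only.

```shell
#!/bin/sh
# Added example: import a service certificate into a trust store with keytool,
# working on a copy so the JRE's own cacerts is untouched until you are ready.

# Export the PEM certificate chain a TLS service presents. Needs network;
# the offline demo below does not call it.
# Usage: fetch_server_cert cmhldmomsesb01 61617 > esb.pem
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# import_trusted_cert STORE STOREPASS CERT.pem ALIAS
# Idempotent: returns 0 without importing if ALIAS is already in STORE.
# -noprompt trusts the certificate as given, so only feed it a file you
# obtained over a channel you trust (or verified its fingerprint).
import_trusted_cert() {
    itc_store=$1; itc_pass=$2; itc_cert=$3; itc_alias=$4
    if keytool -list -keystore "$itc_store" -storepass "$itc_pass" -alias "$itc_alias" >/dev/null 2>&1; then
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -keystore "$itc_store" -storepass "$itc_pass" \
        -alias "$itc_alias" -file "$itc_cert" >/dev/null 2>&1
}

# trust_store_has_alias STORE STOREPASS ALIAS
# True only if ALIAS is present as a trusted certificate, not a key entry.
trust_store_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null | grep -q trustedCertEntry
}

# Offline demo: generate a throwaway self-signed certificate (constructed
# stand-in for the ESB service's certificate), import it into a fresh store
# and verify. In production start from a copy of
# /usr/lib/jvm/java-1.7.0/jre/lib/security/cacerts instead of an empty file.
demo() {
    demo_work=$(mktemp -d)
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1 -alias demo \
        -dname "CN=cmhldmomsesb01.domain.com" -keystore "$demo_work/demo.jks" \
        -storepass changeit -keypass changeit >/dev/null 2>&1
    keytool -exportcert -rfc -alias demo -keystore "$demo_work/demo.jks" \
        -storepass changeit -file "$demo_work/demo.pem" >/dev/null 2>&1
    import_trusted_cert "$demo_work/cacerts" changeit "$demo_work/demo.pem" esb-ca
    # Second call must be a no-op rather than an error.
    import_trusted_cert "$demo_work/cacerts" changeit "$demo_work/demo.pem" esb-ca
    if trust_store_has_alias "$demo_work/cacerts" changeit esb-ca; then
        demo_rc=0
    else
        demo_rc=1
    fi
    rm -rf "$demo_work"
    return $demo_rc
}
```

For the real host the sequence is: fetch_server_cert cmhldmomsesb01 61617 > esb.pem, cp the JRE cacerts to /tmp/cacerts, import_trusted_cert /tmp/cacerts changeit esb.pem esb-ca, re-run checkSSL with -Djavax.net.ssl.trustStore=/tmp/cacerts as shown above, and only then copy /tmp/cacerts back over the JRE file. Keep the script around, because the next Java update will ship a fresh cacerts without the entry.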