“Unable to find valid certification path to requested target” exception

In a JBOSS environment, the issue was that the connector in the server.xml file is only used for *inbound* connections, not for connections going out from JBOSS to another SSL-enabled service. If you compile and run the following test class…

[sa-jboss@cmhldecomecm01 ~]$ cat checkSSL.java
import java.io.*;
import javax.net.ssl.*;

// Minimal outbound TLS probe. It uses the JVM's default SSLSocketFactory, so the
// trust anchors come from -Djavax.net.ssl.trustStore (or the JRE's cacerts if unset),
// exactly as they do for JBOSS's own outbound connections.
public class checkSSL {
  public static void main(String[] args) throws Exception {
    SSLSocketFactory sslFactory = (SSLSocketFactory)SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket)sslFactory.createSocket(args[0], Integer.parseInt(args[1]));

    // Run the handshake explicitly; this is where PKIX path building happens and where
    // "unable to find valid certification path to requested target" is thrown.
    sslSocket.startHandshake();

    InputStream is = sslSocket.getInputStream();
    OutputStream os = sslSocket.getOutputStream();

    os.write(1);
    // Echo whatever the service has already sent back before finishing
    while (is.available() > 0) {
      System.out.print(is.read());
    }
    System.out.println("Successfully connected");
    sslSocket.close();
  }
}

…you will see it doesn’t work when the default cacerts file is used…

[sa-jboss@cmhldecomecm01 ~]$ /usr/lib/jvm/java-1.7.0/jre/bin/java -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.7.0/jre/lib/security/cacerts checkSSL cmhldmomsesb01 61617
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

…but works when pointed to either a custom keystore…

[sa-jboss@cmhldecomecm01 ~]$ /usr/lib/jvm/java-1.7.0/jre/bin/java -Djavax.net.ssl.trustStore=/opt/jboss/security/domain.com.keystore checkSSL cmhldmomsesb01 61617
Successfully connected
[sa-jboss@cmhldecomecm01 ~]$

…or to a cacerts into which the custom certificate has been imported…

[sa-jboss@cmhldecomecm01 ~]$ /usr/lib/jvm/java-1.7.0/jre/bin/java -Djavax.net.ssl.trustStore=/tmp/cacerts checkSSL cmhldmomsesb01 61617
Successfully connected
[sa-jboss@cmhldecomecm01 ~]$

Two possible solutions exist:

1. Change the JBOSS arguments file (/opt/jboss/run/ecm_02.conf) to add the “-Djavax.net.ssl.trustStore=/opt/jboss/security/domain.com.keystore” argument
2. Import the custom certificate into the cacerts file in the default JRE location (/usr/lib/jvm/java-1.7.0/jre/lib/security/cacerts)

Either one would do it.
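A third way to do the same check, added here as an example and not part of the original post: load the truststore in code instead of via -Djavax.net.ssl.trustStore, then print the chain the server actually presented so you can see which CA needs to be in cacerts. The CheckTrust class name and the argument order (host, port, truststore path, truststore password) are assumptions; the stock cacerts password is changeit.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (not the original post's code). Builds an SSLContext whose only trust
// anchors are the entries of the given truststore, then probes host:port with it.
// Assumed arguments: args[0] host, args[1] port, args[2] truststore path, args[3] password.
public class CheckTrust {
  static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
    try (FileInputStream in = new FileInputStream(trustStorePath)) {
      ts.load(in, password);                       // cacerts ships with password "changeit"
    }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ts);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);  // no client key material: outbound trust only
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = contextFor(args[2], args[3].toCharArray());
    try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
      s.startHandshake();  // PKIX path building runs here against the loaded truststore
      System.out.println("Handshake OK: " + s.getSession().getProtocol()
          + " / " + s.getSession().getCipherSuite());
      // Leaf first, then intermediates; the last issuer is the anchor cacerts must contain
      for (Certificate c : s.getSession().getPeerCertificates()) {
        X509Certificate x = (X509Certificate) c;
        System.out.println("  subject=" + x.getSubjectX500Principal()
            + "  issuer=" + x.getIssuerX500Principal()
            + "  expires=" + x.getNotAfter());
      }
    } catch (SSLHandshakeException e) {
      System.err.println("Handshake failed: " + e.getMessage());
      System.err.println("Typically the server's chain does not end in an anchor present in " + args[2]);
      System.exit(1);
    }
  }
}
```

Running it once against the JRE's cacerts and once against /opt/jboss/security/domain.com.keystore reproduces the failure and success shown above without touching the JBOSS arguments file.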
