In a JBOSS environment, the issue was the connector in the server.xml file is only used for *inbound* connections, not ones out from JBOSS to another SSL enabled service. If you compile and run the following test class below\u2026<\/p>\n
\r\n[sa-jboss@cmhldecomecm01 ~]$ cat checkSSL.java\r\nimport java.io.*;\r\nimport javax.net.ssl.*;\r\n\r\npublic class checkSSL {\r\n public static void main(String[] args) throws Exception {\r\n SSLSocketFactory sslFactory = (SSLSocketFactory)SSLSocketFactory.getDefault();\r\n SSLSocket sslSocket = (SSLSocket)sslFactory.createSocket(args[0], Integer.parseInt(args[1]));\r\n\r\n InputStream is = sslSocket.getInputStream();\r\n OutputStream os = sslSocket.getOutputStream();\r\n\r\n os.write(1);\r\n while (is.available() > 0) {\r\n System.out.print(is.read());\r\n }\r\n System.out.println(\"Successfully connected\");\r\n }\r\n}\r\n<\/pre>\n\u2026you will see it doesn\u2019t work when the default cacerts file is used\u2026<\/p>\n
\r\n[sa-jboss@cmhldecomecm01 ~]$ \/usr\/lib\/jvm\/java-1.7.0\/jre\/bin\/java -Djavax.net.ssl.trustStore=\/usr\/lib\/jvm\/java-1.7.0\/jre\/lib\/security\/cacerts checkSSL cmhldmomsesb01 61617\r\nException in thread \"main\" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\r\n<\/pre>\n\u2026but works when pointed to either a custom keystore\u2026<\/p>\n
\r\n[sa-jboss@cmhldecomecm01 ~]$ \/usr\/lib\/jvm\/java-1.7.0\/jre\/bin\/java -Djavax.net.ssl.trustStore=\/opt\/jboss\/security\/domain.com.keystore checkSSL cmhldmomsesb01 61617\r\nSuccessfully connected\r\n[sa-jboss@cmhldecomecm01 ~]$\r\n<\/pre>\n\u2026or to a cacerts into which the custom certificate has been imported\u2026<\/p>\n
\r\n[sa-jboss@cmhldecomecm01 ~]$ \/usr\/lib\/jvm\/java-1.7.0\/jre\/bin\/java -Djavax.net.ssl.trustStore=\/tmp\/cacerts checkSSL cmhldmomsesb01 61617\r\nSuccessfully connected\r\n[sa-jboss@cmhldecomecm01 ~]$\r\n<\/pre>\nTwo possible solutions exist:<\/p>\n
1. Change the JBOSS arguments file (\/opt\/jboss\/run\/ecm_02.conf) to add the \u201c-Djavax.net.ssl.trustStore=\/opt\/jboss\/security\/domain.com.keystore\u201d argument
\n2. Import the custom key into the cacerts file in the default JRE location (\/usr\/lib\/jvm\/java-1.7.0\/jre\/lib\/security\/cacerts)<\/p>\n
Either one would do it.<\/p>\n","protected":false},"excerpt":{"rendered":"
In a JBOSS environment, the issue was the connector in the server.xml file is only used for *inbound* connections, not ones out from JBOSS to another SSL enabled service. If you compile and run the following test class below\u2026 [sa-jboss@cmhldecomecm01…<\/p>\n