Javacloud - SDK - Working with SSL Trusted Certificates

Tired of SSLHandshake exceptions when accessing an HTTPS URL from your application deployed in JCS-SX, and wondering what is going wrong and how to fix it? Read on; this blog post explains it.
Let's first understand what is happening, in layman's terms.
When an application deployed in JCS-SX connects to a URL over HTTPS, the server sends its certificate (public key) to the client, i.e. JCS-SX, and the client must authenticate this certificate by checking it against its list of trusted certificates. JCS-SX keeps the certificates it trusts in a store called the trustStore.
If you want to try what is explained below, you need the JCS-SX SDK.
If you do not have the SDK, follow this link - https://docs.oracle.com/cloud/latest/javacs_gs/CSJSU/GUID-B2007CE3-274C-43F9-80CF-E388B5F2C065.htm#CSJSU7165
Check the trusted certificates available in this store - To list the certificates that your JCS-SX environment trusts by default, use the command below.
javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password> -httpproxy <proxy-server:proxy-port> -list-ssl-certificates
This command lists all trusted certificates in the format below:
S.NO - <S.NO> Alias - <Alias - Name> Expired - <Expiry status> Expiring in - <Time for expiry in format - 4 years, 236 days, 14 hours, 54 minutes and 7 seconds>
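
A way to turn that listing into an expiry check, as an added example that is not part of the original post or the SDK. It assumes one entry per line in the format above and that the "Expired" field prints as true/false; the function name, the status labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): flag trust-store entries that are expired
# or near expiry, from the text printed by -list-ssl-certificates.
# Assumptions: one entry per line in the format shown above, and the
# "Expired" field prints as true/false.

# Usage: javacloud <connection options> -list-ssl-certificates | expiring_certs 90
# Prints "alias<TAB>status" for every entry that needs attention.
expiring_certs() {
    awk -v max="$1" '
    {
        a = index($0, " Alias - ")
        e = index($0, " Expired - ")
        x = index($0, " Expiring in - ")
        if (!a || !e || !x) next            # not a certificate line
        alias   = substr($0, a + 9, e - a - 9)
        expired = substr($0, e + 11, x - e - 11)
        n = split(substr($0, x + 15), t, /[ ,]+/)
        days = 0                            # whole days left; hours and below ignored
        for (i = 1; i < n; i++) {
            if (t[i + 1] ~ /^year/) days += t[i] * 365
            if (t[i + 1] ~ /^day/)  days += t[i]
        }
        if (expired != "false")  printf "%s\tEXPIRED\n", alias
        else if (days < max)     printf "%s\tEXPIRES_IN_%d_DAYS\n", alias, days
    }'
}

# Constructed sample listing (aliases and durations are made up).
sample_listing() {
cat <<'EOF'
S.NO - 1 Alias - constructed-root-ca Expired - false Expiring in - 4 years, 236 days, 14 hours, 54 minutes and 7 seconds
S.NO - 2 Alias - constructed-partner-api Expired - false Expiring in - 41 days, 3 hours, 10 minutes and 2 seconds
S.NO - 3 Alias - constructed-old-gateway Expired - true Expiring in - 0 seconds
EOF
}

sample_listing | expiring_certs 90
```
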
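When you see an SSLHandshake exception, your server's certificate does not exist in the JCS-SX truststore and hence cannot be validated. You can add it to the JCS-SX truststore using the command below. Add only a certificate whose origin you have verified, because every certificate in this store is trusted for your application's outbound HTTPS connections.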
javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password> -httpproxy <proxy-server:proxy-port> -add-ssl-certificates -path <path to certificate file>
The response will look like this:
[INFO] - 1 certificate(s) added.
You can use the list-ssl-certificates command to check that your certificate is now in the JCS-SX truststore.
If you want to revoke trust in a specific server's certificate, delete its certificate from the truststore using the command below.
javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password> -httpproxy <proxy-server:proxy-port> -delete-ssl-certificates -alias <alias-name>
The response will be:
Alias <alias-name> deleted.
If you have messed up your truststore and are not sure how to get it right again, JCS-SX comes to your rescue and provides a reset command that restores the truststore to its default contents. Be aware that this removes all certificates added and trusted by you.
javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password> -httpproxy <proxy-server:proxy-port> -reset-ssl-certificate-store
The response will look like this:
This will undo all the certificate management operations you have performed. Are you sure you want to reset SSL trust-store?(yes/no):yes
[INFO] - The SSL certificate store is reset.
You can download the complete truststore or specific certificates to your local machine with the download-ssl-certificates command:
javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password> -httpproxy <proxy-server:proxy-port> -download-ssl-certificates -output <output-dir>
The response will look like this:
[INFO] - 76 certificates downloaded.
[INFO] - Downloaded at: <output-dir> downloaded_certificates.jks
Please note that the downloaded JKS file does not have any password.
Hope this blog post helps you configure and troubleshoot SSL trust issues. Enjoy the Cloud Infra.
The views expressed in this post are my own and do not necessarily reflect the views of Oracle.