Javacloud - SDK - Working with SSL Trusted Certificates

Amit Gokhru-Oracle (Member, Posts: 5)
edited Jul 1, 2016 7:56AM in Developer Solutions

Tired of SSLHandshakeException errors when your application deployed in JCS-SX accesses an HTTPS URL, and wondering what is going wrong and how to fix it? Read on; this post explains it.

Let's first understand what is happening, in layman's terms.

When an application deployed in JCS-SX connects to any URL over HTTPS, the server presents its certificate (which carries its public key) to the client, here JCS-SX. The client must validate that certificate against its list of trusted certificates before the handshake can complete. JCS-SX keeps the certificates it trusts in a store called the trustStore.

To try what is explained below, you need the JCS-SX SDK.

If you do not have the SDK, follow this link: https://docs.oracle.com/cloud/latest/javacs_gs/CSJSU/GUID-B2007CE3-274C-43F9-80CF-E388B5F2C065.htm#CSJSU7165

Check the trusted certificates already in this store. To list the certificates that your JCS-SX environment trusts by default, use the command below:

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -list-ssl-certificates

This command lists all trusted certificates in the following format:

S.NO        - <S.NO>
Alias       - <Alias - Name>
Expired     - <Expiry status>
Expiring in - <Time for expiry in format - 4 years, 236 days, 14 hours, 54 minutes and 7 seconds>


When you see an SSLHandshakeException, the remote server's certificate (or the CA certificate that issued it) is not in the JCS-SX truststore, so JCS-SX cannot validate the certificate chain. Here is how to add it to JCS-SX with the command below:

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -add-ssl-certificates -path <path to certificate file>


The response will look like this:

[INFO]    - 1 certificate(s) added.


You can confirm that your certificate is now in the JCS-SX truststore with the list-ssl-certificates command.

To revoke trust in a specific server's certificate, delete it from the truststore using the command below:

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -delete-ssl-certificates -alias <alias-name>


The response will be:

Alias <alias-name> deleted.


If you have messed up your truststore and are not sure how to get it right again, JCS-SX provides a reset command that restores the truststore to its default contents. Be aware that this removes every certificate you added and trusted yourself.

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -reset-ssl-certificate-store


The response will look like this:

This will undo all the certificate management operations you have performed.
Are you sure you want to reset SSL trust-store?(yes/no):yes
[INFO]    - The SSL certificate store is reset.


You can download the complete truststore, or specific certificates, to your local machine with the download-ssl-certificates command:

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -download-ssl-certificates -output <output-dir>


The response will look like this:

[INFO]    - 76 certificates downloaded.
[INFO]    - Downloaded at: <output-dir>
            downloaded_certificates.jks


Please note that the downloaded jks file has no password. It holds only trusted certificates (no private keys), so there is nothing secret in it, but an unprotected store also gives you no integrity check, so treat it as a copy for inspection rather than as a source of trust.

I hope this post helps you configure and troubleshoot SSL trust issues. Enjoy the Cloud Infra
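As an added example (not part of the original post and not code from the javacloud SDK), the Java program below loads the downloaded_certificates.jks exported above, prints the same alias/expiry view that -list-ssl-certificates gives, and runs the PKIX chain validation that the HTTPS handshake performs, so you can tell offline whether a server's chain would fail trust checks before touching the JCS-SX store. The truststore path and a PEM file holding the remote server's chain (leaf first) are assumed inputs.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.time.Duration;
import java.time.Instant;
import java.util.*;

public class TrustStoreCheck {
    // Load the truststore exported by -download-ssl-certificates. The exported
    // JKS has no password, so a null password is used and integrity is not verified.
    static KeyStore loadTrustStore(String jksPath) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            ts.load(in, null);
        }
        return ts;
    }

    // Same view as -list-ssl-certificates: alias, expired flag and time to expiry (in days).
    static void listTrusted(KeyStore ts) throws Exception {
        Instant now = Instant.now();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            Duration left = Duration.between(now, c.getNotAfter().toInstant());
            System.out.printf("Alias - %s%nExpired - %b%nExpiring in - %d days%n%n",
                    alias, left.isNegative(), Math.max(0, left.toDays()));
        }
    }

    // Reproduce the handshake's trust decision offline: PKIX path validation of the
    // remote server's chain (PEM file, leaf first; assumed input) against the store.
    static boolean isTrusted(KeyStore ts, String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            chain.addAll(cf.generateCertificates(in));
        }
        PKIXParameters params = new PKIXParameters(ts); // trust anchors = store entries
        params.setRevocationEnabled(false);             // offline check, no CRL/OCSP fetch
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            return true;
        } catch (CertPathValidatorException ex) {
            // This failure is what surfaces as SSLHandshakeException in the application
            System.out.println("Not trusted: " + ex.getMessage());
            return false;
        }
    }
}
```

Call loadTrustStore("<output-dir>/downloaded_certificates.jks") followed by isTrusted(...) with the server's chain file; a "Not trusted" result is exactly the condition fixed by -add-ssl-certificates.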

The views expressed in this post are my own and do not necessarily reflect the views of Oracle.
