App accessing cacerts without password or type specified until recently

EddieTurbo

Hi,

We inherited a Java Application running on RHEL in AWS late last year. It was provisioned every day, across multiple environments, by an automated build. The application uses its own instance of Java and that hasn't changed. However, it was configured to look out at the system trustStore (/etc/pki/java/cacerts).

All worked fine until 22nd of April (last week) when the application was no longer able to negotiate an SSL Handshake with a downstream server after the nightly build. We have verified the downstream server and nothing changed there.

On closer inspection though it just got really weird. We discovered that the trustStorePassword and trustStoreType parameters were never included as JVM arguments:

com.ibm.ssl.trustStore = /etc/pki/java/cacerts - included as a JVM argument

com.ibm.ssl.trustStorePassword = ******** - never included

com.ibm.ssl.trustStoreType = JKS - never included

So my question is, how could the application ever retrieve the signer certs from the store without all 3 arguments being provided?

Thanks.

EddieT
