
Java User Groups


App accessing cacerts without password or type specified until recently

EddieTurbo, May 1 2020 (edited May 1 2020)

Hi,

We inherited a Java Application running on RHEL in AWS late last year. It was provisioned every day, across multiple environments, by an automated build. The application uses its own instance of Java and that hasn't changed. However, it was configured to look at the system trustStore (/etc/pki/java/cacerts).

All worked fine until 22nd of April (last week) when the application was no longer able to negotiate an SSL Handshake with a downstream server after the nightly build. We have verified the downstream server and nothing changed there.

On closer inspection, though, it just got really weird. We discovered that the trustStorePassword and trustStoreType parameters were never included as JVM arguments:

com.ibm.ssl.trustStore = /etc/pki/java/cacerts    - included as a JVM argument
com.ibm.ssl.trustStorePassword = ********         - never included
com.ibm.ssl.trustStoreType = JKS                  - never included

So my question is, how could the application ever retrieve the signer certs from the store without all 3 arguments being provided?

Thanks.

EddieT
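As an added illustration (not part of the original post and not the application's own code), the following standard-JDK snippet shows the mechanism the question is asking about: KeyStore.load() accepts a null password, so the certificates in a JKS truststore can be read with no password and no explicit type, at the cost of skipping the file's integrity check. Only the java.security API is used; how the com.ibm.ssl.* properties are consumed is not shown, and the store path and password are assumed to come from the command line.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Collections;

/*
 * Added example: a null password reads every trusted certificate and skips
 * the JKS integrity (MAC) check; the type falls back to
 * KeyStore.getDefaultType(), i.e. the keystore.type property from
 * java.security ("jks" on Java 8, "pkcs12" on Java 9+, which still reads
 * JKS files).
 */
public class TrustStoreProbe {

    /* Load with no password: certificates readable, integrity NOT verified. */
    static int countTrustedCerts(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, null); // null -> no MAC check, no error on a modified store
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
            }
        }
        return trusted;
    }

    /* Load with the store password: a modified store or a wrong password
     * fails with "Keystore was tampered with, or password was incorrect". */
    static boolean integrityCheckPasses(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            try {
                ks.load(in, password);
                return true;
            } catch (IOException e) { // tampered store or wrong password
                return false;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = store path, args[1] = store password (optional).
        String path = args.length > 0 ? args[0] : "/etc/pki/java/cacerts";
        System.out.println("trusted certificate entries: " + countTrustedCerts(path));
        if (args.length > 1) {
            boolean ok = integrityCheckPasses(path, args[1].toCharArray());
            System.out.println("integrity check with supplied password: " + (ok ? "passed" : "FAILED"));
        }
    }
}
```

Run it once without a password to confirm the certificates load, then with the real store password to see whether the file still passes its integrity check.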

Comments

Timo Hahn

***Moderator note (Timo): Vladimir

Please don't just answer by giving a link. Provide some more information on how you think the link will help to solve the problem. The Oracle Community – General FAQ states:

I have an excellent blog entry that answers a very complex user question. Can I just post a link as the answer?

Unfortunately, a link is not an answer. It’s a location of relevant and correct material to answer the question. And while the link to the blog is probably very useful, it will be flagged for review by the system moderators who are dedicated to ensuring the Community Platform is not susceptible to spam or any forms of promotion.

The best approach is always to “Answer in the Discussion” and in this case, that would mean providing enough content to address the question and answer it completely, if not in absolute detail at least to the extent that it achieves content correctness. Additional resources such as links to relevant and correct material can be offered as “for more information” or further explanation, but the answer should be complete. If an external blog entry is being linked, please provide a substantive quote from the blog entry to add context for users.

***
