2 Replies Latest reply: Dec 21, 2012 3:15 AM by EJP

Issue while making HTTPS Connection, javax.net.ssl.SSLHandshakeException

971057 Newbie
Hi,

I am trying to connect to one of our external vendors using an HTTPS URL and the certificate provided by them. For that I have imported the cert chain and saved it in .der format (also tried PEM/.crt format) as a jks file in our application EAR file. We are using the WAS 6 app server.

Now when I try to make the connection from my Java code I am getting "java.lang.Exception: Error while writing data to the URL: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found"

The cert chain I can see in the browser is GTECyberTrustGlobalRoot --> AkamaiSubordinateCA3 --> uat.metricsthatmatter.com (it's the URL which I am connecting to with the provided username/password with SSL).
I added all three certs above to my dmskeystore.jks inside our EAR file.

Due to org policy and dependency on another team, we cannot add these certs to WAS, as specified in the error log, through the WAS Admin console.

Let me know if anybody has faced a similar kind of situation and if there is any way to mark a particular cert as trusted through code (not from config).

Here is the code showing how I am trying to connect using SSL:

System.setProperty("com.ibm.ssl.trustStore", GlobalCache.APP_HOME+"/WEB-INF/lib/dmskeystore.jks");      
System.setProperty("com.ibm.ssl.trustStorePassword", "changeit");           
System.setProperty("com.ibm.ssl.keyStore", GlobalCache.APP_HOME+"/WEB-INF/lib/dmskeystore.jks");      
System.setProperty("com.ibm.ssl.keyStorePassword", "changeit");
System.setProperty("java.protocol.handler.pkgs","com.ibm.net.ssl.internal.www.protocol");


com.ibm.net.ssl.www2.protocol.https.a conn = null;
conn = (com.ibm.net.ssl.www2.protocol.https.a)new URL(urlStr).openConnection() ;     


Here is the complete server log with the errors we are getting:



[10/18/12 16:57:25:693 PDT] 00000028 WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=www.metricsthatmatter.com, ST=ILLINOIS, OU=KnowledgeAdvisors, O=KnowledgeAdvisors, L=Chicago, C=US" was sent from target host:port "www.metricsthatmatter.com:443". The signer may need to be added to local trust store "/opt/ibm/websphere/6.1.0.23-02_32/deploymentmanager/profiles/ccix-02_32-node/config/cells/ccix-02_32-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=www.metricsthatmatter.com, ST=ILLINOIS, OU=KnowledgeAdvisors, O=KnowledgeAdvisors, L=Chicago, C=US" was sent from target host:port "www.metricsthatmatter.com:443". The signer may need to be added to local trust store "/opt/ibm/websphere/6.1.0.23-02_32/deploymentmanager/profiles/ccix-02_32-node/config/cells/ccix-02_32-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=www.metricsthatmatter.com, ST=ILLINOIS, OU=KnowledgeAdvisors, O=KnowledgeAdvisors, L=Chicago, C=US" was sent from target host:port "www.metricsthatmatter.com:443". The signer may need to be added to local trust store "/opt/ibm/websphere/6.1.0.23-02_32/deploymentmanager/profiles/ccix-02_32-node/config/cells/ccix-02_32-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:694 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:695 PDT] 00000028 SystemOut O CWPKI0428I: The signer might need to be added to the local trust store. You can use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem. If you determine that the request is trusted, complete the following steps: 1. Log into the administrative console. 2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations. 3. Select the appropriate outbound configuration to get to the (cell):ccix-02_32-cell management scope. 4. Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore key store. 5. Under Additional Properties, click Signer certificates and Retrieve From Port. 6. In the Host field, enter www.metricsthatmatter.com in the host name field, enter 443 in the Port field, and www.metricsthatmatter.com_cert in the Alias field. 7. Click Retrieve Signer Information. 8. Verify that the certificate information is for a certificate that you can trust. 9. Click Apply and Save.
[10/18/12 16:57:25:695 PDT] 00000028 SystemOut O
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O Error while writing data to the URL: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.n.a(n.java:8)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.a(pc.java:210)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.a(eb.java:478)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.a(eb.java:536)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.fb.a(fb.java:162)
[10/18/12 16:57:25:696 PDT] 00000028 SystemOut O at com.ibm.jsse2.fb.a(fb.java:290)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.m(eb.java:17)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.eb.a(eb.java:295)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.a(pc.java:214)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.g(pc.java:376)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.a(pc.java:573)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.jsse2.pc.startHandshake(pc.java:37)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:32)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:70)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1044)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:51)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.cisco.common.util.HttpCommunicationHelper.postData(HttpCommunicationHelper.java:95)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at java.lang.reflect.Method.invoke(Method.java:618)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.cisco.common.util.TaskProcessor.executeTask(TaskProcessor.java:74)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O at com.cisco.common.util.TaskProcessor.run(TaskProcessor.java:115)
[10/18/12 16:57:25:697 PDT] 00000028 SystemOut O Caused by: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.util.g.a(g.java:39)
at com.ibm.jsse2.util.g.b(g.java:32)
at com.ibm.jsse2.util.e.a(e.java:9)
at com.ibm.jsse2.ec.checkServerTrusted(ec.java:3)
at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:286)
at com.ibm.jsse2.nb.checkServerTrusted(nb.java:16)
at com.ibm.jsse2.fb.a(fb.java:298)
at com.ibm.jsse2.fb.a(fb.java:290)
at com.ibm.jsse2.eb.m(eb.java:17)
at com.ibm.jsse2.eb.a(eb.java:295)
at com.ibm.jsse2.pc.a(pc.java:214)
at com.ibm.jsse2.pc.g(pc.java:376)
at com.ibm.jsse2.pc.a(pc.java:573)
at com.ibm.jsse2.pc.startHandshake(pc.java:37)
at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:32)
at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:70)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1044)
at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:51)
at com.cisco.common.util.HttpCommunicationHelper.postData(HttpCommunicationHelper.java:95)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.cisco.common.util.TaskProcessor.executeTask(TaskProcessor.java:74)
at com.cisco.common.util.TaskProcessor.run(TaskProcessor.java:115)

[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.util.g.a(g.java:39)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.util.g.b(g.java:32)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.util.e.a(e.java:9)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.ec.checkServerTrusted(ec.java:3)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:286)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.nb.checkServerTrusted(nb.java:16)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O at com.ibm.jsse2.fb.a(fb.java:298)
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O ... 18 more
[10/18/12 16:57:25:700 PDT] 00000028 SystemOut O Exception occured while executing: java.lang.reflect.InvocationTargetException
[10/18/12 16:57:25:700 PDT] 00000027 SystemOut O java.lang.reflect.InvocationTargetException
[10/18/12 16:57:25:700 PDT] 00000027 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at java.lang.reflect.Method.invoke(Method.java:618)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at com.cisco.common.util.TaskProcessor.executeTask(TaskProcessor.java:74)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O at com.cisco.common.util.TaskProcessor.run(TaskProcessor.java:115)
[10/18/12 16:57:25:701 PDT] 00000027 SystemOut O Caused by: java.lang.Exception: Error while writing data to the URL: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found


Thanks in Advance
Anuj

Edited by: 968054 on Oct 27, 2012 10:20 PM
  • 1. Re: Issue while making HTTPS Connection, javax.net.ssl.SSLHandshakeException
    811168 Newbie
    You can try this..
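    import java.security.KeyStore;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(getClass().getResourceAsStream("/dmskeystore.jks"), "changeit".toCharArray());
    // dmskeystore.jks should be present in the 'classes' folder of the webapp, i.e. you can put it in your 'src' folder.

    // Build trust managers backed by the certificates in that keystore.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keyStore);

    SSLContext ctx = SSLContext.getInstance("SSL");
    ctx.init(null, tmf.getTrustManagers(), null);

    // Becomes the default for every HttpsURLConnection created afterwards.
    HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());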
  • 2. Re: Issue while making HTTPS Connection, javax.net.ssl.SSLHandshakeException
    EJP Guru
    Setting the system properties won't do it inside an application server. By the time you get to do it, even if you have the requisite permissions, it is almost certainly too late. You need to initialize a custom SSLContext as shown in @Raees's answer.
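
Added example (not code from either reply): the custom-SSLContext approach from the answers above, applied to a single connection with setSSLSocketFactory so the bundled trust store does not become the default for every HttpsURLConnection in the server JVM. It also prints the subjects held in the store so they can be compared with the SubjectDN reported in the CWPKI0022E message. The class name VendorTls is hypothetical, the resource name and password are the ones used in the thread, and the connection is assumed to be a javax.net.ssl.HttpsURLConnection.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class VendorTls {                        // hypothetical class name
    // Assumed: resource name and password as used in the thread.
    private static final String STORE = "/dmskeystore.jks";
    private static final char[] STORE_PASS = "changeit".toCharArray();

    /** Builds a socket factory that trusts only the certificates in the bundled JKS. */
    static SSLSocketFactory vendorSocketFactory() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = VendorTls.class.getResourceAsStream(STORE);
        if (in == null) {                       // fail loudly instead of loading an empty store
            throw new IllegalStateException(STORE + " not found on classpath");
        }
        try {
            ks.load(in, STORE_PASS);
        } finally {
            in.close();
        }
        // List trusted entries for comparison with the SubjectDN in the handshake error.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                String dn = ((X509Certificate) c).getSubjectX500Principal().getName();
                System.out.println(alias + " -> " + dn);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Opens one connection with the custom trust store; JVM-wide defaults stay untouched. */
    static HttpsURLConnection open(String urlStr) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlStr).openConnection();
        conn.setSSLSocketFactory(vendorSocketFactory());
        return conn;                            // default HostnameVerifier stays in place
    }
}
```

Certificate validation and hostname verification both remain enabled here; only the set of trust anchors changes.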