I am looking for ways to remove all aliases and certificates, and have a fresh start.
I tried searching for the keystore file but I am not able to find it.
I have no idea about the result of deleting 'cacerts' file in my java home.
Currently I am getting this exception:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
I am using Java 8.
I will appreciate your help. Thanks!
Related
In converting an ACF website to Lucee, we're facing some configuration issues. Our environment is Lucee5, Tomcat7, and Java.
There seems to be something not configured correctly for Lucee to be able to access an endpoint webservice via SSL. The same code works without any issues on CF9 on the same server in a different Tomcat container.
The test call:
cfhttp(method="GET", charset="utf-8", url="https://our_lucee_server.org/wf/webservice/wf_webservice.cfc?wsdl", result="result") {
}
writeDump(result);
results in a:
java.security.cert.CertificateException: No X509TrustManager implementation available
It's been suggested that the endpoint serving the WSDL is the issue and that either Tomcat or Apache needs to be configured. Since Lucee is the program throwing the error, how can I determine what's preventing Lucee from accessing the endpoint?
The WSDL can be accessed no problem from a browser.
Things we've tried:
Importing the SSL into Lucee from the target domain using Lucee server admin and restarting.
Spinning up an instance of Lucee using CommandBox, and then copying the cacerts file from CommandBox to the Lucee Server.
I think this can be solved by importing the cert for the site you are trying to access and adding it to the java home / jre / lib / security folder ...
For reasons unknown the cert for the site you are trying to access is not trusted, so you need to add it to the trust store.
The final solution for us was running the following two commands.
This is for a CentOS7, Java 8, Tomcat, Lucee5 setup ...
step 1: back up the lucee keystore:
mv /opt/tomcatxxx/webapps/xxxx/WEB-INF/lucee-server/context/security/cacerts /opt/tomcatxxx/webapps/xxxx/WEB-INF/lucee-server/context/security/cacerts.bak
(where /opt/tomcatXXX/webapps/XXX/WEB-INF/ is the path to the lucee instance)
step 2: make a symbolic link between the java keystore and the lucee keystore
ln -s /opt/tomcatxxx/conf/s2s-ubertruststore_01_10_18.jks /opt/tomcatxxx/webapps/xxxx/WEB-INF/lucee-server/context/security/cacerts
Essentially, the keystore that came with Lucee5 didn't work out of the box.
Pointing the lucee keystore to the working Java keystore fixed it.
Step 3:
Restart Tomcat and lucee
I have a web service that had been working fine while we were on Java 7 version 75. We recently updated to Java 8 and now we are getting this error on the web service: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This is the full dump:
Charset [empty string]
ErrorDetail I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Filecontent Connection Failure
Header [empty string]
Mimetype Unable to determine MIME type of file.
Responseheader ws dump - struct [empty]
Statuscode Connection Failure. Status code unavailable.
Text YES
We have updated the certificates and the certificates have been re-imported in the correct key store and verified it's there using keytool -list and restarted, but still get the authentication error.
I see this is usually fixed by re-installing the certificate but that hasn't worked. Many suggestions to fix this error recommended installing Certman in CF Admin. We installed it and imported the certificates, but still the same error. Our workaround is rolling back to Java 7 version 75 so this web service works, but we need to update to the latest version of Java soon so our charts can work again and obviously for security reasons. Any suggestions?
Stats:
Java Dev Kit 8 v 60,
ColdFusion 10 hotfix 17,
Windows Server 8
****UPDATE*****
After reading Sean Coyne's answer below I talked to our Network Admins. They had already copied the tools.jar file into the lib folder. They deleted the stubs folder and restarted the CF server, but we still got the same error. I visited with them and they showed me that the certificates were indeed in the keystore.
As described here: https://helpx.adobe.com/coldfusion/kb/coldfusion-mx-troubleshooting-scheduled-tasks.html
We added some debugging to jvm.config as I ran the web service. The debugging pointed out that the handshake with one of the certificates was invalid. What the heck!
I asked if we could see the certs in the Certificate Manager in CF Admin. It was NOT installed after all. So the NA installed the CertMan add on in CF Admin. After importing the certificates using CertMan and restarting the CF server, the web service worked after that.
I think doing what Sean Coyne suggested below AND making sure CertMan was installed so we could import the certificates was what fixed it for us.
You may need to delete the stubs. These are in [cfroot]/cfusion/stubs. Just stop CF, delete all the files in that directory and start CF again.
Also, you will want to copy the tools.jar file from your JDK installation into the lib folder at [cfroot]/cfusion/lib/tools.jar. Backup the existing tools.jar file first then copy from [jdk root]/lib/tools.jar.
Reference: http://blogs.coldfusion.com/post.cfm/coldfusion-10-and-11-support-with-java-8
I want to install the Bamboo agent on my work computer. I have downloaded the jar file and tried to run it with the following syntax:
java -jar atlassian-bamboo-agent-installer-5.7.0.jar https://bamboo.xxxxx.org/agentServer/
I got error javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
The source of this error is clear to me - we have a self-signed SSL certificate. I tried to run it with the following parameters:
java -Dbamboo.agent.ignoreServerCertName=true -jar atlassian-bamboo-agent-installer-5.7.0.jar https://bamboo.xxxxx.org/agentServer/
but it does not work as well.
I tried to add the certificate using this link Java keytool easy way to add server cert from url/port
The certificate seems to be installed, but it does not help. I still have the following error.
Do you know how I can fix it?
The problem was that Bamboo did not pick up (for some reason) the keystore created by keytool.
I needed to manually set the keystore in the Bamboo configuration. In config/wrapper.conf you need to add the following lines:
wrapper.java.additional.3=-Djavax.net.ssl.keyStore=/#MODIFY_ME_TO_MY_HOME#/bamboo-agent-home/keystores/client.ks
wrapper.java.additional.4=-Djavax.net.ssl.keyStorePassword=#MY_AWESOME_PASSWORD#
wrapper.java.additional.5=-Djavax.net.ssl.trustStore=/#MODIFY_ME_TO_MY_HOME#/bamboo-agent-home/keystores/client.ts
This can be caused if you are running Bamboo behind Apache with SSL, if your default SSL VirtualHost is not returning the same SSLCertificate as your Bamboo VirtualHost. We had a similar problem, because I didn't know /etc/httpd/conf.d/ssl.conf created a VirtualHost.
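The wrapper.conf answer above and the earlier Lucee symlink answer both come down to which trust store file the JVM actually reads. The following is an added example, not code from any of the posts: it resolves the default JSSE trust store in the documented lookup order and lists the trusted certificates in it. The class name is hypothetical, and the password falls back to the JDK default `changeit`, which is an assumption about your installation.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper: shows which trust store this JVM uses by default.
public class EffectiveTrustStore {

    // JSSE lookup order: -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts.
    static Path resolve() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) return Paths.get(prop);
        Path sec = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = sec.resolve("jssecacerts");
        return Files.isRegularFile(jsse) ? jsse : sec.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        // An explicit path (for example an application's own cacerts) overrides the lookup.
        Path store = args.length > 0 ? Paths.get(args[0]) : resolve();
        // toRealPath follows symlinks, such as a cacerts linked to another keystore.
        System.out.println("trust store: " + store.toRealPath());

        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // assumption: JDK default
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, pw.toCharArray());
        }
        System.out.println("entries: " + ks.size());
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue; // skip private-key entries
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            // Subject and expiry identify which CA each alias really is.
            System.out.printf("%-40s %s (expires %s)%n", alias,
                    c.getSubjectX500Principal().getName(), c.getNotAfter());
        }
    }
}
```

Run it with the same `-D` options as the failing process, or pass the path of an application-specific store such as the Lucee `cacerts` file as the first argument.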
We have signed a JAR file using a certificate generated by MS Active Directory Certificate Services. However, when accessing it via Java Web Start we are getting the prompt that the digital signature cannot be verified even though we've installed the root CA into the certificate store on the client machine.
Now trying to look at the root CA on the client machine, using "keytool -list", I'm seeing an exception (invalid URI:file://\my_msadcs_server\path\to\CRL.crl). So now I'm not sure exactly what is going wrong.
Anyone have a suggestion or sample Java code on how I can test the downloaded JAR file's signature on the client machine in an attempt to figure out exactly why JWS is complaining? It could be that the root CA certificate has a problem (and I will chase down that avenue when my AD admin gets in) but I'd like to rule out other possibilities first. Currently the only thing I have to go on is the exception from "keytool -list", but keytool had no issues importing the root CA certificate in the first place.
Thanks in advance!,
mG.
I use jarsigner with the -verify, -verbose and -certs options. You may have to specify your -keystore, too.
I think the invalid URI message is a clue. Java file URI takes the following form: file://host/path
Does anyone know how to solve this java error?
java.io.IOException: Invalid keystore format
I get it when I try and access the certificate store from the Java option in control panels. It's stopping me from loading applets that require elevated privileges.
I was able to reproduce the error by mangling the trusted.certs file at directory
C:\Documents and Settings\CDay\Application Data\Sun\Java\Deployment\security.
Deleting the file fixed the problem.
Do not include special characters in organization name and unit
Seems to be a missing certificate or an invalid format.
Did you already generate a certificate with keytool?
For me it meant that my key file I was trying to import was invalid (it was actually a 404 page, not a valid key).
For you guys who can't find the 'Documents and Settings' (whatever reason there may be) here is another path where the trusted.certs can be found:
C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\security
Hope this helps!
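The answers above trace "Invalid keystore format" to a mangled file or to a 404 page saved in place of the key. The following is an added example, not from the original posts, that inspects the first bytes of a file to tell what it really is before any deletion or re-import. The class name and the sample inputs are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

// Hypothetical helper: guess what a "keystore" file really is from its first bytes.
public class KeystoreSniffer {

    static String sniff(byte[] b) {
        if (b.length < 4) return "too short to be a keystore";
        int magic = ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
        if (magic == 0xFEEDFEED) return "JKS keystore";
        if (magic == 0xCECECECE) return "JCEKS keystore";
        String head = new String(b, 0, Math.min(b.length, 64), StandardCharsets.ISO_8859_1).trim();
        if (head.startsWith("-----BEGIN")) return "PEM text (import with keytool -importcert, not a keystore)";
        if (head.startsWith("<")) return "HTML/XML text, probably an error page saved in place of the file";
        // 0x30 is an ASN.1 SEQUENCE tag, which starts both PKCS#12 and DER certificates.
        if ((b[0] & 0xff) == 0x30) return "DER data (PKCS#12 keystore or a single DER certificate)";
        return "unknown format";
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            System.out.println(sniff(Files.readAllBytes(Paths.get(args[0]))));
            return;
        }
        // Constructed samples, not real files.
        byte[] jks = {(byte) 0xFE, (byte) 0xED, (byte) 0xFE, (byte) 0xED, 0, 0, 0, 2};
        byte[] notFound = "<!DOCTYPE html><html><title>404 Not Found</title>".getBytes(StandardCharsets.US_ASCII);
        byte[] pem = "-----BEGIN CERTIFICATE-----\nMIIB...".getBytes(StandardCharsets.US_ASCII);
        System.out.println(sniff(jks));
        System.out.println(sniff(notFound));
        System.out.println(sniff(pem));
    }
}
```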