#truststore

Writing this down in case it's helpful for other folks (or perhaps just to remind myself later in the future :-) )

I had an interesting issue come up the other day that involved some somewhat obscure errors in a java client application trying to access a resource over HTTPS:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148) at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149) at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:561) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)

This error indicated that there was SOMETHING off with the HTTPS connection attempt but didn't elaborate. For more detail, we needed to enable a helpful Java VM parameter: -Djavax.net.debug=ssl:handshake

After doing THAT, we saw a lot more helpful details in logging but came across another seemingly obscure error:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

The verbiage is a little complex but essentially means that the trustStore (cacerts) resource that java is trying to use either isn't found or can't be accessed.

This led to the last bit of helpful debugging -- explicitly stating the trustStore file as a JVM parameter:

java -Djavax.net.ssl.trustStore=/home/example/mycacerts

Helpful online resources:

https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty

https://stackoverflow.com/questions/6276435/why-am-i-getting-an-exception-javax-net-ssl-sslpeerunverifiedexception-peer-not

I came across a couple interesting java truststore errors the other day and want to jot down some notes before my feeble mortal brain forgets about it.

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

The error above indicates that the JRE truststore (usually a file called cacerts), can't be found or accessed. Things to check:

First off, where is the truststore file? Java normally looks for it under $JAVA_HOME/jre/lib/security/cacerts but it doesn't have to be there. You can define a different path using the param -Djavax.net.ssl.trustStore=/path/to/keystore.

Assuming that the truststore file exists and has the exact same name as expected/specified, how about permissions? Is it readable?

Here's another one:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Answer: Truststore and Keystore Definitions #solution #dev #it

Truststore and Keystore Definitions

In Java, what’s the difference between a keystore and a truststore?

Answer [by Aniket Thakur]: Truststore and Keystore Definitions

In SSL handshake purpose of trustStore is to verify credentials and purpose of keyStore is to provide credential.

keyStore in Java stores private key and certificates corresponding to there public keys and require if you are SSL…