Why java uses default location keystore/truststore of JAVA_HOME/lib/security/cacerts though I have supplied -Djavax.net.ssl.trustStore properties

Question

In my java application I am running with supplied -Djavax.net.ssl.trustStore System properties as below.

-Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl

This is my Complete command line :

$JAVA_HOME/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Xms512m -Xmx1024m -XX:MaxPermSize=192m -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.keyStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.keyStorePassword=XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.net.debug=ssl -Djavax.net.ssl.trustStoreType=jks -cp /Oracle/Middleware/Oracle_Home/wlserver/server/lib/wlfullclient.jar:/myapp/stand‌​alone/lib/asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/myapp/standa‌​lone/lib/myAPP_final.jar

But java is not using that certificate from custom keyStore from the custom path. It is by default going to $JAVA_HOME/lib/security/cacerts with that I am getting below exception :

java.net.ConnectException: t3s://myapphost.com:7500: Destination 10.243.155.222, 7900 unreachable; nested exception is:
        javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination

When i am importing and adding same certificate in the $JAVA_HOME/lib/security/cacerts it not giving any Exception.

I have refer and this post and try to configured same things in $JAVA_HOME/jre/lib/security/java.security and added following entry:

javax.net.ssl.trustStore=/myapp/app.jks
javax.net.ssl.trustStorePassword=XXXXX
javax.net.ssl.trustStoreType=jks

Still i am facing same problem.

My Question and problem here is, why java always goes java default keyStore location: $JAVA_HOME/lib/security/cacerts though i have supplied and configured my own custom keyStore using : -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl

And if i am importing same certificate in default java keyStore loation it is working fine for me.

where and what all i need to change to configure different keystore to avoid to above exception.

Answer 1

After seeing this Post I have configured and supplied following system properties -D option it resolved the problem for me. Hope it will help to others so i am posting it.

-Dweblogic.security.CustomTrustKeyStoreFileName=/myapp/app.jks 
 -Dweblogic.security.TrustKeyStore=CustomTrust 
 -Dweblogic.security.CustomTrustKeyStorePassPhrase=XXXXXPWD
 -Dweblogic.security.CustomTrustKeyStoreType=jks 

I have understood following things which i have kept in Note: of -Dweblogic.security.TrustKeyStore parameter.

Note 1: -Dweblogic.security.TrustKeyStore will have following options and internal interpretation

1. -Dweblogic.security.TrustKeyStore=JavaStandardTrust (We should use when the trusted CAs in the JDK's cacerts, specify this)
2. -Dweblogic.security.TrustKeyStore=DemoTrust (We should use when the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify this)
3. -Dweblogic.security.TrustKeyStore=CustomTrust (We should use when the trusted CAs from another keystore, specify this).

Note 2:

Any time if you got below Exception, it means your java application is not finding certificate in the specified trust-store.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target,It is telling the same.

Note 3: Important things try to cogfigured -Djavax.net.debug=ssl for seeing more detail view of logs. Normally without that parameter we wont be able to see more details log.