问题
In my java application I am running with supplied -Djavax.net.ssl.trustStore System properties as below.
-Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl
This is my Complete command line :
$JAVA_HOME/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Xms512m -Xmx1024m -XX:MaxPermSize=192m -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.keyStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.keyStorePassword=XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.net.debug=ssl -Djavax.net.ssl.trustStoreType=jks -cp /Oracle/Middleware/Oracle_Home/wlserver/server/lib/wlfullclient.jar:/myapp/standalone/lib/asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/myapp/standalone/lib/myAPP_final.jar
But java is not using that certificate from custom keyStore from the custom path. It is by default going to $JAVA_HOME/lib/security/cacerts with that I am getting below exception :
java.net.ConnectException: t3s://myapphost.com:7500: Destination 10.243.155.222, 7900 unreachable; nested exception is:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination
When i am importing and adding same certificate in the $JAVA_HOME/lib/security/cacerts it not giving any Exception.
I have refer and this post and try to configured same things in $JAVA_HOME/jre/lib/security/java.security and added following entry:
javax.net.ssl.trustStore=/myapp/app.jks
javax.net.ssl.trustStorePassword=XXXXX
javax.net.ssl.trustStoreType=jks
Still i am facing same problem.
My Question and problem here is, why java always goes java default keyStore location: $JAVA_HOME/lib/security/cacerts though i have supplied and configured my own custom keyStore using : -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl
And if i am importing same certificate in default java keyStore loation it is working fine for me.
where and what all i need to change to configure different keystore to avoid to above exception.
回答1:
After seeing this Post I have configured and supplied following system properties -D option it resolved the problem for me. Hope it will help to others so i am posting it.
-Dweblogic.security.CustomTrustKeyStoreFileName=/myapp/app.jks
-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStorePassPhrase=XXXXXPWD
-Dweblogic.security.CustomTrustKeyStoreType=jks
I have understood following things which i have kept in Note: of -Dweblogic.security.TrustKeyStore parameter.
Note 1: -Dweblogic.security.TrustKeyStore will have following options and internal interpretation
-Dweblogic.security.TrustKeyStore=JavaStandardTrust(We should use when the trusted CAs in the JDK's cacerts, specify this)-Dweblogic.security.TrustKeyStore=DemoTrust(We should use when the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify this)-Dweblogic.security.TrustKeyStore=CustomTrust(We should use when the trusted CAs from another keystore, specify this).
Note 2:
Any time if you got below Exception, it means your java application is not finding certificate in the specified trust-store.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target,It is telling the same.
Note 3:
Important things try to cogfigured -Djavax.net.debug=ssl for seeing more detail view of logs. Normally without that parameter we wont be able to see more details log.
来源:https://stackoverflow.com/questions/33821785/why-java-uses-default-location-keystore-truststore-of-java-home-lib-security-cac