This page contains an archived post to the Java Answers Forum made prior to February 25, 2002.
Message:
Re: MakStripe R/W
Posted by RAJESH RADHAKRISHNAN on February 06, 2002 at 2:18 PM
> Running the servlet, the Error is javax.net.ssl.SSLException: untrusted server cert chain.
>
> In IE5.5, the Error is java.lang.NoClassDefFoundError:javax/net/ssl/SSLSocketFactory
>
> Please help me! Thank you!

-----------------------------------------------------------------

CHECK ANY OF THESE FOLLOWINGS WHICH GIVES U A CORRECT WAY

I'm creating a URLConnection in java to a httpS site.... and I get the following error

    javax.net.ssl.SSLException : untrusted server cert chain

I've configured the resin.conf like this...

<-- Security providers. Adding JSSE looks like: -->

but this site gave me a file with a certificate.... I'm a little bit confused... Where have I to put this certificate? I'm the client, so.... Have I to install the SSL part in my server??? I don't want to serve ssl... I don't want to access to https://localhost !!!!!

-----------------------------------------------------------------

I think you need to import the certificate from that site into the Java key store. To do this, you use the keytool utility from the JDK:

    keytool -import -keystore /jre/lib/security/cacerts -alias -file

(this is all on one command line)

It will prompt you for the key store password. If the password was not changed since the JDK installation, it defaults to "changeit" (at least in JDK 1.3).

HTH,

-----------------------------------------------------------------

one reason might be that the server name in the cert and the server name returned from the server is different (something like www.xyz.com and xyz.com). There is a method, I guess in HttpsConnection where you can add a custom check for that ...

-----------------------------------------------------------------

specify keystore but if you launch an application you can use this command line option called -Djavax.net.ssl.trustStore=filename to specify the keystore that has your trusted certificates. If you don't specify the file it defaults to /jre/lib/security/cacerts in the case of application

-----------------------------------------------------------------

it's very easy.

1, import the server's certificate file to a keystore
2, make it a truststore in your program
       System.setProperty("javax.net.ssl.trustStore",keystore_file);
3, or use
       java -Djavax.net.ssl.trustStore=keystore_file
   to execute your program

-----------------------------------------------------------------

How can I import my existing certificate into the "trust file" for a JVM?

1. Find the trusted file "cacerts" in your JRE, e.g.
       find /java_install -name "cacerts"
2. Copy that file to a backup
       cp cacerts cacerts.bak
3. Install your certificate into the trust file (note: the file cacerts ships from Sun with password "changeit")
       keytool -import -alias -file mycert.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
4. Verify that your cert was imported:
       keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

-----------------------------------------------------------------

There is a free SSL implementation available in pure java from Sun, although it is relatively slow, especially in its creation of the random key to start an SSL connection (about 3 seconds on a 600MHz PIII). To use this implementation, download the JSSE package from the Sun URL above, then:

1. Add the three key jars to your JVM's "ext" (extensions) directory; e.g.
       cp jcert.jar jnet.jar jsse.jar $JAVA_HOME/jre/lib/ext/
2. After the jars are in place, you must modify the file "java.security" to allow usage of the providers found within the jars. Find the file
       find $JAVA_HOME -name "java.security"
3. Add the following line to the file java.security:
       security.provider.2=com.sun.net.ssl.internal.ssl.Provider

Then start using URLs like "https://myhost" within the test rig. The HTTPS protocol will automatically cause new provider classes within the extension jars to be employed for a java.net.URL class and its related connections. Note that you should NOT add these jars to the CLASSPATH. Javax jars are accessed by the JVM by their inclusion in the magic "ext" folder.

-----------------------------------------------------------------

Runtime Exception: untrusted cert chains

Problem: When negotiating an SSL connection, the client or server throws one of the following exceptions:

    javax.net.ssl.SSLException: untrusted server cert chain
    javax.net.ssl.SSLException: untrusted client cert chain

Cause 1: This is generally caused by the remote side sending a certificate that is unknown to the local side.

Solution 1: The best way to debug this type of problem is to turn on debugging (see Debugging Utilities) and watch as certificates are loaded and when certificates are received via the network connection. Most likely, the received certificate is unknown to the trust mechanism because the wrong trust file was loaded.

Cause 2: The system clock is not set correctly.

Solution 2: If the clock is not set correctly, the perceived time may be outside the validity period on one of the certificates, and unless the certificate can be replaced with a valid one from a truststore, the system must assume that the certificate is invalid, and therefore throw the exception.

Cause 3: Older versions of Java 2 Enterprise Edition use earlier versions of JSSE. In particular, some previous versions of J2EE shipped with JSSE 1.0, which couldn't replace received expired certificates with current ones from a truststore.

Solution 3: Be sure that the new JSSE jar files occur in the class path(s) ahead of any older J2EE jar files.

-----------------------------------------------------------------

I'm having this exception

    javax.net.ssl.SSLException: untrusted server cert chain

I already have my .keystore ... yet I'm having this error...

did you set the env variable JSSE_HOME and are you still getting the same stack trace?

-----------------------------------------------------------------

Did you register the JSSE security provider? Look at point 4 on INSTALL.txt, in the JSSE package.

-----------------------------------------------------------------

I followed the instructions for JSSE installation: jsse.jar, jcert.jar, and jnet.jar are all installed in $JAVA_HOME/jre/lib/ext, and the $JAVA_HOME/jre/lib/security/java.security file has been modified to add support for the SunJSSE provider.
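
The truststore approach collected in the post above, scoped to a single connection instead of the JVM-wide cacerts file, as an added example that is not part of the original post. It assumes a current JDK (not the JDK 1.3 / JSSE 1.0 setup discussed above); the class name, the PEM file path and the URL are hypothetical and supplied by the caller.

```java
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: trust only the certificates in one PEM file, for one connection.
public class ScopedTrustStoreClient {

    // Builds an SSLContext whose trust anchors are exactly the certs in pemPath.
    static SSLContext contextTrusting(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store; cacerts is never modified
        try (InputStream in = new BufferedInputStream(new FileInputStream(pemPath))) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x509 = (X509Certificate) c;
                // Fails early if the cert is expired or the local clock is
                // outside its validity period ("Cause 2" in the post).
                x509.checkValidity();
                ks.setCertificateEntry("trusted-" + i++, x509);
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ScopedTrustStoreClient <server-or-ca.pem> <https-url>");
            System.exit(2);
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(contextTrusting(args[0]).getSocketFactory());
        // The default HostnameVerifier stays in place, so a name mismatch
        // (www.xyz.com vs xyz.com) still fails the handshake.
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
    }
}
```

Running it with `-Djavax.net.debug=ssl` prints the certificates loaded and received, which is the debugging step "Solution 1" refers to.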