How To Set Djavax Net Ssl Truststore

The content on this page relates to platforms which are not supported. Consequently, Atlassian Back up cannot guarantee providing any support for it. Please exist aware that this textile is provided for your information only and using it is done so at your ain risk.

Problem

Attempting to access applications that are encrypted with SSL (for instance HTTPS, LDAPS, IMAPS) throws an exception and the connection is refused. This can happen when attempting to found a secure connexion to any of the post-obit:

• Active Directory server, JIRA User Server or Crowd
• Post server
• Another Atlassian application using Application Links

For example, the post-obit error appears in the UI when Using the JIRA Problems Macro:

            Mistake rendering macro: java.io.IOException: Could not download: https://siteURL/jira/secure/IssueNavigator.jspa?view=rss&&blazon=12&blazon=4&type=iii&pid=10081&resolution=i&fixfor=10348&sorter/field=issuekey&sorter/order=DESC&sorter/field=priority&sorter/order=DESC&tempMax=100&reset=true&decorator=none          

While the post-obit appears in the logs:

            javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target          

Diagnosis

Utilise SSL Poke to verify connectivity

Endeavour the Java formSSLPoke to see if your truststore contains the right certificates. This will let you connect to a SSL service, transport a byte of input, and watch the output.

1. Download SSLPoke.class

2. Execute the course as per the below, irresolute the URL and port appropriately. Take intendance that yous are running the same Java as what Confluence is running with. If you used the installer you volition need to use <confluence-home>/jre/coffee

                   $JAVA_HOME/bin/java SSLPoke jira.case.com 443              

A failed connexion would produce the below:

            $JAVA_HOME/bin/java SSLPoke jira.instance.com 443 sun.security.validator.ValidatorException: PKIX path building failed: lord's day.security.provider.certpath.SunCertPathBuilderException: unable to discover valid certification path to requested target 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) 	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.coffee:292) 	at sun.security.validator.Validator.validate(Validator.java:260) 	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.coffee:124) 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.coffee:1351) 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156) 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925) 	at sun.security.ssl.Handshaker.process_record(Handshaker.java:860) 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043) 	at dominicus.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343) 	at sunday.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:728) 	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) 	at dominicus.security.ssl.AppOutputStream.write(AppOutputStream.coffee:138) 	at SSLPoke.primary(SSLPoke.java:31) Caused by: lord's day.security.provider.certpath.SunCertPathBuilderException: unable to notice valid certification path to requested target 	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) 	at coffee.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) 	at sunday.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) 	... 15 more          

A successful connectedness would look like this:

            $JAVA_HOME/bin/java SSLPoke jira.case.com 443 Successfully connected          

If -Djavax.net.ssl.trustStore is present in your JVM arguments, Java will use the keystore specified with that argument. You can verify whether the -Djavax.net.ssl.trustStore parameter is causing problems by running the SSLPoke test and specifying the same JVM argument to use that keystore. For instance:

            $JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=/my/custom/truststore SSLPoke jira.example.com 443          

If this fails (confirming the problem that the truststore doesn't comprise the appropriate certificates), then the certificate will need to be imported into that truststore every bit per the instructions in Connecting to SSL Services.

Cause

Whenever Java attempts to connect to another application over SSL (e.yard.: HTTPS, IMAPS, LDAPS), it willonly exist able to connect to that application if it can trust it. The manner trust is handled in the Java earth is that you have a keystore (typically$JAVA_HOME/lib/security/cacerts), also known as the truststore. This contains a listing of all known Certificate Potency (CA) certificates, and Coffee volition only trust certificates that are signed by one of those CAs or public certificates that exist within that keystore. For instance, if we look at the certificate for Atlassian, we can see that the*.atlassian.com certificate has been signed by the intermediate certificates,DigiCert High Balls EV Root CA andDigiCert Loftier Assurance CA-three. These intermediate certificates accept been signed by the root Entrust.internet Secure Server CA :

These three certificates combined are referred to as the certificate chain, and, as they are all within the Coffee keystore (cacerts), Java will trust any certificates signed by them (in this instance,*.atlassian.com).Alternatively, if the*. atlassian.com  certificate had been in the keystore, Coffee would also trust that site.

This problem is therefore acquired by a document that is self-signed (a CA did not sign information technology) or a document concatenation that does not be within the Java truststore. Java does non trust the certificate and fails to connect to the awarding.

Resolution

1. Brand sure you take imported the public document of the target instance into the truststore according to the Connecting to SSL Services instructions.
2. Make sure any certificates have been imported into the right truststore; you may have multiple JRE/JDKs. See Installing Java for this.
3. Bank check to see that the correct truststore is in apply. If -Djavax.net.ssl.trustStore has been configured, it will override the location of the default truststore, which volition need to be checked.
4. If this error results while integrating with an LDAP server over LDAPS and there is more than ane LDAP server, then deselect the Follow referrals selection within the LDAP user directory configuration per Connecting to and LDAP Directory.  Optionally, import the SSL certificates from the other LDAP servers into the Confluence truststore.
5. Bank check if your Anti Virus tool has "SSL Scanning" blocking SSL/TLS. If it does, disable this feature or set exceptions for the target addresses (check the product documentation to see if this is possible.)
6. If connecting to a mail server, such as Exchange, ensure authentication allows plain text.
7. Verify that the target server is configured to serve SSL correctly. This can exist done with the SSL Server Test tool.
8. If all else fails, your truststore might be out of engagement. Upgrade Java to the latest version supported by your application.

Important

Since the keystore only gets read one time when the JVM is initialized, please restart the source application service after importing the new certificate(south).

More on SSL Poke

Atlassian's SSL Poke source code can be found hither.

You lot can observe forked versions of SSL Poke in the customs with support for actress features like Java xi, Proxy, etc.

Proficient examples:

• https://github.com/gebi/sslpoke
• https://gist.github.com/bric3/4ac8d5184fdc80c869c70444e591d3de

Source: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

Share this post