There is Java code running in WebSphere that opens a URL stream over SSL to another web server. During this process, I get an unknown certificate error. Thanks in advance.
Here is the stack trace....
javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.bg.a(Unknown Source)
at com.ibm.jsse.bg.startHandshake(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.n(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.bw.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(URL.java:495)
I tried that, but I am still getting this error. Thanks
java.net.SocketException: Invalid keystore format
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.b(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.cb.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.cb.p(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.<init>(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.q.c(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.q.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.ci.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(URL.java:942)
You tried what, exactly?
I got a free certificate from Verisign. I placed it on one server and I am able to connect correctly through a web browser. On the WebSphere box I saved the original certificate along with the signed certificate. In WebSphere Admin I tried to set up the keystore and truststore along with the Java protocol handler. In short, I have two boxes - one server running https and WebSphere (not SSL) trying to make calls to the other server.
Thanks
1. Are you able to access the service from the WebSphere box using web
browser with SSL (HTTPS)? If yes then the service is set up correctly for
SSL.
2. Install the SSL certificate used by the web service provider (you can get
it from the browser in step 1) in the $WASHOME/java/jre/security/cacerts
file. cacerts is a jks type certificate store and you should be able to
open it using ikeyman. The default password for cacerts is changeit.
Sunit
<junk...@gmail.com> wrote in message
news:371051855.1161287807...@ltsgwas010.sby.ibm.com...
I hate to disillusion you, but I am not a mind reader. Now, you can
either try being *exact* about what you did (e.g. which certificate did
you put in which keystore) or we can just forget the whole thing. You
obviously did something wrong, but as of now, I have no idea what.
Did you read the paper that I gave you the link to? That is very clear
on what needs to be done for JSSE.
He never mentioned web services. As far as I know he's doing straight
HTTP(s).
>
> 1. Are you able to access the service from the WebSphere box using web
> browser with SSL (HTTPS)? If yes then the service is set up correctly for
> SSL.
>
> 2. Install the SSL certificate used by the web service provider (you can get
> it from the browser in step 1) in the $WASHOME/java/jre/security/cacerts
> file. cacerts is a jks type certificate store and you should be able to
> open it using ikeyman. The default password for cacerts is changeit.
No!!!! You do *not* touch cacerts in WAS. If you do, you may break WAS
internals.
Yes, but WAS has its own keystores and truststores to provide the
ability to manage multiple SSL configurations. Changing cacerts is not
the appropriate way to set up application level trust in WAS, at least
when you have global security enabled. You should read the JSSE paper on
websphere developer domain that I referenced earlier, and you should not
be telling people to blindly add certificates to cacerts, as that will
usually be the wrong approach.
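A programmatic equivalent of the application-level trust Paul describes (a dedicated truststore for this one connection, with cacerts left alone), as an added example that is not from this thread. It assumes a Java 7+ JVM with the standard javax.net.ssl API (the old IBM JSSE classes in the trace above use different names); the certificate path and URL are placeholders passed on the command line.

```java
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

/** Application-level trust for one HTTPS call; added example, paths and URL are placeholders. */
public class AppTrust {

    /**
     * Build an in-memory JKS truststore holding only the certificate(s) in certFile
     * (the .cer exported from the browser, PEM or DER). A certificate file is not a
     * keystore: pointing KeyStore.load() or javax.net.ssl.trustStore at one is a
     * typical cause of "Invalid keystore format".
     */
    static KeyStore trustStoreFrom(File certFile) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                               // start empty; cacerts is not touched
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0;
        try (InputStream in = new FileInputStream(certFile)) {
            for (Certificate c : cf.generateCertificates(in)) { // also accepts a whole PEM chain
                ts.setCertificateEntry("remote-" + (i++), c);
            }
        }
        return ts;
    }

    /** SSLSocketFactory that trusts only what is in trustStore; JVM-wide defaults are unchanged. */
    static SSLSocketFactory socketFactoryFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);      // server authentication only, no client key
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = trustStoreFrom(new File(args[0]));   // e.g. /path/to/remote-server.cer (placeholder)
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(socketFactoryFor(ts));    // per connection, so other WAS traffic is unaffected
        try (InputStream in = conn.getInputStream()) {     // the handshake happens here
            System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getPeerPrincipal());
        }
    }
}
```

If the remote certificate is self-signed, the file exported from the browser is the entry to trust; if it is CA-issued, trusting the issuing CA's certificate instead survives server certificate renewals.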
My observation so far has been that there is nothing WAS specific in cacerts
itself. IBM does modify the security providers list for WAS but again that's
not cacerts. But this could have changed with WAS 6.x
Sunit
"Paul Ilechko" <paul.i...@us.ibm.com> wrote in message
news:eh8qag$13k54$2...@news.boulder.ibm.com...