Forum Discussion
No trusted certificate found
1) Before running the test I created a self-signed certificate on the BIG-IP setting the fully qualified host name of the BIG-IP admin facility as the CN of the certificate.
2) I then copied the .crt file to my local machine and imported it into the keystore file using the keytool utility.
3) When I ran the code I received the following error:
May 4, 2005 1:55:47 PM org.apache.axis.utils.JavaUtils isAttachmentSupported
WARNING: Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
What do I need to do to resolve this problem?
Thanks,
David
16 Replies
- Sunit_Tailor_11
Nimbostratus
Joe,
Since "XTrustProvider.java" is not working for me on WebSphere running on a Solaris box, I want to try "installCert.java".
Once we manually install the certificate on BigIP and the same certificate on our Solaris box from where we are trying to connect to BigIP, what changes do I need to make in my code?
Currently my code is using "XTrustProvider.java". I am calling "XTrustProvider.install()" in the GetBigIPData.java constructor.
I would appreciate it if you let me know what steps I need to take to use "installCert.java", or can I use the same existing code and it will use the manually installed certificate?
Thanks,
- Sunit_Tailor_11
Nimbostratus
Hi dnewman,
I am using XTrustProvider running with Axis. I am running my application on WebSphere. When I test my application in WebSphere Studio Application Developer (WSAD) running on my desktop, it works fine. But when I deploy the same application to our DEV environment, which has WebSphere Application Server running on Solaris, the same application complains about "unknown Certificate".
I would appreciate if you let us know your configuration if you also use Websphere on Solaris.
Thanks
- As I said, XTrustProvider and installCert are two different options. You don't need to use them both. If for some reason you are having problems with XTrustProvider working in real-time, then here's how installCert works.
Run java installCert bigip_address keystore_password keystore_alias
Where
bigip_address is the ip address of the BIG-IP
keystore_password is the password of your local keystore {user.home}/.keystore
keystore_alias is the alias for the new entry in your keystore.
If you need help creating a keystore, take a look at the documentation for Sun's keytool command.
Then in your client code you will need to specify the location of the keystore.
System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");
Here is probably where a potential problem could lie. If your "user.home" variable is different in the context of running the installCert command and the context of your web application, then this will not work. You might want to hardcode a location in your app to the real location of the keystore.
System.setProperty("javax.net.ssl.trustStore", "/full/path/to/.keystore");
And make sure that the identity your webserver is running under has access to that file.
-Joe
- Sunit_Tailor_11
Nimbostratus
Hi Joe,
Thanks for the reply. I didn't have any ".keystore" file in my {user.home} directory. I created this file. Now I don't know what password I should provide.
Please let me know what will be the password.
I have tried the following as passwords:
"changeit"
""
Both of them don't work.
Please help...
Thanks
- This is a special kind of file similar to a vault. You cannot create an empty file. You must use the keytool command to create the file. The keystore_password is the password you specified for the file when you created it with keytool.
After the empty password-protected keystore is created, you can use installCert to install server certificates in there.
Check the keytool man page for its usage. Reading through that should give you a good overview of keystores. Or, do a Google search on keytool and that should point you in the right direction.
-Joe
- Prakash_Krishna
Nimbostratus
Hi Joe,
I tried with XTrustProvider, but I am getting the below exception now. Is there any solution to come across?
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
    at java.security.Provider$Service.newInstance(Provider.java:1245)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
    at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
    at org.apache.axis.components.net.JSSESocketFactory.initFactory(JSSESocketFactory.java:87)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:105)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at iControl.SystemSessionBindingStub.set_recursive_query_state(SystemSessionBindingStub.java:778)
    at com.cloupia.lib.cIaaS.loadBalancers.F5LoadBalancerAPI.<init>(F5LoadBalancerAPI.java:90)
    at com.cloupia.lib.cIaaS.loadBalancers.F5LoadBalancerAPI.getF5LBAPI(F5LoadBalancerAPI.java:118)
    at com.cloupia.feature.f5LoadBalancer.F5LBAccountTestConnectivityHandler.testConnection(F5LBAccountTestConnectivityHandler.java:35)
    ... 17 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:202)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultTrustManager(DefaultSSLContextImpl.java:70)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at java.security.Provider$Service.newInstance(Provider.java:1221)
    ... 40 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
Regards, PRakash.K
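
Added example, not part of any post in this thread and not F5's code: a start-up check that names which of the keystore failures discussed above applies (file missing at the expected path, unreadable by the server identity, created as an empty file instead of with keytool, wrong password, or no certificate imported yet). The class name `TrustStoreCheck`, the temporary paths and the password are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.Collections;

// Added example, not code from the thread. Names, paths and password are constructed.
public class TrustStoreCheck {

    // Names which of the thread's failure modes applies to the given trust store.
    static String check(Path store, char[] password) {
        try {
            if (!Files.isRegularFile(store)) return "MISSING " + store.toAbsolutePath();
            if (!Files.isReadable(store)) return "UNREADABLE by " + System.getProperty("user.name");
            if (Files.size(store) == 0) return "NOT_A_KEYSTORE (zero-byte file, not made by keytool)";
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = Files.newInputStream(store)) {
                ks.load(in, password); // checks the integrity hash keyed by the password
            }
            int trusted = 0;
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isCertificateEntry(alias)) trusted++;
            }
            return trusted == 0 ? "NO_TRUSTED_CERTS (import the BIG-IP certificate first)"
                                : "OK " + trusted + " trusted certificate(s)";
        } catch (IOException e) {
            // JKS reports a bad password as IOException caused by UnrecoverableKeyException
            return e.getCause() instanceof UnrecoverableKeyException
                    ? "WRONG_PASSWORD" : "LOAD_FAILED " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "LOAD_FAILED " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-pw".toCharArray();
        Path dir = Files.createTempDirectory("truststore-check");
        Path touched = Files.createFile(dir.resolve("touched.keystore")); // empty file
        Path real = dir.resolve("real.keystore"); // valid, password-protected, no entries
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, pw);
        try (OutputStream out = Files.newOutputStream(real)) { ks.store(out, pw); }
        System.out.println(check(dir.resolve("absent.keystore"), pw));
        System.out.println(check(touched, pw));
        System.out.println(check(real, "changeit".toCharArray()));
        System.out.println(check(real, pw));
    }
}
```

Running the check under the same identity as the web server, against the absolute path later given to `javax.net.ssl.trustStore`, separates a path or permission problem from a password problem before the first SSL handshake.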
