
SSLHandshake exception [ PLEASE HELP]

 
Kanu Dialani
Greenhorn
Posts: 23
Hello all,
My situation is a little complicated. I have Apache, Liferay, and Tomcat, with Liferay on a separate machine. Apache sends portal requests to Liferay; Liferay authenticates the user and accordingly sends the authentication status to a web application deployed in Tomcat. It then redirects the client to the web application.

Now the problem is that when Liferay tries to communicate with Tomcat over HTTPS, I get an

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
java.io.IOException

I have tried to import the certificate into the cacerts but it's still not working. Can anyone help?
 
clive jordan
Ranch Hand
Posts: 39
Hi Kd,

I don't know the full details of your setup; however, it appears that whatever is your client is not finding the certificate it needs. Although you will have set up a certificate for your server, you need to import this into the keystore that your client will use.

By default, this is ${JAVA_HOME}/jre/lib/security/cacerts

You can do this with keytool.
 
clive jordan
Ranch Hand
Posts: 39
It looks to me like liferay needs to know about the tomcat certificate. I am unfamiliar with liferay and would *assume* that it reads the default cacerts but it may be trying to read another keystore.

Tomcat, by default, puts its certificate in ${HOME}/.keystore where ${HOME} is the user home directory Tomcat uses. I guess you must have done this, as Tomcat would not run under HTTPS otherwise. You can always check by pointing a web browser at it using https://machinename:httpsport

You can export the certificate from .keystore using:

keytool -export -alias tomcat -file tomcat.cert

(provided you created the certificate and gave it an alias of 'tomcat')

Then you can import this into the default cacerts using:

keytool -import -alias tomcat -keystore ${JAVA_HOME}/jre/lib/security/cacerts -trustcacerts -file tomcat.cert

If liferay does not use the default cacerts file, I guess you have to check with the document where it expects to find certificates and re-run the keytool import specifying the correct keystore.

Just a few stabs in the dark....

Clive
 