On Java Development

All things related to Java development, from the perspective of a caveman.

SSL Support with Certificate Authority Files


Introduction

This post is about the Certificate Authority (CA) certificates a Java client needs in order to negotiate a secure HTTP connection with a web site that supports SSL (Secure Sockets Layer, since superseded by TLS). SSL is not part of HTTP itself; it is the transport-level protocol underneath HTTPS that authenticates the server and encrypts the exchange, which is why it is used for the safe exchange of sensitive information such as credit card numbers, social security numbers and other data. The server proves its identity with a certificate that chains up to a CA the client already trusts. When the site's operator switches to a certificate issued by a different CA, a client that does not have that CA in its trust store can no longer connect. This post goes over the steps needed to update the server (here, the JVM running Tomcat) when that occurs.


Suddenly, it broke

Suddenly, your application can no longer negotiate a connection to the web service it has been using. All you know is that it can't connect, and all you have to go by is this:

Line 4 shows the fault and line 34 shows where the application was in its execution. While somewhat cryptic, line 4 gives a clue: it is an SSL failure, specifically a PKIX path building failure, which means the client could not build a chain from the certificate the server presented to any CA certificate in its own trust store. This is what happens when, without informing you, the web service's IT personnel switch it to a certificate issued by a different CA. Nothing on your side has expired or become obsolete; the JVM simply has no reason to trust the new issuer. A call to the service provider's help desk gives this information:

It looks like you don't have the Comodo certificate loaded into the Java certificate store. The relevant part of the error message is:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Even though you have the certificate in your web browser, Java apps don't use the web browser's certificate store. The Comodo certificate needs to be added to the Java certificate store separately.

Note the last part, where they say "Java apps don't use the web browser's certificate store". Java keeps its own trust store (the cacerts file shipped with the JRE), and the store that matters is the one belonging to the JVM that makes the outbound connection, which here is the JVM running Tomcat. So Tomcat, or rather its JVM, will have to be configured in some way.

The next task is to find out which Certificate Authority (CA) certificates the service provider is currently using.


Persuading the Server to Reveal the Certificate Authority Files

A little research shows that when the argument -Djavax.net.debug=SSL (the JSSE documentation spells it in lowercase, ssl; ssl:trustmanager restricts the output to trust-store activity) is added to the JVM argument list (using the JVM Arguments tab in Eclipse), the JVM writes to Eclipse's console which trust store it loads and every CA certificate it finds there when a connection to the service is attempted. The stack trace already presented follows this list.

Line 6 shows that the JVM is using the standard Java trust store at the location shown (for a JDK installation this is jre/lib/security/cacerts). Following this is a complete inventory of the CAs in that store. The list below highlights a few of them by Certificate Name | Organization.

  • SwissSign Platinum CA – G2 | SwissSign AG
  • America Online Root Certification Authority 2 | America Online Inc.
  • SwissSign Silver CA – G2 | SwissSign AG
  • Security Communication EV RootCA1 | SECOM Trust Systems CO.,LTD.
  • Equifax Secure Global eBusiness CA-1 | Equifax Secure Inc.
  • Thawte Personal Freemail CA | Thawte Consulting
  • GTE CyberTrust Global Root | GTE Corporation
  • DigiCert High Assurance EV Root CA | DigiCert Inc
  • Entrust.net Certification Authority (2048) | Entrust.net
  • Thawte Server CA | Thawte Consulting cc
  • Deutsche Telekom Root CA 2 | Deutsche Telekom AG
  • Entrust.net Secure Server Certification Authority | Entrust.net
  • GeoTrust Universal CA | GeoTrust Inc.
  • TC TrustCenter Universal CA I | TC TrustCenter GmbH
  • VeriSign Class 3 Public Primary Certification Authority – G3 | VeriSign, Inc.
  • Go Daddy Class 2 Certification Authority | The Go Daddy Group, Inc.
    :
    :

As indicated by the service provider's help desk, Comodo is not among them. If it were, an entry for it would appear in this list alongside the others.


Getting the Comodo Certificates

The process of updating certificates begins by pointing a browser at the provider's web page. The short story is that you go to the browser's Tools menu, select Options and from the dialog presented select the Certificates tab. From there select the button View Certificates. That presents the certificates the web site's chain is built from and lets you export any of them. What you want are the CA certificates above the site's own certificate in that chain (the Comodo intermediate and root); exporting the site's own certificate and trusting that would only pin the current certificate and break again at its next renewal. Before trusting a CA certificate obtained this way, compare its fingerprint with the one the CA publishes; a browser export is a convenience, not a trusted channel.

After they are downloaded, you use Java's keytool utility to import each certificate file (.crt); keytool creates the keystore file if it does not yet exist. Shown below is the keytool utility in action, adding COMODOSSLCA.crt to the keystore keystore.jks.

The keytool command imports the files into a keystore file (.jks). The only thing to do now is to hand this file to the server's JVM as its trust store, through the javax.net.ssl.trustStore system property (and javax.net.ssl.trustStorePassword if the store has a password):
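As an added example (not code from the original post), the following Java program does the two checks the steps above leave to the eye. It prints subject, issuer and SHA-256 fingerprint of each exported certificate so the fingerprint can be compared with the value the CA publishes before anything is trusted, reports which certificates the JVM's default trust store (the same inventory the javax.net.debug output listed) already contains, refuses to import a server certificate in place of a CA certificate, and writes a JKS file holding the default roots plus the missing CAs. It starts from a copy of the default roots because pointing the JVM at a file via javax.net.ssl.trustStore replaces cacerts rather than adding to it; a store containing only the Comodo certificate would break every other HTTPS peer the application talks to. Output path, password, aliases and file names are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: inspects exported CA certificate files, reports which ones the running
 * JVM already trusts, and writes a new JKS trust store containing the default roots plus
 * the missing CAs. Arguments, aliases and file names are illustrative placeholders.
 */
public class TrustStoreBuilder {

    /** Colon-separated SHA-256 fingerprint, to compare against the value the CA publishes. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(i == 0 ? "" : ":").append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** The CA certificates the JVM trusts by default (normally jre/lib/security/cacerts). */
    static X509Certificate[] defaultTrustedRoots() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null KeyStore selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreBuilder <out.jks> <password> <ca.crt> [more.crt ...]");
            System.exit(2);
        }
        // javax.net.ssl.trustStore REPLACES cacerts rather than adding to it, so the new
        // store starts as a copy of the default roots; otherwise every other HTTPS peer breaks.
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, null);
        X509Certificate[] roots = defaultTrustedRoots();
        for (int i = 0; i < roots.length; i++) {
            store.setCertificateEntry("default-" + i, roots[i]);
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        for (int a = 2; a < args.length; a++) {
            try (InputStream in = new FileInputStream(args[a])) {
                // generateCertificates accepts a single DER/PEM certificate or a PEM bundle.
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate cert = (X509Certificate) c;
                    System.out.println("File    : " + args[a]);
                    System.out.println("Subject : " + cert.getSubjectX500Principal());
                    System.out.println("Issuer  : " + cert.getIssuerX500Principal());
                    System.out.println("SHA-256 : " + fingerprint(cert));
                    if (cert.getBasicConstraints() == -1) {
                        // A server (leaf) certificate: trusting it directly pins that one
                        // certificate and breaks again at renewal. Import the CA above it.
                        System.out.println("Skipped : not a CA certificate");
                    } else if (store.getCertificateAlias(cert) != null) {
                        System.out.println("Skipped : already in the default trust store");
                    } else {
                        String alias = "added-" + (++added); // placeholder alias scheme
                        store.setCertificateEntry(alias, cert);
                        System.out.println("Added   : alias " + alias);
                    }
                    System.out.println();
                }
            }
        }
        try (OutputStream out = new FileOutputStream(args[0])) {
            store.store(out, args[1].toCharArray());
        }
        System.out.println(added + " CA certificate(s) added; "
            + store.size() + " entries written to " + args[0]);
    }
}
```

Run it as java TrustStoreBuilder keystore.jks changeit COMODOSSLCA.crt (the password is a placeholder), check the printed fingerprints against the CA's published ones, then pass the file to Tomcat's JVM with -Djavax.net.ssl.trustStore=/path/to/keystore.jks and -Djavax.net.ssl.trustStorePassword=changeit. The single-file keytool equivalent of the import step is keytool -importcert -trustcacerts -alias comodossl -file COMODOSSLCA.crt -keystore keystore.jks, which does not copy the default roots for you.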

At this point, you might be wondering why it is being referenced as a “trustStore”. Here’s the definition of a keystore and a truststore.

A keystore contains a private key. You only need this if you are a server, or if the server requires client authentication.

A truststore contains CA certificates to trust. If your server's certificate is signed by a recognized CA, the default truststore that ships with the JRE will already trust it (because it already trusts trustworthy CAs), so you don't need to build your own, or to add anything to the one from the JRE.

If you are interested in the write-up from Sun, (now Oracle) see the standard JSSE documentation on the topic.

Typically, the trust store is used to store only public keys, for verification purposes, such as with X.509 authentication. For manageability purposes, it’s quite common for admins or developers to simply conflate the two into a single store.

An alternate method is to set the same properties from the Java code of the web application, as shown here.

The downside of this approach is that System.setProperty is JVM-wide: in a Tomcat JVM every web application shares it, so the last one to set javax.net.ssl.trustStore wins, and because the default SSLContext reads these properties only once, when it is first initialized, a value set after another component has already opened an HTTPS connection is silently ignored. This is why I believe the previous method is best.
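Added example (not the post's code): if the trust really must live in application code, the collision described above is avoided by building a dedicated SSLContext from the trust store and applying its SSLSocketFactory to the individual connection, instead of changing JVM-wide properties. Hostname verification and chain validation stay on. The trust store path, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: trust scoped to one connection. Nothing here touches
 * System.setProperty or HttpsURLConnection.setDefaultSSLSocketFactory, both of which
 * would affect every other web application in the same Tomcat JVM.
 * Path, password and URL are placeholders.
 */
public class ScopedTrustClient {

    /** Builds an SSLSocketFactory that trusts exactly the CA certificates in the given JKS file. */
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // PKIX
        tmf.init(trust);
        // No KeyManager: this client does not present a certificate of its own.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory =
            socketFactoryFor("/opt/tomcat/conf/keystore.jks", "changeit".toCharArray()); // placeholders

        URL url = new URL("https://service.example.com/api/ping"); // placeholder
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory); // applies to this connection only
        // The default HostnameVerifier is kept. A verifier that always returns true, or a
        // TrustManager that accepts every chain, would make the handshake error disappear
        // by removing the very check that reported it, leaving the connection open to
        // man-in-the-middle interception. The fix is the missing CA, not a missing check.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The factory is cheap to keep in a field and reuse; what matters is that the chosen trust store is bound to the connections of this application alone, so another application in the same JVM that needs a different trust store is unaffected.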

Written by admin

October 28th, 2014 at 11:53 am
