The Artima Developer Community

Legacy Java Answers Forum
October 2000

This page contains an archived post to the Java Answers Forum made prior to February 25, 2002. If you wish to participate in discussions, please visit the new Artima Forums.

Message:

Re: MakStripe R/W

Posted by RAJESH RADHAKRISHNAN on February 06, 2002 at 2:18 PM

> Running the servlet, the error is javax.net.ssl.SSLException: untrusted server cert chain.
> > > In IE5.5, the error is java.lang.NoClassDefFoundError:javax/net/ssl/SSLSocketFactory

> > > Please help me! Thank you!


-----------------------------------------------------------------
CHECK ANY OF THE FOLLOWING, WHICH GIVES YOU A CORRECT WAY


I'm creating a URLConnection in java to a httpS site....
and I get the following error javax.net.ssl.SSLException : untrusted
server cert chain
I've configured the resin.conf like this...

<-- Security providers. Adding JSSE looks like: -->

but this site gave me a file with a certificate.... I'm a little bit
confused...
Where do I have to put this certificate?
I'm the client, so....
Do I have to install the SSL part in my server??? I don't want to serve ssl...
I don't want to access https://localhost !!!!!

--------------------------------

I think you need to import the certificate from that site into the Java
key store. To do this, you use the keytool utility from the JDK:
keytool -import
-keystore /jre/lib/security/cacerts
-alias
-file

(this is all on one command line)
It will prompt you for the key store password. If the password was not
changed since the JDK installation, it defaults to "changeit" (at least
in JDK 1.3).
HTH,
-----------------------------------------------------------------------

one reason might be that the server name in the cert and the server name
returned from the server is different (something like www.xyz.com and
xyz.com). There is a method, I guess in HttpsConnection where you can
add a custom check for that ...
------------------------------------------------------------------------------------------

specify keystore
but if you launch an application you can use this
command line option called -Djavax.net.ssl.trustStore=filename
to specify the keystore that has your trusted certificates. If
you don't specify the file it defaults to
/jre/lib/security/cacerts in the case of application
----------------------------------------------------------------------------------
it's very easy.

1, import the server's certificate file to a keystore
2, make it a truststore in your program
System.setProperty("javax.net.ssl.trustStore",keystore_file);
3, or use java -Djavax.net.ssl.trustStore=keystore_file to
execute your program
-------------------------------------
How can I import my existing certificate into the "trust file" for a JVM?
1. Find the trusted file "cacerts" in your JRE, e.g.
find /java_install -name "cacerts"
2. Copy that file to a backup
cp cacerts cacerts.bak
3. Install your certificate into the trust file (note: the file cacerts ships from Sun with password "changeit")
keytool -import -alias -file mycert.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
4. Verify that your cert was imported:
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
--------------------------
There is a free SSL implementation available in pure Java from Sun, although it is relatively slow, especially in its creation of the random key to start an SSL connection (about 3 seconds on a 600MHz PIII). To use this implementation, download the JSSE package from the Sun URL above, then:
1. Add the three key jars to your JVM's "ext" (extensions) directory; e.g.
cp jcert.jar jnet.jar jsse.jar $JAVA_HOME/jre/lib/ext/

2. After the jars are in place, you must modify the file "java.security" to allow usage of the providers found within the jars.

Find the file
find $JAVA_HOME -name "java.security"

3. Add the following line to the file java.security:
security.provider.2=com.sun.net.ssl.internal.ssl.Provider

Then start using URLs like "https://myhost" within the test rig. The HTTPS protocol will automatically cause new provider classes within the extension jars to be employed for a java.net.URL class and its related connections. Note that you should NOT add these jars to the CLASSPATH. Javax jars are accessed by the JVM by their inclusion in the magic "ext" folder.
-----------------------------------------------------------------
Runtime Exception: untrusted cert chains
Problem: When negotiating an SSL connection, the client or server throws
one of the following exceptions:

javax.net.ssl.SSLException: untrusted server cert chain
javax.net.ssl.SSLException: untrusted client cert chain

Cause 1: This is generally caused by the remote side sending a
certificate that is unknown to the local side.

Solution 1: The best way to debug this type of problem is to turn on
debugging (see Debugging Utilities) and watch as certificates are loaded
and when certificates are received via the network connection. Most
likely, the received certificate is unknown to the trust mechanism
because the wrong trust file was loaded.

Cause 2: The system clock is not set correctly.

Solution 2: If the clock is not set correctly, the perceived time may be
outside the validity period on one of the certificates, and unless the
certificate can be replaced with a valid one from a truststore, the
system must assume that the certificate is invalid, and therefore throw
the exception.

Cause 3: Older versions of Java 2 Enterprise Edition use earlier
versions of JSSE. In particular, some previous versions of J2EE shipped
with JSSE 1.0, which couldn't replace received expired certificates with
current ones from a truststore.

Solution 3: Be sure that the new JSSE jar files occur in the class
path(s) ahead of any older J2EE jar files.
----------------------------
I'm having this exception
javax.net.ssl.SSLException: untrusted server cert chain
I already have my .keystore... yet I'm having this error...

Did you set the env variable JSSE_HOME, and
are you still getting the same stack trace?
-----------------------------------------------------
Did you register the JSSE security provider?

Look at point 4 on INSTALL.txt, in the JSSE package.
---------------------------------------------------------
I followed the instructions for JSSE installation: jsse.jar, jcert.jar, and
jnet.jar are all installed in $JAVA_HOME/jre/lib/ext, and the
$JAVA_HOME/jre/lib/security/java.security file has been modified to add support
for the SunJSSE provider.
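
An added example, not part of the original post: on a current JDK (where JSSE is built in), a client can trust the site's certificate for its own connection through an in-memory trust store instead of editing the shared cacerts file, with the default host name check left in place. The class name and the two command-line arguments (certificate file, https URL) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; usage: java DedicatedTrustStoreClient <cert.pem> <https-url>
public class DedicatedTrustStoreClient {

    // Build an in-memory trust store that contains only the given certificate.
    static KeyStore trustStoreFor(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        // Throws if the local clock is outside the certificate's validity
        // period (the "system clock" cause listed in the post).
        cert.checkValidity();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                     // start from an empty store
        ks.setCertificateEntry("server", cert);  // alias chosen for this example
        return ks;
    }

    // Create an SSLContext whose trust decisions use only that store.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: DedicatedTrustStoreClient <cert.pem> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = contextFor(trustStoreFor(args[0]));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        // Only this connection uses the custom trust store; the JVM-wide
        // defaults and the default HostnameVerifier are left unchanged.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println(conn.getResponseCode() + " via " + conn.getCipherSuite());
    }
}
```

A certificate that does not chain to the loaded entry, or a host name that does not match it, still fails the handshake with an SSL exception rather than being silently accepted.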





