Hello team.

I am trying to move my Client server to work with SSL as part of a Security POC we are running. I was moving on the GEODE documents (there are a lot! :)) and there were a lot of different options...

This is the configuration I used:

I've generated the keystore & certificate using a private tool (that uses openssl + keytool).
For the client: a file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key.
For the server: PKCS#12 - this part works, as we could see openssl s_client return the chain.

In the gemfire.properties file I used:

    ssl-enabled-components=all
    ssl-protocols=any
    ssl-ciphers=SSL_RSA_WITH_NULL_SHA    (I've tried both options, empty as well)
    ssl-keystore-type=PKCS12
    ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
    ssl-keystore-password=changeme
    ssl-truststore-type=JKS
    ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
    ssl-truststore-password=changeit

On the client side I used the PEM format, gfcpp1.properties:

    ssl-enabled=true
    ssl-keystore=/tmp/server4.pem
    ssl-keystore-password=changeme
    ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem

This is the error I am getting from the server (locator) when the client is trying to connect:

    [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
        at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
        ... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

These are the errors I am getting from the client:

    ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

Any help will be appreciated!!

Thanks.
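The server trace fails inside checkClientTrusted / clientCertificate, meaning the locator's truststore cannot build a path from the client's certificate to an issuer it trusts, which is what the client then sees as "alert certificate unknown". The script below is an added, self-contained reproduction of that check with openssl only (not from the post or from Geode): it constructs a throwaway CA, a client certificate signed by it, and an unrelated CA, then shows the path check passing against the right trust root and failing against the wrong one; every file name in it is constructed for the demo.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Reproduces the
# "unable to find valid certification path" condition using only openssl.
# All key/cert names below are constructed; substitute the real PEM files.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed trust roots: the CA that actually signs the client cert, and an
# unrelated CA standing in for a truststore that lacks the client's issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout other.key -out other.pem >/dev/null 2>&1

# Constructed client identity (PEM cert + key, same shape as the client's
# ssl-keystore file), issued by the demo CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -out client.pem >/dev/null 2>&1

# check_path TRUSTSTORE_PEM CLIENT_CERT_PEM
# Exit 0 when the client certificate chains to a root in the given trust
# store, non-zero otherwise: the same decision the server's PKIX validator
# makes when it validates the client certificate during the handshake.
check_path() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer present in the trust store: the path builds and the handshake would proceed.
check_path ca.pem client.pem && echo "trusted: path built to issuer"
# Issuer absent: the condition the locator logs as "PKIX path building failed".
check_path other.pem client.pem || echo "rejected: no path from client cert to a trusted issuer"
```

Run the same check with the real files (`check_path AmdocsTestCA-Trust.pem /tmp/server4.pem`), and compare the client certificate's issuer (`openssl x509 -in /tmp/server4.pem -noout -issuer`) with the entries `keytool -list -v -keystore AmdocsTestCA-Trust.jks` reports for the server's JKS truststore; the issuer (or its full chain) must be present there for the server-side validation to succeed.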