You need to specify the keystore in conf\server.xml. I assume that you've
set up the SSL connector. Do a search on the string "keystoreFile" and set
the value to the correct keystore.
- Original Message -
From: "Ert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 05, 2003 5:10 PM
Subject: Debugging outbound SSL communications?
I'm using a poorly-supported external service that interacts over SSL.
I can connect fine to their production environment, but their developer
environment apparently uses a less-well-known certifying authority, and
when I try to use it I am thwarted:
> javax.net.ssl.SSLException: Connection has been shutdown:
> javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: Could not find trusted
> certificate
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
> at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
> at
> sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
> at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
> at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
> at java.io.InputStreamReader.read(InputStreamReader.java:167)
The vendor informs me that I merely need to add the appropriate key:
> The Equifax Key is not in Java by default. You need to add it.
> Example:
>
> 1) cd $JAVA_HOME/jre/lib/security/cacerts
>
> 2) copy the GeoTrust root from here:
>
> http://www.geotrust.com/resources/roots/
> Equifax_Secure_Certificate_Authority.cer
> to the file geotrustroot.cer in this directory
>
> 3) Run this command:
> keytool -import -trustcacerts -alias geotrustroot -keystore cacerts
> -file geotrustroot.cer -storepass changeit
I've imported this key to every keystore I can find or think of on my
Mac OS X system (keytool's default one,
/Library/Java/Home/lib/security/cacerts, ~/.keystore, ~root/.keystore)
and I continue to get the same error.
So now I'm trying to figure out if a default Tomcat 4.1.24 install uses
its own keystore. If not I'm hoping to find some way I can figure out
what key the SSL connection is being presented with, and what keystore
it's attempting to find a matching key in. I don't know if I just have
the wrong certificate, or if I've put it in the wrong place.
Any thoughts from the gallery?
- Ert
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]