Hello Knox users!
I’d like to use Knox with LDAPS, but with a corporate certificate.
I don’t want to add this cert to the Java trustStore; I have another one.
How do I tell Knox (Shiro) to use my truststore?
All my experiments failed with:
Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
Then I’ve enabled -Djavax.net.debug=all and was able to see this:
SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
And finally this:
trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
Also I’ve tried to add -Djavax.net.ssl.keyStore=my_truststore_path
-Djavax.net.ssl.keyStorePassword=my_truststore_password after
-Djavax.net.debug=all.
Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
I’ve also told Knox to use my truststore using this:
gateway.truststore.path
Fully qualified path to the trust store to use. Default is the gateway.jks.
And this:
knoxcli.sh create-alias gateway-truststore-password --value {pwd}
Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
So now I’m out of ideas…
I’ve also wanted to tell Shiro directly where my trustStore is, but got this:
2017-12-29 18:21:33,091 ERROR env.EnvironmentLoader
(EnvironmentLoader.java:initEnvironment(146)) - Shiro environment
initialization failed
org.apache.shiro.config.ConfigurationException: Property 'trustStore' does not
exist for object of type org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.
So, how do I tell Shiro to use my truststore?
Best regards,
Andrey
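The PKIX error above is raised by the JVM's trust manager, not by Knox or Shiro themselves, so it helps to first confirm, outside Knox, that the intended trust store actually validates the LDAPS server's chain. The standard JSSE properties for that are -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword (javax.net.ssl.keyStore selects the key store, which is why the debug output keeps reporting cacerts as the trust store). The following Java program is an added diagnostic written for this thread; it is not code from the original post or from the Knox project. The trust store path, password, host and port are placeholders supplied on the command line; the file-extension-based JKS/PKCS12 detection is an assumption for convenience.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustStoreCheck: load a trust store from an explicit path (not the JDK's
 * cacerts) and verify that an LDAPS endpoint's certificate chain validates
 * against it. Usage (all arguments are placeholders chosen by the caller):
 *   java TrustStoreCheck <truststore-path> <truststore-password> <ldaps-host> [port]
 */
public class TrustStoreCheck {

    /** Load a JKS or PKCS12 trust store; type detection by extension is an assumption. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        String lower = path.toLowerCase();
        String type = (lower.endsWith(".p12") || lower.endsWith(".pfx")) ? "PKCS12" : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build an X509TrustManager that trusts only the CA certificates in the given store. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** TLS handshake with the LDAPS endpoint using only the supplied trust manager. */
    static void handshake(String host, int port, X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Also verify that the certificate matches the host name, which plain
            // LDAP client code frequently skips.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake OK with " + host + ":" + port + " using "
                    + socket.getSession().getProtocol());
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                System.out.println("  peer chain: "
                        + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <truststore> <password> <host> [port]");
            System.exit(2);
        }
        String path = args[0];
        char[] password = args[1].toCharArray();
        String host = args[2];
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 636; // LDAPS default port

        KeyStore ts = loadTrustStore(path, password);
        X509TrustManager tm = trustManagerFor(ts);
        System.out.println("Trust anchors in " + path + ":");
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal());
        }
        try {
            handshake(host, port, tm);
        } catch (SSLHandshakeException e) {
            // This is the same exception Knox/Shiro reports: the server's chain
            // does not lead to any of the anchors listed above.
            System.err.println("Handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

If the listed anchors do not include the corporate CA that issued the LDAPS server certificate (or its intermediate), the handshake fails here too, and the fix is in the trust store contents rather than in Knox configuration. If the handshake succeeds with this program but Knox still reports the PKIX error, Knox is evidently still using a different trust store, and the remaining question is which JVM property or gateway setting its LDAP client actually honours.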