Any ideas?

Regards,
Andrey

2017-12-30 2:37 GMT+03:00 Андрей Ривкин <[email protected]>:
> Hello Knox users!
>
> I'd like to use Knox with LDAPS, but with a corporate certificate.
> I don't want to add this cert to the Java trustStore. I have another one.
> How to tell Knox (Shiro) to use my truststore?
>
> All my experiments failed with:
>
> Root exception is javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> Then I enabled -Djavax.net.debug=all and was able to see this:
>
> SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
> handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> And finally this:
>
> trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
> trustStore type is : jks
> trustStore provider is :
> init truststore
>
> I also tried to add -Djavax.net.ssl.keyStore=my_truststore_path
> -Djavax.net.ssl.keyStorePassword=my_truststore_password after
> -Djavax.net.debug=all.
>
> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>
> I've also told Knox to use my truststore using this:
>
> gateway.truststore.path
> Fully qualified path to the trust store to use. Default is the gateway.jks.
>
> And this:
>
> knoxcli.sh create-alias gateway-truststore-password --value {pwd}
>
> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>
> So now I'm out of ideas...
> I also wanted to tell Shiro directly where my trustStore is, but got this:
>
> 2017-12-29 18:21:33,091 ERROR env.EnvironmentLoader
> (EnvironmentLoader.java:initEnvironment(146)) - Shiro environment
> initialization failed
> org.apache.shiro.config.ConfigurationException: Property 'trustStore'
> does not exist for object of type
> org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.
>
> So, how to tell Shiro to use my truststore?
>
> Best regards,
> Andrey
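The debug lines quoted above ("trustStore is: .../cacerts") show which store the JVM's default TrustManager loaded; that default is what the JVM-wide javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties redirect. The example below is an added illustration, not code from this thread or from Knox or Shiro: it shows the other way a JNDI LDAP client (which is what Shiro's LDAP realms use underneath) can be pointed at a private JKS truststore, per connection rather than JVM-wide, through the standard java.naming.ldap.factory.socket hook. The property names corp.truststore.path and corp.truststore.password, the class name CorpTrustSocketFactory, and every path, URL, DN and password in it are placeholders invented for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example (not Knox/Shiro code): LDAPS bind that trusts only the CA
// certificates in a caller-supplied JKS truststore, leaving cacerts untouched.
public class CustomTrustStoreLdaps {

    // JNDI instantiates the factory named in java.naming.ldap.factory.socket by
    // calling its static getDefault(), so it cannot take constructor arguments;
    // the (made-up) corp.truststore.* system properties carry the configuration.
    public static class CorpTrustSocketFactory extends SocketFactory {
        private final SSLSocketFactory delegate;

        private CorpTrustSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

        public static SocketFactory getDefault() {
            try {
                String path = System.getProperty("corp.truststore.path");
                char[] pw = System.getProperty("corp.truststore.password", "").toCharArray();
                return new CorpTrustSocketFactory(buildSocketFactory(path, pw));
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalStateException("cannot load corporate truststore", e);
            }
        }

        static SSLSocketFactory buildSocketFactory(String path, char[] password)
                throws IOException, GeneralSecurityException {
            KeyStore trustStore = KeyStore.getInstance("JKS");   // the thread's store is JKS
            try (InputStream in = new FileInputStream(path)) {
                trustStore.load(in, password);
            }
            // A TrustManager built from this store trusts ONLY its entries: the
            // JVM default store (cacerts) is never consulted for this connection.
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            ctx.init(null, tmf.getTrustManagers(), null);        // no client key material
            return ctx.getSocketFactory();
        }

        @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
        @Override public Socket createSocket(String h, int p) throws IOException {
            return delegate.createSocket(h, p);
        }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException {
            return delegate.createSocket(h, p, lh, lp);
        }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException {
            return delegate.createSocket(h, p);
        }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException {
            return delegate.createSocket(h, p, lh, lp);
        }
    }

    // Simple bind over LDAPS; all arguments are placeholders supplied by the caller.
    public static LdapContext connect(String ldapsUrl, String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // The hook that swaps the trust anchors for this connection only.
        env.put("java.naming.ldap.factory.socket", CorpTrustSocketFactory.class.getName());
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) {
        System.setProperty("corp.truststore.path", "/etc/knox/corp-truststore.jks"); // placeholder
        System.setProperty("corp.truststore.password", "changeit");                   // placeholder
        try (AutoCloseable ignored = () -> { }) {
            LdapContext ctx = connect("ldaps://ldap.example.com:636",
                    "uid=knox,ou=service,dc=example,dc=com", "secret");           // placeholders
            System.out.println("LDAPS bind succeeded using the corporate truststore");
            ctx.close();
        } catch (CommunicationException e) {
            // The PKIX failure quoted in the thread arrives here, wrapped by JNDI.
            if (e.getRootCause() instanceof SSLHandshakeException) {
                System.err.println("TLS trust failure: " + e.getRootCause().getMessage());
            } else {
                System.err.println("connection failed: " + e);
            }
        } catch (Exception e) {
            System.err.println("LDAP error: " + e);
        }
    }
}
```

Two checks worth making with this pattern: the LDAPS server certificate must chain to a CA in the private store and its subject or SAN must match the host in the URL, since the JDK's LDAP provider performs hostname verification on SSL sockets it receives from the factory; and a wrong-store misconfiguration still fails closed with the same PKIX "unable to find valid certification path" message, which is the expected, not the dangerous, outcome.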
