Hello Andrey,

Sorry, missed your email somehow. Using the gateway.truststore.path property should have worked; also I have had success with -Djavax.net.ssl.trustStore (note, trustStore).

I think there is something funny going on: gateway.truststore.path should work. Check gateway.log with DEBUG enabled; I believe it should log the keystore/truststore location used by Knox. Can you try with -Djavax.net.ssl.trustStore=my_truststore_path when you start the gateway (updating gateway.sh) and share the logs? That should help troubleshooting.

Best,
Sandeep

On Fri, Jan 5, 2018 at 12:41 PM, Markovich <[email protected]> wrote:
> Any ideas?
>
> Regards,
> Andrey
>
> 2017-12-30 2:37 GMT+03:00 Андрей Ривкин <[email protected]>:
>
>> Hello Knox users!
>>
>> I'd like to use Knox with LDAPS, but with a corporate certificate.
>> I don't want to add this cert to the Java trustStore. I have another one.
>> How to tell Knox (Shiro) to use my truststore?
>>
>> All my experiments failed with:
>>
>> *Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target*
>>
>> Then I've enabled *-Djavax.net.debug=all* and was able to see this:
>>
>> SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
>> handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>
>> And finally this:
>>
>> trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>> trustStore type is : jks
>> trustStore provider is :
>> init truststore
>>
>> Also I've tried to *add -Djavax.net.ssl.keyStore=my_truststore_path -Djavax.net.ssl.keyStorePassword=my_truststore_password* after *-Djavax.net.debug=all.*
>>
>> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>
>> I've also told Knox to use my truststore using this:
>>
>> gateway.truststore.path
>> Fully qualified path to the trust store to use. Default is the gateway.jks.
>>
>> And this:
>>
>> knoxcli.sh create-alias gateway-truststore-password --value {pwd}
>>
>> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>
>> So now I'm out of ideas…
>> I've also wanted to tell Shiro itself where my trustStore is, but got this:
>>
>> 2017-12-29 18:21:33,091 ERROR env.EnvironmentLoader (EnvironmentLoader.java:initEnvironment(146)) - Shiro environment initialization failed
>> org.apache.shiro.config.ConfigurationException: Property 'trustStore' does not exist for object of type org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.
>>
>> So, how to tell Shiro to use my truststore?
>>
>> Best regards,
>> Andrey
>
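
A stand-alone diagnostic, added here and not part of the thread, of Knox or of Shiro, that does in isolation what the -Djavax.net.ssl.trustStore route does for the gateway JVM: load a named JKS truststore and run only the TLS handshake against the LDAPS endpoint, so the PKIX failure from the thread can be reproduced or ruled out before any Knox configuration is touched. Host, port, truststore path and password are command-line arguments; the class and method names are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical diagnostic tool; not part of Knox or Shiro.
public class LdapsTrustCheck {

    // Build an SSLContext whose only trust anchors are the CAs in the given JKS file.
    // This is what -Djavax.net.ssl.trustStore does JVM-wide. -Djavax.net.ssl.keyStore
    // instead sets the client *identity* keystore and leaves cacerts as the trust store,
    // which is why the debug output in the thread kept printing the cacerts path.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Run only the TLS handshake (no LDAP bind). Hostname checking is switched on with the
    // "LDAPS" endpoint identification algorithm so a certificate for the wrong name also fails.
    static void handshake(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            s.setSSLParameters(p);
            s.startHandshake();   // throws SSLHandshakeException (PKIX ...) if the chain is untrusted
            System.out.println("OK: " + host + ":" + port + " presented a chain trusted by the truststore"
                + " (" + s.getSession().getPeerPrincipal() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java LdapsTrustCheck <ldap-host> <port> <truststore.jks> <password>");
            System.exit(2);
        }
        SSLContext ctx = contextFor(args[2], args[3].toCharArray());
        handshake(ctx, args[0], Integer.parseInt(args[1]));
    }
}
```

Run it with the same JDK that starts the gateway: if it fails with the same PKIX error, the truststore itself lacks the LDAPS server's CA chain and no Knox setting will help; if it succeeds while Knox still fails, the truststore property is not reaching the gateway JVM, which is what the DEBUG log Sandeep asks for would show.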
