Andy Ee wrote:
Dear all,
I have been stuck with this problem for over a month now, and I have tried all ways
but to no avail.
My Tomcat 6.0.32 is running in Solaris 10 and the JDK version is 1.6.0_21. I deployed a java program in Tomcat webapps/ which will post some results to a web server via a HTTPS url.
So it is *this webapp* which is creating a HTTPS connection to some other webserver, and
sending it some data, right?
I received the following error in the catalina.out log.
[12-05-04 00:57:20] INFO [http-8080-1] Sending to
(https://abc.test.com/payment/test.jsp) - timeout: 30000
[12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while send status
to merchant status url! sun.security.validator.ValidatorException: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
and this is a log message *from the webapp*, right?
I downloaded and imported the required CA chain certificates into the Java truststore cacerts, but it does not help.
Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as the truststore
and it doesn’t help either.
bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
root 25578 0.1 11.0 1145892 903712 pts/8 S 00:55:57 2:14
/usr/java/bin/java
-Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties
-Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC
-Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0
-Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts
-Djavax.net.ssl.keyStorePassword=changeit
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed -classpath
/usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar
-Dcatalina.base=/usr/local/apache-tomcat-6.0.32
-Dcatalina.home=/usr/local/apache-tomcat-6.0.32
-Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp
org.apache.catalina.startup.Bootstrap start
The CA certificates were imported into cacerts using the following keytool
command.
keytool -import -trustcacerts -keystore cacerts -file root.cer -alias BuiltinObjectToken-GoDaddyClass2CA
keytool -import -trustcacerts -keystore cacerts -file inter.cer -alias GoDaddySecureCertificationAuthority
I also tried to verify by using TestSSL.java and InstallCert.java and both could locate the CA certificates in cacerts.
Therefore I am suspecting that Tomcat is not using cacerts properly.
And this is probably where you are making the wrong analysis.
According to your own description above, the only thing in common between your webapp and
Tomcat is that they are run by the same JVM.
Tomcat per se has nothing to do with whatever your webapp makes as connections to anything
else. Tomcat does not even know about this. No Tomcat code is involved in setting up that
connection or using it.
It is a matter for your webapp and the JVM alone.
In other words, if your webapp was a stand-alone Java program instead of being a webapp,
you would get exactly the same error.
I have no idea what the problem really is, but it seems to me that by mentally leaving
Tomcat out of the equation, you may be able to figure it out by yourself quicker.
For example, extract out of that webapp the code which is setting up that HTTPS
connection, and make it into a standalone program. Then run it with the same Java options
as you do with Tomcat above, and see what you get.
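As an added example (not code from the original post or from the Tomcat project), here is a standalone program of the kind suggested above. It resolves the trust store the way JSSE does by default (javax.net.ssl.trustStore if set, otherwise jssecacerts and then cacerts under java.home/lib/security), lists the trust-store aliases that match a filter (defaulting to "godaddy", to match the aliases imported in the post), then opens the HTTPS connection through a trust manager that keeps a copy of the chain the server actually sent, so that on a PKIX failure the server's issuer names can be compared against the imported CA subjects. The URL defaults to the one in the log; the class name PkixCheck and the alias filter are assumptions for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Stand-alone PKIX check (illustrative): run with the same -Djavax.net.ssl.* options as Tomcat. */
public class PkixCheck {

    /** Same lookup order JSSE uses when no SSLContext is configured explicitly. */
    static String resolveTrustStore() {
        String ts = System.getProperty("javax.net.ssl.trustStore");
        if (ts != null) return ts;
        String sec = System.getProperty("java.home") + "/lib/security/";
        return new File(sec + "jssecacerts").exists() ? sec + "jssecacerts" : sec + "cacerts";
    }

    /** Delegates to the real PKIX trust manager but remembers the chain the server presented. */
    static class CapturingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] lastChain;
        CapturingTrustManager(X509TrustManager d) { delegate = d; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            lastChain = c;                 // keep what the server sent, then let PKIX decide
            delegate.checkServerTrusted(c, a);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://abc.test.com/payment/test.jsp";  // URL from the log
        String filter = args.length > 1 ? args[1] : "godaddy";                             // alias substring (assumed)
        String tsPath = resolveTrustStore();
        String tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println("java.home   = " + System.getProperty("java.home"));
        System.out.println("trust store = " + tsPath);

        // Load the same file JSSE will load and show the imported CA entries.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(tsPath);
        try { ts.load(in, tsPass.toCharArray()); } finally { in.close(); }
        System.out.println("entries     = " + ts.size());
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (alias.toLowerCase().contains(filter.toLowerCase())) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                System.out.println("  " + alias + " -> " + c.getSubjectX500Principal());
            }
        }

        // Build an SSLContext on that trust store, wrapped so the server chain is captured.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        CapturingTrustManager ctm = new CapturingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ctm }, null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(30000);   // same timeout as in the log
        conn.setReadTimeout(30000);
        try {
            System.out.println("HTTP status = " + conn.getResponseCode());
        } catch (SSLHandshakeException ex) {
            System.out.println("handshake failed: " + ex);
            if (ctm.lastChain != null) {
                System.out.println("server sent " + ctm.lastChain.length + " certificate(s):");
                for (X509Certificate c : ctm.lastChain) {
                    System.out.println("  subject: " + c.getSubjectX500Principal());
                    System.out.println("  issuer : " + c.getIssuerX500Principal());
                }
            }
            throw ex;
        }
    }
}
```

Run it as `java -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit PkixCheck https://abc.test.com/payment/test.jsp`, i.e. with the same options and the same `java` binary as the Tomcat process. If the handshake fails, the issuer printed for the last certificate the server sent should match the subject of one of the listed trust-store entries; if it does not, the chain the server presents is not the one that was imported.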