Hi,

Thanks for all the inputs. I found that another war file in webapps/ has set environment to point to its own keystore, thus it overwrites the JAVA_OPTS somehow. Now that I have imported the certificates into that "keystore" as well, everything works!

Regards,
Andii

--- André Warnier <a...@ice-sa.com> wrote:

> Andy Ee wrote:
> > Dear all,
> >
> > I am stuck with this problem for over a month now, and I have tried all ways but to no avail.
> >
> > My Tomcat 6.0.32 is running in Solaris 10 and the JDK version is 1.6.0_21. I deployed a java program in Tomcat webapps/ which will post some results to a web server via a HTTPS url.
>
> So it is *this webapp* which is creating a HTTPS connection to some other webserver, and
> sending it some data, right ?
>
> > I received the following error in the catalina.out log.
> >
> > [12-05-04 00:57:20] INFO [http-8080-1] Sending to (https://abc.test.com/payment/test.jsp) - timeout: 30000
> > [12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while send status to merchant status url! sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> and this is a log message *from the webapp*, right ?
>
> > I downloaded and imported the required CA chain certificates into the java truststore cacerts but it does not help.
> >
> > Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as the truststore and it doesn't help either.
> >
> > bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
> > root 25578 0.1 11.01145892903712 pts/8 S 00:55:57 2:14 /usr/java/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties -Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0 -Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar -Dcatalina.base=/usr/local/apache-tomcat-6.0.32 -Dcatalina.home=/usr/local/apache-tomcat-6.0.32 -Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp org.apache.catalina.startup.Bootstrap start
> >
> > The CA certificates were imported into cacerts using the following keytool command.
> >
> > keytool -import -trustcacerts -keystore cacerts -file root.cer -alias BuiltinObjectToken-GoDaddyClass2CA
> > keytool -import -trustcacerts -keystore cacerts -file inter.cer -alias GoDaddySecureCertificationAuthority
> >
> > I also tried to verify by using TestSSL.java and InstallCert.java and both could locate the CA certificates in cacerts.
> > Therefore I am suspecting that Tomcat is not using cacerts properly.
>
> And this is probably where you are making the wrong analysis.
>
> According to your own description above, the only thing in common between your webapp and
> Tomcat, is that they are run by the same JVM.
> Tomcat per se has nothing to do with whatever your webapp makes as connections to anything
> else. Tomcat does not even know about this. No Tomcat code is involved in setting up that
> connection or using it.
> It is a matter for your webapp and the JVM alone.
> In other words, if your webapp was a stand-alone Java program instead of being a webapp,
> you would get exactly the same error.
>
> I have no idea what the problem really is, but it seems to me that by mentally leaving
> Tomcat out of the equation, you may be able to figure it out by yourself quicker.
>
> For example, extract out of that webapp the code which is setting up that HTTPS
> connection, and make it into a standalone program. Then run it with the same Java options
> as you do with Tomcat above, and see what you get.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
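
An added example, not part of the thread and not code from any of its participants: a standalone check of the kind suggested in the quoted reply, which also prints the trust store settings the JVM actually has in effect, the setting the resolution message found had been overridden. The class name `TrustStoreCheck` and the URL argument are assumptions; the code sticks to Java 6 syntax to match the JDK in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;

// Added example. Run with the same -D options that are passed to Tomcat, e.g.
//   java -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<pw> TrustStoreCheck <https-url>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // 1. The effective settings. System properties are JVM-wide, so a value set by
        //    any code in the JVM replaces the one given on the command line.
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        System.out.println("javax.net.ssl.trustStore = " + path);
        System.out.println("javax.net.ssl.keyStore   = " + System.getProperty("javax.net.ssl.keyStore"));

        // 2. The CA entries in that file. Without the property, JSSE uses jssecacerts
        //    if it exists, otherwise cacerts; only cacerts is checked here.
        if (path == null) {
            path = System.getProperty("java.home") + "/lib/security/cacerts";
        }
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass == null ? null : pass.toCharArray());
        } finally {
            in.close();
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) System.out.println("trusted CA alias: " + alias);
        }

        // 3. The handshake itself, with the 30000 ms timeout shown in the log line.
        if (args.length == 0) return;
        HttpsURLConnection c = (HttpsURLConnection) new URL(args[0]).openConnection();
        c.setConnectTimeout(30000);
        try {
            c.connect();
            System.out.println("handshake OK, cipher suite " + c.getCipherSuite());
        } catch (SSLException e) {
            System.out.println("handshake FAILED: " + e);
        } finally {
            c.disconnect();
        }
    }
}
```

Logging the same two properties from inside the webapp at request time and comparing them with this program's output shows whether something in the running JVM has replaced the values given in JAVA_OPTS.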