I'm trying to authorize an old JBoss 5 running on JRockit 6 to access to a CAS server using a Let's encrypt certificate.
The problem is that Let's encrypt is not supported on JDK6 so I added the root certificate to the cacerts file.
Now the problem is that JDK 6 does not understand such big key (java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)) so I tried to switch to Bouncy Castle JCE/JCA by adding bcprov-jdk15on-1.61.jar & bctls-jdk15on-1.61.jar to the $JAVA_HOME/jre/lib/ext folder & added org.bouncycastle.jce.provider.BouncyCastleProvider & org.bouncycastle.jsse.provider.BouncyCastleJsseProvider as first security providers in $JAVA_HOME/jre/lib/security/java.security file as explained partly here.
After a java.lang.ArrayIndexOutOfBoundsException: 64 I switched from SunX509 to X.509 value for ssl.KeyManagerFactory.algorithm key in java.security file.
Now I have the following error (I think the same as this thread on Oracle forum):
java.security.NoSuchAlgorithmException: Algorithm ECDH not available
javax.crypto.KeyAgreement.getInstance(DashoA13*..)
org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyAgreement(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.calculateKeyAgreement(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDH.calculateSecret(Unknown Source)
org.bouncycastle.tls.TlsECDHEKeyExchange.generatePreMasterSecret(Unknown Source)
org.bouncycastle.tls.TlsProtocol.establishMasterSecret(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
But by looking at org.bouncycastle.jcajce.provider.asymmetric.EC's sources such KeyAgreement should be correctly set by org.bouncycastle.jce.provider.BouncyCastleProvider.
But effectively, as it is the org.bouncycastle.jsse.provider.BouncyCastleJsseProvider which is used when creating a https client, this provider doesn't register this algorithm and I don't know how to do this.
Someone knows how to workaround this?
I have also tried to declare those jars as dependencies to my war and explicitely instanciate them like this:
static {
org.bouncycastle.jce.provider.BouncyCastleProvider bcp = new org.bouncycastle.jce.provider.BouncyCastleProvider();
java.security.Security.insertProviderAt(bcp, 1);
org.bouncycastle.jsse.provider.BouncyCastleJsseProvider bcjp = new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider(bcp);
java.security.Security.insertProviderAt(bcjp, 1);
}
But then, I have this stack that seems to be linked to a problem in JBoss:
java.lang.SecurityException: JCE cannot authenticate the provider BC
javax.crypto.Cipher.getInstance(DashoA13*..)
org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
Caused by: java.util.jar.JarException: Cannot parse jar:file:/opt/jboss-5.1.0.GA/server/default/deploy/myapp.war/WEB-INF/lib/bcprov-jdk15on-1.61.jar!/
javax.crypto.SunJCE_c.a(DashoA13*..)
javax.crypto.SunJCE_b.b(DashoA13*..)
javax.crypto.SunJCE_b.a(DashoA13*..)
javax.crypto.Cipher.getInstance(DashoA13*..)
org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
In case, I have opened the issue #514 on BouncyCastle GitHub.
What you are seeing is consistent with the BouncyCastle JCE Provider not being registered. Hence the search for the ECDH Agreement is not finding it in the JCE search path.
To register the Provider dynamically simply add the following lines to your code
Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());
as per the BouncyCastle Specifications section 6.1 and the test sample code BouncyCastle JSSE Test Code
I suspect that you are not correctly initiating the environment
This problem was solved in https://github.com/bcgit/bc-java/issues/514 by anthony-o as it was caused by a re-packaging issue.
However, that solution did not work for me as my bouncycastle jars are not repackaged into shade/fat jars
Here is how I solved the issue: https://stackoverflow.com/a/59845413/497378
(I am not sure of the etiquette of posting link to answers from another stackoverflow question so please delete if not appropriate)
java.lang.SecurityException: JCE cannot authenticate the provider BC
I get the same error (and the JAR was directly from Maven, no repackaging was in place), I think because starting in BC 1.61 release JARs are signed using a more recent signature algorithm (or root certificate) that Java 6 is unable to verify.
By downgrading BC to 1.60 I managed to connect to a SNI-enabled TLS server (which wasn't reachable usually by Java 6). I used the following Maven dependency:
<dependency groupId="org.bouncycastle" artifactId="bctls-jdk15on" version="1.60"/>
Related
The application is currently running in java version build 1.7.0_79-b15 and the third party application upgraded its TLS to 1.3 version. We can't easily upgrade java version that will support TLS 1.3 and so we decided to use Bouncy Castle in order for us comply with the third party. We were able to connect to the third party system after using Bouncy Castle but, the existing mail service that is working on previous default java security is no longer working due to the error below.
Caused by: javax.mail.MessagingException: IOException while sending message;
nested exception is:
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:625)
at javax.mail.Transport.send0(Transport.java:169)
at javax.mail.Transport.send(Transport.java:98)
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1232)
... 72 more
Caused by: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(Unknown Source)
at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(Unknown Source)
at org.bouncycastle.tls.TlsUtils.processServerCertificate(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1037)
at javax.activation.URLDataSource.getInputStream(URLDataSource.java:107)
at javax.activation.DataHandler.writeTo(DataHandler.java:304)
at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1350)
at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:845)
at javax.mail.internet.MimeMultipart.writeTo(MimeMultipart.java:361)
at com.sun.mail.handlers.multipart_mixed.writeTo(multipart_mixed.java:85)
at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:883)
at javax.activation.DataHandler.writeTo(DataHandler.java:316)
at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1350)
at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:845)
at javax.mail.internet.MimeMultipart.writeTo(MimeMultipart.java:361)
at com.sun.mail.handlers.multipart_mixed.writeTo(multipart_mixed.java:85)
at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:883)
at javax.activation.DataHandler.writeTo(DataHandler.java:316)
at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1350)
at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1683)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:585)
... 75 more
Caused by: java.security.cert.CertificateException: Unable to find certificate chain.
at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(Unknown Source)
at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(Unknown Source)
at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(Unknown Source)
Are there any way to disable Bouncy Castle or processing certificate when sending message through SMTP? Or any way to fix it?
Any suggestions or help are highly appreciated. thanks!
We are trying to run https request in Jmeter 3.1.
But while executing getting following error.
javax.net.ssl.SSLException: Received fatal alert: protocol_version
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.apache.jmeter.protocol.http.sampler.HTTPHC3Impl.sample(HTTPHC3Impl.java:269)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:74)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1166)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1155)
at org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:475)
at org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:418)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:249)
at java.lang.Thread.run(Unknown Source)
We tried following solutions but did't solved the issue:
added "https.default.protocol=TLSv1" in "jmeter.properties" file
Tried solution provided in
http://rajanmanoj.blogspot.in/2011/02/how-to-test-ssl-using-jmeter.html
this link
We are Using Jmeter 3.1, Java Jdk 1.7, Windows 7
Https default protocol may vary depending on the version of JVM.
You can change it. Go to jmeter home directory. Open jmeter.properties file. Uncomment line:
https.default.protocol=SSLv3
May be you need to restart jmeter after change. Not sure about that.
This is highly due to protocol version mismatch. There is mismatch between SSL protocol version used by the client and the server.
Make sure that you have latest version of Java and JMeter installed in your system. Also check for the security certificate in JMETER_HOME\bin folder.
You can check this question for more details.
Sahi OS V5.0 throws a Handshake failure exception after the application server being upgraded to TLS1.1. Using the sahi driver, I'm not able to navigate to any url's of this upgraded server. But the older one works fine.
Does anyone know how to configure this?
Here is the stacktrace:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at net.sf.sahi.RemoteRequestProcessor.processHttp(RemoteRequestProcessor.java:151)........
I'm currently not sure how Sahi OS 5 does it, but we changed the SSL implementation in the code and changed the parameters in the browser.xml to prevent phantomjs from using SSLv3
Have a look at https://github.com/headissue/Sahi/commit/84c45f99f920893a7dfd39e2565819afd91c858e for reference and have a look at your browsers, if they still use SSLv3
Regards
globalworming
Two things fixed this issue:
Passing an argument to JVM to set the version of TLS to be used.
-Dhttps.protocols=TLSv1,TLSv1.1
Using the Java of same version in both client and server.
I want to read a xml stream over HTTPS. The webserver has a certificate that was signed by our own-created inoffical CA.
I know I need to import the CA cert to make my Groovy Job DSL Script work.
Where do I need to import the ca cert or how can I define my own trustStore to make it work?
What I tried before:
Importing CA cert with keytool to C:\Program Files (x86)\Java\jre1.8.0_40\lib\security\cacert
Importing CA cert with keytool to C:\Program Files (x86)\jenkins\jre\lib\security\cacert
When I try the connection with groovyConsole after importing the CA cert to cacert trustStore everything work, but in Jenkins not.
So I tried to set a trustStore in my Job DSL script without success. Still recieving the cert chain error exception:
def addr = "https://example.com:8443/svn/"
def authString = "user:pass".getBytes().encodeBase64().toString()
def jobNamePrefix = "Job"
println("${WORKSPACE}\\epedev.keystore")
System.setProperty("javax.net.ssl.trustStore", "${WORKSPACE}\\epedev.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
def conn = addr.toURL().openConnection()
Console-Snippet:
Processing provided DSL script
C:\Jenkins\ps\seed\Seed PS Projects from SVN\workspace\epedev.keystore
FATAL: Unable to run script
java.io.IOException: Unable to run script
at javaposse.jobdsl.dsl.DslScriptLoader.runDslEngineForParent(DslScriptLoader.java:92)
at javaposse.jobdsl.dsl.DslScriptLoader.runDslEngine(DslScriptLoader.java:123)
at javaposse.jobdsl.plugin.ExecuteDslScripts.perform(ExecuteDslScripts.java:216)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)
at hudson.model.Build$BuildExecution.build(Build.java:205)
at hudson.model.Build$BuildExecution.doRun(Build.java:162)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
at hudson.model.Run.execute(Run.java:1741)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:408)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
at groovy.lang.MetaClassImpl$GetBeanMethodMetaProperty.getProperty(MetaClassImpl.java:3500)
at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:61)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:227)
at script.run(script:12)
at javaposse.jobdsl.dsl.DslScriptLoader.runDslEngineForParent(DslScriptLoader.java:80)
... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 35 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 41 more
Started calculate disk usage of build
Finished Calculation of disk usage of build in 0 seconds
Started calculate disk usage of workspace
Finished Calculation of disk usage of workspace in 0 seconds
Finished: FAILURE
UPDATE:
I also started groovyConsole with Jenkins JRE. It's also working. So the cacerts keystore contains the working ca cert. But why does it not work in Jenkins script console or Job DSL Plugin. What's wrong here?
I got this working after I restarted the Jenkins windows service. Before that I always restartet Jenkins in the application itself. It seems like there is a difference between restarting the service and reboot Jenkins in the console.
After that the CA cert I imported to C:\Program Files (x86)\jenkins\jre\lib\security\cacert was found.
I have a http adapter which retrieves a XML file from a website through HTTPS. The SSL certificate is a real and valid certificate, not self-signed one. It used to be fine and working for over a year.
I recently upgraded to Worklight 6.2.0.01.20150129-1911 and the adapter now failed.
The error from Worklight Server is as below:
FWLSE0101E: Caused by: [project MobileApp5062]javax.net.ssl.SSLPeerUnverifiedException: peer not authenticatedjava.lang.RuntimeException: Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.worklight.adapters.http.HTTPConnectionManager.execute(HTTPConnectionManager.java:233)
at com.worklight.adapters.http.HttpClientContext.doExecute(HttpClientContext.java:185)
at com.worklight.adapters.http.HttpClientContext.execute(HttpClientContext.java:169)
at com.worklight.adapters.http.HTTP.execRequest(HTTP.java:148)
at com.worklight.adapters.http.HTTP.invoke(HTTP.java:137)
at com.worklight.integration.model.ProcedureInvoker.invokeProcedure(ProcedureInvoker.java:57)
at com.worklight.integration.model.Procedure.invoke(Procedure.java:166)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:169)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:38)
at java.util.concurrent.FutureTask.run(Unknown Source)
at com.worklight.integration.model.InvocationContext$DirectExecutorService.execute(InvocationContext.java:284)
at java.util.concurrent.AbstractExecutorService.submit(Unknown Source)
at com.worklight.integration.model.InvocationContext.submit(InvocationContext.java:138)
at com.worklight.integration.model.InvocationContextManager.submitInvocation(InvocationContextManager.java:58)
at com.worklight.integration.services.impl.DataAccessServiceImpl.callProcedure(DataAccessServiceImpl.java:522)
at com.worklight.integration.services.impl.DataAccessServiceImpl.access$100(DataAccessServiceImpl.java:61)
at com.worklight.integration.services.impl.DataAccessServiceImpl$3.execute(DataAccessServiceImpl.java:417)
at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:76)
at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeProcedureInternal(DataAccessServiceImpl.java:414)
at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeDynamicProcedure(DataAccessServiceImpl.java:481)
at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeDynamicProcedureWithEnclosingProcedureProperties(DataAccessServiceImpl.java:465)
at com.worklight.integration.js.JavaScriptIntegrationLibraryImplementation.invokeDynamicProcedureWithEnclosingProcedureProperties(JavaScriptIntegrationLibraryImplementation.java:142)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
at org.mozilla.javascript.gen._integration_js_12._c_anonymous_10(/integration.js:95)
at org.mozilla.javascript.gen._integration_js_12.call(/integration.js)
at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
at org.mozilla.javascript.gen.RateAdapter_impl_js_20._c_getRateData_3(RateAdapter-impl.js:66)
at org.mozilla.javascript.gen.RateAdapter_impl_js_20.call(RateAdapter-impl.js)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
at org.mozilla.javascript.gen.RateAdapter_impl_js_20.call(RateAdapter-impl.js)
at com.worklight.integration.js.JavaScriptManager.callFunction(JavaScriptManager.java:240)
at com.worklight.integration.js.JavaScriptManager.invokeFunction(JavaScriptManager.java:214)
at com.worklight.integration.js.JavaScriptManager.invokeFunction(JavaScriptManager.java:194)
at com.worklight.integration.services.impl.AdapterManagerImpl.invokeFunction(AdapterManagerImpl.java:117)
at com.worklight.integration.js.JavaScriptProcedureInvoker.invoke(JavaScriptProcedureInvoker.java:42)
at com.worklight.integration.model.ProcedureInvoker.invokeProcedure(ProcedureInvoker.java:57)
at com.worklight.integration.model.Procedure.invoke(Procedure.java:166)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:169)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:38)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at com.worklight.server.util.ProjectLocal$1RunnableWrapper.run(ProjectLocal.java:261)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at com.worklight.adapters.http.HTTPConnectionManager.execute(HTTPConnectionManager.java:231)
... 50 more
I've tested the adapter with two different hosts, one having a valid SSL cert issued by VeriSign (IIS) and another host having a valid SSL cert issued by Starcom (Apache). Both failed.
Supplement accordingly to Idan's comment
The issued happened on both local development environment with worklight studio and UAT server, both running same WL server version.
Web server and worklight server are hosted on different server. Not on same machine.
You do not explain in the question how was the certificate set-up on the server side. It could be that the certificate configuration was set to expire after 365 days (1 year).
The following are Worklight 6.2 user documentation topics that you should read through thoroughly and then see if you need to adjust your certificate set-up:
SSL configuration
SSL certificate keystore setup
Configuring SSL between Worklight adapters and back-end servers (note the example with setting up validity days)