WebSphere Application Server & Liberty

  • 1.  SSL connectivity error to GitHUB server using the spring boot cloud config server

    Posted Mon February 03, 2020 09:30 AM
    Hi,

    We have deployed the Spring Boot application on the WAS app server and are experiencing an SSL handshake error (the attached text file contains the detailed error stack trace) when using the keystore.p12 and truststore.p12 files (i.e. we imported the remote GitHub server's self-signed certificate through the WAS admin console using SSL certificate and key management > Key stores and certificates).

    It works as expected if we add the remote server's (GitHub server's) self-signed certificate to <WAS_INSTALL_ROOT>/java/jre/lib/security/cacerts.

    As per our company security guidelines we would like to use the truststore.p12 option instead of cacerts. Could you provide us with help in this regard? Any help along these lines is appreciated.

    Target Environment: WAS 8.5.5.15
    Deployed Artifact: Spring Boot Cloud configuration server (i.e. spring-boot-starter-parent 2.0.6.RELEASE)

    ERROR :
    [1/30/20 16:05:38:786 EST] 000000d0 SystemOut O WebContainer : 0, SEND TLSv1 ALERT: fatal, description = certificate_unknown
    [1/30/20 16:05:38:786 EST] 000000d0 SystemOut O WebContainer : 0, WRITE: TLSv1 Alert, length = 2
    [1/30/20 16:05:38:786 EST] 000000d0 SystemOut O [Raw write]: length = 7
    [1/30/20 16:05:38:786 EST] 000000d0 SystemOut O 0000: 15 03 01 00 02 02 2e .......

    [1/30/20 16:05:38:786 EST] 000000d0 SystemOut O WebContainer : 0, called closeSocket()
    [1/30/20 16:05:38:786 EST] 000000d0 SystemOut O WebContainer : 0, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by CN=RDC Certificate Authority, DC=XXX-XX-ABC-Z001, DC=com is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error
    [1/30/20 16:05:38:815 EST] 000000d0 SystemOut O 2020-01-30 16:05:38.788 ERROR 13362 --- [ebContainer : 0] o.h.n.c.s.h.PropertySearchController : Cannot clone or checkout repository: https://github.server.name/sx-development/sx-configuration.git

    org.springframework.cloud.config.server.environment.NoSuchRepositoryException: Cannot clone or checkout repository: https://github.server.name/sx-development/sx-configuration.git
    at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.refresh(JGitEnvironmentRepository.java:292) ~[spring-cloud-config-server-2.0.1.RELEASE.jar:2.0.1.RELEASE]

    ------------------------------
    Subba Reddy Bogathi

    java/j2ee developer
    ------------------------------


  • 2.  RE: SSL connectivity error to GitHUB server using the spring boot cloud config server

    Posted Tue February 04, 2020 07:07 AM
    Hello Subbareddy,
    Which class does the application use to obtain the SSL socket? AFAIK the class "SSLSocketFactory" bypasses the WAS SSL layer and uses the plain Java SSL infrastructure (keystores etc.). I'm not a developer, but I think you need to obtain the socket via the class "SSLServerSocketFactory" to utilize the WAS SSL infrastructure (I remember I had a similar case some years ago). Hope this helps.

    ------------------------------
    Hermann Huebler

    #IBMChampion
    ------------------------------



  • 3.  RE: SSL connectivity error to GitHUB server using the spring boot cloud config server

    Posted Tue February 04, 2020 08:20 AM
    You need to review the same thread upward to see which SSL configuration is used. I am thinking that since it's third-party code it may not be using the IBM JSSE WSAS (WebSphere Application Server) SSL configuration; it is defaulting to the socket factory, so you will have to add the signer to the Java-layer CACERTS file.

    The exception just means that the client-side trustStore does not have a valid signer:
    CN=RDC Certificate Authority, DC=XXX-XX-ABC-Z001, DC=com is not trusted

    You need to add it to CACERTS or whatever trustStore is loaded by thread id 000000d0:

    [1/30/20 16:05:38:786 EST] 000000d0 SystemOut O WebContainer : 0, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by CN=RDC Certificate Authority, DC=XXX-XX-ABC-Z001, DC=com is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error
    [1/30/20 16:05:38:815 EST] 000000d0 SystemOut O 2020-01-30 16:05:38.788 ERROR 13362 --- [ebContainer : 0] o.h.n.c.s.h.PropertySearchController : Cannot clone or checkout repository: github.server.name/sx-development/sx-configuration.git

    org.springframework.cloud.config.server.environment.NoSuchRepositoryException: Cannot clone or checkout repository: github.server.name/sx-development/sx-configuration.git
    at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.refresh(JGitEnvironmentRepository.java:292) ~[spring-cloud-config-server-2.0.1.RELEASE.jar:2.0.1.RELEASE]

    ------------------------------
    Ajit Jariwala
    ------------------------------
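    The check Ajit describes (does the client's trustStore hold a signer for the chain the server presents?) can be run outside the application. The following Java program is an added example written for this thread; it is not code from the original posts, from IBM or from Spring. It loads a PKCS12 truststore, runs the same PKIX path validation JSSE performs during the handshake against a server chain saved to a PEM file, and then builds an SSLContext whose trust decisions come from that truststore rather than from cacerts. The class name, the file paths and the password are placeholders supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Validates a server certificate chain against a PKCS12 truststore and builds an
 * SSLContext that trusts only that store. Hypothetical helper, not part of WAS or Spring.
 * Usage: java TruststoreCheck <truststore.p12> <password> <server-chain.pem>
 */
public final class TruststoreCheck {

    /** Load the PKCS12 truststore (path and password are caller-supplied placeholders). */
    static KeyStore loadTruststore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Read a PEM file holding the server chain, leaf certificate first. */
    static List<X509Certificate> loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Collect every trusted certificate entry of the store (these become the PKIX trust anchors). */
    static Set<Certificate> trustedCerts(KeyStore ks) throws Exception {
        Set<Certificate> trusted = new HashSet<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                trusted.add(ks.getCertificate(alias));
            }
        }
        return trusted;
    }

    /**
     * Run PKIX path validation the way JSSE does in the handshake.
     * Returns null on success, otherwise the failure reason, e.g. the issuer not being a trust anchor,
     * which is what the "PKIX path building failed" / "Certificate chaining error" in the thread reports.
     */
    static String validate(KeyStore truststore, List<X509Certificate> chain) throws Exception {
        Set<Certificate> anchors = trustedCerts(truststore);
        // Like the JDK validator, cut the chain at the first certificate that is itself a trust
        // anchor; a self-signed server certificate imported as a signer is then trusted directly.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (anchors.contains(c)) {
                break;
            }
            path.add(c);
        }
        if (path.isEmpty()) {
            return null; // leaf itself is a trusted entry of the store
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(truststore); // throws if the store has no trusted certs
        params.setRevocationEnabled(false);                    // offline check; enable for CRL/OCSP
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }

    /** Build an SSLContext whose trust decisions come from the truststore, not from cacerts. */
    static SSLContext contextFrom(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TruststoreCheck <truststore.p12> <password> <server-chain.pem>");
            System.exit(2);
        }
        KeyStore ts = loadTruststore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = loadChain(args[2]);
        System.out.println("Leaf subject: " + chain.get(0).getSubjectX500Principal());
        System.out.println("Leaf issuer : " + chain.get(0).getIssuerX500Principal());
        String failure = validate(ts, chain);
        if (failure != null) {
            System.out.println("NOT trusted by " + args[0] + ": " + failure);
            System.exit(1);
        }
        System.out.println("Chain validates against " + args[0]);
        // Making this the JVM-wide default means code that goes through SSLContext.getDefault()
        // or SSLSocketFactory.getDefault() (plain JSSE, outside the WAS SSL layer) trusts the PKCS12 store too.
        SSLContext.setDefault(contextFrom(ts));
    }
}
```

    The server chain can be captured with `openssl s_client -showcerts -connect host:443` and the PEM blocks saved to a file. For a client that uses plain JSSE rather than the WAS SSL configuration, the standard `javax.net.ssl.trustStore`, `javax.net.ssl.trustStoreType=PKCS12` and `javax.net.ssl.trustStorePassword` system properties point the default SSLContext at the same PKCS12 store without a code change; whether a given library honours the default context (as opposed to building its own) is what the tool above helps confirm.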



  • 4.  RE: SSL connectivity error to GitHUB server using the spring boot cloud config server

    Posted Tue February 04, 2020 09:54 AM
    Hello Ajit,
    " ... it may not be using IBM JSSE WSAS (WebSphere Application Server) SSL configuration ..." --> that's what I'm suspecting as well. However, this depends on the application coding and there is nothing you can do here (except adding the signer to cacerts). You might get in touch with the application provider to clarify that.

    ------------------------------
    Hermann Huebler

    #IBMChampion
    ------------------------------



  • 5.  RE: SSL connectivity error to GitHUB server using the spring boot cloud config server

    Posted Wed April 01, 2020 06:25 PM
    Hi,
      After removing the jars (i.e. httpclient-4.5.5.jar and httpcore-4.4.9.jar) from our Spring Boot application's shared lib, it started working.

    Even the self-signed certificate that had been configured (in the IBM JSSE WSAS (WebSphere Application Server) SSL configuration) is now also being considered.

    thanks 
    Subba



    ------------------------------
    Subbareddy Bogathi
    ------------------------------