Problems configuring IceSSL for Java

I'm having problems configuring IceSSL for Java. I'm following the RSA instructions in section 39.5.4 of the Ice manual exactly, but keep getting an exception when I run my client program. The .jks files provided by ZeroC in [ICE_HOME]/certs work fine. So it seems I'm doing something wrong when generating my own. Here's what I did:
D:\ssl>keytool -genkey -keyalg rsa -keystore cpriv.jks -alias cpriv
Enter keystore password:  password
What is your first and last name?
  [Unknown]:  Christopher Bartley
What is the name of your organizational unit?
  [Unknown]:  Robotics Institute
What is the name of your organization?
  [Unknown]:  Carnegie Mellon University
What is the name of your City or Locality?
  [Unknown]:  Pittsburgh
What is the name of your State or Province?
  [Unknown]:  PA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US correct?
  [no]:  yes

Enter key password for <cpriv>
        (RETURN if same as keystore password):

D:\ssl>keytool -genkey -keyalg rsa -keystore spriv.jks -alias spriv
Enter keystore password:  password
What is your first and last name?
  [Unknown]:  Christopher Bartley
What is the name of your organizational unit?
  [Unknown]:  Robotics Institute
What is the name of your organization?
  [Unknown]:  Carnegie Mellon University
What is the name of your City or Locality?
  [Unknown]:  Pittsburgh
What is the name of your State or Province?
  [Unknown]:  PA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US correct?
  [no]:  yes

Enter key password for <spriv>
        (RETURN if same as keystore password):

D:\ssl>keytool -export -keystore spriv.jks -alias spriv -file cert.tmp
Enter keystore password:  password
Certificate stored in file <cert.tmp>

D:\ssl>keytool -import -keystore spub.jks -file cert.tmp
Enter keystore password:  password
Owner: CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US
Serial number: 43ecb169
Valid from: Fri Feb 10 10:29:45 EST 2006 until: Thu May 11 11:29:45 EDT 2006
Certificate fingerprints:
         MD5:  AA:E3:1A:50:69:93:CE:51:1E:A9:CD:27:BF:01:7C:5D
         SHA1: 1D:D3:D2:11:FF:FD:25:82:92:91:B0:69:A2:1D:D5:ED:C6:48:06:74
Trust this certificate? [no]:  yes
Certificate was added to keystore

D:\ssl>

I then reference the .jks files in my Ice properties file as directed in the manual:
Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.ThreadPerConnection=1
IceSSL.Client.Keystore=cpriv.jks
IceSSL.Client.Password=password
IceSSL.Client.Certs=spub.jks
IceSSL.Server.Keystore=spriv.jks
IceSSL.Server.Password=password
IceSSL.Trace.Security=1

However, when I run the client app, I get the following stack trace:
[ RobotClient: Security: enabling ciphersuites for ssl socket
  local address = 128.2.211.7:1338
  remote address = 128.2.211.7:10005:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ]
Robot: Ice.SocketException
    error = 0
Ice.SocketException
    error = 0
        at IceSSL.SslConnector.connect(SslConnector.java:252)
        at IceInternal.OutgoingConnectionFactory.create(OutgoingConnectionFactory.java:308)
        at IceInternal.DirectReference.getConnection(DirectReference.java:178)
        at Ice._ObjectDelM.setup(_ObjectDelM.java:257)
        at Ice.ObjectPrxHelperBase.__getDelegate(ObjectPrxHelperBase.java:700)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:56)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:44)
        at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:185)
        at edu.cmu.ri.mrpl.terk.robot.Robot.run(Robot.java:41)
        at Ice.Application.main(Application.java:71)
        at Ice.Application.main(Application.java:36)
        at edu.cmu.ri.mrpl.terk.robot.Robot.main(Robot.java:185)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
        at IceSSL.SslConnector.connect(SslConnector.java:213)
        ... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
        ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 23 more

Any ideas?

thanks heaps,

chris

Comments

  • mes (California)
    Hi Chris,

    I tried to reproduce this error using the hello demo while following your instructions for generating the keystores, and everything worked fine. Then I looked closer at your exception stack trace and saw this line:

    at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:185)

    It looks like your client is attempting to connect to Glacier2 over SSL. Since Glacier2 is written in C++ (and therefore uses OpenSSL), you're going to need compatible certificates for both OpenSSL and JSSE.

    The keystores included in the Ice for Java distribution were converted from the OpenSSL certificates and keys found in Ice for C++. This allows us to use C++ services such as Glacier2 and IceGrid over SSL from our Java tests and demos. The Java distribution includes the shell script certs/makecerts, which performs this conversion. I'd recommend taking a look at this script.

    Hope that helps,
    - Mark
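A way to check the trust relationship Mark describes before starting the Ice client, as an added example that is not part of this thread and not ZeroC's code: it loads the JKS trust store named in IceSSL.Client.Certs (spub.jks in the question) together with the certificate chain the Glacier2 server will present (assumed here to be a PEM file exported from the OpenSSL side; the file names, the password argument and the class name TrustStoreCheck are assumptions), and runs the same PKIX trust manager that JSSE uses during the handshake. If the chain does not lead to a certificate held in the trust store, it reports the same "unable to find valid certification path" reason the stack trace above shows, without involving Ice at all.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Offline check: would the JSSE trust store named in IceSSL.Client.Certs
 * accept the certificate chain a server presents?  Added example, not Ice code.
 *
 * Usage: java TrustStoreCheck <truststore.jks> <password> <server-chain.pem>
 * The PEM file is assumed to hold the server certificate first, followed by
 * any intermediate CA certificates, in the order the server sends them.
 */
public class TrustStoreCheck {

    /** Load a JKS trust store from disk. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Parse one or more PEM- or DER-encoded X.509 certificates from a file. */
    static X509Certificate[] loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : certs) {
                chain.add((X509Certificate) c);
            }
            return chain.toArray(new X509Certificate[0]);
        }
    }

    /** Build the PKIX trust manager JSSE itself uses for checkServerTrusted. */
    static X509TrustManager pkixTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Returns null when the chain builds to a trusted anchor, otherwise the
     * validator's message.  This covers chain building and signature checks
     * only; it says nothing about whether the server's name matches.
     */
    static String explainTrust(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        try {
            pkixTrustManager(trustStore).checkServerTrusted(chain, "RSA");
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore.jks> <password> <server-chain.pem>");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        X509Certificate[] chain = loadChain(args[2]);

        // List what the client actually trusts.  A self-signed server
        // certificate has to appear here itself; one signed by a CA needs
        // that CA's certificate here instead.
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("trusted: " + alias + " -> "
                        + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
        System.out.println("server presents: " + chain[0].getSubjectX500Principal()
                + " issued by " + chain[0].getIssuerX500Principal());

        String problem = explainTrust(ts, chain);
        if (problem == null) {
            System.out.println("OK: chain validates against the trust store");
        } else {
            // The same failure the IceSSL stack trace reports, without starting Ice.
            System.out.println("REJECTED: " + problem);
            System.exit(1);
        }
    }
}
```

Run it once against the client trust store and the certificate the Glacier2 server is configured with. If it rejects the chain, the certificate that issued the server's certificate on the OpenSSL side (the CA certificate, or the server certificate itself when it is self-signed) still has to be imported into the trust store; that is the `keytool -import` step from the question, applied to the C++ side's certificate rather than to one freshly generated with keytool.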
  • chris
    Hi Mark,

    > It looks like your client is attempting to connect to Glacier2 over SSL. Since Glacier2 is written in C++ (and therefore uses OpenSSL), you're going to need compatible certificates for both OpenSSL and JSSE.

    [sigh]...geeez do I feel dumb. That makes perfect sense. Glad it's Friday--I'll try to be smarter next week.

    > The Java distribution includes the shell script certs/makecerts, which performs this conversion.

    Cool, I'll check it out. BTW, makecerts appears to only be included in the source distribution of Ice for Java 3.0.1. Might be nice to include it in the binary distro, too.

    Thanks for all your help (and patience for when I'm being extra dumb).

    chris
    P.S. Thanks also for the great Dynamic Ice article in the latest Connections! The problem it solves sure looks familiar! ;)