CODEWITHSUNDEEP
javamongodbrestssl
Kelper
Kelper

Reputation: 91

How to authenticate between a Java 11 Client - MongoDB 4.4 (SSL)?

I've been asked to migrate a Java 8 (spring) micro-service to a Java 11 microservice (Quarkus framework). The microservice uses a X509 certificate to authenticate to a MongoDB 4.4 database. This works well for the Java 8 version without any error or issue. Nevertheless the Java 11 version won't work and it displays the following Stack Trace when deployed:

  com.mongodb.MongoSocketWriteException: Exception sending message
        at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:619)
        at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:497)
        at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:328)
        at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:278)
        at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:83)
        at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:33)
        at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:107)
        at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:62)
        at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:144)
        at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:188)
        at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:144)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

Relevant Source Code:

package everest.onecd.config;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoDatabase;

public class MongoConfiguration  {
    
    private static final String PATH = "/usr/share/easy-rsa/keys/java11/mongo.jks";
    
    private static final Logger LOG = LoggerFactory.getLogger(MongoConfiguration.class);
            
    private static final String IP = "XX.XX.XX.XX";
    
    private static final String PORT = "27017";

    public static MongoDatabase getDatabase() {
        SSLContext context = getSSLContext();
        MongoClientSettings.Builder settings = MongoClientSettings.builder();
        settings.applyToSslSettings(builder -> { builder.context(context); builder.invalidHostNameAllowed(true); builder.enabled(true); });
        settings.applyConnectionString(new ConnectionString("mongodb://" + IP +  ":" + PORT + "/test?ssl=true&authMechanism=MONGODB-X509&connectTimeoutMS=60000&socketTimeoutMS=60000&retryWrites=true&maxIdleTimeMS=60000"));                      
        MongoClient client = MongoClients.create(settings.build());     
        MongoDatabase database = client.getDatabase("test");        
        return database;
    }

    private static SSLContext getSSLContext() {
        SSLContext sslContext = null;
            try (FileInputStream fis = new FileInputStream(new File(PATH))) {                               
                KeyStore keyStore = KeyStore.getInstance("JKS");
                keyStore.load(fis, ".sevenzip".toCharArray());
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init(keyStore);
                sslContext = SSLContext.getInstance("SSL");
                sslContext.init(null, trustManagerFactory.getTrustManagers(), null);        
                LOG.info("Se ejecuto SSLContext exitosamente");
            } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException | KeyManagementException e) {
                LOG.error(e.toString(), e);         
            } 
        return sslContext;
    }
}

I already tried this: Java 11 and 12 SSL sockets fail on a handshake_failure error with TLSv1.3 enabled So, I generated the new JKS with -keyalg RSA but it didn't work either. I also changed the TLS version to 1.2 and 1.3 and got the same exception.

Upvotes: 0

Views: 777

Answers (1)

Kelper
Kelper

Reputation: 91

This is the solution, after all the struggle. In Quarkus, it is required to fully inicialize all trust stores and key stores. So, aparently, it ignores both JVM args -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore.

private static SSLContext getSSLContext() {
    SSLContext sslContext = null;
        try (FileInputStream fis = new FileInputStream(new File(TPATH))) {                              
            KeyStore trustStore = KeyStore.getInstance("JKS");
            trustStore.load(fis, ".sevenzip".toCharArray());
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            
            FileInputStream fKS = new FileInputStream(new File(PATH));
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(fKS, ".sevenzip".toCharArray());
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, ".sevenzip".toCharArray());
            
            sslContext = SSLContext.getInstance("SSL");
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
            
            LOG.info("Se ejecuto SSLContext exitosamente");
        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException | KeyManagementException e) {
            LOG.error(e.toString(), e);         
        } catch (UnrecoverableKeyException e) {
            LOG.error(e.toString(), e);             
        } 
    return sslContext;
}

Upvotes: 1

Related Questions