Bruno Tchaikovsky

Reputation: 1

SSLHandshakeException - PKIX - After migrating GlassFish 2 to 5

I've got an application that was running on GlassFish 2.1. After a migration to GlassFish 5.1, I'm facing a problem. Every time my application makes a request to an external API or Amazon SQS, for example, I get the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Before the migration, all the requests were working successfully.

I've already tried to set these properties:

System.setProperty("com.sun.net.ssl.checkRevocation", "false");
System.setProperty("javax.net.ssl.trustStore","clientTrustStore.key");
System.setProperty("javax.net.ssl.trustStorePassword","qwerty");

And added this to domain.xml:

<jvm-options>-Djava.net.preferIPv4Stack=true</jvm-options>

I've also already tried to create a custom class implementing X509TrustManager.

Can anyone help me to solve this issue?

I already tried all the solutions above and the error is still the same.

Upvotes: 0

Views: 105

Answers (1)

Ondro Mihályi

Reputation: 7740

This is because you call the external API via HTTPS and GlassFish only allows such connections if the external service presents a certificate that GlassFish can trust.

GlassFish only trusts certificates that are in the trust store file cacerts.jks in the GlassFish domain. It's possible that GlassFish 2 didn't have this requirement and it allowed connections to any external service.

There's a discussion about this on the GlassFish issue tracker: https://github.com/eclipse-ee4j/glassfish/issues/24523#issuecomment-1657651280

A solution is to download the certificate presented by the external API and install it into the cacerts.jks file, which is in the config directory of the GlassFish domain. You can use the keytool command line tool available in the JDK.

Alternatively, you can import all certificates from your JDK into the cacerts.jks file. It's likely that it's enough if the external services present certificates signed by trusted public authorities.

Upvotes: 0
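
The first solution in the answer above, as an added shell example that is not part of the original answer: it downloads the certificate a host presents with keytool and imports it into the domain's cacerts.jks only if its SHA-256 fingerprint matches one obtained out of band. The domain path, host, alias and fingerprint are hypothetical inputs; "changeit" is GlassFish's default master password.

```shell
#!/bin/sh
# Added example, not from the original answer. The caller supplies the domain
# directory, host, alias and expected fingerprint (all hypothetical inputs).
# STOREPASS defaults to "changeit", GlassFish's default master password.
STOREPASS="${STOREPASS:-changeit}"

# Trust store location inside a GlassFish domain directory.
truststore_path() { printf '%s/config/cacerts.jks\n' "${1%/}"; }

# Canonical fingerprint form: hex digits only, upper case.
normalize_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Save the first (leaf) certificate presented by host:port as PEM.
fetch_leaf() {  # host port outfile
    keytool -printcert -sslserver "$1:$2" -rfc 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p;/END CERTIFICATE/q' > "$3"
    [ -s "$3" ]
}

# SHA-256 fingerprint of a PEM certificate, as printed by keytool.
cert_sha256() { keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p' | head -n 1; }

# Import the leaf only if it matches a fingerprint obtained out of band.
import_if_pinned() {  # domain_dir host port alias expected_sha256
    pem=$(mktemp) || return 1
    if ! fetch_leaf "$2" "$3" "$pem"; then
        echo "no certificate received from $2:$3" >&2; rm -f "$pem"; return 1
    fi
    got=$(normalize_fp "$(cert_sha256 "$pem")")
    if [ -z "$got" ] || [ "$got" != "$(normalize_fp "$5")" ]; then
        echo "fingerprint mismatch for $2: got ${got:-none}" >&2
        rm -f "$pem"; return 2
    fi
    keytool -importcert -noprompt -alias "$4" -file "$pem" \
        -keystore "$(truststore_path "$1")" -storepass "$STOREPASS"
    rc=$?; rm -f "$pem"; return "$rc"
}

# Usage (constructed values):
#   import_if_pinned /opt/glassfish5/glassfish/domains/domain1 \
#       api.example.com 443 example-api "<sha256 from the API owner>"
```

Restart the domain after a successful import so the JVM reloads the trust store.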
