Jorgamundus
4 Posts

No X509TrustManager implementation available in WAS 6.1 Server Environment

2008-05-19T20:02:14Z
I have the most peculiar of problems that has had me stumped for a little while now. I'm attempting to set up SSL communication between a client running WAS 6.1 and a third-party encryption appliance. I have created a local CA on the third-party appliance and exported that public key (.cer format) to the client box. I used the Java keytool utility to add the CA cert to the trust store at: /was/was61/WebSphere/AppServer/java/jre/lib/security/cacerts. I set that as the trust store on an app server I created on my local client (javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword). I then installed an EAR into the app server. The EAR has a web component and a Java component. However, every time I try to establish a connection over SSL to the third-party appliance, I get the following exception:

java.security.cert.CertificateException: No X509TrustManager implementation available
at com.ibm.jsse2.hb.checkServerTrusted(hb.java:18)
at com.ibm.jsse2.eb.a(eb.java:240)
... 38 more

Next, I used the Admin Console on my local client to add the CA certificate to my cell trust store (located at /was/was61/WebSphere/AppServer/profiles/appsrv01/config/trust.p12) (my local client has both a DM and the app server on it, so I used the DM to push the changes out). I set the cell trust store as my default in the app server through the javax.net.ssl properties and tested it. Same exception.

Strangely enough, I wrote a stand-alone Java application that I packaged into a JAR. All it does is use the JCE provider given to us by the third-party vendor to do a simple encryption over SSL. I ran the JAR using the WAS 6.1 JRE (/was/was61/WebSphere/AppServer/java/bin/java/jre/bin/java) and the SSL connection (and subsequently the encryption) worked just fine.

Is there something different that is happening in a managed server environment that would prevent the SSL communication from being established? I note the exception says the X509TrustManager implementation could not be found. Does this mean that IBM's X509 TrustManager is not available in a server environment?

Can anyone provide any insight into what might be going wrong here and how to resolve it?

Any help is greatly appreciated.

Thanks.
Updated on 2010-11-16T12:20:01Z by JoshuaImmanuel
  • SystemAdmin
    2262 Posts

    Re: No X509TrustManager implementation available in WAS 6.1 Server Environm

    ‏2008-05-21T13:31:44Z  
    The TrustManager is used to initialize the SSL Context. Somehow, it has been overridden to be null. Check the java.security file to see what the ssl.TrustManagerFactory.algorithm is set to. WebSphere may also have a place where you can specify what TrustManager is to be used.

    Usually on JVM 5.0 the default TrustManager is PKIX, although you can supply your own.
  • Jorgamundus
    4 Posts

    Re: No X509TrustManager implementation available in WAS 6.1 Server Environm

    ‏2008-05-21T13:43:31Z  
    Thank you for your reply.

    I checked the java.security file at <WAS61-INSTALL-ROOT>/base_v61/java/jre/lib/security, and this file had the algorithm defined as IbmPKIX (as you had mentioned in your reply). However, my problem still persists. I believe this may be the case because I'm not entirely certain the server is referencing this file. I also added a new JCE provider to this file; however, when testing the application, it did not find my new provider. I had to programmatically add it (Security.addProvider). Do you know if the WAS 6.1 server is pulling its security information from a different file?

    I appreciate any assistance you can offer in this.
  • SystemAdmin
    2262 Posts

    Re: No X509TrustManager implementation available in WAS 6.1 Server Environm

    ‏2008-05-22T19:23:33Z  
    Make sure you put the non-IBM provider at the end of the provider list. Do not put it before the IBMJCE provider.
  • Jorgamundus
    4 Posts

    Re: No X509TrustManager implementation available in WAS 6.1 Server Environm

    ‏2008-05-22T21:16:38Z  
    Per your suggestion, I changed the code from:

    Security.addProvider(new MyProvider());

    To:

    Security.insertProviderAt(new MyProvider(), Security.getProviders().length);

    However, the issue still persists.

    Thank you for your follow-up and assistance.

    Message was edited by: Jorgamundus
    Updated on 2014-03-24T22:11:23Z by iron-man
  • Jorgamundus
    4 Posts

    Re: No X509TrustManager implementation available in WAS 6.1 Server Environm

    ‏2008-06-18T19:59:31Z  
    I have discovered the solution to this. Turns out, when you are pointing to a trust store of type PKCS12, you need to set a third system property (aside from the usual javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword): javax.net.ssl.trustStoreType. Setting this to pkcs12 resolved the issue.

    Message was edited by: Jorgamundus
    Updated on 2008-06-18T19:59:31Z by Jorgamundus
  • Gomsy
    1 Post

    Re: No X509TrustManager implementation available in WAS 6.1 Server Environm

    ‏2009-11-30T18:56:20Z  
    I am getting the same exception and set the system javax.net.ssl.trustStoreType to pkcs12, but to no help.
    Where is the TrustManagerFactory looking for the X509TrustManager implementation?
  • JoshuaImmanuel
    1 Post

    Re: No X509TrustManager implementation available in WAS 6.1 Server Environm

    ‏2010-11-16T12:20:01Z  
    I'm getting the same error too. I have set all the -D options (javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType).

    This is running fine on my local Windows machine. But when trying in WebSphere 6.1 it is failing with the exception
    "Could not write key info request Cause: java.security.cert.CertificateException: No X509TrustManager implementation available"
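
A diagnostic for the checks discussed in this thread, as an added example that is not code from any of the posters or from IBM: it reads the three javax.net.ssl.* properties, loads the store with the declared type, and reports which X509TrustManager the default factory builds. The class name TrustStoreCheck and the fallback to the JRE's cacerts file when no trust store property is set are assumptions made so that it runs stand-alone.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; TrustStoreCheck is a hypothetical name, not part of WAS or JSSE.
public class TrustStoreCheck {
    // Loads the trust store named by the javax.net.ssl.* properties and
    // returns the X509TrustManager the default factory builds from it.
    static X509TrustManager check() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            // Assumption for a stand-alone run: fall back to the JRE's cacerts file.
            path = System.getProperty("java.home") + "/lib/security/cacerts";
        }
        // With trustStoreType unset, the JVM's default keystore type applies.
        String type = System.getProperty("javax.net.ssl.trustStoreType",
                KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        System.out.println("trustStore=" + path + " type=" + type);
        System.out.println("ssl.TrustManagerFactory.algorithm="
                + Security.getProperty("ssl.TrustManagerFactory.algorithm"));

        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            // Fails here when the JVM cannot parse the file as 'type'
            // (for example a PKCS12 file read as JKS on older JVMs).
            ks.load(in, pass == null ? null : pass.toCharArray());
        } finally {
            in.close();
        }
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(ks);
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                System.out.println(alg + " -> " + tms[i].getClass().getName());
                return (X509TrustManager) tms[i];
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + alg);
    }
    public static void main(String[] args) throws Exception {
        System.out.println("acceptedIssuers=" + check().getAcceptedIssuers().length);
    }
}
```

Calling check() from inside the deployed application, rather than only from a stand-alone JVM, shows whether the -D options are actually visible in the server process and whether the store loads with the type that process sees.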