I have a most peculiar of problems that has had me stumped for a little while now. I'm attempting to setup SSL communication between a client running WAS 6.1 and a third-party encryption appliance. I have created a local CA on the third-party appliance and exported that public key (.cer format) to the client box. I used the Java keytool utility to add the CA cert to the trust store at: /was/was61/WebSphere/AppServer/java/jre/lib/security/cacerts. I set that as the trust store on an app server I created on my local client (javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword). I then installed an EAR into the app server. The EAR has a web component and a Java component. However, everytime I try to establish a connection over SSL to the third-party appliance, I get the following exception:
java.security.cert.CertificateException: No X509TrustManager implementation available
... 38 more
Next, I used the Admin Console on my local client to add the CA certificate to my cell trust store (located at /was/was61/WebSphere/AppServer/profiles/appsrv01/config/trust.p12) (my local client has both a DM and the app server on it, so I used the DM to push the changes out). I set the cell trust store as my default in the app server through the javax.net.ssl properties and tested it. Same exception.
Strangely enough, I wrote a stand-alone Java application that I packaged into a JAR. All it does is use the JCE provider given to us by the third-party vendor to do a simple encryption over SSL. I ran the JAR using the WAS 6.1 JRE (/was/was61/WebSphere/AppServer/java/bin/java/jre/bin/java) and the SSL connection (and subsequently the encryption) worked just fine.
Is there something different that is happening in a managed server environment that would prevent the SSL communication from being established? I note the exception says the X509TrustManager implementation could not be found. Does this mean that IBM's X509 TrustManager is not available in a server environment?
Can anyone provide any insight into what might be going wrong here and how to resolve it?
Any help is greatly appreciated.
NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
This topic has been locked.
7 replies Latest Post - 2010-11-16T12:20:01Z by JoshuaImmanuel
Pinned topic No X509TrustManager implementation available in WAS 6.1 Server Environment
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2010-11-16T12:20:01Z at 2010-11-16T12:20:01Z by JoshuaImmanuel
SystemAdmin 110000D4XK2262 PostsACCEPTED ANSWER
Re: No X509TrustManager implementation available in WAS 6.1 Server Environm2008-05-21T13:31:44Z in response to JorgamundusThe TrustManager is used to initialize the SSL Context. Somehow, it has been overridden to be null. Check the java.security file to see what the ssl.TrustManagerFactory.algorithm is set to. WebSphere may also have a place where you can specify what TrustManager is to be used.
Usually on JVM 5.0 the default TrustManager is PKIX. Although you can supply your own.
Re: No X509TrustManager implementation available in WAS 6.1 Server Environm2008-05-21T13:43:31Z in response to SystemAdminThank you for your reply.
I checked the java.security file at <WAS61-INSTALL-ROOT>/base_v61/java/jre/lib/security, and this file had the algorithm defined as IbmPKIX (as you had mentioned in your reply). However, my problem still persists. I believe this may be the case because I'm not entirely certain the server is referencing this file. I also added a new JCE provider to this file; however, when testing the application, it did not find my new provider. I had to programmatically add it (Security.addProvider). Do you know if the WAS 6.1 server is pulling its security information from a different file?
I appreciate any assistance you can offer in this.
SystemAdmin 110000D4XK2262 Posts
Re: No X509TrustManager implementation available in WAS 6.1 Server Environm2008-05-22T21:16:38Z in response to SystemAdminPer your suggestion, I changed the code from:
Security.insertProviderAt(new MyProvider(), Security.getProviders().length);
However, the issue still persists.
Thank you for your follow-up and assistance.
Message was edited by: JorgamundusUpdated on 2014-03-24T22:11:23Z at 2014-03-24T22:11:23Z by iron-man
Re: No X509TrustManager implementation available in WAS 6.1 Server Environm2008-06-18T19:59:31Z in response to JorgamundusI have discovered the solution to this. Turns out, when you are pointing to a trust store of type PKCS12, you need to set a third system property (aside from the usual javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword): javax.net.ssl.trustStoreType. Setting this to pkcs12 resolved the issue.
Message was edited by: JorgamundusUpdated on 2008-06-18T19:59:31Z at 2008-06-18T19:59:31Z by Jorgamundus
Gomsy 110000QB5A1 PostACCEPTED ANSWER
Re: No X509TrustManager implementation available in WAS 6.1 Server Environm2009-11-30T18:56:20Z in response to JorgamundusI am getting the same exception and set the system javax.net.ssl.trustStoreType to pkcs12, but to no help.
Where is the TrustManagerFactory looking for the X509TrustManager implementation?
JoshuaImmanuel 270003PKRD1 PostACCEPTED ANSWER
Re: No X509TrustManager implementation available in WAS 6.1 Server Environm2010-11-16T12:20:01Z in response to GomsyI'm getting the same error too. I have set all the -D options(javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType).
This is running fine in my local windows machine. But when trying in Webshpere 6.1 it is failing with the exception
"Could not write key info request Cause: java.security.cert.CertificateException: No X509TrustManager implementation available"