Importing certificates into Java default truststore

Import the custom certificate into the Java truststore to enable HTTPS and resolve the following error.

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This truststore is located in $JAVA_HOME/lib/security/cacerts where $JAVA_HOME is an environment variable holding the location of the Java installation running Automatic Data Lineage. (On Windows, use the %JAVA_HOME% syntax.)

The default password for the Java default truststore is changeit.

Only Importing a Custom Certificate

If you only have a certificate, you can import it directly using the keytool command installed alongside Java. To import the certificate, use the following command.

keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"

The alias is an arbitrary string, but it is a good idea to prefix it with manta so it is easy to locate if needed. The tool will prompt you for a password if needed.

If importing to the Java default truststore, the command will be:

keytool -importcert -file certificate.cer -keystore $JAVA_HOME/lib/security/cacerts -alias "manta_keycloak"

Importing the Whole Truststore

In some cases, you may not have the certificate directly, but you already have it stored in a truststore. In such cases, you can merge the contents of those two truststores using this command.

keytool -importkeystore -srckeystore custom-truststore.jks -destkeystore target.jks

In this case, -srckeystore is the truststore you already have and -destkeystore is the one you are importing the certificates into. For both truststore parameters, it is better to provide absolute paths to the files to make sure the process goes smoothly. keytool will prompt you for the passwords.

For the Java default truststore the command will be:

keytool -importkeystore -srckeystore custom-truststore.jks -destkeystore $JAVA_HOME/lib/security/cacerts

But I Can't Modify the System Truststore…

If the system truststore $JAVA_HOME/lib/security/cacerts is not writable (e.g., if Automatic Data Lineage is running in a container), there is another option.

First, get a copy of the system truststore and import your certificate into the copy of the system truststore. (See the steps above.)

To enable HTTPS support, the copied and updated truststore has to be registered in the setenv_manta scripts that are available for each component in its bin directory. Edit each script, uncomment the variables below, and set their values.

MANTA_AUTH_SSL_TRUSTSTORE=
MANTA_AUTH_SSL_TRUSTSTORE_PASSWORD=

MANTA_AUTH_SSL_TRUSTSTORE is the absolute path to the truststore with the server certificate.

MANTA_AUTH_SSL_TRUSTSTORE_PASSWORD is the password for the truststore.
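The copy-and-import step above, written as a script that first checks the certificate's SHA-256 fingerprint against a value obtained out of band, since anything imported becomes a trust anchor. This is an added example, not part of the product documentation; the function names, argument order and the destination path are assumptions.

```shell
#!/bin/sh
# Added example. All arguments are supplied by the caller. STOREPASS is
# passed on the command line, where other local users can see it via ps.

# Normalize a fingerprint: drop colons/whitespace, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Return 0 only if the first value is a full SHA-256 fingerprint
# (64 hex digits) and equals the second after normalization.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] || return 1
    case "$a" in *[!0-9A-F]*) return 1 ;; esac
    [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a certificate file, as printed by keytool.
cert_sha256() {
    keytool -printcert -file "$1" | awk '/SHA256:/ {print $2; exit}'
}

# import_verified CERT EXPECTED_SHA256 SRC_TRUSTSTORE DEST_COPY ALIAS STOREPASS
# Returns 1 on fingerprint mismatch (nothing is copied), 2 on tool errors.
import_verified() {
    cert=$1; expected=$2; src=$3; dest=$4; alias=$5; pass=$6
    actual=$(cert_sha256 "$cert") || return 2
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $cert; not importing" >&2
        return 1
    fi
    cp "$src" "$dest" || return 2
    # -noprompt skips keytool's "Trust this certificate?" question; that is
    # acceptable here only because the fingerprint was checked above.
    keytool -importcert -noprompt -file "$cert" -keystore "$dest" \
        -alias "$alias" -storepass "$pass" || return 2
    # Confirm the entry exists in the copy before registering it.
    keytool -list -keystore "$dest" -alias "$alias" -storepass "$pass" >/dev/null
}

# Usage (placeholder fingerprint and destination path):
# import_verified certificate.cer "<SHA-256 from the certificate owner>" \
#     "$JAVA_HOME/lib/security/cacerts" /path/to/cacerts-copy manta_keycloak changeit
```

Point MANTA_AUTH_SSL_TRUSTSTORE at the destination copy once the function returns 0.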