You may want to enable ssl debugging: -Djavax.net.debug=all https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Anthony > On Jun 11, 2018, at 3:49 PM, Udo Kohlmeyer <ukohlme...@pivotal.io> wrote: > > Hi there, > > Have you tried the following? > > https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html > > I have not tried to use a PKCS12 keystore type. Was there a particular reason > why you are using it? Could you try with a JKS? > > --Udo > > On 6/11/18 03:31, Liron Ben Ari wrote: >> Hello team. >> I am trying to move my Client server to work with SSL as part of Security >> POC we are running . >> I was moving on GEODE documents (there are a lot! :)) and there was a lot >> of different options... >> >> >> >> This is the configuration I used: >> >> I've generated Keystore & certificate using a private tool (that uses the >> openssl + Keytools) >> >> For client: >> A file containing PEM encoded X.509 certificate and PEM encoded PKCS#8 >> encrypted private key >> For server: >> PKCS#12 - this part works >> as we could see openssl s_client to return the chain >> >> >> >> On the gemfire.proerties file - I used: >> >> ssl-enabled-components=all >> ssl-protocols=any >> ssl-ciphers=SSL_RSA_WITH_NULL_SHA //I've tries both option (empty as >> well) >> ssl-keystore-type=PKCS12 >> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12 >> ssl-keystore-password=changeme >> ssl-truststore-type=JKS >> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks >> ssl-truststore-password=changeit >> >> >> >> on the Client Side I used the PEM format: >> gfcpp1.properties: >> ssl-enabled=true >> ssl-keystore=/tmp/server4.pem >> ssl-keystore-password=changeme >> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem >> >> >> this is the error I am getting from the server when client is trying to >> connect (locator): >> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request >> thread[16]> tid=0x55] Exception in processing request from 192.168.2.100 >> javax.net.ssl.SSLHandshakeException: >> sun.security.validator.ValidatorException: PKIX path building failed: >> sun.security.provider.certpath.SunCertPathBuilderException: unable to find >> valid certification >> path to requested target >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) >> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) >> at >> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906) >> at >> sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233) >> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) >> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) >> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) >> at >> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) >> at >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) >> at >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) >> at >> org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013) >> at >> org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:748) >> Caused by: sun.security.validator.ValidatorException: PKIX path building >> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable >> to find valid certification path to requested target >> at >> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) >> at >> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) >> at sun.security.validator.Validator.validate(Validator.java:260) >> at >> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) >> at >> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227) >> at >> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118) >> at >> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888) >> ... 12 more >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: >> unable to find valid certification path to requested target >> at >> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) >> : >> >> this are the errors I am getting from the client: >> >> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown >> >> >> >> >> >> >> Any help will be appreciated !! >> >> Thanks. >> >> >> This message and the information contained herein is proprietary and >> confidential and subject to the Amdocs policy statement, >> >> you may review at https://www.amdocs.com/about/email-disclaimer >> <https://www.amdocs.com/about/email-disclaimer> >> >
