Error: no trusted certificate found

Let me explain quickly what I’m trying to do. I’m trying to build my own Apple’s Push Notification service in java (for testing purposes). This service works thanks to TLS socket.

I have a java client to create a TLS socket to send push notifications to the APNs. I changed the host url to redirect the socket to localhost:2195. Now I’m trying to write a java socket server to get the notification request.

However, I get an exception during the handshake and can’t find how to fix it.

Note: I’m using the same certificate on both sides, it’s a standard .p12 file that works to send push notifications to the APNs.

Here is the client (simplified):

// Client identity: key and certificate loaded from the .p12 file
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream(certificatePath), password.toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance("sunx509");
kmf.init(ks, password.toCharArray());

// A null KeyStore selects the JDK default trust store (normally cacerts)
TrustManagerFactory tmf = TrustManagerFactory.getInstance("sunx509");
tmf.init((KeyStore)null);

SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

SSLSocketFactory ssf = sc.getSocketFactory();
SSLSocket socket = (SSLSocket) ssf.createSocket(InetAddress.getLocalHost(), 2195);
// The server's certificate chain is validated against tmf's trust anchors here
socket.startHandshake();

Here is the server:

// Server identity: the same .p12 file the client uses
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream(certificatePath), password.toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance("sunx509");
kmf.init(ks, password.toCharArray());

SSLContext context = SSLContext.getInstance("TLS");
// Null trust managers: the installed default trust managers are used
context.init(kmf.getKeyManagers(), null, null);

SSLServerSocketFactory ssf = context.getServerSocketFactory();
serverSocket = (SSLServerSocket) ssf.createServerSocket(2195);

And here is the exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

I guess the client isn’t trusting the server’s certificate. I tried to set the client’s TrustManager to accept the server’s p12 and it worked, however I need this to work without editing the client (since it’s working that way with the real APNs).

What kind of certificate does the server need in order to be trusted by the client?

Thanks in advance.
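
An added example (not part of the original question) that reproduces offline the check the client performs during the handshake: it loads the server's .p12 and asks the same SunX509 default trust manager whether each chain in it is acceptable as a TLS server certificate. The class name, the argument order and the assumed ECDHE key exchange are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ServerChainTrustCheck {
    // args[0] = path to the .p12 the server loads, args[1] = its password (supplied by you)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Same trust configuration as the client in the question:
        // SunX509 factory initialised with null, i.e. the JDK default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init((KeyStore) null);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) tm = (X509TrustManager) t;
        }
        if (tm == null) throw new IllegalStateException("no X509TrustManager available");

        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] certs = ks.getCertificateChain(alias);
            if (certs == null) continue; // no private key: cannot be a server identity
            X509Certificate[] chain = new X509Certificate[certs.length];
            for (int i = 0; i < certs.length; i++) {
                chain[i] = (X509Certificate) certs[i];
                System.out.println(alias + " #" + i + " subject=" + chain[i].getSubjectX500Principal()
                        + " issuer=" + chain[i].getIssuerX500Principal());
            }
            // Assumption: an ECDHE key exchange, as a current JDK would negotiate.
            String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm())
                    ? "ECDHE_ECDSA" : "ECDHE_RSA";
            try {
                tm.checkServerTrusted(chain, authType); // the check that fails in the handshake
                System.out.println(alias + ": chain is trusted for TLS server use");
            } catch (CertificateException e) {
                System.out.println(alias + ": rejected: " + e.getMessage());
            }
        }
    }
}
```

The printed subject and issuer of each certificate show which issuer the default trust store would have to contain for the client to accept the server unmodified.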


Good afternoon.
We use the suggestions API service.
But when we call the service we get this message:
un.security.validator.ValidatorException: No trusted certificate found

And it happens only from one computer; from the others everything is OK.
Windows Server 2008 R2 Enterprise 64-bit.
Thanks!

PS. I first wrote this message without logging in to my account (and put it in the questions section), so I decided to rewrite it properly ))
So that one can be deleted ))


The JDK & JRE ship with their own collection of trusted certificates. This file is named ‘cacerts’, and it can be found under JDK_HOME/jre/lib/security. readlink -f /bin/java should indicate where the JDK_HOME directory is located.

The cacerts file contains a list of all certificates from trusted Certificate Authorities (CAs). The file is in the JKS format, so you can manipulate it with keytool (another command that is part of the JDK). You will need root permissions to modify the file.

Most well-known CAs are already part of the cacerts file. Since you’re encountering an exception, the CA certificate used by your HTTPS endpoints must be missing from this file. You’ll need to extract the CA certificate from the remote endpoint and add it to the cacerts file. Restart your application afterwards, and it should work as expected.

In case you don’t want to modify the cacerts file, it is also possible to set up your own truststore. In this approach, you create a truststore containing the certificates you want to trust, and then use the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties to point your application to it.
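
An added example (not from the original article) of building such an application-specific truststore in Java. Because a store named by javax.net.ssl.trustStore is used instead of cacerts rather than in addition to it, the example copies the JDK's default anchors into the new store before adding the extra CA. The class name, file names and alias are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class BuildAppTrustStore {
    // args: <extra-ca.cer> <out.jks> <password> (hypothetical file names)
    public static void main(String[] args) throws Exception {
        KeyStore out = KeyStore.getInstance("JKS");
        out.load(null, null); // start from an empty in-memory keystore

        // Carry over the JDK's default anchors so public CAs stay trusted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        int n = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                out.setCertificateEntry("jdk-default-" + n++, c);
            }
        }

        // Add the CA certificate exported from the endpoint's chain.
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[0])) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        ca.checkValidity(); // throws if expired or not yet valid
        out.setCertificateEntry("extra-ca", ca);

        // SHA-256 fingerprint, to compare out of band before relying on the store.
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(ca.getEncoded())) {
            fp.append(String.format("%02X", b));
        }
        System.out.println("added " + ca.getSubjectX500Principal() + " sha256=" + fp);

        try (OutputStream os = new FileOutputStream(args[1])) {
            out.store(os, args[2].toCharArray());
        }
    }
}
```

Start the application with -Djavax.net.ssl.trustStore set to the output file, -Djavax.net.ssl.trustStorePassword set to the password, and -Djavax.net.ssl.trustStoreType=JKS.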

The error “no trusted certificate found” can appear when opening the iDRAC console with Java from the Chrome browser.

In this case, opening the iDRAC console in Internet Explorer may fix the issue. In the few cases where opening it in Internet Explorer does not work either, the steps below will help to resolve the issue.

Solution:

Follow the steps below to resolve the issue:

  • Note the iDRAC console URL from the browser.
  • Go to the Start menu or Windows Search bar, type Configure Java and open the application.
  • Configure Java opens the Java Control Panel, which has the tabs General, Update, Java, Security and Advanced.
  • Go to the Security tab, click Edit site list, add the iDRAC console URL to the exception site list in the popup and click OK.
  • Now try to open the iDRAC console and validate that everything works.

If you face any issue in following these steps, or if you have any other tips, feel free to let us know via the comments section below.

Problem Description

You received the error, «javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found».

Cause

This error indicates that your application does not trust the root CA (Certifying Authority) and/or the intermediate CAs of the CyberSource SSL server certificate.

Resolution

To resolve this issue, you must download the root and intermediate certificates and import them into the Java KeyStore used by your application.

Note: These instructions assume you are using Internet Explorer as your web browser.

Download the Root and Intermediate Certificates

There are 3 certificates that need to be downloaded:

  • Entrust,
  • Entrust Root Certification Authority,
  • Entrust Certification Authority — L1E.
  1. Navigate to the host your application is trying to communicate with:

For the Simple Order and SOAP Toolkit APIs

For Batch Upload (Offline Transaction File Submission)

  2. Select your .p12 key when prompted.

If you haven’t imported your .p12 key into Internet Explorer, go to Tools > Internet Options > Content > Certificates > Import > then import your .p12 key.

Root certificate (Entrust.net Secure Server Certification Authority)

  1. Click Next > Finish.
  2. Specify a filename
  3. Click View Certificate > Details > Copy to File > next > next >
  4. Click on (Select) Entrust
  5. Click on File > Properties > Certificates > Certification Path

First intermediate certificate (Entrust Root Certification Authority)

  1. Click File > Properties > Certificates > certification path
  2. Select Entrust Root Certification Authority
  3. Click View Certificate > Details > Copy to File > next > next
  4. Specify a filename
  5. Click next > and finish.

Second intermediate certificate (Entrust Certification Authority — L1E)

  1. Click on File > Properties > Certificates > certification path
  2. Select Entrust Certification Authority — L1E > View Certificate > Details > Copy to File > next > next
  3. Specify a filename
  4. Click next > and finish.
  3. Import the certificate into your keystore. The definitions below are followed by the instructions.

    cybsCert: Any alias of your choice. Note that aliases are unique in the keystore, so you must choose a different alias for each certificate. Suggested aliases: CybsEntrustRoot, CybsEntrustIntermediate, CybsEntrustL1E.
    JAVA_HOME: Path to your Java installation
    PATH_TO_MERCHANT_KEYSTORE: Path to the keystore that you generated during the batch upload implementation
    MERCHANT_KEYSTORE: Name of the keystore that you generated during the batch upload implementation
    cybsCert.cer: Certificate you exported from step 2
    keytool: Utility included in the Java SDK
    cacerts: Default Java keystore

For the Simple Order or SOAP Toolkit APIs

Type the following command without line breaks:

keytool -import -alias cybsCert -keystore JAVA_HOME/jre/lib/security/cacerts -file cybsCert.cer

For Batch Upload

Type the following command without line breaks:

keytool -import -alias cybsCert -keystore PATH_TO_MERCHANT_KEYSTORE/MERCHANT_KEYSTORE.jks -file cybsCert.cer

  4. Enter the password for the keystore. The default password is ‘changeit’ for cacerts (Simple Order and SOAP Toolkit APIs). Note that if you’ve changed the default password of cacerts then use that password instead of ‘changeit’. For the batch file upload, the password is your merchant ID.
  5. Repeat steps 3 and 4 for the remaining two certificates.

You have successfully imported the certificates. If the error persists, you have updated the wrong keystore (i.e. cacerts file). Execute a ‘java -version’ to verify you’ve updated the keystore for the correct version of java you’re currently running.

Many applications use a keystore different than the default cacerts file. For example, the Cybersource Batch Upload API uses a self-generated keystore following the format of .jks. The location of this keystore is specified in the properties file for the batch upload solution. Make sure this keystore is updated if you’re implementing the batch upload solution.
