Java - Path to Truststore - Set Property Doesn't Work

java - path to trustStore - set property doesn't work?

You have a typo - it is trustStore.

Apart from setting the variables with System.setProperty(..), you can also use

-Djavax.net.ssl.keyStore=path/to/keystore.jks

Cacerts file path to javax.net.ssl.trustStore does not work in .war

A .war file is a single compressed archive; its contents are not files and cannot be directly referenced in the javax.net.ssl.trustStore property.

You can, however, use Class.getResourceAsStream to copy the certificates to a new file:

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

// Extract the bundled truststore to a real file; the property is read once, at first TLS use,
// so set it before the first HTTPS connection is opened
Path keystore = Files.createTempFile(null, null);
try (InputStream stream = getClass().getResourceAsStream("/cacerts")) {
    if (stream == null) {
        throw new IllegalStateException("/cacerts not found on the classpath");
    }
    Files.copy(stream, keystore, StandardCopyOption.REPLACE_EXISTING);
}

System.setProperty("javax.net.ssl.trustStore", keystore.toString());

how to change default truststore path

Try

-Djavax.net.ssl.trustStore=/real-path/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=jks

As documented here:
https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/envvars002.html, you can also export / set the environment variable:

JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/real-path/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=jks"

How to set keystore and truststore without using System.setProperty()

This example can help you:

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import java.security.KeyStore;

import org.java_websocket.server.DefaultSSLWebSocketServerFactory;

public class EventWebSocketSecureServer extends EventWebSocketServer {

    private static EventWebSocketSecureServer instance;

    public static EventWebSocketSecureServer instance() {
        return instance;
    }

    public EventWebSocketSecureServer(int port, InetAddress ip) {
        this(port, null, null, ip);
    }

    public EventWebSocketSecureServer(int port, String keystorepath, String keystorepassword, InetAddress ip) {
        super(port, ip);

        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            // The two-argument constructor passes null for path and password, so guard both
            if (keystorepath != null && !keystorepath.isEmpty()) {
                char[] ksPassword = keystorepassword == null ? new char[0] : keystorepassword.toCharArray();
                KeyStore ks = KeyStore.getInstance("JKS");
                // try-with-resources closes the file handle even when load() throws
                try (InputStream in = new FileInputStream(new File(keystorepath))) {
                    ks.load(in, ksPassword);
                }

                // The same store supplies the server's private key (KeyManager)
                // and the certificates it will accept from clients (TrustManager)
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ks, ksPassword);
                TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
                tmf.init(ks);

                sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            } else {
                // No keystore: the context falls back to JSSE defaults (no server key material)
                sslContext.init(null, null, null);
            }
            this.setWebSocketFactory(new DefaultSSLWebSocketServerFactory(sslContext));
        } catch (Exception e) {
            com.gmt2001.Console.out.println("Secure EventSocketServer failed: " + e);
            e.printStackTrace();
        }
    }
}

https://www.programcreek.com/java-api-examples/?code=GloriousEggroll/quorrabot/quorrabot-master/src/com/simeonf/EventWebSocketSecureServer.java

How to set different truststore keystore with setProperty

Finally I found the solution:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

String path1 = ..absolute path of keystore..
// A path taken from a URL may still contain %20 for spaces; undo that before opening the file
path1 = path1.replaceAll("%20", " ");
try (InputStream trustStore1 = new FileInputStream(path1)) {
    keyStore.load(trustStore1, new String(..keystore password..).toCharArray());
}

// The same store supplies the key material (KeyManager) and the trusted certificates (TrustManager)
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(keyStore, new String(..keystore password..).toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("SSL");   // "SSL" is a legacy alias; "TLS" is the current name
ctx.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
// Replaces the socket factory used by every HttpsURLConnection opened from now on
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

It's possible to change the keystore at runtime simply by using the "init" method of the SSLContext object. The parameters of this function are the KeyManager and TrustManager, initialized as in the script. So, in this way, it's possible to simulate System.setProperty.
Thank you to everyone!
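The following is an added example, not code from any answer above or from the projects they quote. It serves both the .war question (stores packaged inside the archive) and the "without System.setProperty()" question: the truststore is read straight from a classpath resource into a KeyStore, an SSLContext is built from it, and that context is installed for HttpsURLConnection and as the process-wide default. The resource names /tls/truststore.jks and /tls/client.p12, the password changeit and the URL are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from stores bundled inside the application archive (e.g. a .war),
 * so nothing is copied to disk and no javax.net.ssl.* system property is touched.
 * Resource names and passwords are assumptions for this example.
 */
public final class ClasspathTlsConfig {

    private ClasspathTlsConfig() {}

    /** Loads a store straight from a classpath resource stream (no temp file needed). */
    static KeyStore loadFromClasspath(String resource, char[] password, String type)
            throws IOException, GeneralSecurityException {
        try (InputStream in = ClasspathTlsConfig.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("resource not found on classpath: " + resource);
            }
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);   // password may be null for a password-less truststore
            return ks;
        }
    }

    /**
     * keyStoreResource may be null when the application only verifies servers and
     * presents no client certificate of its own.
     */
    public static SSLContext build(String trustStoreResource, char[] trustPassword,
                                   String keyStoreResource, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        KeyStore trust = loadFromClasspath(trustStoreResource, trustPassword, "JKS");
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // "PKIX"
        tmf.init(trust);

        KeyManagerFactory kmf = null;
        if (keyStoreResource != null) {
            KeyStore keys = loadFromClasspath(keyStoreResource, keyPassword, "PKCS12");
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); // "SunX509"
            kmf.init(keys, keyPassword);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed resources: /tls/truststore.jks holds only CA certificates; no client key pair here
        SSLContext ctx = build("/tls/truststore.jks", "changeit".toCharArray(), null, null);

        // Option 1: only java.net.HttpsURLConnection clients pick the context up
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Option 2: every caller of SSLContext.getDefault() (most HTTP libraries) picks it up
        SSLContext.setDefault(ctx);

        HttpsURLConnection conn = (HttpsURLConnection)
                URI.create("https://internal.example/health").toURL().openConnection();   // assumed URL
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
    }
}
```

Install the context before the first HTTPS request: HttpsURLConnection resolves its default SSLSocketFactory on first use and keeps it, so a context set later through SSLContext.setDefault only reaches connections created by code that calls SSLContext.getDefault() afterwards. Keeping the truststore (public CA certificates) and the keystore (this application's private key) in separate resources means the file with the private key never has to leave the archive.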

How to configure trustStore for javax.net.ssl.trustStore on windows?

You should first check what certificate the server is sending you. To do it:

  1. Turn on SSL debug: -Djavax.net.debug=all
  2. Find the following lines in the log: *** Certificate chain ...
  3. Find who the issuer of the certificate is
  4. Add the issuer certificate to some trust store (actually, if you receive the certificate chain, you can add the root certificate)
  5. Rerun with -Djavax.net.ssl.trustStore=path/to/new/truststore and -Djavax.net.ssl.trustStorePassword=...

BTW:

  1. You don't need to explicitly specify the Java trust store
  2. Every setting of the same system property overrides the previous value
  3. You have a strange line: DEBUG: trying to connect to host "10.53.151.183", port 143, isSSL false
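The five steps above can be done programmatically instead of by reading -Djavax.net.debug output. The example below is added here and is not from the answer; it connects to a host, captures the chain the server presents without ever trusting it (the recording trust manager always rejects the handshake, so it cannot be misused as a trust-all manager), prints subject and issuer of each certificate, and imports the root into a copy of the JDK's cacerts. The host, port and output path are command-line assumptions; "changeit" is the documented default cacerts password.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Captures a server's certificate chain and imports its root into a COPY of cacerts. */
public final class ChainCapture {

    /** Records the chain and then rejects it, so the handshake never actually succeeds. */
    static final class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] captured;

        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            throw new CertificateException("server-side use only");
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            captured = chain.clone();
            throw new CertificateException("capture only; chain intentionally not trusted");
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static X509Certificate[] capture(String host, int port) throws Exception {
        RecordingTrustManager tm = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();               // expected to fail once the chain has been seen
        } catch (Exception expected) {
            // handshake aborted by RecordingTrustManager
        }
        if (tm.captured == null) {
            throw new IllegalStateException("no certificate chain received from " + host + ":" + port);
        }
        return tm.captured;
    }

    /** The root is self-issued (issuer == subject); servers often omit it, so fall back to the last cert sent. */
    static X509Certificate rootOf(X509Certificate[] chain) {
        for (X509Certificate c : chain) {
            if (c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return c;
        }
        return chain[chain.length - 1];
    }

    /** java.home is the JRE directory on JDK 8 and the JDK root on 9+; cacerts sits under lib/security in both. */
    static Path defaultCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                            // assumed: e.g. mail.example.org
        int port = Integer.parseInt(args[1]);             // assumed: e.g. 993
        Path out = Paths.get(args[2]);                    // assumed: e.g. C:\app\truststore.jks
        char[] storePass = "changeit".toCharArray();      // default cacerts password

        X509Certificate[] chain = capture(host, port);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("[" + i + "] subject=" + chain[i].getSubjectX500Principal()
                    + "\n    issuer=" + chain[i].getIssuerX500Principal());
        }
        X509Certificate root = rootOf(chain);

        // Work on a copy so the JDK's own cacerts file stays untouched
        Files.copy(defaultCacerts(), out, StandardCopyOption.REPLACE_EXISTING);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(out)) { ks.load(in, storePass); }
        ks.setCertificateEntry(host + "-root", root);
        try (OutputStream o = Files.newOutputStream(out)) { ks.store(o, storePass); }

        System.out.println("Imported " + root.getSubjectX500Principal() + " into " + out
                + "\nRun with -Djavax.net.ssl.trustStore=" + out
                + " -Djavax.net.ssl.trustStorePassword=changeit");
    }
}
```

Inspect the printed chain before trusting the result: if the server sends only its leaf certificate, rootOf() returns that leaf and the import pins a single server rather than a CA, and a chain captured over a network path you do not control may be an interceptor's. The fallback to the last certificate works because PKIX accepts an intermediate as a trust anchor.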

Setting file content instead of path for truststore

In general it would be possible to load a certificate from memory, for example as outlined here; however, in the current context we are limited by what the Oracle driver supports.

Configuration of the driver is described here, and it does not look like anything besides file-based trust stores is supported. It is hard to provide a more definite answer as the Oracle driver is closed source.

Does javax.net.ssl.trustStore override or add to cacerts

If a custom trust store is specified by javax.net.ssl.trustStore, then the default one (the JDK's default cacerts) won't be used.

Not sure if the term "override" is 100% correct here. The default JDK cacerts remains; you don't update it or anything. But your custom one is used.

I'd say it is not recommended that you modify the default trust store, given that it is shipped with your JVM and will be updated with it.

Instead you could make a copy, add your certificates to the copy, and set this copy as the custom one (using javax.net.ssl.trustStore).

For instance:

  1. Copy the default one (simply copy the file)

  2. Use keytool to add some specific certificates to the copy

     keytool -import -file /path/to/certificate.pem -alias NameYouWantToGiveOfYourCertificate -keystore /path/to/copy/of/default/truststore.jks -storepass changeit

This is just an example. You might want to use some other tool, but hope the idea is clear :)
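Because javax.net.ssl.trustStore replaces cacerts rather than extending it, the copy-and-import approach above has to be repeated every time the JDK ships a new cacerts. The alternative below is an added example (not from the answer) that leaves cacerts alone entirely: it asks the JDK for its default trust manager (TrustManagerFactory.init(null) loads cacerts, or whatever javax.net.ssl.trustStore points to), builds a second one from a private truststore, and chains the two so a chain is accepted if either set of anchors validates it. The path /etc/myapp/private-ca.p12 and the password changeit are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trusts the JDK's own anchors PLUS a private CA without editing or replacing cacerts.
 * A chain passes if the default manager accepts it, or, failing that, the private one does.
 */
public final class CompositeTrust implements X509TrustManager {

    private final X509TrustManager jdkDefault;   // cacerts, or javax.net.ssl.trustStore if set
    private final X509TrustManager extra;        // the organisation's private CA(s)

    CompositeTrust(X509TrustManager jdkDefault, X509TrustManager extra) {
        this.jdkDefault = jdkDefault;
        this.extra = extra;
    }

    /** Passing null to init() makes the factory load the JDK's default truststore. */
    static X509TrustManager fromStore(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    static KeyStore loadStore(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static CompositeTrust of(Path privateTrustStore, char[] password)
            throws IOException, GeneralSecurityException {
        return new CompositeTrust(fromStore(null), fromStore(loadStore(privateTrustStore, password)));
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            jdkDefault.checkServerTrusted(chain, authType);
        } catch (CertificateException publicAnchorsRejected) {
            // Only then consult the private anchors; if they reject too, the handshake aborts
            extra.checkServerTrusted(chain, authType);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            jdkDefault.checkClientTrusted(chain, authType);
        } catch (CertificateException publicAnchorsRejected) {
            extra.checkClientTrusted(chain, authType);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> all = new ArrayList<>();
        for (X509Certificate c : jdkDefault.getAcceptedIssuers()) all.add(c);
        for (X509Certificate c : extra.getAcceptedIssuers()) all.add(c);
        return all.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumed private truststore holding only the internal CA certificate(s)
        CompositeTrust composite = of(Paths.get("/etc/myapp/private-ca.p12"), "changeit".toCharArray());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite }, null);
        SSLContext.setDefault(ctx);   // install before any HTTPS client is created
        System.out.println("trust anchors available: " + composite.getAcceptedIssuers().length);
    }
}
```

Keep the private store small and CA-only: every certificate in it becomes a trust anchor for the whole process. Because this class implements the plain X509TrustManager interface, SunJSSE wraps it and still performs hostname (endpoint identification) checks for clients that request them, as HttpsURLConnection does; the composite only decides which anchors the chain may terminate at.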
