Spring Boot SSL truststore properties not working
I am running a Spring Boot application which is a web service client and sends requests to a web service on a JBoss.

A certificate was added on the JBoss, and since then I started getting this exception:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)

So I searched on Google for how to communicate with a cert-based JBoss and came up with the idea that I needed to create a trust store from the JBoss cert and then use that in my application.yaml:

    server:
      port: 7887
      address: 127.0.0.1
      ssl:
  #      enabled: true
        trust-store: file:config/myapp.truststore
        trust-store-password: myappdomain

This didn't work. So I went with a more manual, hands-on approach.

I just did the below and this worked. (For anyone having the same issue, this works; I added the truststore in the config directory, and the config directory was at the same level as myapp.jar.)

java  -Djavax.net.ssl.trustStore=config/myapp.truststore -jar myapp.jar  

My question: why did the application.yaml configs not work? Was I missing something?

The above approach works without a password (maybe because the password is the same on the keystore and cert in JBoss as the trust store password).

Is there any security issue, or any other kind of issue, with the approach that worked? And for the future, how can I make the yaml configs work?

Sutphin answered 28/5/2018 at 5:05 - Comments (3)

I looked at github.com/codependent/spring-boot-ssl-mutual-authentication and this example used the same way I did, but mine never worked. I am still lost. - Sutphin

I'm just facing the same problem ... I don't want SSL configured, while I have some HTTPS requests to 3rd parties ... and the properties are ignored :/ Have you found the reason? - Drizzle

I too faced a similar issue. Don't know why the keystore property works, but not the truststore. - Cupboard
It is correct as you wrote it: you need to use javax.net.ssl.trustStore and its paired property javax.net.ssl.trustStorePassword to check the validity of the remote service you are calling.

I understand the 3 options the following way:

  • server.ssl.key-store => used to authenticate yourself (the server) to other clients calling you
  • javax.net.ssl.trustStore => used to authenticate servers you are calling as a client from your Spring Boot app.
  • server.ssl.trust-store => used only if you are using 2-way SSL with Spring, where you authenticate yourself as a client towards another SSL-secured server. Probably you will not use this so often when implementing SSL (one-way SSL). So stick with the first two and you are good.
Jaffe answered 24/6, 2020 at 8:28 Comment(0)
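The answer above explains the split between server.ssl.* (the embedded server) and javax.net.ssl.* (the JVM-wide default for outbound connections). The third way, which avoids a process-wide system property entirely, is to load the truststore yourself and hand an SSLContext to the outbound client. The following is an added example written for this page, not code from the question or the answer; it uses only the JDK (java.net.http.HttpClient, Java 11+), and the truststore path config/myapp.truststore, the optional password argument, and the URL https://jboss.example.internal:8443/ws are placeholders that match the layout described in the question.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.time.Duration;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Outbound HTTPS client that trusts exactly the certificates in an explicit
 * truststore. Nothing here touches server.ssl.* (which only configures the
 * embedded server) or the JVM-wide javax.net.ssl.trustStore property.
 * Paths, password handling and the target URL are placeholders.
 */
public final class OutboundTlsClient {

    private OutboundTlsClient() {}

    /**
     * Loads a JKS or PKCS12 truststore from disk. A null password skips the
     * integrity check on a JKS file, which is why the -D approach in the
     * question worked without javax.net.ssl.trustStorePassword.
     */
    static KeyStore loadTrustStore(Path path, char[] password)
            throws IOException, GeneralSecurityException {
        // KeyStore.getInstance(File, char[]) (Java 9+) probes the file type itself.
        return KeyStore.getInstance(path.toFile(), password);
    }

    /** Fails fast if the store is empty: a wrong path would otherwise only show up as PKIX errors on the first request. */
    static int countTrustedEntries(KeyStore trustStore) throws GeneralSecurityException {
        int n = 0;
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements(); ) {
            System.out.println("trusted alias: " + aliases.nextElement());
            n++;
        }
        if (n == 0) {
            throw new IllegalStateException("truststore contains no certificates");
        }
        return n;
    }

    /** Builds an SSLContext whose trust decisions come solely from the given truststore. */
    static SSLContext sslContextFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                     // PKIX trust manager backed by our store, not cacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key managers: one-way TLS, we present no client cert
        return ctx;
    }

    /** Wires the SSLContext into a JDK HttpClient; RestTemplate/WebClient accept one the same way through their connector. */
    static HttpClient httpClientWith(SSLContext ctx) {
        return HttpClient.newBuilder()
                .sslContext(ctx)
                .connectTimeout(Duration.ofSeconds(10))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder defaults mirror the question: config/ sits next to myapp.jar.
        Path trustStorePath = Path.of(args.length > 0 ? args[0] : "config/myapp.truststore");
        char[] password = args.length > 1 ? args[1].toCharArray() : null;

        KeyStore ts = loadTrustStore(trustStorePath, password);
        countTrustedEntries(ts);

        HttpClient client = httpClientWith(sslContextFor(ts));
        HttpRequest req = HttpRequest.newBuilder(
                        URI.create("https://jboss.example.internal:8443/ws")) // placeholder endpoint
                .GET()
                .build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + resp.statusCode());
    }
}
```

Two caveats on the approaches discussed on the page. Setting javax.net.ssl.trustStore replaces the JVM's default trust store rather than adding to it, so with the -D flag in the question the application trusts the JBoss certificate and nothing else, including the public CAs in cacerts; that is fine for a client that talks only to that JBoss, and is also why a per-client SSLContext like the one above is preferable when the same process must call third parties. If the system property route is kept, the password passed on the command line via -Djavax.net.ssl.trustStorePassword is visible to anyone who can list processes, and both properties must be set before the first TLS handshake, since the default SSLContext reads them once at initialisation.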
