Re: PostgreSQL + SSL - sun.security.validator.ValidatorException

Lists: pgsql-jdbc
From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-06 23:49:22
Message-ID: 73F89B04-47E1-11D9-870C-0003938366A4@jibeya.com

Hi,
I have specified a connection string in my postgres-ds.xml file as

Connection string:

jdbc:postgresql://localhost:5432/mydatabase?ssl

my Driver is:
DriverVersion PostgreSQL 8.0devel JDBC3 with SSL (build 308)

Where is the driver looking for the keystore/certificate?, as I have
placed them in the root of the data folder - /usr/local/pgsql/data. If
I remove any of the certificate files from the data folder I get an
error message telling me that the files do not exist.

The error message I'm getting is:

14:12:56,779 WARN [SettingsFactory] Could not obtain connection metadata
org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (org.postgresql.util.PSQLException: The connection attempt failed.); - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (org.postgresql.util.PSQLException: The connection attempt failed.))
    at org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:106)
    at net.sf.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:59)
    at net.sf.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:73)
    at net.sf.hibernate.cfg.Configuration.buildSettings(Configuration.java:1132)
    at net.sf.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:766)
    at org.jboss.hibernate.jmx.Hibernate.buildSessionFactory(Hibernate.java:476)
    at org.jboss.hibernate.jmx.Hibernate.startService(Hibernate.java:444)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
    at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:891)
    at $Proxy0.start(Unknown Source)
    at org.jboss.system.ServiceController.start(ServiceController.java:416)
    at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
    at $Proxy4.start(Unknown Source)
    at org.jboss.deployment.SARDeployer.start(SARDeployer.java:261)
    at org.jboss.deployment.MainDeployer.start(MainDeployer.java:935)
    at org.jboss.deployment.MainDeployer.start(MainDeployer.java:927)
    at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:746)
    at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:709)
    at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:119)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
    at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:131)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
    at $Proxy8.deploy(Unknown Source)
    at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:305)
    at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:481)
    at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:204)
    at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:277)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
    at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:891)
    at $Proxy0.start(Unknown Source)
    at org.jboss.system.ServiceController.start(ServiceController.java:416)
    at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
    at $Proxy4.start(Unknown Source)
    at org.jboss.deployment.SARDeployer.start(SARDeployer.java:261)
    at org.jboss.deployment.MainDeployer.start(MainDeployer.java:935)
    at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:746)
    at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:709)
    at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:693)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:119)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
    at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:131)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
    at $Proxy5.deploy(Unknown Source)
    at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:396)
    at org.jboss.system.server.ServerImpl.start(ServerImpl.java:293)
    at org.jboss.Main.boot(Main.java:151)
    at org.jboss.Main$1.run(Main.java:405)
    at java.lang.Thread.run(Thread.java:552)
Caused by: org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (org.postgresql.util.PSQLException: The connection attempt failed.)
    at org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:161)
    at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.createConnectionEventListener(InternalManagedConnectionPool.java:508)
    at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.getConnection(InternalManagedConnectionPool.java:207)
    at org.jboss.resource.connectionmanager.JBossManagedConnectionPool$BasePool.getConnection(JBossManagedConnectionPool.java:534)
    at org.jboss.resource.connectionmanager.BaseConnectionManager2.getManagedConnection(BaseConnectionManager2.java:396)
    at org.jboss.resource.connectionmanager.TxConnectionManager.getManagedConnection(TxConnectionManager.java:299)
    at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:448)
    at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:838)
    at org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:102)
    ... 98 more
Caused by: org.postgresql.util.PSQLException: The connection attempt failed.
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:136)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:63)
    at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:117)
    at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
    at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
    at org.postgresql.Driver.connect(Driver.java:183)
    at org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:151)
    ... 106 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
    at org.postgresql.core.PGStream.flush(PGStream.java:486)
    at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:243)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:91)
    ... 112 more
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:202)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
    ... 124 more


From: Kris Jurka <books(at)ejurka(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 00:01:35
Message-ID: Pine.BSO.4.56.0412061856400.13978@leary.csoft.net

On Mon, 6 Dec 2004, Andrew M wrote:

> Hi,
> I have specified a connection string in my postgres-ds.xml file as
>
> Connection string:
>
> jdbc:postgresql://localhost:5432/mydatabase?ssl
>
> my Driver is:
> DriverVersion PostgreSQL 8.0devel JDBC3 with SSL (build 308)
>
> Where is the driver looking for the keystore/certificate?, as I have
> placed them in the root of the data folder - /usr/local/pgsql/data. If
> I remove any of the certificate files from the data folder I get an
> error message telling me that the files do not exist.

The data folder is only for the server. The JDBC driver needs the
certificate in the JVM's truststore. Where this truststore is located is
up to your JVM. This can be set by -Djavax.net.ssl.trustStore=... or may
default to $JAVA_HOME/lib/security/cacerts.

Kris Jurka


From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 00:41:33
Message-ID: BE0478E1-47E8-11D9-870C-0003938366A4@jibeya.com

Kris,

As the javax.net.ssl.trustStore is a system property, I try to do:

set javax.net.ssl.trustStore=/library/java/home/lib/security/cacert

but this is not being accepted. What am I doing wrong?

regards

Andrew


From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 01:02:19
Message-ID: A4FDEB5A-47EB-11D9-870C-0003938366A4@jibeya.com

Sorry,

I meant

> java -Djavax.net.ssl.trustStore = location

regards

Andrew


From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 01:07:12
Message-ID: 53680D1C-47EC-11D9-870C-0003938366A4@jibeya.com

typing the following:

$ java -D javax.net.ssl.trustStore =
/library/java/home/lib/security/cacert

gives me the following error message

Exception in thread "main" java.lang.NoClassDefFoundError:
javax/net/ssl/trustStore

How do I resolve this issue?

regards

Andrew


From: Vadim Nasardinov <vadimn(at)redhat(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 02:05:30
Message-ID: 200412062105.31063@vadim.nasardinov

On Monday 06 December 2004 20:07, Andrew M wrote:
> typing the following:
>
> $ java -D javax.net.ssl.trustStore =
> /library/java/home/lib/security/cacert
>
> gives me the following error message
>
> Exception in thread "main" java.lang.NoClassDefFoundError:
> javax/net/ssl/trustStore
>
> How do I resolve this issue?

There should be no space between "-D" and "javax.net.ssl.trustStore".
Likewise for the equal sign: there should be no space on either side of it.
Like so:

java -Djavax.net.ssl.trustStore=/library/java/home/lib/security/cacert


From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 08:52:16
Message-ID: 4B7BAC24-482D-11D9-870C-0003938366A4@jibeya.com

Vadim,

I'm doing exactly as you mentioned, but only get presented with a usage
list:

root# java -Djavax.net.ssl.trustStore=/library/java/home/lib/security/cacert

Usage: java [-options] class [args...]
(to execute a class)
or java [-options] -jar jarfile [args...]
(to execute a jar file)

where options include:
.......
-D<name>=<value>
set a system property

I can't see what the problem is here.

regards

Andrew



From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 09:58:17
Message-ID: 84BE6EF8-4836-11D9-870C-0003938366A4@jibeya.com

Ok,
I need to specify a class with property. What class!!??

java -Djavax.net.ssl.trustStore=/library/java/home/lib/security/cacert class

I am using OS X java 1.4.2

regards

Andrew



From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 12:38:44
Message-ID: EEAE6738-484C-11D9-870C-0003938366A4@jibeya.com

Ok,
I need to explain my setup here. I'm running a website via Jboss
application server. I have specified in Jboss, via a postgres-ds.xml
map, my jdbc connection like so:

<datasources>
  <local-tx-datasource>
    <jndi-name>PostgresDS</jndi-name>
    <connection-url>jdbc:postgresql://localhost:5432/mydatabase?ssl</connection-url>
    <driver-class>org.postgresql.Driver</driver-class>
    <user-name>x</user-name>
    <password>x</password>
  </local-tx-datasource>
</datasources>

Via jndi, I have a number of hibernate persistence classes, none of
which have a main(), which have access to the driver. I launch jboss
like so:

>cd /jboss/bin
/jboss/bin> ./run.sh

So how do I tell the driver where to find the keystore in this
instance, as I am not running a stand alone java application?

regards

Andrew



From: Vadim Nasardinov <vadimn(at)redhat(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-07 16:37:04
Message-ID: 200412071137.04871@vadim.nasardinov

On Tuesday 07 December 2004 07:38, Andrew M wrote:
> I need to explain my setup here. I'm running a website via Jboss
> application server.
...
> I launch jboss like so:
>
> >cd /jboss/bin
> /jboss/bin> ./run.sh
>
> So how do I tell the driver where to find the keystore in this
> instance, as I am not running a stand alone java application?

JBoss's run.sh likely provides a way to pass command-line options to
the JRE. This is needed so you can specify the maximum heap and stack
size, among other things. The standard way of doing this is to allow
the user to set an environment variable called JAVA_OPTS or some
such. So, once you know what this variable is named in your
particular case, you should be able to do something along the
following lines:

$ cd /jboss/bin
$ export JAVA_OPTS="-Djavax.net.ssl.trustStore=/library/java/home/lib/security/cacert"
$ ./run.sh

The script is then responsible for splicing this additional option
onto the command line that it uses to invoke java.

See
http://www.google.com/search?q=jboss+run.sh+JAVA_OPTS&btnI=


From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Cc: Vadim Nasardinov <vadimn(at)redhat(dot)com>
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-08 10:06:09
Message-ID: C8726946-4900-11D9-870C-0003938366A4@jibeya.com

Ok,
I'm nearly there but not yet.....

I can ascertain what is in my keystore by doing:

$ keytool -list

Enter keystore password: mypassword

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

beyarecords.com, Dec 7, 2004, keyEntry,
Certificate fingerprint (MD5): 32:44:5B:78:85:BA:BA:96:C1:CF:DF:A2:6A:0E:78:CB

I specify properties in jboss like so:

javax.net.ssl.keyStore=/library/java/home/lib/security/cacerts
javax.net.ssl.keyStorePassword=changeit
javax.net.ssl.keyStoreType= JKS

The error message I get back is:

sun.security.validator.ValidatorException: No trusted certificate found

If I say :
javax.net.ssl.keyStore=/library/java/home/lib/security/cacerts/beyarecords.com
javax.net.ssl.keyStorePassword=mypassword

I get the following error:

java.net.SocketException: Default SSL context init failed: null

I am of the understanding that once a certificate has been imported
into the keystore and associated via an alias(beyarecords.com) with a
key (32:44:5B:78:85:BA:BA:96:C1:CF:DF:A2:6A:0E:78:CB) that it is then
trusted? What am I missing here?

regards

Andrew



From: Vadim Nasardinov <vadimn(at)redhat(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-08 13:37:57
Message-ID: 200412080837.57840@vadim.nasardinov

On Wednesday 08 December 2004 05:06, Andrew M wrote:
> I'm nearly there but not yet.....
...
> I specify properties in jboss like so:
>
> javax.net.ssl.keyStore=/library/java/home/lib/security/cacerts
> javax.net.ssl.keyStorePassword=changeit
> javax.net.ssl.keyStoreType= JKS

This is starting to look increasingly like a JBoss-specific issue that
you may have better luck finding a solution to if you direct your
questions to the JBoss crowd. I, for one, haven't done anything with
keycerts in a long time.

> The error message I get back is:
> sun.security.validator.ValidatorException: No trusted certificate found
...
> I get the following error:
> java.net.SocketException: Default SSL context init failed: null

It is generally more informative to post the entire stack trace.
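
The innermost frame of the first stack trace in this thread is X509TrustManagerImpl.checkServerTrusted, so the same decision can be reproduced outside JBoss by handing the server certificate to the JVM's trust manager together with whatever truststore -Djavax.net.ssl.trustStore selects. The following is an added example, not code from any poster in this thread; the class name TrustStoreCheck, the server.crt argument and the "RSA" auth type are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the thread). Run it with the same -D options the
// application server receives, e.g. (paths and file names are assumptions):
//   java -Djavax.net.ssl.trustStore=/path/to/truststore TrustStoreCheck server.crt
public class TrustStoreCheck {

    // Key-exchange label passed to the trust manager. "RSA" is an assumption
    // that suits a typical RSA server certificate.
    static final String AUTH_TYPE = "RSA";

    // The store the default SSL context validates servers against: the
    // javax.net.ssl.trustStore property if set, else jssecacerts, else cacerts.
    static File effectiveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return new File(configured);
        }
        File dir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    static KeyStore load(File file) throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String password = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            // For a JKS store a null password skips the integrity check
            // but still reads the certificates.
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    // Reads one or more X.509 certificates (PEM or DER) from a file.
    static X509Certificate[] readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java [-Djavax.net.ssl.trustStore=...] TrustStoreCheck <server-cert>");
            System.exit(2);
        }
        File storeFile = effectiveTrustStore();
        System.out.println("truststore in effect: " + storeFile);
        if (System.getProperty("javax.net.ssl.keyStore") != null) {
            // keyStore holds this JVM's own key material for client
            // authentication; server validation reads trustStore instead.
            System.out.println("note: javax.net.ssl.keyStore is set but is not used to validate the server");
        }
        KeyStore ks = load(storeFile);
        System.out.println("entries in truststore: " + ks.size());

        X509Certificate[] chain = readChain(args[0]);
        if (chain.length == 0) {
            System.err.println("no certificate found in " + args[0]);
            System.exit(2);
        }
        System.out.println("server certificate subject: " + chain[0].getSubjectX500Principal());
        String alias = ks.getCertificateAlias(chain[0]);
        System.out.println(alias != null
                ? "certificate is stored under alias: " + alias
                : "certificate is not stored in this truststore");
        try {
            trustManagerFor(ks).checkServerTrusted(chain, AUTH_TYPE);
            System.out.println("RESULT: trusted");
        } catch (CertificateException e) {
            System.out.println("RESULT: NOT trusted (" + e.getMessage() + ")");
            System.exit(1);
        }
    }
}
```

Exit status 0 means the chain validates against the truststore in effect; 1 means the trust manager rejected it, which is the condition behind the ValidatorException above.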


From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-08 15:30:33
Message-ID: 1996BB14-492E-11D9-870C-0003938366A4@jibeya.com

Vadim,
I have posted this message to the jboss forum, and in the meantime here
is the complete stack trace:

org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (org.postgresql.util.PSQLException: The connection attempt failed.)
    at org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:161)
    at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.createConnectionEventListener(InternalManagedConnectionPool.java:508)
    at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.getConnection(InternalManagedConnectionPool.java:207)
    at org.jboss.resource.connectionmanager.JBossManagedConnectionPool$BasePool.getConnection(JBossManagedConnectionPool.java:534)
    at org.jboss.resource.connectionmanager.BaseConnectionManager2.getManagedConnection(BaseConnectionManager2.java:396)
    at org.jboss.resource.connectionmanager.TxConnectionManager.getManagedConnection(TxConnectionManager.java:299)
    at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:448)
    at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:838)
    at org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:102)
    at net.sf.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:59)
    at net.sf.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:73)
    at net.sf.hibernate.cfg.Configuration.buildSettings(Configuration.java:1132)
    at net.sf.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:766)
    at org.jboss.hibernate.jmx.Hibernate.buildSessionFactory(Hibernate.java:476)
    at org.jboss.hibernate.jmx.Hibernate.startService(Hibernate.java:444)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
    at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:891)
    at $Proxy0.start(Unknown Source)
    at org.jboss.system.ServiceController.start(ServiceController.java:416)
    at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
    at $Proxy4.start(Unknown Source)
    at org.jboss.deployment.SARDeployer.start(SARDeployer.java:261)
    at org.jboss.deployment.MainDeployer.start(MainDeployer.java:935)
    at org.jboss.deployment.MainDeployer.start(MainDeployer.java:927)
    at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:746)
    at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:709)
    at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
    at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:119)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
    at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:131)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
    at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy8.deploy(Unknown Source)
at
org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentSc
anner.java:305)
at
org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScan
ner.java:481)
at
org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doS
can(AbstractDeploymentScanner.java:204)
at
org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(Abst
ractDeploymentScanner.java:277)
at
org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupp
ort.java:271)
at
org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBean
Support.java:221)
at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController
.java:891)
at $Proxy0.start(Unknown Source)
at
org.jboss.system.ServiceController.start(ServiceController.java:416)
at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy4.start(Unknown Source)
at org.jboss.deployment.SARDeployer.start(SARDeployer.java:261)
at
org.jboss.deployment.MainDeployer.start(MainDeployer.java:935)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:746)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:709)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:693)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at
org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.
java:119)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at
org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBea
nOperationInterceptor.java:131)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy5.deploy(Unknown Source)
at
org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:396)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:293)
at org.jboss.Main.boot(Main.java:151)
at org.jboss.Main$1.run(Main.java:405)
at java.lang.Thread.run(Thread.java:552)
Caused by: org.postgresql.util.PSQLException: The connection attempt
failed.
at
org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(Connecti
onFactoryImpl.java:136)
at
org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.j
ava:63)
at
org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connect
ion.java:117)
at
org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connect
ion.java:30)
at
org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
at org.postgresql.Driver.connect(Driver.java:183)
at
org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.crea
teManagedConnection(LocalManagedConnectionFactory.java:151)
... 106 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at
com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
at
java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
at
java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
at org.postgresql.core.PGStream.flush(PGStream.java:486)
at
org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(Connectio
nFactoryImpl.java:243)
at
org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(Connecti
onFactoryImpl.java:91)
... 112 more
Caused by: sun.security.validator.ValidatorException: No trusted
certificate found
at
sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator
.java:304)
at
sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.ja
va:107)
at sun.security.validator.Validator.validate(Validator.java:202)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Das
hoA12275)
at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Das
hoA12275)
... 124 more
11:05:26,464 WARN [SettingsFactory] Could not obtain connection
metadata
org.jboss.util.NestedSQLException: Could not create connection; -
nested throwable: (org.postgresql.util.PSQLException: The connection
attempt failed.); - nested throwable:
(org.jboss.resource.JBossResourceException: Could not create
connection; - nested throwable: (org.postgresql.util.PSQLException: The
connection attempt failed.))
at
org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperD
ataSource.java:106)
at
net.sf.hibernate.connection.DatasourceConnectionProvider.getConnection(D
atasourceConnectionProvider.java:59)
at
net.sf.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:
73)
at
net.sf.hibernate.cfg.Configuration.buildSettings(Configuration.java:
1132)
at
net.sf.hibernate.cfg.Configuration.buildSessionFactory(Configuration.jav
a:766)
at
org.jboss.hibernate.jmx.Hibernate.buildSessionFactory(Hibernate.java:
476)
at
org.jboss.hibernate.jmx.Hibernate.startService(Hibernate.java:444)
at
org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupp
ort.java:271)
at
org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBean
Support.java:221)
at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController
.java:891)
at $Proxy0.start(Unknown Source)
at
org.jboss.system.ServiceController.start(ServiceController.java:416)
at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy4.start(Unknown Source)
at org.jboss.deployment.SARDeployer.start(SARDeployer.java:261)
at
org.jboss.deployment.MainDeployer.start(MainDeployer.java:935)
at
org.jboss.deployment.MainDeployer.start(MainDeployer.java:927)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:746)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:709)
at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at
org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.
java:119)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at
org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBea
nOperationInterceptor.java:131)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy8.deploy(Unknown Source)
at
org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentSc
anner.java:305)
at
org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScan
ner.java:481)
at
org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doS
can(AbstractDeploymentScanner.java:204)
at
org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(Abst
ractDeploymentScanner.java:277)
at
org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupp
ort.java:271)
at
org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBean
Support.java:221)
at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController
.java:891)
at $Proxy0.start(Unknown Source)
at
org.jboss.system.ServiceController.start(ServiceController.java:416)
at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy4.start(Unknown Source)
at org.jboss.deployment.SARDeployer.start(SARDeployer.java:261)
at
org.jboss.deployment.MainDeployer.start(MainDeployer.java:935)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:746)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:709)
at
org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:693)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.
java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at
org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.
java:119)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at
org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBea
nOperationInterceptor.java:131)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.jav
a:242)
at
org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at
org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy5.deploy(Unknown Source)
at
org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:396)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:293)
at org.jboss.Main.boot(Main.java:151)
at org.jboss.Main$1.run(Main.java:405)
at java.lang.Thread.run(Thread.java:552)
Caused by: org.jboss.resource.JBossResourceException: Could not create
connection; - nested throwable: (org.postgresql.util.PSQLException: The
connection attempt failed.)
at
org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.crea
teManagedConnection(LocalManagedConnectionFactory.java:161)
at
org.jboss.resource.connectionmanager.InternalManagedConnectionPool.creat
eConnectionEventListener(InternalManagedConnectionPool.java:508)
at
org.jboss.resource.connectionmanager.InternalManagedConnectionPool.getCo
nnection(InternalManagedConnectionPool.java:207)
at
org.jboss.resource.connectionmanager.JBossManagedConnectionPool$BasePool
.getConnection(JBossManagedConnectionPool.java:534)
at
org.jboss.resource.connectionmanager.BaseConnectionManager2.getManagedCo
nnection(BaseConnectionManager2.java:396)
at
org.jboss.resource.connectionmanager.TxConnectionManager.getManagedConne
ction(TxConnectionManager.java:299)
at
org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConn
ection(BaseConnectionManager2.java:448)
at
org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionMa
nagerProxy.allocateConnection(BaseConnectionManager2.java:838)
at
org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperD
ataSource.java:102)
... 98 more
Caused by: org.postgresql.util.PSQLException: The connection attempt
failed.
at
org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(Connecti
onFactoryImpl.java:136)
at
org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.j
ava:63)
at
org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connect
ion.java:117)
at
org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connect
ion.java:30)
at
org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
at org.postgresql.Driver.connect(Driver.java:183)
at
org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.crea
teManagedConnection(LocalManagedConnectionFactory.java:151)
... 106 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at
com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
at
java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
at
java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
at org.postgresql.core.PGStream.flush(PGStream.java:486)
at
org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(Connectio
nFactoryImpl.java:243)
at
org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(Connecti
onFactoryImpl.java:91)
... 112 more
Caused by: sun.security.validator.ValidatorException: No trusted
certificate found
at
sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator
.java:304)
at
sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.ja
va:107)
at sun.security.validator.Validator.validate(Validator.java:202)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Das
hoA12275)
at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Das
hoA12275)
... 124 more

many thanks

Andrew

On 8 Dec 2004, at 13:37, Vadim Nasardinov wrote:

> On Wednesday 08 December 2004 05:06, Andrew M wrote:
>> I'm nearly there but not yet.....
> ...
>> I specify properties in jboss like so:
>>
>> javax.net.ssl.keyStore=/library/java/home/lib/security/cacerts
>> javax.net.ssl.keyStorePassword=changeit
>> javax.net.ssl.keyStoreType= JKS
>
>
> This is starting to look increasingly like a JBoss-specific issue that
> you may have better luck finding a solution to if you direct your
> questions to the JBoss crowd. I, for one, haven't done anything with
> keycerts in a long time.
>
>
>> The error message I get back is:
>> sun.security.validator.ValidatorException: No trusted certificate
>> found
> ...
>> I get the following error:
>> java.net.SocketException: Default SSL context init failed: null
>
> It is generally more informative to post the entire stack trace.
>
>


From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Cc: Vadim Nasardinov <vadimn(at)redhat(dot)com>
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-08 17:39:08
Message-ID: 10699CBA-4940-11D9-870C-0003938366A4@jibeya.com
Lists: pgsql-jdbc

Hi,
at last, success! I will update the list with my findings in due course.

regards

Andrew



From: Andrew M <andrew(at)jibeya(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-09 00:44:39
Message-ID: 8205B1BB-497B-11D9-870C-0003938366A4@jibeya.com
Lists: pgsql-jdbc

Ok chaps,
last and final questions with all this. On the server side PostgreSQL
expects the following docs in the /data folder:

1. server.crt, server.key, root.crt, root.key

Now for the handshaking to be successful with the root docs in the
/data folder, postgresql expects the client to return a certificate. So
my question is:

Where is postgresql expecting the certificate to come from, and what
format does the certificate take (in terms of postgresql knowing that
the client is a valid one)?

regards

Andrew



From: Kris Jurka <books(at)ejurka(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 01:22:21
Message-ID: Pine.BSO.4.56.0412102018080.31603@leary.csoft.net
Lists: pgsql-jdbc

On Thu, 9 Dec 2004, Andrew M wrote:

> last and final questions with all this. On the server side PostgreSQL
> expects the following docs in the /data folder:
>
> 1. server.crt, server.key, root.crt, root.key
>
> Now for the handshaking to be successful with the root docs in the
> /data folder, postgresql expects the client to return a certificate. So
> my question is:
>
> Where is postgresql expecting the certificate to come from, and what
> format does the certificate take (in terms of postgresql knowing that
> the client is a valid one)?
>

Currently the JDBC driver does not implement this functionality. The only
documentation on this at all is for libpq here:

http://developer.postgresql.org/docs/postgres/libpq-ssl.html

It uses specific files relative to the user's $HOME directory. I don't
think this translates well into Java and I'm unsure what code would be
needed on the driver side to set this up. It would be great if someone
more Java+SSL knowledgeable could point us in the right direction here.

Kris Jurka


From: John R Pierce <pierce(at)hogranch(dot)com>
To: Kris Jurka <books(at)ejurka(dot)com>
Cc: Andrew M <andrew(at)jibeya(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 08:11:14
Message-ID: 41BAABA2.9070100@hogranch.com
Lists: pgsql-jdbc

> It uses specific files relative to the user's $HOME directory. I don't
> think this translates well into Java and I'm unsure what code would be
> needed on the driver side to set this up. It would be great if someone
> more Java+SSL knowledgeable could point us in the right direction here.

if the jdbc driver is using J2SE 1.4 style SecureSockets, then the certificate
store is in ${JAVA_HOME}/lib/security (%JAVA_HOME%\lib\security on Windows)

there is a keytool command in J2SE to manipulate and generate these keys.
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html


From: Kris Jurka <books(at)ejurka(dot)com>
To: John R Pierce <pierce(at)hogranch(dot)com>
Cc: Andrew M <andrew(at)jibeya(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 08:22:55
Message-ID: Pine.BSO.4.56.0412110318350.27632@leary.csoft.net
Lists: pgsql-jdbc

On Sat, 11 Dec 2004, John R Pierce wrote:

> > It uses specific files relative to the user's $HOME directory. I don't
> > think this translates well into Java and I'm unsure what code would be
> > needed on the driver side to set this up. It would be great if someone
> > more Java+SSL knowledgeable could point us in the right direction here.
>
> if the jdbc driver is using J2SE 1.4 style SecureSockets, then the
> certificate store is in ${JAVA_HOME}/lib/security
> (%JAVA_HOME%\lib\security on Windows)
>
> there is a keytool command in J2SE to manipulate and generate these keys.
> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
>

Right, we know how to handle verifying the server certificate against the
client keystore, that's pretty much all handled by java's SSL
implementation. The question is how do you do the reverse, providing the
client certificate to the server. For validating the server's cert java
can just loop through all available certs in the keystore and see if any
of them match. For sending a client cert on to the server there must be
some means of selecting one particular cert you want to send.

Kris Jurka


From: Andrew M <andrew(at)jibeya(dot)com>
To: John R Pierce <pierce(at)hogranch(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org, Kris Jurka <books(at)ejurka(dot)com>
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 10:20:20
Message-ID: 431C280A-4B5E-11D9-A341-0003938366A4@jibeya.com
Lists: pgsql-jdbc

Hi,
I have found out how the client certificates are returned to the
server. In the docs:

PostgreSQL 8.0.0beta5 Documentation
Chapter 27. libpq - C Library
27.13. SSL Support

'PostgreSQL has native support for using SSL connections to encrypt
client/server communications for increased security. See Section 16.7
for details about the server-side SSL functionality.

If the server demands a client certificate, libpq will send the
certificate stored in file .postgresql/postgresql.crt within the
user's home directory. A matching private key file
.postgresql/postgresql.key must also be present, and must not be
world-readable.

If the file .postgresql/root.crt is present in the user's home
directory, libpq will use the certificate list stored therein to
verify the server's certificate. The SSL connection will fail if the
server does not present a certificate; therefore, to use this feature
the server must also have a root.crt file.'

The only problem with this is, how do you copy an openssl {key|crt}
pair into a keytool keystore? Importing the crt into a keystore is not
a problem as long as the crt is in x509 format, but the key poses a
problem as the x509 format only handles trusted certificates.

If you start from the other side, the keystore side and generate a
certificate, a {key|crt} is automatically created in the keystore. You
will then have access to the certificate as it is public but the key is
private and cannot, as far as I'm aware, be exported from a keystore.

Any ideas? If anybody knows this, please let me know.

Andrew

On 11 Dec 2004, at 08:11, John R Pierce wrote:

>> It uses specific files relative to the user's $HOME directory. I
>> don't think this translates well into Java and I'm unsure what code
>> would be needed on the driver side to set this up. It would be great
>> if someone more Java+SSL knowledgeable could point us in the right
>> direction here.
>
> if the jdbc driver is using J2SE 1.4 style SecureSockets, then the
> certificate store is in ${JAVA_HOME}/lib/security
> (%JAVA_HOME%\lib\security on Windows)
>
> there is a keytool command in J2SE to manipulate and generate these
> keys.
> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
>
>


From: Kris Jurka <books(at)ejurka(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>
Cc: John R Pierce <pierce(at)hogranch(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 12:33:41
Message-ID: Pine.BSO.4.56.0412110728120.2747@leary.csoft.net
Lists: pgsql-jdbc

On Sat, 11 Dec 2004, Andrew M wrote:

> The only problem with this is, how do you copy an openssl {key|crt}
> pair into a keytool keystore?

No this isn't the problem. The problem is telling the SSL implementation
that you want to use this cert for client authentication. The best I can
gather is that you would need to implement a javax.net.ssl.X509KeyManager
and make chooseClientAlias() return the alias of the cert you want to use
in the keystore. Implementing a X509KeyManager does not look like an easy
thing to do though and there doesn't seem to be a good way of only
extending part of it and falling back to the default implementation for the
rest.

Kris Jurka
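
The approach described in the message above (an X509KeyManager whose chooseClientAlias() returns one chosen alias and which falls back to the default implementation for everything else), combined with one way to load an OpenSSL key/certificate pair into a Java KeyStore as asked earlier in the thread. This is an added example, not code from the PostgreSQL JDBC driver or from any poster; the class names, the alias `pgclient` and the file names are assumptions, and the key is assumed to be an unencrypted PKCS#8 PEM file.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

public class PinnedClientCert {

    /** Wraps the default key manager; only the client alias choice is overridden. */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            // Offer the pinned alias only if the store really holds its private key.
            return delegate.getPrivateKey(alias) != null ? alias : null;
        }
        public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
        public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
        public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    /** Reads one or more X.509 certificates (leaf first) as written by openssl. */
    static X509Certificate[] readCertChain(String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    /** Reads an unencrypted PKCS#8 PEM key ("BEGIN PRIVATE KEY"). */
    static PrivateKey readPkcs8Key(String path, String algorithm) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            // Traditional "BEGIN RSA PRIVATE KEY" files must be converted first, e.g. with
            //   openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pk8
            throw new IllegalArgumentException(path + " is not an unencrypted PKCS#8 PEM key");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        return KeyFactory.getInstance(algorithm)
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    static SSLContext buildContext(String certPath, String keyPath, String alias) throws Exception {
        X509Certificate[] chain = readCertChain(certPath);
        if (chain.length == 0) throw new IllegalArgumentException("no certificate in " + certPath);
        PrivateKey key = readPkcs8Key(keyPath, chain[0].getPublicKey().getAlgorithm());

        // In-memory keystore holding the key and its chain as one private-key entry.
        char[] password = "in-memory-only".toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setKeyEntry(alias, key, password, chain);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509KeyManager) {
                managers[i] = new FixedAliasKeyManager((X509KeyManager) managers[i], alias);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(managers, null, null); // null trust managers: use the JVM's default trust store
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and alias (assumptions); keep the alias lower-case.
        String cert = args.length > 0 ? args[0] : "client.crt";
        String key = args.length > 1 ? args[1] : "client.pk8";
        SSLContext ctx = buildContext(cert, key, "pgclient");
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

The socket factory from `ctx.getSocketFactory()` is what presents the pinned certificate during the handshake; how a particular JDBC driver can be made to use it is outside this example.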


From: Andrew M <andrew(at)jibeya(dot)com>
To: Kris Jurka <books(at)ejurka(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 15:50:31
Message-ID: 635C5E46-4B8C-11D9-A341-0003938366A4@jibeya.com
Lists: pgsql-jdbc

Ok,
so the best I can do at the moment, in terms of ssl on postgresql via
JDBC, is to use an unauthenticated connection!? Is man in the middle a
real concern, as the data in the tables will be encrypted?

My setup is:

{web|client}------->apache2---------<authenticated ssl>--------->jboss4---------<unauthenticated ssl>-------->postgresql

regards

Andrew
On 11 Dec 2004, at 14:24, Kris Jurka wrote:

>
>
> On Sat, 11 Dec 2004, Andrew M wrote:
>
>> So all I need to do is specify the alias of the certificate to return
>> from cacerts?
>
> No, you cannot use client certificates. As I mentioned in a couple of
> my previous emails the JDBC driver does not have any support for client
> certificates. My later emails included some speculation on what
> additional code would be necessary to implement this feature.
>
> Kris Jurka
>


From: John R Pierce <pierce(at)hogranch(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org, Kris Jurka <books(at)ejurka(dot)com>
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 17:37:16
Message-ID: 41BB304C.30009@hogranch.com

> The only problem with this is, how do you copy an openssl {key|crt} pair
> into a keytool keystore? Importing the crt into a keystore is not a
> problem as long as the crt is in x509 format, but the key poses a
> problem as the x509 format only handles trusted certificates.

When I created SSL certs for an internal webserver, I created my own root
certificate with the openssl tools, installed that in the server and client
trusted stores as a trusted RA, then used that root certificate to generate all
my other keys, which were then treated as trusted. To get new browser clients
to trust this RA cert, I had it available on a link off my home page, the user
simply had to click on the link, they'd get a certificate trust message, and
they click 'always trust', and the browser adds the cert to the root authority
list.

I would have to assume something similar can be done with java, and in fact, am
about to figure it out at work, since we need to do some SSL between a
standalone java application and a tomcat server.


From: Kris Jurka <books(at)ejurka(dot)com>
To: Andrew M <andrew(at)jibeya(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 20:13:34
Message-ID: Pine.BSO.4.56.0412111509490.404@leary.csoft.net

On Sat, 11 Dec 2004, Andrew M wrote:

> so the best I can do at the moment, in terms of ssl on postgresql via
> JDBC, is to use an unauthenticated connection!? Is man in the middle a
> real concern, as the data in the tables will be encrypted?

No, it's not unauthenticated. We authenticate the server certificate, but
not a client certificate. This is exactly like browsing to a https
website. You validate the server's certificate, checking that they are
who they say they are, but you don't send the web server a client
certificate. This means the web server, or in our case the postgresql
server, cannot verify that you are who you say you are from the ssl connection
alone, but there are other means of doing this, like a password.

Kris Jurka


From: Oliver Jowett <oliver(at)opencloud(dot)com>
To: Kris Jurka <books(at)ejurka(dot)com>
Cc: Andrew M <andrew(at)jibeya(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 22:54:59
Message-ID: 41BB7AC3.6040301@opencloud.com

Kris Jurka wrote:
>
> On Thu, 9 Dec 2004, Andrew M wrote:
>
>>Now for the handshaking to be successful with the root docs in the
>>/data folder, postgresql expects the client to return a certificate. So
>>my question is:
>>
> Currently the JDBC driver does not implement this functionality. [...]

Now that we have a sslfactory URL arg, can't you implement an
SSLSocketFactory that provides the right client-certificate-lookup
logic? You'd return a socket created via a SSLContext initialized with
an appropriate KeyManager (and TrustManager obviously).

-O
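
A sketch of the approach discussed in the two messages above (an SSLSocketFactory named through the sslfactory URL argument, whose SSLContext uses an X509KeyManager that overrides only chooseClientAlias() and delegates the rest to the default manager). This is an added example, not code from any message in this thread or from the JDBC driver; the class name, the example.* property names, the keystore file and the alias are assumptions, as is the driver instantiating the class through a zero-argument constructor.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical class; would be named in the URL as ...?ssl&sslfactory=ClientCertSocketFactory
public class ClientCertSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public ClientCertSocketFactory() throws GeneralSecurityException, IOException {
        // Assumed property names; the keystore must hold the client private key and its cert chain.
        char[] pass = System.getProperty("example.keystore.pass", "changeit").toCharArray();
        final String alias = System.getProperty("example.client.alias", "pgclient");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("example.keystore", "client.jks"))) {
            ks.load(in, pass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        final X509KeyManager def = (X509KeyManager) kmf.getKeyManagers()[0];
        // Wrap the default manager: only the client alias choice is overridden.
        X509KeyManager km = new X509KeyManager() {
            public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return alias; }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return def.chooseServerAlias(t, i, s); }
            public String[] getClientAliases(String t, Principal[] i) { return def.getClientAliases(t, i); }
            public String[] getServerAliases(String t, Principal[] i) { return def.getServerAliases(t, i); }
            public X509Certificate[] getCertificateChain(String a) { return def.getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return def.getPrivateKey(a); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null TrustManagers selects the JVM default trust store, so the server cert is still validated.
        ctx.init(new KeyManager[] { km }, null, null);
        delegate = ctx.getSocketFactory();
    }

    public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    public Socket createSocket(Socket s, String h, int p, boolean ac) throws IOException { return delegate.createSocket(s, h, p, ac); }
    public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
    public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    public Socket createSocket(InetAddress h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
}
```

Passing null for the TrustManager array keeps server-certificate validation in place; replacing it with a trust-everything manager would remove the protection against a man in the middle.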


From: Andrew M <andrew(at)jibeya(dot)com>
To: Oliver Jowett <oliver(at)opencloud(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org, Kris Jurka <books(at)ejurka(dot)com>
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-12 07:31:45
Message-ID: E062BABC-4C0F-11D9-A341-0003938366A4@jibeya.com

I'm not a java man, but I came across some code that may help the
cause....

http://www.mail-archive.com/axis-dev(at)xml(dot)apache(dot)org/msg06309.html

On 11 Dec 2004, at 22:54, Oliver Jowett wrote:

> Kris Jurka wrote:
>> On Thu, 9 Dec 2004, Andrew M wrote:
>>> Now for the handshaking to be successful with the root docs in
>>> the /data folder, postgresql expects the client to return a
>>> certificate. So my question is:
>>>
>> Currently the JDBC driver does not implement this functionality.
>> [...]
>
> Now that we have a sslfactory URL arg, can't you implement an
> SSLSocketFactory that provides the right client-certificate-lookup
> logic? You'd return a socket created via a SSLContext initialized with
> an appropriate KeyManager (and TrustManager obviously).
>
> -O