RE: Certificate is not signed by a trusted certificate authority - java error

We are running this on the iseries just straight java. We have been fighting
with this all day. We have done the keytool and added the certificate to
\qiBM\ProdData\Java400\jdk14\lib\security\cacerts. But we still get this
error:
com.taylor.docgate.DocgateException: DocgateDAOAImpl.Login.IOException:
javax.net.ssl.SSLHandshakeException: Certificate is not signed by a trusted
certificate authority.


What are we missing? Am I doing this wrong? Is there an IBM person out there
that can get in conatact with some help?


Mike Wills
Lawson Programmer/Administrator
Taylor Development
Email: mnwills@xxxxxxxxxxxxxx
Direct Line: (507) 625-3187

-----Original Message-----
From: Pete Helgren [mailto:pete@xxxxxxxxxx] 
Sent: Tuesday, November 11, 2003 1:49 PM
To: Midrange Systems Technical Discussion
Subject: RE: Certificate is not signed by a trusted certificate authority -
java error

Mike, we had an internal e-mail that dealt with a customer who had a
certificate in IIS which they had to export to have Tomcat recognize it.
These are the instructions which may or may not help but perhaps give you a
clue:

Export the certificate from IIS as follows:

Start Internet Services Manager on your 2000 Server Open the default web
site properties (or a virtual directory's properties, if the certificate is
associated with that) Click the Directory Security tab Click "View
Certificate"
Click the Details tab
Click "Copy to File"
In the wizard, choose "Yes, export the private key"
Choose PKCS #12 format without the strong protection (an IIS thing only)
Assign a private key password (example: secret1) Pick a destination file -
like \win2k\mycert.pfx

A keystore file must already exist in order to move the certificate in the
pfx file to the Java keystore file.  If you don't already have one, here's
how you can create a keystore file:

cd \j2sdk1.4.2\bin
keytool -genkey -alias junk -keyalg RSA -keystore \tomcat\keystore Example
of a password to assign when prompted: secret2

Here's how to copy the pfx file to the keystore file:

Copy the attached files to \j2sdk1.4.2\bin cd \j2sdk1.4.2\bin java keymove
pkcs12 \win2k\mycert.pfx secret1 jks \tomcat\keystore secret2

If you created a "junk" key pair just to build the keystore file, you can
get rid of it by doing the following:

cd \j2sdk1.4.2\bin
keytool -delete -alias junk -keystore \tomcat\keystore


Once that is done, the \tomcat\keystore file can be referenced in Tomcat's
server.xml configuration in the 8443 connector's XML tag/attributes.  An
example of that is:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
              port="8443" minProcessors="5" maxProcessors="75"
              enableLookups="true"
              acceptCount="100" debug="0" scheme="https" secure="true"
              useURIValidationHack="false" disableUploadTimeout="true">
      <Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="c:\Tomcat\keystore"
               keystorePass="secret2"/>
    </Connector>


Not sure what server you are running but this might get the "creative
juices" flowing.

Pete Helgren
Timp Tech/Ed Tech Labs



> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Wills, Mike N. 
> (TC)
> Sent: Tuesday, November 11, 2003 10:49 AM
> To: Midrange Systems Technical Discussion
> Subject: Certificate is not signed by a trusted certificate authority 
> - java error
>
>
> I am posting it here to hopefully get a quicker response. I have 
> received none so far from either java list.
>
> I am trying to connect to an internal SSL site with java and keep on 
> getting this error:
> com.taylor.docgate.DocgateException: DocgateDAOAImpl.Login.IOException:
> javax.net.ssl.SSLHandshakeException: Certificate is not signed by a 
> trusted certificate authority.
>
> How do get java to accept our SSL site as a trusted site? We do have a 
> "root certificate" for the company.
>
> What we are beginning to think is that java is either not using the 
> right cacerts file or it doesn't like the new entry in the file. Can 
> anyone at all help me out?
>
> Mike Wills
> Lawson Programmer/Administrator
> Taylor Corporation
> Email: mnwills AT taylorcorpNOSPAM DOT com
> AIM: iSeriesCodePoet
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
> list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, 
> unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take 
> a moment to review the archives at 
> http://archive.midrange.com/midrange-l.
>

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.