Saturday, September 17, 2011

Java Error InvalidAlgorithmParameterException: the trustAnchors on EC2 Amazon Jenkins

InvalidAlgorithmParameterException: the trustAnchors on EC2 Amazon

This error occurs when the Gmail server certificate is not in the cacerts truststore under JAVA_HOME, or when Apache Tomcat does not know where to find the trusted cacerts file. In either case, the complete procedure is below.


[root@server1 ~]# echo $JAVA_HOME
/usr/lib/jvm/java

[root@server1 ~]# openssl s_client -connect smtp.gmail.com:465 > /tmp/smtp.cert

(openssl is provided by the openssl package if it is not already installed)

This writes the server certificate, along with the rest of the connection output, to /tmp/smtp.cert.

Edit /tmp/smtp.cert and remove everything before and after the following tags (both the BEGIN CERTIFICATE and END CERTIFICATE lines must be kept):
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Now import the file /tmp/smtp.cert to JAVA_HOME cacerts

[root@server1 ~]# $JAVA_HOME/bin/keytool -import -alias smtp.gmail.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/smtp.cert

It will ask for the keystore password the first time; make sure you remember this password.

You can check the list of entries in cacerts, which should have grown by one, with:

[root@server1 ~]# $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

Now, if you are using Tomcat or any other application based on Tomcat, add the following options to catalina.sh, or to the startup script of your application if it has one:

-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=password
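The same steps as a script, added here as an example and not part of the original post. It assumes openssl and the JDK keytool are on PATH and JAVA_HOME is set as shown above; the s_client output used for the self-check is constructed. It passes -servername so the server returns the certificate for that hostname and reads stdin from /dev/null so s_client exits on its own instead of waiting for input.

```shell
#!/bin/sh
# Example script (not from the original post): fetch a server certificate,
# cut it down to the PEM block and import it into the JDK cacerts truststore.
set -eu

# Print only the first PEM certificate block from text on stdin. This is the
# manual "remove everything before and after BEGIN/END CERTIFICATE" step.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/{p;/^-----END CERTIFICATE-----$/q;}'
}

# Fetch the leaf certificate a TLS server presents, as PEM. </dev/null makes
# s_client exit instead of waiting for keyboard input, so it works in scripts.
fetch_pem() {   # fetch_pem HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | extract_pem
}

# Import a PEM file under ALIAS into the JDK cacerts truststore. -noprompt
# skips the "Trust this certificate?" question; the JDK ships cacerts with
# the password "changeit" unless it has been changed locally.
import_cert() { # import_cert ALIAS PEMFILE STOREPASS
    "$JAVA_HOME/bin/keytool" -importcert -noprompt -alias "$1" -file "$2" \
        -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass "$3"
}

# Verify the import: keytool -list -alias exits non-zero if ALIAS is absent.
has_alias() {   # has_alias ALIAS STOREPASS
    "$JAVA_HOME/bin/keytool" -list -alias "$1" \
        -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass "$2" >/dev/null 2>&1
}

# Constructed sample of s_client output (not a real certificate) used to
# check extract_pem offline; only the first block must survive.
SAMPLE_S_CLIENT='CONNECTED(00000003)
depth=0 CN = example.test
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCert==
-----END CERTIFICATE-----
---
-----BEGIN CERTIFICATE-----
SECONDBLOCKMUSTBEDROPPED
-----END CERTIFICATE-----
DONE'

# Usage: ./import-cert.sh smtp.gmail.com 465 changeit
if [ "$#" -eq 3 ]; then
    fetch_pem "$1" "$2" > "/tmp/$1.cert"
    import_cert "$1" "/tmp/$1.cert" "$3"
    has_alias "$1" "$3" && echo "imported $1 into cacerts"
fi
```

Server leaf certificates are replaced regularly, so importing the issuing CA certificate (shown by `openssl s_client -showcerts`) instead of the leaf avoids repeating this fix at the next rotation.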

5 comments:

  1. I honestly spent about 10 hours trying to solve this problem and albeit being very close, I couldn't figure it out. You make it sound easy. Thanks again Jyotir.

  2. Anonymous6:32 PM

    One thing you can do so that you don't need to edit the output file is to use the following command:
    openssl s_client -connect smtp.gmail.com:465 | openssl x509 -outform PEM > /tmp/smtp.cert

  3. Anonymous9:20 PM

    For someone who has never looked at a line of code in his entire life, could someone please explain how to do this? Even just how to access the bit of code I need to work with would be great.

  4. Anonymous11:22 PM

    If this also does not solve the problem, import the crt into /etc/pki/java/cacerts.

  5. Anonymous9:44 AM

    This really helped me get the securityadmin.sh tool working in OpenSearch because it required a trust store to be created.
