Java Consultant Tip: SSL Certificates and Man in the Middle SSL Proxy
It’s your first day at your new gig. Everything is new and you have to adjust quickly to the environment. However, you notice your favorite Java applications are barking with exceptions about certificates.
Here’s a sample Exception:
...
sun.security.validator.ValidatorExeption: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...This was because the company you are working with has installed an SSL proxy that intercepts all HTTPS calls and hand out its own certficates. This allows the company to intercept the SSL certificates, monitor and audit all network traffic.
This is all fair and square (after all, we are using the company’s property). However, some Java-based applications have trouble trusting that certificate because Java does not read the OS’s trust store by default and thus the exceptions.
Solution #1: Use Platform Specific Security Provider
On Windows
The first fix is easy and should be your first attempt if you are using Windows. Java uses two special environment variables to control where to read certificates. If you are on Windows, you can instruct Java to read from the Windows’s Trust Store by using the following VM arguments:
-Djavax.net.ssl.trustStore=NUL
-Djavax.net.ssl.trustStoreType=Windows-ROOTThis fix will only work if your JDK has the SunMSCAPI. You can check that by looking at the list of security provides in the <Java Home>/jre/lib/security/java.security file.
On macOS
Although I haven’t tested it, based on the documentation, if you are using macOS and have the Apple provider in your java.security file, you should be able to set javax.net.ssl.trustStoreType to Apple to make your JVM read the macOS Keychain.
Solution #2: Update Java Keystore with SSL proxy Certificates
If the first fix doesn’t work, you need to import the certificates into the JVM’s keystore. The steps are more involved but should work with any JDK on any platform. The drawback of this approach is that you will need to do this for every JVM that requires a secure connection.
Extract the Certificate (Windows)
First, we have to extract the SSL proxy certificate. I am showing the screenshots for the Windows OS.
- Open up your browser and go to https://www.google.com.
- If you’re on Chrome, click the Lock icon 🔒 at the top left-hand corner
3. Click on “Connection is secure”
4. Finally, click on “Certificate is valid” and the “Certification Path” tab:
5. Trusting the Root certificates will also trust all intermediate certificates. So, select the certificate that is highest in the chain and is issued by your company and click “View Certificate”.
The image below shows the certificate without an SSL Proxy. If your company uses an SSL Proxy, the “Issued by:” line will likely be your company’s name.
6. Click on the “Details” tab.
7. Click on “Copy to File…”
8. Select the option “Base-64 encoded X.509 (.CER)” and click “Next”.
9. Give it a file name to export the certificate.
Extract the Certificate (macOS)
On macOS, the steps are similar, except that you simply drag the Certificate icon to your Finder window to export the certificate.
Import Certificates
Once you have the certificates from the previous steps, you can import them into your JVM. This is done by using the keytool Java utility program.
Typically, Java stores the certificates in <Java Home>/jre/lib/security/cacerts . So, the following command will let you import the certificates into the store.
% keytool -import -file <certfile> -alias <any alias> -keystore <Java Home>/jre/lib/security/cacertsIf you are prompted for a password, use changeit, which is the default password for the Java trust store.
WebSphere Profile
A WebSphere profile uses its trust store instead of the cacerts file in the JVM directory. The trust store is created upon profile creation and is called trust.p12. The default password for it is WebAS. The file is located in <WebSphere Dir>/profiles/<Profile Name>/config/cells/<Cell Name>/nodes/<Node Name>/.
Conclusion
As Java consultants, we often need to deal with new IT environments. One of the most common issues was certificate exceptions due to untrusted SSL Proxy certificates. In this article, I showed a couple of ways where we can instruct the JVM to trust the certificates. I hope you will find it useful.
