
I am unable to connect to my Compose MongoDB service from my deployed bluemix app. It seems that it cannot find the necessary certificate. I had expected that it would pick that up directly from environment variable VCAP_SERVICES.

I can run this fine from my local test environment because I imported the key into the appropriate keystore in Java.

If I look at their node.js sample on bluemix they are actually passing the certificate during the connect. However, I cannot find this anywhere on the Java API.

I believe that I either need to add this cert to the VM on bluemix (seems unlikely) or I need to pass it via the Java driver, which I cannot (can't see how).

Thoughts?

For the record, this is the exception I get:

com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting for a server that matches 
ReadPreferenceServerSelector{readPreference=primary}. Client view of 
cluster state is {type=UNKNOWN, servers=[{address=bluemix-sandbox-dal-9-portal.7.dblayer.com:26123, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}, {address=bluemix-sandbox-dal-9-portal.6.dblayer.com:26123, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}]
com.mongodb.connection.BaseCluster.createTimeoutException(BaseCluster.java:377)
com.mongodb.connection.BaseCluster.selectServer(BaseCluster.java:104)
com.mongodb.binding.ClusterBinding$ClusterBindingConnectionSource.<init>(ClusterBinding.java:75)
com.mongodb.binding.ClusterBinding$ClusterBindingConnectionSource.<init>(ClusterBinding.java:71)
com.mongodb.binding.ClusterBinding.getReadConnectionSource(ClusterBinding.java:63)
com.mongodb.operation.OperationHelper.withConnection(OperationHelper.java:402)
com.mongodb.operation.FindOperation.execute(FindOperation.java:510)
com.mongodb.operation.FindOperation.execute(FindOperation.java:81)
com.mongodb.Mongo.execute(Mongo.java:836)
com.mongodb.Mongo$2.execute(Mongo.java:823)
com.mongodb.FindIterableImpl$FindOperationIterable.first(FindIterableImpl.java:216)
com.mongodb.FindIterableImpl.first(FindIterableImpl.java:156)
com.ibm.smarts.experiment.UserMgr.getUserDetails(UserMgr.java:146)
com.ibm.smarts.experiment.UserMgr.authenticateUser(UserMgr.java:123)
com.ibm.smarts.experiment.servlet.LoginServlet.doPost(LoginServlet.java:31)
javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  • The Liberty for Java buildpack should be generating a server.xml for you with a MongoDB datasource and keystore. Can you connect that way instead of parsing VCAP_SERVICES and initializing the Java client yourself? – opiethehokie May 08 '17 at 21:25
  • I'm using tomcat rather than liberty. Is there a similar server.xml file for that? – DungeonTiger May 08 '17 at 21:56
  • I can connect from my local machine by parsing the VCAP I get from bluemix. I added it to the local Java keystore. – DungeonTiger May 09 '17 at 00:53
  • I've added a few more options here: https://stackoverflow.com/questions/44813280/how-to-upload-ssl-certificate-to-bluemix – Chris Snow Jun 29 '17 at 06:20

1 Answer

There are a few options documented here. For example:

Import the cert to Java truststore file, pack the file into Java application and specify its path via JAVA_OPTS environment variable; the truststore file can be placed under resource directory. This can be used for single applications:

By using the 'cf set-env' command:

cf set-env <app> JAVA_OPTS '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore'

By using manifest.yml:

---
applications:
- name: java-app
  ...
  env:
    JAVA_OPTS: '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore'
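The truststore-plus-JAVA_OPTS route above changes the JVM-wide trust anchors. An alternative that the question asks about (handing the CA certificate to the Java driver at connect time, the way the Node.js sample does) is shown below as an added example; it is not code from the question, the answer or the IBM docs. It assumes the Compose CA certificate is available base64-encoded in an environment variable named COMPOSE_CA_B64 (for instance copied out of VCAP_SERVICES) and the connection string in MONGO_URI; both names are placeholders, and the driver calls are those of the 3.x Java driver the stack trace shows.

```java
// Added example, not from the original post. Trusts only the Compose CA for
// this MongoClient, leaving the JVM default truststore and hostname/chain
// validation untouched. COMPOSE_CA_B64 and MONGO_URI are assumed variable names.
import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoClientURI;
import org.bson.Document;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Base64;

public class ComposeMongoTls {

    // Build an SSLContext whose single trust anchor is the supplied PEM CA.
    // Certificate path validation still runs; only the anchor changes.
    static SSLContext trustOnly(byte[] pemCert) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pemCert));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                    // empty in-memory store
        ks.setCertificateEntry("compose-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        byte[] pem = Base64.getDecoder().decode(System.getenv("COMPOSE_CA_B64"));
        SSLContext ctx = trustOnly(pem);
        // Driver 3.x: pass the socket factory via the options builder
        // (driver 3.5+ also offers builder.sslContext(ctx)).
        MongoClientOptions.Builder opts = MongoClientOptions.builder()
                .sslEnabled(true)
                .socketFactory(ctx.getSocketFactory());
        MongoClient client = new MongoClient(new MongoClientURI(System.getenv("MONGO_URI"), opts));
        try {
            // A single round trip proves the handshake succeeded against the CA above.
            System.out.println(client.getDatabase("admin").runCommand(new Document("ping", 1)));
        } finally {
            client.close();
        }
    }
}
```

If the handshake still fails with the PKIX error, the certificate fed in is not the issuer of the server's chain; a quick check is to compare the subject of the decoded CA with the issuer shown by openssl s_client against the portal host.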
  • This looks promising. I will try it and report back. – DungeonTiger May 09 '17 at 14:01
  • I cannot seem to get this to work and I'm not sure how to debug it actually. The first question is whether it is TrustStore or trustStore. I tried both. This is what I have in the manifest: `applications: - path: target/RecommenderExperiment.war .... buildpack: java_buildpack env: JAVA_OPTS: '-Djavax.net.ssl.trustStore=classpath:/resources/cacert -Djavax.net.ssl.trustStorePassword=changeit'` Now what I have in the war file structure is this: `target\WEB-INF\classes\cacerts` I also tried without 'resources' in the path. How can I figure out what's wrong? – DungeonTiger May 10 '17 at 16:49
  • Can you try to create a minimal example so I can reproduce the issue? – Chris Snow May 10 '17 at 18:38
  • Well, actually it looks like if I switch from using Tomcat to Liberty this problem goes away. I wish I could understand how to get tomcat to work but the main thing right now is to get it running. – DungeonTiger May 12 '17 at 19:27