We are using the JAX-RS 2.0 Client in our WebSphere Liberty Profile application to call an external service. It works fine on WLP 16.0.0.4 with Java 8.0. When I try to run the same application on 17.0.0.4, we are getting certificate errors on the truststore.
After a lot of trial and error, it seems that WLP is no longer loading the truststore from the following property (this is from my jvm.options file):
-Djavax.net.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
The above worked in 16.0.0.4, but the javax.net.ssl.trustStore property is no longer being used to point to the truststore (if I point the property to a missing file in 16.0.0.4, I get an error that the file is not found, but in 17.0.0.4, I don't get the error). So I added the following:
-Djavax.net.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
-Dcom.ibm.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
This is still not working. I cannot find WLP release notes anywhere that explain that JAX-RS behaves differently in WLP 17.x.
Does anyone know how I can point to the truststore in WLP 17.0.0.4?
==========================================
UPDATE #1 - 2018/01/24
I am using the exact same JDK, server.xml, bootstrap.properties, and jvm.options files, as well as the same application files. The only difference is the WLP instance. I am also using the same entries for the default truststore, which is pointing to the same file as I am pointing to in the jvm.properties I pasted above. Here are the startup log entries:
17.0.0.4
product = WebSphere Application Server 17.0.0.4 (wlp-1.0.19.201712061531)
wlp.install.dir = C:/IBM/WLP_17.0.0.4/
java.home = C:\IBMJava80\jre
java.version = 1.8.0_151
java.runtime = Java(TM) SE Runtime Environment (8.0.5.7 - pwa6480sr5fp7-20171216_01(SR5 FP7))
16.0.0.4
product = WebSphere Application Server 16.0.0.4 (wlp-1.0.15.cl160420161113-0206)
wlp.install.dir = C:/IBM/WLP_16.0.0.4/
java.home = C:\IBMJava80\jre
java.version = 1.8.0_151
java.runtime = Java(TM) SE Runtime Environment (8.0.5.7 - pwa6480sr5fp7-20171216_01(SR5 FP7))
Here is the error I get in 16.0.0.4 when I change the truststore to a non-existent file:
[1/24/18 10:50:06:025 EST] 0000006e id= uribm.services.expensesaggregator.ejb.ExpensesEjbCommonUtils E callUnifiedProfile() Exception has occurred Exception encountered during call to UP: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://w3-services1.w3-969.ibm.com/myw3/unified-profile/v1/docs/instances/masterByEmail?email=dlwester%40us.ibm.com: java.security.cert.CertificateException: No X509TrustManager implementation available for [userId=dlwester@us.ibm.com] : javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://w3-services1.w3-969.ibm.com/myw3/unified-profile/v1/docs/instances/masterByEmail?email=dlwester%40us.ibm.com: java.security.cert.CertificateException: No X509TrustManager implementation available
And here are my keystore/truststore entries (the truststore points to the same file as the jvm.options):
<!-- default keystore -->
<keyStore id="defaultKeyStore"
location="${keystoreLocation}"
password="${keystorePassword}" />
<!-- default truststore -->
<keyStore id="defaultTrustStore"
location="${truststoreLocation}"
password="${truststorePassword}" />
<ssl id="sslConfig"
keyStoreRef="defaultKeyStore"
trustStoreRef="defaultTrustStore"
sslProtocol="SSL_TLSv2"
serverKeyAlias="${serverKeyAlias}" />
================
UPDATE #2
I added the transportSecurity-1.0 feature to WLP, and now I am getting an error in 17.0.0.4 if I point to a non-existing file. If I point to the correct truststore file, I am now getting a different error:
[1/24/18 12:03:19:905 EST] 0000003d id= com.ibm.w3.security.tai.OAuthDownStreamTAI E getSslSocketFactoryWithTrustStore() exception encountered on sslContext.init() for truststore C:/IBM/WLP_17.0.0.4/usr/shared/resources//security/trust_yourIBM_TEST.jks - java.security.KeyManagementException: Default SSLContext is initialized automatically
I need to look into this error.
