WMS ID 11461 (#184)

* changed "Java" to JDK Done in the descriptions and titles. * updates to javasecurity * minor updates * updated video link * Update sprint-javasecurity.md * small tweaks * Update sprint-javasecurity.md * started jcmd * updates to jcmd workshop * Update sprint-jcmd.md fixed brackets * fixed acknolwedgements * beginnings of keytool sprint * Update sprint-keytool.md * fixed titles * fixed spacing * Update sprint-tzupdater.md Removed note about the -XshowSettings:all flag because that issue has been fixed. * fixed Last Update date * added pkixexception * updates to pkixexception * Update sprint-pkixexception.md
oracle-livelabs · Dec 4, 2024 · 9b6c6d0 · 9b6c6d0
1 parent ed122eb
commit 9b6c6d0
Show file tree

Hide file tree

Showing 3 changed files with 191 additions and 0 deletions.
diff --git a/java/sprint-pkixexception/index.html b/java/sprint-pkixexception/index.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="description" content="Oracle LiveLabs gives you access to Oracle's products to run a wide variety of labs and workshops; allowing you to experience our best technology, live!">
+    <title>Oracle LiveLabs</title>
+
+    <script src="https://oracle-livelabs.github.io/common/redwood-hol/js/jquery-1.11.0.min.js"></script>
+    <script src="https://oracle-livelabs.github.io/common/redwood-hol/js/jquery-ui-1.10.4.custom.js"></script>
+    <script src="https://oracle-livelabs.github.io/common/redwood-hol/js/main.min.js"></script>
+
+    <link rel="stylesheet" href="https://oracle-livelabs.github.io/common/redwood-hol/css/style.min.css" />
+    <link rel="shortcut icon" href="https://oracle-livelabs.github.io/common/redwood-hol/img/favicon.ico" />
+</head>
+
+<body>
+    <header class="hol-Header" role="banner">
+        <div class="hol-Header-wrap">
+            <div class="hol-Header-logo"><span>Oracle LiveLabs</span></div>
+            <a href="https://livelabs.oracle.com" target="_blank" id="livelabs" title="Oracle LiveLabs"></a>
+            <div class="hol-Header-actions">
+                <button id="openNav" class="hol-Header-button hol-Header-button--menu rightNav" aria-label="Open Menu"
+                    title="Open Menu">
+                    <span class="hol-Header-toggleIcon"></span>
+                </button>
+            </div>
+        </div>
+    </header>
+
+    <div id="container">
+        <div id="leftNav">
+            <div id="toc"></div>
+        </div>
+        <div id="contentBox">
+            <main class="hol-Content" id="module-content"></main>
+        </div>
+    </div>
+
+      <footer class="hol-Footer">
+        <a class="hol-Footer-topLink" href="#top">Return to Top</a>
+        <div id="footer-banner"><div class="footer-row">
+          <div class="footer-content"><ul class="footer-links">
+              <li><a href="https://docs.oracle.com/pls/topic/lookup?ctx=en/legal&id=cpyr" target="_blank" aria-label="Open a new window to Oracle legal notices" data-lbl="copyright">© Oracle</a></li>
+              <li><a href="https://www.oracle.com/corporate/index.html" target="_blank" aria-label="Open a new window to learn more about oracle" data-lbl="about-oracle">About Oracle</a></li>
+              <li><a href="https://www.oracle.com/corporate/contact/" target="_blank" aria-label="Open a new window to contact oracle" data-lbl="contact-us">Contact Us</a></li>
+              <li class="footer-links-break"></li>
+              <li><a href="https://docs.oracle.com/en/browseall.html" target="_blank" aria-label="Open a new window to products a-z" data-lbl="products-a-z">Products A-Z</a></li>
+              <li><a href="https://www.oracle.com/legal/privacy/" target="_blank" aria-label="Open a new window to read more about Oracle terms of use and privacy" data-lbl="terms-of-use-and-privacy">Terms of Use & Privacy</a></li>
+              <li><a href="https://www.oracle.com/legal/privacy/privacy-policy.html#11" target="_blank" aria-label="Open a new window to read more about managing Oracle cookie preferences" data-lbl="cookie-preferences">Cookie Preferences</a></li>
+              <li><a href="https://www.oracle.com/legal/privacy/marketing-cloud-data-cloud-privacy-policy.html#adchoices" target="_blank" aria-label="Open a new window to ad choices" data-lbl="ad-choices">Ad Choices</a></li>
+              <li class="footer-links-break"></li><li class="last"><a href="https://docs.oracle.com/pls/topic/lookup?ctx=en/legal&id=cpyr" target="_blank" aria-label="Open a new window to Oracle legal notices" data-lbl="copyright">© Oracle</a></li>
+            </ul>
+          </div>
+        </div>
+      </div>
+    </footer>
+</body>
+
+</html>
diff --git a/java/sprint-pkixexception/manifest.json b/java/sprint-pkixexception/manifest.json
@@ -0,0 +1,13 @@
+{
+   "workshoptitle": "Troubleshoot SSL Exceptions in Java: ‘sun.security.validator.ValidatorException: PKIX path building failed’",
+   "help": "[email protected]",
+   "tutorials": [
+      {
+         "title": "Troubleshoot ‘sun.security.validator.ValidatorException: PKIX path building failed’ Excetions",
+         "description": "Learn how to troubleshoot ‘sun.security.validator.ValidatorException: PKIX path building failed’ exceptions.",
+         "filename": "sprint-pkixexception.md"
+
+      }
+   ],
+   "task_type": "Sections"
+}
diff --git a/java/sprint-pkixexception/sprint-pkixexception.md b/java/sprint-pkixexception/sprint-pkixexception.md
@@ -0,0 +1,116 @@
+# Troubleshoot SSL Exceptions in Java: ‘sun.security.validator.ValidatorException: PKIX path building failed’
+Duration: 7 minutes
+
+This sprint covers possible causes of a 'sun.security.validator.ValidatorException: PKIX path building failed' exception, and how to resolve them.
+
+## Troubleshooting ‘sun.security.validator.ValidatorException: PKIX path building failed’ Exceptions
+
+[Troubleshooting SSL Exceptions](videohub:1_3848m5e3)
+
+### 1. Introduction
+
+The TLS (Transport Layer Security) handshake is a crucial process that establishes a secure connection between a client and a server.
+
+To establish a successful TLS handshake, it is essential to create a trusted chain of trust. Typically, TLS servers possess an X.509 certificate, which is issued and digitally signed by a trusted root Certificate Authority (CA). This certificate serves as proof of the server's identity, ensuring that the client can verify the server's authenticity and establish a secure connection.
+
+For the client to establish a connection, it must trust the same root Certificate Authority (CA) that issued the server's certificate. This is achieved by configuring a trust store, a repository of trusted CA certificates. In Java environments, the default trust store is often located at `$JAVA_HOME/lib/security/cacerts`.
+
+If the client is unable to validate the certificate chain presented by the server, it will throw an exception such as:
+
+```
+caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
+```
+
+### 2. Common Causes
+
+**Multiple JRE/JDK Versions:** Having multiple JRE/JDK installations in the client can result in the certificate being imported into the wrong `cacerts` file, leading to trust issues.
+
+**Using a Custom Trust Store:** If a custom trust store is specified using `-Djavax.net.ssl.trustStore`, ensure the application is correctly pointing to it. Misconfiguration can override the default trust store (`cacerts`) and cause validation errors even if the root CA certificate is present.
+
+**Using Self-Signed Certificates:** Java applications attempting to connect to a server using a self-signed certificate will encounter trust issues, as Java does not recognize self-signed certificates unless specifically configured to do so.
+
+**Using a Non-popular Certificate Authority (CA):** This can happen when there are many intermediate certificate authorities involved in the chain of certificates used by the domain. In such cases, Java fails to validate authenticity unless all intermediate certificates are known to it.
+
+### 3. Resolution
+
+1. The public certificate needs to be imported into the Java trust store that your application uses. The JDK/JRE provides a tool to interact with the certificate store to administer its content. This tool is Keytool and can be found in `$JAVA_HOME/bin/keytool`.
+
+2. Manually add the certificate to `cacerts` by executing the following command:
+
+    ```
+    <copy>keytool -import -trustcacerts
+    -file [certificate-file]
+    -alias [alias]
+    -keystore $JAVA_HOME/lib/security/cacerts</copy>
+    ```
+
+3. Verify the certificates added to Java trust store by using the following command:
+
+    ```
+    <copy>
+    keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts
+    </copy>
+    ```
+
+    This will return a list of all the entries. For example:
+    ```
+    Alias name: self-signed
+    Creation date: Nov 1, 2024
+    Entry type: trustedCertEntry
+
+    Owner: O=Internet Widgits Pty Ltd, ST=MA, C=US
+    Issuer: O=Internet Widgits Pty Ltd, ST=MA, C=US
+    Serial number: b69d075cfca7982fded01076b14145362acc85e
+    Valid from: Mon Nov 1 09:50:43 EST 2024 until: Tue Nov 1 09:50:43 EST 2025
+    Certificate fingerprints:
+    ```
+
+4. Use the below script to automate the whole process (example given is for Unix):
+    ```
+    <copy>
+    #!/bin/sh
+    # cacerts.sh
+
+    /usr/bin/openssl s_client -showcerts -connect $1:443 </dev/null 2>/dev/null |  /usr/bin/openssl x509 -outform PEM > /tmp/$1.pem
+
+    $JAVA_HOME/bin/keytool -import -trustcacerts -file /tmp/$1.pem -alias $1 -keystore $JAVA_HOME/lib/security/cacerts
+
+    rm /tmp/$1.pem
+    </copy>
+    ```
+    This script opens an SSL connection to the domain name system (DNS) passed as the first argument and requests it to show the certificates. The certificate information is piped through OpenSSL and is stored as a PEM file. This PEM file is then used by keytool to import the certificate into the cacerts file with the DNS as the alias.
+
+    For instance, we can try adding the certificate for https://<URL\>
+
+    ```
+    cacerts.sh <URL>
+    ```
+
+### 4. Debugging
+
+If you are still unable to resolve the issue, the following debug parameters can be used to troubleshoot further:
+```
+-Djavax.net.debug=all
+-Djava.security.debug=certpath
+```
+
+### 5. Some Less Common Causes
+
+- This error can arise from a very strict network configuration or firewall rule. To eliminate this possibility, head to your favorite browser and try to access the URL that creates problems. If the browser can process it without errors, then it means the problem is with the client application’s certificate configuration.
+
+- You may also come across this error after upgrading, reinstalling, or changing the configurations of your Java installation. At times, the certificate configurations in Java’s internal trust store may get messed up during these activities and can result in this error. So always check that your application is pointing to the right Java installation and verify the `cacerts` file is available in `$JAVA_HOME/lib/security`.
+
+- Check if your trust store is outdated. If so, upgrade Java to the latest version supported by your application.
+
+
+## Learn More
+Oracle customers can refer to [Troubleshooting "sun.security.validator.ValidatorException: PKIX path building failed" Exceptions (Doc ID 2924538.1)](https://support.oracle.com/epmos/faces/DocumentDisplay?id=2924538.1) on the My Oracle Support portal.
+
+
+## Acknowledgements
+**Video** - Anjana Sajeev, Technical Support Engineer, Java Platform Group  
+**Workshop** -  Jason Begy, Principal User Assistance Developer, Java Platform Group  
+**Last Updated By/Date** - Jason Begy,  December 2024
+
+
+