Solved

uninitialized keystore error with SSL connection

Posted on 2012-12-21
Last Modified: 2013-01-23
I wish I could award 1,000,000 points to anyone that can help me figure out an intermittent problem.  We have a system interface to an external company's server.  The connection uses SSL.  We have a key in our keystore and a certificate from the company.  In some cases the interface works fine.  In other cases we get a handshake failure.  The error message is "Uninitialized keystore." The code is written in Java.  We are using Java 1.6. I have SSL debug output where I can see the handshake failure.  But I don't know enough to understand why we are getting the handshake failure.  Can you help me track down the source of this intermittent problem?
Question by:david_m_jacobson
10 Comments
 
LVL 86

Expert Comment

by:CEHJ
ID: 38714618
"We have a system interface to an external company's server."
It's conceivable they are the source of the error, and that it doesn't reside in your code.
0
 

Author Comment

by:david_m_jacobson
ID: 38714634
They have many, many customers accessing their system and they say that we are the only one running into this error.  The strange thing is that sometimes it works and sometimes it does not work. The problem seems to be on our side.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38714653
Might be worthwhile posting an obfuscated ssl debug log

Have you tried a different runtime?
Does it happen on different boxes on your side or just one?
0
 
LVL 1

Expert Comment

by:vkphoenixfr
ID: 38715450
Sure, an SSL debug log would definitely help.
Hard to help without this.

It would also help to know which kind of cases work and which do not.

Also you could use this class to test your SSL connection.
Using it with your keystore to access your secured server would show you if the SSL connection is ok or not. And it would show you the certificate sent by the server.

Here is the class : http://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java

Maybe you could try it and show us the result.

Another thing I'm wondering.
Do you configure your keystore in the code and actually load it? Something like:
keyStore.load(...) ?
Is there a line of code before the load call that could raise an exception, causing the load method not to be executed?
0
 
LVL 6

Expert Comment

by:yats
ID: 38715686
Are you getting this problem in some particular scenario?
I used to get handshake problems while using HTTPS URLs, but I think this is not the case with you.

If you are using a distributed system, then there might be a chance that it is failing for one particular server.

If the same certificate is used by another application on the same server, then there might be a chance that it is getting initialized because of the other application.

Are you facing this problem after restarting the application/server, or is it coming intermittently without restarting it?
0

Author Comment

by:david_m_jacobson
ID: 38747294
This is still an issue.  Is it possible that using the Url class is overwriting the values of the java.ssl session variables?  Our code is using the session variables to set the keystore and certificate file names. Is there another class that would overwrite these session variable values?
0
 
LVL 1

Accepted Solution

by:
vkphoenixfr earned 500 total points
ID: 38747387
Possibly Tomcat may have an environment setting specifying a keystore, but if a class inside the code overrides it, the latest should be used.

One good way to see if your keystore is used is to turn on ssl debug. Add -Djavax.net.debug=all to your launch config. Then when your app is launched, you should see a lot of things related to ssl in the log. One thing is the loaded keystore, and all the certificates and keys it contains. If your keystore contains a few certificates, you should see them. If, instead, you have a lot of certificates listed in the log, chances are that your keystore is not loaded, and that instead, the jdk default one is used.

Furthermore, with this debug enabled, you'll see the ssl debug log when your problem appears. It will show the certificates compared to the one you receive from server, and an error message if no matching certificate is found.

Once again, if possible, an SSL debug log would definitely help us to diagnose (at least try :) ) your problem. Oh and of course, the SSL debug log of a successful connection would also help. Comparing these fail/success debugs would give a hint, I guess.
0
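The check raised in the comments above (is `keyStore.load(...)` actually executed, and is the intended keystore the one in use?), as an added example that is not code from this thread. It shows that a `KeyStore` used before `load()` throws a `KeyStoreException` (the JDK's message for this is "Uninitialized keystore"), then loads a keystore explicitly and builds an `SSLContext` from it instead of depending on JVM-wide system properties. The class and method names, the `KEYSTORE_PASS` environment variable and the JKS type are assumptions made for the example; the key password is assumed to equal the store password.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class KeystoreCheck {
    // Load the client keystore explicitly and fail fast if it is missing, unreadable
    // or empty, rather than discovering the problem during a later handshake.
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path); // throws if the file is absent
        try {
            ks.load(in, password);                      // throws on wrong password or corrupt file
        } finally {
            in.close();                                 // Java 6 style, no try-with-resources
        }
        if (ks.size() == 0) {
            throw new KeyStoreException("Keystore " + path + " contains no entries");
        }
        for (String alias : Collections.list(ks.aliases())) { // log aliases only, never key material
            System.out.println("alias=" + alias + " hasPrivateKey=" + ks.isKeyEntry(alias));
        }
        return ks;
    }

    // Socket factory bound to this keystore only; server trust uses the JVM default truststore.
    static SSLSocketFactory clientFactory(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        try { // a KeyStore object used before load() has been called
            KeyStore.getInstance("JKS").size();
        } catch (KeyStoreException e) {
            System.out.println("Without load(): " + e.getMessage());
        }
        String pass = System.getenv("KEYSTORE_PASS"); // hypothetical variable name
        if (args.length == 1 && pass != null) {
            clientFactory(loadKeyStore(args[0], pass.toCharArray()), pass.toCharArray());
            System.out.println("Keystore loaded and SSLContext initialised");
        }
    }
}
```

Passing the returned factory to `HttpsURLConnection.setSSLSocketFactory` on each connection keeps the client key material independent of whatever other code in the same JVM does with the `javax.net.ssl.*` properties.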
 

Author Comment

by:david_m_jacobson
ID: 38747416
Is there a way to send you the ssl debug log privately? I am very reluctant to post the log file to the public as this file belongs to my client.
0
 
LVL 1

Expert Comment

by:vkphoenixfr
ID: 38747436
I don't know if it's allowed by the site policy, but I didn't see this in the rules.
So send it to darkgixxer (at) yahoo dot fr
0
 

Author Closing Comment

by:david_m_jacobson
ID: 38810885
I did not resolve this yet.
0
