Tuesday, September 13, 2016

How to: websphere liberty profile and ssl trusted store

Today i was exposing a java application running on websphere liberty profile through a reverse proxy but the applications wasn't working properly.
From the browser debug tool I saw some errors 500 with the following headers errors:

com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:  java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust Global CA, O=GeoTrust Inc., C=US is not trusted; internal cause is:  java.security.cert.CertPathValidatorException: Certificate chaining error

The reverse proxy was configured to expose the app with TLS security so I've exported the certificate from Firefox to a file using crt format.

After the certificate response, i followed the following steps :

  • ssh to the server and copy the crt files
  • cd  /opt/was_lp/usr/servers/servername/resources/security
  • /opt/was_lp/java/java_1.7_64/bin/keytool -importcert -trustcacerts -alias AliasCert -file cert.crt

aftert the keytool you will get the folloing confirm request

Trust this certificate? [no]:  yes
Certificate was added to keystore

as last steps you have to configure the trusted stor inside the server.xml that is usually in a path similar 


here check if the following line is present and then check the password.

<keyStore id="defaultKeyStore" password="passwordStore"/>

After a restart the websphere liberty profile had trust the SSL certificate and the app has started to run properly.

No comments:

Post a Comment