It's all about the answers!

Ask a question

How to customise Liberty servers configuration mail


vowner owner (25834) | asked Mar 22 '18, 11:24 a.m.

In Liberty profile, How can we remove the default keystore and add new keystore file ? in server.xml file we have onlydefault configuration and we have below requirement.

1) we created a new keystore file using ikeyman named ccm.jks
2) opened the ccm.jks keystore file using ikeyman and under "personal certificate" content, created a new self signed certificate with common name as servers FQDN name and given the key alias name as "ccm". Now the personel certificate displays "ccm" certificate. (Refer Screenshot1)
2) we created a new truststore file using ikeyman named ccmtrust.jks
3) then we edited the server.xml values with new parameters as below.

           <!-- Enable features -->
    <featureManager>
        <feature>monitor-1.0</feature>
        <feature>jsp-2.2</feature>
        <feature>servlet-3.0</feature>
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>adminCenter-1.0</feature>
    </featureManager>
   
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
   
    <keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/CCM.jks" type="JKS" password="changeme"/>
    <keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/ccmtrust.jks" type="JKS" password="changeme"/>
    <httpEndpoint id="defaultHttpEndpoint"
            host="*"
            httpPort="9080"
            httpsPort="9443" />


4) Since we have to enable ssl trusting with our client DB server, we imported the DB servers self signed certificate to the the created truststore.jks file using ikeyman , signer certificate session (screenshot2).

5) All these setup we restarted the service and when we tried to connect the DB, getting the below error.


Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:654)
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at com.ibm.jsse2.util.f.a(f.java:61)



Please let us know if we missed something there in the configuration.

Also we couldnt identify that whether the server.xml configuration which we made are reflecting . ?

One answer



permanent link
Donald Nong (14.5k614) | answered Mar 23 '18, 3:46 a.m.

I'm not sure why you make it so complicated but let's just keep it as is for now. If you have made mistakes in the server.xml and Liberty cannot pick up either of the keystores, you should get a different error. For the last error message that you posted, that is "java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target", it means that you have not imported the complete "chain" of the DB SSL certificate. This chain should consists at least one root certificate (CA), one personal certificate (DB), and possibly one or more intermediate certificates. Search these keywords and you should find some documents explaining what they are.

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.