The applications use data connection pools to connect to the iSeries servers we use. All of the connections use hibernate (<app_name>.hibernate.connection.url=jdbc:as400://<host>;<libraries>;<options>;). In the options we add secure=true.
The CAcert we have is the root cert and if I use the openSSL command to use the actual file I get a good handshake. In the application logs I get an error like this:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I need to figure out how to build the cert path for the cert coming from the server.

Thanks,

Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
(417) 862-2674 Ext. 1975

From: Viktor Dukhovni <openssl-us...@dukhovni.org>
To: openssl-users@openssl.org, owner-openssl-us...@openssl.org
Date: 02/17/2014 01:14 PM
Subject: Re: CA cert issue
Sent by: owner-openssl-us...@openssl.org

On Mon, Feb 17, 2014 at 01:03:59PM -0600, espe...@oreillyauto.com wrote:

> I have tried the c_rehash /etc/ssl/certs and that did not help the
> situation. I had seen that in a bug post and tried it.
>
> How can I make sure that openssl is using the /etc/ssl/certs folder to
> search for the ca certificate?

By specifying a suitable CApath. However, note that the algorithm used to compute the subject name hash (the hex digits before the final .<instance> extension in the soft links) changed between OpenSSL 0.9.8 and 1.0.0. In environments where you have both OpenSSL 0.9.8 and 1.0.0 or later applications, you need a c_rehash that generates both hashes. How CApath is specified for a particular application depends on that application.

Also the CAs in CApath need to be "root" (self-signed) CAs. If you used an intermediate CA, its issuer needs to go into /etc/ssl/certs, and the server chain needs to include not only the leaf, but also any intermediate certificates.

--
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
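
The dual-hash CApath layout described in the reply above, as an added example that is not part of the thread or the OpenSSL project's own tooling. The helper names `link_ca_both_hashes` and `demo_capath` are hypothetical, the root and leaf certificates are throwaway ones constructed for the demonstration, and `-subject_hash_old` assumes OpenSSL 1.0.0 or later is doing the linking.

```shell
#!/bin/sh
# Populate a CApath directory with BOTH subject-hash link names so that
# OpenSSL 0.9.8 and 1.0.0+ applications can each locate the same root.

# link_ca_both_hashes CERT.pem CAPATH_DIR   (hypothetical helper)
link_ca_both_hashes() {
    cert=$1 dir=$2 base=$(basename "$1")
    # Per the reply, CApath entries must be self-signed roots: subject == issuer.
    [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
      "$(openssl x509 -in "$cert" -noout -issuer_hash)" ] || {
        echo "refusing $cert: not self-signed" >&2; return 1; }
    mkdir -p "$dir" && { [ -e "$dir/$base" ] || cp "$cert" "$dir/$base"; } || return 1
    for opt in -subject_hash -subject_hash_old; do
        h=$(openssl x509 -in "$cert" -noout "$opt") || return 1
        n=0   # .<instance> suffix: first free slot if two CAs share a hash
        while [ -e "$dir/$h.$n" ]; do
            cmp -s "$cert" "$dir/$h.$n" && continue 2   # already linked
            n=$((n + 1))
        done
        ln -s "$base" "$dir/$h.$n" || return 1
    done
}

# demo_capath: constructed root + leaf, verified through the CApath directory.
demo_capath() {
    t=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$t/ca.key" -out "$t/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$t/leaf.key" -out "$t/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$t/leaf.csr" -CA "$t/ca.pem" -CAkey "$t/ca.key" \
        -CAcreateserial -days 1 -out "$t/leaf.pem" 2>/dev/null || return 1
    link_ca_both_hashes "$t/ca.pem" "$t/certs" || return 1
    ls -l "$t/certs"                     # shows both <hash>.0 links
    openssl verify -CApath "$t/certs" "$t/leaf.pem"
}

demo_capath
```

The same directory can then be checked against a live server with `openssl s_client -CApath <dir> -connect <host>:<port>`.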