Java – Maven Error: (repeated) java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

javakeystoremavenssl

Have to ask again. Someone thought it was a duplicate question and already answered and removed it from the list.

I'm using maven (mvn) batch command with windows (not m2e with eclipse) to run clean install or resolve dependencies. Sometimes, when pom.xml was changed, it is necessary to download artifacts from our nexus server.
This used to work for long time for me.

But now the connection to the nexus server (https, the server uses a company owned certificate) fails with "java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"
I know, I changed the Java release. But I'm pretty sure I maintained the cacerts keystore the same way I did with the previous releases. (at leased I compared the fingerprints in both of the cacerts; they are the same).

When running the command
"mvn -s -Djavax.net.debug=all -Djava.net.ssl.trustStore="C:/Programme/Java/jre1.8.0_102/lib/security/cacerts" -Djavax.net.ssl.trustStorePassword=changeit dependency:resolve", the ssl-trace says:

keyStore is :    
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: No File Available, using empty keystore.
trustStore type is : jks
trustStore provider is : 
init truststore

Even if specifying the path and the password of the keystore in the command, the answer in the ssl trace is that it could not be found.

I've no idea what I might have changed to get to this trouble. I changed the Windows PATH-Statement, but this should not matter fro the previously described command.
Any hint is appreciated

Best Answer

I had the same issue and it took me a day to solve it. This a java related issue as you may see in the error stack. Check in:

/etc/ssl/certs/java for the cacerts file.
1) If you don't have this file here that is the reason why your getting this error
2) If you do have this file here it means that this is probably not a valid cacerts file.

If you want you can update it with:
sudo apt-get install --reinstall ca-certificates
And if it works now, then perfect (in my case it did not work)

So to solve this:

Download from open-jdk8 (in my case) directly from oracle
Extract the tar.gz files
Find the new valid cacerts file under jre/lib/security
Copy this file to /etc/ssl/certs/java (removing the old one if that is your case)

Finally run the comand that caused you this error and hopefully its gone! Hope this helped.

Cheers

Related Solutions

Java – Using client/server certificates for two way authentication SSL socket on Android

Android supports certificates in the BKS, P12 and other formats.

For BKS format: Use portecle to convert your certificates (.p12 and .crt) to .bks.

You need 2 files in your /res/raw folder: truststore.bks trust certificate for the server (converted from .cer file)

client.bks/client.p12 - the client certificate (converted from a .p12 file that contains the client certificate and the client key)

import java.io.*;
import java.security.KeyStore;

import javax.net.ssl.*;

import org.apache.http.*;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.params.HttpClientParams;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.params.*;
import org.apache.http.conn.scheme.*;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.*;

import android.app.Activity;
import android.os.Bundle;

public class SslTestActivity extends Activity {

  /** Called when the activity is first created. */
  @Override
  public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main);

    try {
      // setup truststore to provide trust for the server certificate

      // load truststore certificate
      InputStream clientTruststoreIs = getResources().openRawResource(R.raw.truststore);
      KeyStore trustStore = null;
      trustStore = KeyStore.getInstance("BKS");
      trustStore.load(clientTruststoreIs, "MyPassword".toCharArray());

      System.out.println("Loaded server certificates: " + trustStore.size());

      // initialize trust manager factory with the read truststore
      TrustManagerFactory trustManagerFactory = null;
      trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      trustManagerFactory.init(trustStore);

      // setup client certificate

      // load client certificate
      InputStream keyStoreStream = getResources().openRawResource(R.raw.client);
      KeyStore keyStore = null;
      keyStore = KeyStore.getInstance("BKS");
      keyStore.load(keyStoreStream, "MyPassword".toCharArray());

      System.out.println("Loaded client certificates: " + keyStore.size());

      // initialize key manager factory with the read client certificate
      KeyManagerFactory keyManagerFactory = null;
      keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      keyManagerFactory.init(keyStore, "MyPassword".toCharArray());


      // initialize SSLSocketFactory to use the certificates
      SSLSocketFactory socketFactory = null;
      socketFactory = new SSLSocketFactory(SSLSocketFactory.TLS, keyStore, "MyTestPassword2010",
          trustStore, null, null);

      // Set basic data
      HttpParams params = new BasicHttpParams();
      HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
      HttpProtocolParams.setContentCharset(params, "UTF-8");
      HttpProtocolParams.setUseExpectContinue(params, true);
      HttpProtocolParams.setUserAgent(params, "Android app/1.0.0");

      // Make pool
      ConnPerRoute connPerRoute = new ConnPerRouteBean(12);
      ConnManagerParams.setMaxConnectionsPerRoute(params, connPerRoute);
      ConnManagerParams.setMaxTotalConnections(params, 20);

      // Set timeout
      HttpConnectionParams.setStaleCheckingEnabled(params, false);
      HttpConnectionParams.setConnectionTimeout(params, 20 * 1000);
      HttpConnectionParams.setSoTimeout(params, 20 * 1000);
      HttpConnectionParams.setSocketBufferSize(params, 8192);

      // Some client params
      HttpClientParams.setRedirecting(params, false);

      // Register http/s shemas!
      SchemeRegistry schReg = new SchemeRegistry();
      schReg.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
      schReg.register(new Scheme("https", socketFactory, 443));
      ClientConnectionManager conMgr = new ThreadSafeClientConnManager(params, schReg);
      DefaultHttpClient sClient = new DefaultHttpClient(conMgr, params);

      HttpGet httpGet = new HttpGet("https://server/path/service.wsdl");
      HttpResponse response = sClient.execute(httpGet);
      HttpEntity httpEntity = response.getEntity();

      InputStream is = httpEntity.getContent();
      BufferedReader read = new BufferedReader(new InputStreamReader(is));
      String query = null;
      while ((query = read.readLine()) != null)
        System.out.println(query);

    } catch (Exception e) {
      e.printStackTrace();
    }
  }

}

Update:

You can also load .crt files for the trust store directly without converting them to BKS:

    private static KeyStore loadTrustStore(String[] certificateFilenames) {
        AssetManager assetsManager = GirdersApp.getInstance().getAssets();

        int length = certificateFilenames.length;
        List<Certificate> certificates = new ArrayList<Certificate>(length);
        for (String certificateFilename : certificateFilenames) {
          InputStream is;
          try {
            is = assetsManager.open(certificateFilename, AssetManager.ACCESS_BUFFER);
            Certificate certificate = KeyStoreManager.loadX509Certificate(is);
            certificates.add(certificate);
          } catch (Exception e) {
            throw new RuntimeException(e);
          }
        }

        Certificate[] certificatesArray = certificates.toArray(new Certificate[certificates.size()]);
          return new generateKeystore(certificatesArray);
      }

 /**
   * Generates keystore congaing the specified certificates.
   *
   * @param certificates certificates to add in keystore
   * @return keystore with the specified certificates
   * @throws KeyStoreException if keystore can not be generated.
   */
  public KeyStore generateKeystore(Certificate[] certificates) throws RuntimeException {
      // construct empty keystore
      KeyStore keyStore = KeyStore.getInstance(keyStoreType);

      // initialize keystore
      keyStore.load(null, null);

      // load certificates into keystore
      int length = certificates.length;
      for (int i = 0; i < length; i++) {
        Certificate certificate = certificates[i];
        keyStore.setEntry(String.valueOf(i), new KeyStore.TrustedCertificateEntry(certificate),
            null);
      }
      return keyStore;
  }

Same goes for the KeyStore with the client certificate, you can use the .p12 file directly without converting it to BKS.

Java – Error – trustAnchors parameter must be non-empty

This bizarre message means that the trustStore you specified was:

empty,
not found, or
couldn't be opened
- (due to wrong/missing trustStorePassword, or
- file access permissions, for example).

Best Answer

Related Solutions

Java – Using client/server certificates for two way authentication SSL socket on Android

Java – Error – trustAnchors parameter must be non-empty

Related Topic