13

I'm looking to parse an XML file that updates said file daily - the only issue I've run into is that they use their own certificate (https://...) and I can't use that specific URL, nor is there an http://... link available.

URL url = new URL("https://...");
...
Document document = db.parse(url.openStream());

This code throws the following exception while running my tests:

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I've seen a variety of suggestions dealing with creating various classes to deal with this kind of connection or with a personal server, as well as adding the certificate to a keystore and then adding that keystore to the Java project, but I've been unable to do that and am looking for a slightly simpler way for me to go about accessing the XML online.

Improve this question
3
  • It looks like you've changed your truststore settings not to use the default ones. What have you changed? Commented Dec 4, 2011 at 20:12
  • 1
    This had the effect of removing the default trust store, hence you got an empty trustAnchors parameter. There always must be a non-empty truststore. Commented Dec 5, 2011 at 10:27
  • See this How to Answer[1] In short, the keystore can't be found. [1]: stackoverflow.com/a/6788682/207131 Commented Dec 11, 2012 at 22:30

4 Answers 4

Reset to default
12

You need a truststore to store SSL certificates. You can download the certificate using your preferred web browser. To load the certificate into the truststore, you need the "keytool" program, which comes with the JDK.

For example, if your certificate file is named "certificate.crt" and you want to create a truststore named "secure.ts", you can invoke keytool as follows:

keytool -importcert -keystore secure.ts -storepass S3cuR3pas$! -file certificate.crt

Now, you must tell your program where the keystore is and the password to open it, defining the system properties "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword" before opening the connection

URL url = new URL("https://...");

System.setProperty("javax.net.ssl.trustStore", "secure.ts");
System.setProperty("javax.net.ssl.trustStorePassword", "S3cuR3pas$!");
...
Document document = db.parse(url.openStream());
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

3

This curious message means the truststore wasn't found.

Nothing whatsoever to do with XML BTW.

Improve this answer

10 Comments

@Acetaminophen See the Javadoc: Security/JSSE Reference Guide.
I had renamed <java-home>/lib/security/cacerts to <java-home>/lib/security/cacerts_orig previously in an attempt to add the certificate I have to a keystore - I've fixed that and now get the following error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
@Acetaminophen so your truststore doesn't trust the server's certificate. So it is probably self-signed. You need to import it into your cacerts, or more probably copy your cacerts to a local truststore, import the server certificate into that, and use that as the truststore. See forums.oracle.com/forums/… for a possible import solution. Best solution of all is to get the server to use a certificate signed by a CA.
@Acetaminophen (a) What issues? It compiles and executes fine for me. (b) I've never understood the enthusiasm for disabling certificate verification. If you don't want it secure, why use SSL at all? (c) putting certificates into lib/security doesn't accomplish anything.
@Acetaminophen, so far, your problem had nothing to do with XML (@EJP correctly re-tagged your question). Now, UnknownHostException: I'm not sure why you would remove the https:// preceding the link. NumberFormatException: this may have to do with the processing of your XML document at some stage. This should probably be addressed in a different question, since it has nothing to do with SSL now.
|
2

You can try with this:

String javaHomePath = System.getProperty("java.home");
String keystore = javaHomePath + "/lib/security/cacerts";
String storepass= "changeit";
String storetype= "JKS";

String[][] props = {
    { "javax.net.ssl.trustStore", keystore, },
    { "javax.net.ssl.keyStore", keystore, },
    { "javax.net.ssl.keyStorePassword", storepass, },
    { "javax.net.ssl.keyStoreType", storetype, },
};
for (int i = 0; i < props.length; i++) {
    System.getProperties().setProperty(props[i][0], props[i][1]);
}
// Now you can proceed to connect to call the webservice.
// SSL will be used automatically if the service endpoint url 
// starts with <a href="https://." target="_blank"         rel="nofollow">https://.</a>
// The server will send its certificate signed by verisign and 
// client will trust and authenticate the server as it recognizes 
// verisign as one trusted root.
Improve this answer

Comments

-3

I ran into the same Exception for my MAC OSX (Yosemite), while developing Java 6 applications. You need to download and install Apple's Java for OSX 2014:

http://support.apple.com/kb/DL1572

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.