Monday, May 31, 2010

Can not find truststore url.

"Error creating SSL Socket Factory for client invoker: Error initializing socket factory SSL context: Can not find truststore url."

Ever seen this error in your JBoss AS logs?

I have an application running on JBoss AS 5.1 and I saw org.jboss.remoting.transport.http.HTTPClientInvoker throwing this error at me, so I started to investigate what was going on.

I'm calling an external web service over HTTPS and I saw the above error before every outgoing request message. The reason was that I didn't have a keystore set up.

Creating a keystore with a key and a self-signed certificate is easy; it can be done with the keytool that comes with the JDK:

keytool -keystore myApp.keystore -alias myApp -genkey -keyalg RSA -validity 365

I then placed the keystore file into the conf folder on my server. To let JBoss know about the keystore, I added the following options to run.conf.bat, so that they would be loaded each time the server is started:

No more "Can not find truststore url" error.

If I ever want to set up my production environment's Tomcat with a secure HTTP connector, I must remember not to try to use the same keystore for the connector (set up in server.xml). Not only because it's self-signed, but also because in production Tomcat uses the APR connector (Apache Portable Runtime). APR uses a native connection, and for SSL a native connection uses OpenSSL instead of JSSE (Java Secure Socket Extension).

Here are the commands to create a key and certificate with OpenSSL:

openssl genrsa -des3 -out myApp.key
openssl req -new -x509 -key myApp.key -out myApp.crt

Here's an example of how to configure the connector in server.xml:

<Connector port="443" maxHttpHeaderSize="8192"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLCertificateKeyFile="${jboss.server.home.dir}\conf\myApp.key" />

In a non-APR environment, like my localhost, I can use the JSSE keystore:

<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystorePass="password" sslProtocol="TLS" />
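The APR/JSSE split described above means a file that works for one connector is rejected by the other. The following preflight check is an added example, not code from the original post: it identifies a file by its content and reports why it would not suit a given connector type. The function names and the sample bytes are constructed for illustration, and PKCS#12 keystores are not handled.

```python
import re
import struct

# JKS and JCEKS files start with a big-endian 4-byte magic number,
# followed by a 4-byte format version and a 4-byte entry count.
MAGICS = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def classify(data: bytes) -> dict:
    """Identify a key/certificate file by content, not by file extension."""
    if len(data) >= 12:
        magic, version, entries = struct.unpack(">III", data[:12])
        if magic in MAGICS:
            return {"format": MAGICS[magic], "version": version,
                    "entries": entries, "encrypted_key": None}
    text = data.decode("ascii", errors="replace")
    labels = PEM_LABEL.findall(text)
    if labels:
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        # Encrypted keys: Proc-Type header (traditional) or PKCS#8 label.
        encrypted = ("ENCRYPTED PRIVATE KEY" in labels
                     or "Proc-Type: 4,ENCRYPTED" in text)
        return {"format": "PEM", "labels": labels,
                "encrypted_key": encrypted if has_key else None}
    return {"format": "unknown", "encrypted_key": None}

def preflight(data: bytes, connector: str) -> list:
    """List problems with giving this file to an 'APR' or 'JSSE' connector."""
    info = classify(data)
    problems = []
    if connector == "APR" and info["format"] != "PEM":
        problems.append(f"APR/OpenSSL expects PEM files, got {info['format']}")
    if connector == "JSSE" and info["format"] not in MAGICS.values():
        problems.append(f"not a JKS/JCEKS keystore: {info['format']}")
    if connector == "APR" and info["encrypted_key"]:
        problems.append("private key is passphrase-protected")
    return problems

# Constructed samples (no real key material): a JKS header with one entry,
# and the header lines of a key as written by `openssl genrsa -des3`.
SAMPLE_JKS = struct.pack(">III", 0xFEEDFEED, 2, 1) + b"\x00" * 16
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
              b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(preflight(SAMPLE_JKS, "APR"), preflight(SAMPLE_KEY, "APR"))
```

A passphrase-protected key is not an error in itself, but the server then needs the passphrase when it starts, so it is worth knowing before an unattended restart.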

Configuring SSL for Jetty:


  1. Hey! Great article! I understand how to configure JBoss as an SSL client and server! Thanks