
When trying to connect to a remote Oracle database via SSL/TLS, an exception is thrown:

"C:\Program Files\AdoptOpenJDK\jdk-11.0.8.10-hotspot\bin\java.exe" ...
Exception in thread "main" java.sql.SQLRecoverableException: I/O Error: IO Error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Authentication lapse 0 ms.
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:874)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:793)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:57)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:747)
    at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:406)
    at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:291)
    at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
    at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:184)
    at pkapora_tls.App.main(App.java:32)
Caused by: java.io.IOException: IO Error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Authentication lapse 0 ms.
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:870)
    ... 8 more
Caused by: java.io.IOException: IO Error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at oracle.net.nt.SSLSocketChannel.wrap(SSLSocketChannel.java:547)
    at oracle.net.nt.SSLSocketChannel.wrapHandshakeMessage(SSLSocketChannel.java:460)
    at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:442)
    at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:128)
    at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:350)
    at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:247)
    at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:117)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:340)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1596)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:588)
    ... 8 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at oracle.net.nt.SSLSocketChannel.runTasks(SSLSocketChannel.java:602)
    at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:434)
    ... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:623)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 31 more

The following is specified in the configuration arguments:

-Doracle.net.ssl_server_dn_match="true" -Djavax.net.ssl.trustStore=C:/Users/user/client/truststore.jks -Djavax.net.ssl.trustStorePassword="**********" -Djavax.net.ssl.trustStoreType="JKS" -Djavax.net.ssl.keyStore="C:/Users/user/client/keystore.jks" -Djavax.net.ssl.keyStorePassword="**********" -Djavax.net.ssl.keyStoreType="JKS"

Please help me figure out what the problem is. Thanks in advance for your help.

P.S. Here are the contents of keystore.jks and truststore.jks:

C:\Users\user\client>keytool -list -keystore C:/Users/user/client/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
servertest, 23 Feb 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 35:00:BD:30:D0:B8:69:A4:12:F0:DB:C9:60:CE:AE:F7:94:ED:D5:72:3B:41:6C:CC:A6:CB:57:98:F7:2D:83:5E
testclient, 22 Feb. 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): EC:D0:14:18:CC:33:10:FC:5D:EB:18:66:16:F7:5B:CF:63:F2:1C:EE:B3:1D:4D:F0:1E:D8:0A:ED:2F:26:FC:0B
testroot, 22 Feb 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 2C:24:DD:A2:C7:74:AF:69:48:42:A5:FE:51:98:20:FF:18:5F:8E:7D:B1:1F:61:0C:29:3D:44:83:82:3F:88:2C
C:\Users\user\client>keytool -list -keystore C:/Users/user/client/truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
servertest, 23 Feb 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 35:00:BD:30:D0:B8:69:A4:12:F0:DB:C9:60:CE:AE:F7:94:ED:D5:72:3B:41:6C:CC:A6:CB:57:98:F7:2D:83:5E
testclient, 23 Feb 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): EC:D0:14:18:CC:33:10:FC:5D:EB:18:66:16:F7:5B:CF:63:F2:1C:EE:B3:1D:4D:F0:1E:D8:0A:ED:2F:26:FC:0B
testroot, 22 Feb 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 2C:24:DD:A2:C7:74:AF:69:48:42:A5:FE:51:98:20:FF:18:5F:8E:7D:B1:1F:61:0C:29:3D:44:83:82:3F:88:2C

Apparently, you do not have your server certificate in the truststore. Add it to the truststore and everything should work.

Sergi 2021-02-25 06:09:07

@Sergi I looked at the list of certificates in keyStore.jks: it contained the trusted (root) and signed client certificates, and I added the server certificate to them. The trustStore had only the trusted (root) certificate; I added the client and server certificates to it. I tried to start the project, and the error is the same. The lists of certificates in both stores are shown in my question, please take a look.

bnv 2021-02-25 06:09:07

It's hard to say like this; try enabling TLS debugging: -Djavax.net.debug=all

Sergi 2021-02-25 06:09:07

@Sergi I.e. do you need to insert -Djavax.net.debug=all in the configuration arguments? I'm not good at Java, just learning. I added this line to the rest of the arguments, and nothing has changed; the text of the previous error is displayed. Please tell me where to put -Djavax.net.debug=all

bnv 2021-02-25 06:09:07

@Sergi Maybe the reason for the error is that all certificates contained in the stores are in the .txt format, not .cert, for example?

bnv 2021-02-25 06:09:07
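
A way to check what the JVM actually received for the javax.net.ssl.* settings discussed in this thread, and what kind of entries each store holds. This is an added example, not code from the thread; the class name TlsStoreCheck is hypothetical, and it assumes it is started with exactly the same options as the application.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic, not code from the thread. TlsStoreCheck is a hypothetical name.
public class TlsStoreCheck {
    // Prints javax.net.ssl.<role>* as seen by the JVM; returns key-entry count, -1 if no store.
    static int inspect(String role) throws Exception {
        String path = System.getProperty("javax.net.ssl." + role);
        String type = System.getProperty("javax.net.ssl." + role + "Type", KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl." + role + "Password");
        // Brackets make stray spaces or quotes in the values visible.
        System.out.println(role + ": path=[" + path + "] type=[" + type + "]");
        if (path == null) {
            System.out.println("  property not set in this JVM (for trustStore the JDK default cacerts is used)");
            return -1;
        }
        File file = new File(path);
        if (!file.isFile()) {
            System.out.println("  no such file: " + file.getAbsolutePath());
            return -1;
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) keyEntries++;
            Certificate c = ks.getCertificate(alias);
            String subject = c instanceof X509Certificate
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "n/a";
            System.out.println("  " + alias + " -> " + (isKey ? "key entry" : "trustedCertEntry") + ", subject=" + subject);
        }
        return keyEntries;
    }

    public static void main(String[] args) throws Exception {
        inspect("trustStore");
        if (inspect("keyStore") == 0) {
            System.out.println("keyStore holds no key entry, so it cannot present a client certificate");
        }
    }
}
```

If a path prints as null, the -D options did not reach the JVM as system properties; they take effect only when passed to java itself (before the main class), not as arguments to the program.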