IBM Support

How to import a certificate for Java keystore using Java keytool

Troubleshooting


Problem

When a Java application connects to a remote host over TLS, the following error may appear:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed java.security.cert.CertPathBuilderException : PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException

Resolving The Problem

This error indicates that the certificate of the Certificate Authority (CA) that issued the remote host's certificate is not trusted by the JVM and needs to be imported into the JVM's keystore (the 'cacerts' trust store). This can be accomplished with the following steps.
To obtain the remote host's CA certificate, either contact the owner of that host to get it or use the GETSSL command found in QMGTOOLS.



READ FIRST!!

Files that reside in the /QIBM/ProdData/* and /QOpenSys/QIBM/ProdData/* directory structures are "owned" by IBM. These system directories are used for Licensed Program Product (LPP) data. As a result, they will be updated/overlaid when Java PTFs are applied. This means it is very risky for clients/third parties to rely on changes/customizations made to any files in the /QIBM/ProdData/* or /QOpenSys/QIBM/ProdData/* directories because a PTF may overlay any changes/customizations.

The Java LPP on the IBM i provides default files for the security configuration. The default security configuration files include the 'java.security', 'java.policy' and 'cacerts' files which are located in the '/QIBM/ProdData/Java400/jdkxx/lib/security/' and '/QOpenSys/QIBM/ProdData/JavaVM/jdkxx/xxbit/jre/lib/security/' directories. It is recommended that you copy these files to another directory outside of the LPP system directories when making customizations. The following properties may be used so the JVM can find and use these customized configuration files. Using these custom properties will insulate your Java applications from changes made to the global Java system LPP security configuration files when applying PTFs.
https://www.ibm.com/support/pages/node/634649

This example is for the JDK80 64-bit path; replace every reference to it with the path for your JDK version:

/QOpenSys/QIBM/ProdData/JavaVM/jdkxx/xxbit/jre/lib/security/cacerts

i.e. /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts
 


Step 1. FTP the CA certificate file to the IBM i system
Step 2. Import the certificate using the Java 'keytool' command

keytool -import -file /home/rootca.cer -alias CertAuth -keystore /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts -storepass changeit -noprompt
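As an added example that is not part of the IBM document, the following POSIX shell script combines the READ FIRST advice with Step 2: it copies the JDK80 64-bit cacerts file to a directory outside /QOpenSys/QIBM/ProdData so that a Java PTF cannot overlay the change (the directory /home/javasec is a hypothetical choice), imports the CA certificate that was FTP'd to /home/rootca.cer under the alias CertAuth, lists the entry to confirm the import, and prints the javax.net.ssl.trustStore JVM properties that point an application at the customized copy. keytool -importcert is the current spelling of the keytool -import command shown above, and changeit is the default cacerts password used on this page; the function names and the run argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM page: keep a customized cacerts OUTSIDE the
# ProdData LPP directories, import a CA certificate into it, verify the entry,
# and show the JVM properties that select the customized trust store.
# Hypothetical values (adjust to your system):
#   CUSTOM_DIR   directory outside /QOpenSys/QIBM/ProdData that you own
#   /home/rootca.cer and alias CertAuth are the values used on the page

JDK_CACERTS=/QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts
CUSTOM_DIR=/home/javasec
CUSTOM_CACERTS="$CUSTOM_DIR/cacerts"
STOREPASS=changeit   # default password of the IBM-supplied cacerts file

# Copy the IBM-supplied cacerts once; later runs reuse the customized copy.
prepare_truststore() {
    [ -d "$CUSTOM_DIR" ] || mkdir -p "$CUSTOM_DIR" || return 1
    if [ ! -f "$CUSTOM_CACERTS" ]; then
        cp "$JDK_CACERTS" "$CUSTOM_CACERTS" || return 1
    fi
    return 0
}

# Import one CA certificate (DER or PEM) under the given alias.
# Refuses to call keytool at all if the certificate file is missing, so a
# mistyped path cannot silently leave the trust store unchanged.
import_ca() {
    cert="$1"
    ca_alias="$2"
    if [ ! -f "$cert" ]; then
        echo "certificate file not found: $cert" >&2
        return 2
    fi
    keytool -importcert -noprompt -trustcacerts \
        -file "$cert" -alias "$ca_alias" \
        -keystore "$CUSTOM_CACERTS" -storepass "$STOREPASS"
}

# Show the stored entry and its fingerprint so it can be compared with the
# fingerprint the CA operator published.
verify_ca() {
    keytool -list -alias "$1" -keystore "$CUSTOM_CACERTS" -storepass "$STOREPASS"
}

# JVM options that make an application use the customized trust store
# instead of the file under ProdData.
java_opts() {
    printf '%s %s\n' \
        "-Djavax.net.ssl.trustStore=$CUSTOM_CACERTS" \
        "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

# Usage: sh import-ca.sh run   (the "run" argument keeps keytool from being
# invoked when the file is merely sourced for its functions)
if [ "${1:-}" = "run" ]; then
    prepare_truststore \
        && import_ca /home/rootca.cer CertAuth \
        && verify_ca CertAuth \
        && echo "start the application with: java $(java_opts) ..."
fi
```

Run it from QShell or PASE as `sh import-ca.sh run`. Compare the fingerprint printed by verify_ca with the one obtained from the remote host's administrator before relying on the entry, and pass the options printed by java_opts on the application's java command line (or through the JDK properties described at the link above) so the JVM reads the customized copy rather than the file under ProdData.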



Document Information

Modified date:
04 October 2022

UID

nas8N1020724