Issue Description:

If you are observing below Error message when Ephesoft is configured over https in tomcat and truststore & keystore are referencing to same jks file which doesn’t contain any CA Certificate .

2018-04-03 14:26:23,092 [main] ERROR org.apache.coyote.http11.Http11NioProtocol- Failed to initialize end point associated with ProtocolHandler [“https-jsse-nio-443”]
 Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[?:1.8.0_144]
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[?:1.8.0_144]
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[?:1.8.0_144]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368) ~[tomcat-coyote.jar:8.5.23]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292) ~[tomcat-coyote.jar:8.5.23]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113) ~[tomcat-coyote.jar:8.5.23]
… 20 more

Component:

Tomcat

 

Ephesoft Version:

Ephesoft 4.5.0.0

 

Solution:

If we use same .jks file as a keystore and as a truststore, then the server start up is failing with following error : java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty.
Keystore is to store the ServerCerts and TrustStore is to store the CA certs. On adding at least one CA certificate in the .jks, above issue will be resolved.

Also if you are not using PIV/CAC, so you are not required to set truststoreFile option in connector settings.
Also, the change in behaviour b/w 4120/4130 and 4500 is because of Tomcat version upgrade.

Was this article helpful to you?

Abhishek Jain