License Type | SaaS & On-Premise |
Agent Mode | Assess & Protect |
Main Product Category | Java Agent |
Sub Category | Configuration |
Issue
As detailed in the article Java Agent Fails to Connect to Contrast UI: javax.net.ssl.SSLHandshakeException, one of the options for resolving a certificate trust issue is to import a certificate into the TrustStore used by the application server hosting the application that the Java Agent is instrumenting.
In the case of IBM's WebSphere Application Server (WAS), the normal process of importing the certificate via the WAS console does not resolve the trust issue.
Cause
Because of the order in which WAS and the JVM (and therefore the Contrast Java Agent) start up, the WAS-configured TrustStores are not yet available to the Java Agent when it first tries to connect to the Contrast UI.
Resolution
Java allows for the TrustStore (and associated password and type) to be overridden via the JVM System Properties:
javax.net.ssl.trustStore
javax.net.ssl.trustStoreType
javax.net.ssl.trustStorePassword
Because these are specified at JVM startup, they will be honored by the JVM and therefore the Java Agent. An example configuration would look something like this:
-Djavax.net.ssl.trustStore=/apps/ki01/xa-was90-dv114/AppServer/profiles/xa-dmgr90-dv114/config/cells/xa-cell90-dv114/trust.p12 -Djavax.net.ssl.trustStoreType=pkcs12 -Djavax.net.ssl.trustStorePassword=<your password>
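To confirm the override before restarting WAS, the following added example (not Contrast or IBM code) reads the same three system properties, lists what the TrustStore contains, and attempts a TLS handshake using only that store. The class name TrustStoreCheck is hypothetical, and the host argument is assumed to be the hostname of your Contrast UI.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical diagnostic class; not part of the Contrast agent or WAS.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java -Djavax.net.ssl.trustStore=... TrustStoreCheck <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // The same three properties the JVM (and so the agent) reads at startup.
        String path = System.getProperty("javax.net.ssl.trustStore");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "");
        if (path == null) {
            // An argument written without the -D prefix never becomes a system property.
            throw new IllegalStateException("javax.net.ssl.trustStore is not set; check the -D prefix");
        }

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // throws IOException on a wrong password or store type
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println((ks.isCertificateEntry(alias) ? "trusted cert: " : "other entry:  ") + alias);
        }

        // Trust decisions come from this store only, so success shows the store is sufficient.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake(); // an SSLHandshakeException here reproduces the agent's failure
            System.out.println("handshake OK: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Compile it with javac and run it with the same JVM and the same three -D arguments that WAS will use. If the handshake fails, the certificate imported into the TrustStore does not chain to the one the Contrast UI presents.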