trustAnchors parameter must be non-empty ??

Classic Servoy
1

Hey Guys,

I’m trying to connect to a https URL (intranet) using the HTTP plug-in:

url = "https://sso-test.mednet.ucla.edu/amserver/SSOTokenRemoteAD";
oClient = plugins.http.createNewHttpClient();
oPoster = oClient.createPostRequest(url);

I then add a couple of more parameters (that’s specific to the login stuff on that server) and then execute:

sHttpCode = oPoster.executeRequest();

I can connect just fine from Developer, no problem and code works as expected. However, when I put it on our server - I get the error below when trying to execute.

Any ideas on how to fix this?

Server INFO:

Servoy version 7.4.9 -releaseNumber 2047
Repository version 44

java.vm.name=Java HotSpot™ 64-Bit Server VM
java.version=1.8.0_131
java.vm.info=mixed mode
java.vm.vendor=Oracle Corporation

Operating System Information
os.name=Windows Server 2012
os.version=6.2
os.arch=amd64

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty 
    	at sun.security.ssl.Alerts.getSSLException(Unknown Source) 
    	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) 
    	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) 
    	at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source) 
    	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) 
    	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) 
    	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543) 
    	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409) 
    	at com.servoy.extensions.plugins.http.HttpClient$1.connectSocket(HttpClient.java:105) 
    	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) 
    	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) 
    	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) 
    	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) 
    	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) 
    	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) 
    	at com.servoy.extensions.plugins.http.BaseRequest.executeRequest(BaseRequest.java:212) 
    	at com.servoy.extensions.plugins.http.BaseRequest.js_executeRequest(BaseRequest.java:138) 
    	at com.servoy.extensions.plugins.http.BaseRequest.js_executeRequest(BaseRequest.java:124) 
    	at sun.reflect.GeneratedMethodAccessor383.invoke(Unknown Source) 
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) 
    	at java.lang.reflect.Method.invoke(Unknown Source) 
    	at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:158) 
    	at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:312) 
    	at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1774) 
    	at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:837) 
    	at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:158) 
    	at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:406) 
    	at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3204) 
    	at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:156) 
    	at com.servoy.j2db.scripting.ScriptEngine.executeFunction(ScriptEngine.java:628) 
    	at com.servoy.j2db.BasicFormController.executeFunction(BasicFormController.java:824) 
    	at com.servoy.j2db.FormController.executeFunction(FormController.java:1277) 
    	at com.servoy.j2db.FormController.executeFunction(FormController.java:1144) 
    	at com.servoy.j2db.FormController$ScriptExecuter.executeFunction(FormController.java:1056) 
    	at com.servoy.j2db.ui.BaseEventExecutor.fireEventCommand(BaseEventExecutor.java:284) 
    	at com.servoy.j2db.ui.BaseEventExecutor.fireEventCommand(BaseEventExecutor.java:250) 
    	at com.servoy.j2db.ui.BaseEventExecutor.fireActionCommand(BaseEventExecutor.java:218) 
    	at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.handleEvent(WebEventExecutor.java:491) 
    	at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.onEvent(WebEventExecutor.java:422) 
    	at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.onEvent(WebEventExecutor.java:395) 
    	at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.onEvent(WebEventExecutor.java:390) 
    	at com.servoy.j2db.server.headlessclient.dataui.ServoyActionEventBehavior.onUpdate(ServoyActionEventBehavior.java:91) 
    	at org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior.onEvent(AjaxFormComponentUpdatingBehavior.java:158) 
    	at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:177) 
    	at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:312) 
    	at org.apache.wicket.request.target.component.listener.BehaviorRequestTarget.processEvents(BehaviorRequestTarget.java:157) 
    	at org.apache.wicket.request.AbstractRequestCycleProcessor.processEvents(AbstractRequestCycleProcessor.java:92) 
    	at org.apache.wicket.RequestCycle.processEventsAndRespond(RequestCycle.java:1279) 
    	at org.apache.wicket.RequestCycle.step(RequestCycle.java:1358) 
    	at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1465) 
    	at org.apache.wicket.RequestCycle.request(RequestCycle.java:545) 
    	at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486) 
    	at com.servoy.j2db.server.servlets.Zt.doGet(Zt.java:9) 
    	at org.apache.wicket.protocol.http.WicketServlet.doPost(WicketServlet.java:160) 
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:643) 
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) 
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) 
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) 
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) 
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:615) 
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) 
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) 
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620) 
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) 
    	at java.lang.Thread.run(Unknown Source) 
    Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty 
    	at sun.security.validator.PKIXValidator.<init>(Unknown Source) 
    	at sun.security.validator.Validator.getInstance(Unknown Source) 
    	at sun.security.ssl.X509TrustManagerImpl.getValidator(Unknown Source) 
    	at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(Unknown Source) 
    	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) 
    	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) 
    	at org.apache.http.conn.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:195) 
    	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source) 
    	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) 
    	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) 
    	at sun.security.ssl.Handshaker.processLoop(Unknown Source) 
    	at sun.security.ssl.Handshaker.process_record(Unknown Source) 
    	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) 
    	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) 
    	... 65 more 
    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty 
    	at java.security.cert.PKIXParameters.setTrustAnchors(Unknown Source) 
    	at java.security.cert.PKIXParameters.<init>(Unknown Source) 
    	at java.security.cert.PKIXBuilderParameters.<init>(Unknown Source)
2

Hi, Bob.

A trust anchor is the top-level certificate in a chain, like a root certificate. Are all the .jar files on the server signed with a valid certificate?

We use the http client with POST on Java version 1.8.0_121 without issue. You could try downgrading to see if the problem goes away…I think there have been problems reported with _131.

3

Thanks! I get that - but it was working great a few weeks ago - with the same settings & java version.

Does the http plugin support TLS 1.2?

I think that’s the problem - as I got this in an email from the IT department:

As part of the security initiative to block TLS v1.0, we will be upgrading Single Sign On Solution (SSO) to support TLS v1.2 over the next few weeks.
4

Java 8 supports TLS 1.2 by default per:

https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default

TLS 1.2 is backwards compatible with versions 1.1 and 1.0. I don’t know what version the http plug-in is using, or whether the version is select-able …a good question for Servoy.

If your set-up was previously working, contact the IT department to find out what they changed (this happens to us all the time) and what they are now expecting with the change. Perhaps, they could roll back the change until you can figure out what is going on.

5

The ANSWER is: the plug-in doesn’t allow you to specify the TLS version.

It’s a Java setting - so it has to be set on the startup. BUT this means that once Servoy starts - it’s using that TLS version, period.

In my case - that will work - but it would be MUCH BETTER if the plug-in allowed to specify the TLS version to use.

6

That’s good to know, thanks!

So, IT blocked TLS 1.0, and this was the only version selected in JCP on the server thus causing an error to be emitted? And, you fixed this by selecting TLS 1.1 and TLS 1.2? I am asking for clarification, because this could happen to us as well.

[attachment=0]java_control_panel_tls_settings.png[/attachment]

Agreed, the http plug-in could be better. If it weren’t for others on this forum, we would not have our http implementation working.

java_control_panel_tls_settings.png
java_control_panel_tls_settings.png436×409 70.6 KB