Servoy Forum

Discuss Servoy here!
https://forum.servoy.com/

trustAnchors parameter must be non-empty ??

https://forum.servoy.com/viewtopic.php?f=22&t=21848

Page 1 of 1

trustAnchors parameter must be non-empty ??

PostPosted: Tue Aug 08, 2017 6:40 pm
by bcusick
Hey Guys,

I'm trying to connect to a https URL (intranet) using the HTTP plug-in:

Code: Select all
url = "https://sso-test.mednet.ucla.edu/amserver/SSOTokenRemoteAD";
oClient = plugins.http.createNewHttpClient();
oPoster = oClient.createPostRequest(url);


I then add a couple of more parameters (that's specific to the login stuff on that server) and then execute:

Code: Select all
sHttpCode = oPoster.executeRequest();


I can connect just fine from Developer, no problem and code works as expected. However, when I put it on our server - I get the error below when trying to execute.

Any ideas on how to fix this?

Server INFO:

Servoy version 7.4.9 -releaseNumber 2047
Repository version 44

java.vm.name=Java HotSpot(TM) 64-Bit Server VM
java.version=1.8.0_131
java.vm.info=mixed mode
java.vm.vendor=Oracle Corporation

Operating System Information
os.name=Windows Server 2012
os.version=6.2
os.arch=amd64


Code: Select all
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
       at sun.security.ssl.Alerts.getSSLException(Unknown Source)
       at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
       at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
       at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
       at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
       at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
       at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
       at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
       at com.servoy.extensions.plugins.http.HttpClient$1.connectSocket(HttpClient.java:105)
       at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
       at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
       at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
       at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
       at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
       at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
       at com.servoy.extensions.plugins.http.BaseRequest.executeRequest(BaseRequest.java:212)
       at com.servoy.extensions.plugins.http.BaseRequest.js_executeRequest(BaseRequest.java:138)
       at com.servoy.extensions.plugins.http.BaseRequest.js_executeRequest(BaseRequest.java:124)
       at sun.reflect.GeneratedMethodAccessor383.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:158)
       at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:312)
       at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1774)
       at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:837)
       at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:158)
       at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:406)
       at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3204)
       at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:156)
       at com.servoy.j2db.scripting.ScriptEngine.executeFunction(ScriptEngine.java:628)
       at com.servoy.j2db.BasicFormController.executeFunction(BasicFormController.java:824)
       at com.servoy.j2db.FormController.executeFunction(FormController.java:1277)
       at com.servoy.j2db.FormController.executeFunction(FormController.java:1144)
       at com.servoy.j2db.FormController$ScriptExecuter.executeFunction(FormController.java:1056)
       at com.servoy.j2db.ui.BaseEventExecutor.fireEventCommand(BaseEventExecutor.java:284)
       at com.servoy.j2db.ui.BaseEventExecutor.fireEventCommand(BaseEventExecutor.java:250)
       at com.servoy.j2db.ui.BaseEventExecutor.fireActionCommand(BaseEventExecutor.java:218)
       at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.handleEvent(WebEventExecutor.java:491)
       at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.onEvent(WebEventExecutor.java:422)
       at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.onEvent(WebEventExecutor.java:395)
       at com.servoy.j2db.server.headlessclient.dataui.WebEventExecutor.onEvent(WebEventExecutor.java:390)
       at com.servoy.j2db.server.headlessclient.dataui.ServoyActionEventBehavior.onUpdate(ServoyActionEventBehavior.java:91)
       at org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior.onEvent(AjaxFormComponentUpdatingBehavior.java:158)
       at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:177)
       at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:312)
       at org.apache.wicket.request.target.component.listener.BehaviorRequestTarget.processEvents(BehaviorRequestTarget.java:157)
       at org.apache.wicket.request.AbstractRequestCycleProcessor.processEvents(AbstractRequestCycleProcessor.java:92)
       at org.apache.wicket.RequestCycle.processEventsAndRespond(RequestCycle.java:1279)
       at org.apache.wicket.RequestCycle.step(RequestCycle.java:1358)
       at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1465)
       at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
       at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486)
       at com.servoy.j2db.server.servlets.Zt.doGet(Zt.java:9)
       at org.apache.wicket.protocol.http.WicketServlet.doPost(WicketServlet.java:160)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:643)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:615)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
       at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
       at sun.security.validator.PKIXValidator.<init>(Unknown Source)
       at sun.security.validator.Validator.getInstance(Unknown Source)
       at sun.security.ssl.X509TrustManagerImpl.getValidator(Unknown Source)
       at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(Unknown Source)
       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
       at org.apache.http.conn.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:195)
       at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
       at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
       at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
       at sun.security.ssl.Handshaker.processLoop(Unknown Source)
       at sun.security.ssl.Handshaker.process_record(Unknown Source)
       at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
       ... 65 more
    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
       at java.security.cert.PKIXParameters.setTrustAnchors(Unknown Source)
       at java.security.cert.PKIXParameters.<init>(Unknown Source)
       at java.security.cert.PKIXBuilderParameters.<init>(Unknown Source)

Re: trustAnchors parameter must be non-empty ??

PostPosted: Wed Aug 09, 2017 6:22 pm
by kwpsd
Hi, Bob.

A trust anchor is the top-level certificate in a chain, like a root certificate. Are all the .jar files on the server signed with a valid certificate?

We use the http client with POST on Java version 1.8.0_121 without issue. You could try downgrading to see if the problem goes away...I think there have been problems reported with _131.

Re: trustAnchors parameter must be non-empty ??

PostPosted: Wed Aug 09, 2017 6:54 pm
by bcusick
Thanks! I get that - but it was working great a few weeks ago - with the same settings & java version.

Does the http plugin support TLS 1.2?

I think that's the problem - as I got this in an email from the IT department:
Code: Select all
As part of the security initiative to block TLS v1.0, we will be upgrading Single Sign On Solution (SSO) to support TLS v1.2 over the next few weeks.

Re: trustAnchors parameter must be non-empty ??

PostPosted: Wed Aug 09, 2017 7:36 pm
by kwpsd
Java 8 supports TLS 1.2 by default per:

https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default

TLS 1.2 is backwards compatible with versions 1.1 and 1.0. I don't know what version the http plug-in is using, or whether the version is select-able ...a good question for Servoy.

If your set-up was previously working, contact the IT department to find out what they changed (this happens to us all the time) and what they are now expecting with the change. Perhaps, they could roll back the change until you can figure out what is going on.

Re: trustAnchors parameter must be non-empty ??

PostPosted: Wed Aug 09, 2017 7:57 pm
by bcusick
The ANSWER is: the plug-in doesn't allow you to specify the TLS version.

It's a Java setting - so it has to be set on the startup. BUT this means that once Servoy starts - it's using that TLS version, period.

In my case - that will work - but it would be MUCH BETTER if the plug-in allowed to specify the TLS version to use.

Re: trustAnchors parameter must be non-empty ??

PostPosted: Wed Aug 09, 2017 8:39 pm
by kwpsd
That's good to know, thanks!

So, IT blocked TLS 1.0, and this was the only version selected in JCP on the server thus causing an error to be emitted? And, you fixed this by selecting TLS 1.1 and TLS 1.2? I am asking for clarification, because this could happen to us as well.

java_control_panel_tls_settings.png
java_control_panel_tls_settings.png (90.86 KiB) Viewed 5467 times


Agreed, the http plug-in could be better. If it weren't for others on this forum, we would not have our http implementation working.
All times are UTC + 1 hour [ DST ]
Page 1 of 1