Monthly Archives: November 2014

Add an HTTPS certificate to your Java keystore

You have a tool like Git or Maven that connects to an HTTPS website. That tool then needs to know whether to trust the website’s certificate.

When that tool uses Java underneath, use the following steps to add the website’s certificate to your keystore.

1) Visit the website (for example https://maven.company.nl/nexus) using Firefox.

2) (optional) Confirm and add the exception if you get the notification “This Connection is Untrusted”.

3) Export the certificate to a file with the name “CompanyCA.pem” (click the lock to the left of the domain name -> More information -> View certificate -> Details -> Export, and choose the format “X.509 Certificate with chain PEM”).

Click on the lock

View the details

View the certificate

Export the certificate with format “X.509 Certificate with chain PEM”

4) Add the certificate to the cacerts keystore of the Java version that Maven uses, via the following steps:

4.1) Determine which Java version your Maven uses via
mvn --version

4.2) On the command line, go to the Java home directory via
cd < java home directory >

Note: on Windows, start the command prompt with “Run as administrator”.

4.3) Open the lib/security directory within this folder
4.4) Add the website’s CA certificate to the cacerts keychain via
keytool -keystore cacerts -importcert -alias companyca -file < file directory >/CompanyCA.pem

Note: Replace the placeholder < file directory > with the location where you stored the PEM certificate. On a Unix-like system, prefix this command with sudo.

Provide the keystore password. By default this is changeit.

When asked to trust it, type yes

When the notification “Certificate was added to keystore” is shown without errors, then you are done!
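
The import from steps 4.1 to 4.4 as a script, with checks added around it; this is an added example, not part of the original post. It splits the exported chain so each certificate's owner, issuer and SHA-256 fingerprint can be compared with values obtained from the site's administrator before anything is trusted, backs up cacerts, and lists the new entry afterwards. The script name, the temporary file names and the interactive prompt are assumptions; the alias companyca is the one used above.

```shell
#!/bin/sh
# Added example, not from the original post. File names are illustrative;
# keytool prompts for the keystore password as in step 4.4.

# Split a "certificate with chain" PEM export into one file per certificate
# (<prefix>-1.pem, <prefix>-2.pem, ...) and print how many were written.
split_pem_chain() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Print owner, issuer, validity and SHA-256 fingerprint of each file, so the
# fingerprint can be compared with one obtained from the site's administrator.
show_certs() {
    for f in "$@"; do
        echo "== $f"
        keytool -printcert -file "$f" | grep -E 'Owner:|Issuer:|Valid from:|SHA-?256:'
    done
}

# Back up cacerts, import one certificate under the given alias, then list
# the new entry to confirm it is present.
import_cert() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -keystore "$1" -importcert -alias "$2" -file "$3" || return 1
    keytool -keystore "$1" -list -alias "$2"
}

# Usage: sudo sh import-ca.sh CompanyCA.pem <java home>/lib/security/cacerts
if [ $# -eq 2 ] && [ -f "$1" ] && [ -f "$2" ]; then
    work=$(mktemp -d)
    count=$(split_pem_chain "$1" "$work/cert")
    show_certs "$work"/cert-*.pem
    printf 'Import which certificate (1-%s, anything else aborts)? ' "$count"
    read -r pick
    [ -f "$work/cert-$pick.pem" ] || { echo "Aborted."; exit 1; }
    import_cert "$2" companyca "$work/cert-$pick.pem"
fi
```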

Additionally
Ensure that in your settings.xml and your pom files, all links to your repository point to the HTTPS URL, for example https://maven.company.nl/nexus

How do you know your certificate is not trusted properly?
When you get one of the below exceptions…

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project parent: Failed to retrieve remote metadata nl.company:parent:1.5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata nl.company:parent:1.5-SNAPSHOT/maven-metadata.xml from/to corporateRepo (https://maven.company.nl/nexus/content/repositories/snapshots): peer not authenticated -> [Help 1]

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project parent: Failed to retrieve remote metadata nl.company:parent:1.5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata nl.company:parent:1.5-SNAPSHOT/maven-metadata.xml from/to corporateRepo (https://maven.company.nl/nexus/content/repositories/snapshots): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

Store Subversion credentials in Maven

When you are using Subversion from the command line instead of via a tool like TortoiseSVN, you do NOT want to provide your username and password every time you update or commit the code of your Maven project.

To ensure that SVN never asks for the credentials again, you can set these in your settings.xml via the addition below.

The ID needs to be the host of your Subversion repository. So, when your Subversion URL is “https://subversion.company.nl/svn/projects/project1”, then the id is “subversion.company.nl”.

  <servers>
    <server>
      <id>subversion.company.nl</id>
      <username>...</username>
      <password>...</password>
    </server>

    ...
  </servers>
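
The password element above holds the password in clear text, so anyone who can read settings.xml can read the password. As an added example (not part of the original post), this script reports a settings file that contains clear-text passwords or that other local users can read. It assumes one password element per line, and it accepts values written as {...}, the form produced by mvn --encrypt-password, or as ${...} property references; the script name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Maven settings.xml for
# clear-text passwords and loose file permissions.

# Print the line numbers of <password> elements whose value is neither
# {...} (the form written by `mvn --encrypt-password`) nor a ${...} property
# reference. Assumes one <password> element per line, as in the snippet above.
plaintext_password_lines() {
    grep -n '<password>' "$1" |
        grep -v -E '<password>[$]?[{][^<]*[}]</password>' |
        cut -d: -f1
}

# Succeed if the file is readable by group or by others.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# Report both findings; return 0 only when the file passes both checks.
audit_settings() {
    rc=0
    lines=$(plaintext_password_lines "$1" | tr '\n' ' ')
    if [ -n "$lines" ]; then
        echo "$1: clear-text <password> on line(s): $lines"
        rc=1
    fi
    if readable_by_others "$1"; then
        echo "$1: readable by group or others, consider chmod 600"
        rc=1
    fi
    return $rc
}

# Usage: sh audit-settings.sh ~/.m2/settings.xml
if [ $# -eq 1 ] && [ -f "$1" ]; then
    audit_settings "$1"
fi
```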

An example of an error from the maven-release-plugin when the [proper] SVN credentials are not available:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-release-plugin:2.0:prepare (default-cli) on project internet-portal-parent: Unable to commit files
[ERROR] Provider message:
[ERROR] The svn command failed.
[ERROR] Command output:
[ERROR] svn: E170001: Commit failed (details follow):
[ERROR] svn: E170001: Unable to connect to a repository at URL 'https://subversion.company.nl/svn/projects/internet-portal-parent/trunk'
[ERROR] svn: E170001: OPTIONS of 'https://subversion.company.nl/svn/projects/internet-portal-parent/trunk': authorization failed: Could not authenticate to server: rejected Basic challenge (https://subversion.company.nl)
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException