Using SSL certificate in Jaspersoft Studio 5.5

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

Jaspersoft Studio uses a specific holder for its security certificate. The location is the Jaspersoft Studio Professional-5.5.0 root, finalfeaturesjre.win32.win32.x86_64.feature_1.7.0.u25jrelibsecurity directory.

Resolution

After importing the certificate into Jaspersoft Studio Professional-5.5.0 root, finalfeaturesjre.win32.win32.x86_64.feature_1.7.0.u25jrelibsecurity directory,  the user will be able to make HTTPS calls to the server and connect successfully. The default cacert keystore password is 'changeit' without quotes.

How to import the certificate

One way to import your appserver's certificate is to use keytool commands, using the keytool.exe found in your Jaspersoft Studio installation directory within a folder similar to featuresjre.win32.win32.x86_64.feature_1.7.0.u67jrebin 

Run it with 4 params, listed below:

• -import 
• -alias <provide_an_alias> 
• -file <certificate_file> 
• -keystore <your_path_to_jre with the Jaspersoft Installation dir>/lib/security/cacerts 

The -alias can be anything.

The -file needs to be the full path to your certificate file fetched from the server hosting your web access to JRS... like -file c:tomcat.cer  or .crt, .pem, etc.

The -keystore needs to be the full path to your cacerts file, in my case -keystore C:Program FilesJaspersoftJaspersoft Studio Professional-5.6.1.finalfeaturesjre.win32.win32.x86_64.feature_1.7.0.u67jrelibsecuritycacerts 

An example might be:  keytool -import -alias tomcatProd -keystore c:/JSS/jre/lib/security/cacerts -file c:/tomcat.cer 

If prompted for password enter "changeit", then accept it.  

Finally restart JSS.

MacOSX Note:

The default Apple java security keystore is usually located in /Library/Java/Home/lib/security/cacerts. It is also sometimes named 'jssecacerts'. You will need to either:

• Add your certificate instead to the default Apple keystore
• Tell Studio to use its own cacert keystore by adding the following JVM options to <jaspersoft studio install dir>/Jaspersoft Studio Professional.ini
  • -Djavax.net.ssl.trustStore=<path to keystore file>
  • -Djavax.net.ssl.trustStorePassword=changeit

Reference:

• http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLHandshakeException.html
• http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html

TTC-20131127

• where’s the actual home of java jdk (possibly update your jdk first)
  • $ /usr/libexec/java_home

                 - /Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home

• download the server-Certificate (not private key) an den fullchain.pem from your server
  • /letsencrypt/live/example.com/cert.pem
  • /live/example.com/fullchain.pem

     

• Import both files to  /Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home/jre/lib/security/cacerts
  • first take a backup of cacerts
  • copy cert.pem & fullchain.pem to /Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home/jre/lib/security/ (if you don’t do this before)
  • cd /Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home/jre/lib/security/
  • sudo keytool -trustcacerts -keystore cacerts -storepass changeit -noprompt -importcert -file fullchain.pem -alias example-com-fullchain
  • sudo keytool -importcert -file cert.pem -keystore cacerts -alias example-com-cert

     

• Go to /Applications/TIBCO Jaspersoft Studio 6.2.0.final Pro.app/Contents/Eclipse/Jasper Studio Professional.ini (done on Mac OS x 10.11) and add the following two lines at the end of the ini-File
  • -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home/jre/lib/security/cacerts
  • -Djavax.net.ssl.trustStorePassword=changeit