In Ubuntu 18.04, this error has a different cause (JEP 229, switch from the jks keystore default format to the pkcs12 format, and the Debian cacerts file generation using the default for new files) and workaround:
# Ubuntu 18.04 and various Docker images such as openjdk:9-jdk throw exceptions when
# Java applications use SSL and HTTPS, because Java 9 changed a file format, if you
# create that file from scratch, like Debian / Ubuntu do.
#
# Before applying, run your application with the Java command line parameter
# java -Djavax.net.ssl.trustStorePassword=changeit ...
# to verify that this workaround is relevant to your particular issue.
#
# The parameter by itself can be used as a workaround, as well.
# 0. First make yourself root with 'sudo bash'.
# 1. Save an empty JKS file with the default 'changeit' password for Java cacerts.
# Use 'printf' instead of 'echo' for Dockerfile RUN compatibility.
/usr/bin/printf 'xfexedxfexedx00x00x00x02x00x00x00x00xe2x68x6ex45xfbx43xdfxa4xd9x92xddx41xcexb6xb2x1cx63x30xd7x92' > /etc/ssl/certs/java/cacerts
# 2. Re-add all the CA certs into the previously empty file.
/var/lib/dpkg/info/ca-certificates-java.postinst configure
Status (2018-08-07), the bug has been fixed in Ubuntu Bionic LTS 18.04.1 and Ubuntu Cosmic 18.10.
🗹 Ubuntu 1770553: [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1)
🗹 Ubuntu 1769013: Please merge ca-certificates-java 20180413 (main) from Debian unstable (main)
🗹 Ubuntu 1739631: Fresh install with JDK 9 can’t use the generated PKCS12 cacerts keystore file
🗹 docker-library 145: 9-jdk image has SSL issues
🗹 Debian 894979: ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
🗹 JDK-8044445 : JEP 229: Create PKCS12 Keystores by Default
🖺 JEP 229: Create PKCS12 Keystores by Default
If the issue continues after this workaround, you might want to make sure that you’re actually running the Java distribution you just fixed.
$ which java
/usr/bin/java
You can set the Java alternatives to ‘auto’ with:
$ sudo update-java-alternatives -a
update-alternatives: error: no alternatives for mozilla-javaplugin.so
You can double-check the Java version you’re executing:
$ java --version
openjdk 10.0.1 2018-04-17
OpenJDK Runtime Environment (build 10.0.1+10-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 10.0.1+10-Ubuntu-3ubuntu1, mixed mode)
There are alternative workarounds as well, but those have their own side effects which will require extra future maintenance, for no payoff whatsoever.
The next-best workaround is to add the row
javax.net.ssl.trustStorePassword=changeit
to the files
/etc/java-9-openjdk/management/management.properties
/etc/java-11-openjdk/management/management.properties
whichever exists.
The third least problematic workaround is to change the value of
keystore.type=pkcs12
to
keystore.type=jks
in the files
/etc/java-9-openjdk/security/java.security
/etc/java-11-openjdk/security/java.security
whichever exists, and then remove the cacerts file and regenerate it in the manner described on the last row of the workaround script at the top of the post.
System information:
- Operating system (distribution) and version = macOS High Sierra v10.13.6
- DBeaver version = 5.0.2
- Java version =1.8.9
- Additional extensions
Connection specification:
- Database name and version= DB2 v10.5.0.9
- Driver name = DB2 / DB2 LUW
- Do you use tunnels or proxies (SSH, SOCKS, etc)? = SSL
Describe the problem you’re observing:
I have tried several times to install and make DBEAVER work in this mac machine and I always encounter this trustAnchors parameters must not be non-empty.
I have tried the latest version of dbeaver and I settled on 5.0.2 as this is the version working for my colleague. I’m trying to connect to a db2 db with SSL enabled. I have included the following
parameters (sslTrustStoreLocation, sslConnection, sslTrustStorepassword), in the Connection Properties, but I still got this the trustAchors parameter must non-empty error message.
Thanks in advance for your help.
[jcc][t4][2030][11211][4.16.53] A communication error occurred during operations on the connection’s underlying socket, socket input stream,
or socket output stream. Error location: Reply.fill() — socketInputStream.read (-1). Message: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty. ERRORCODE=-4499, SQLSTATE=08001
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
Unexpected error:java.security.InvalidAlgorithmParameterException:Z
the trustAnchors parameter must be non-empty
the trustAnchors parameter must be non-empty
Steps to reproduce, if exist:
Include any warning/errors/backtraces from the logs
The trustAnchors parameter must be non-empty error typically occurs when you are trying to create an instance of the SSLContext class in Java and you pass an empty trust store as the trustAnchors parameter.
The trustAnchors parameter is used to specify the trusted certificate authorities (CA) that are used to verify the authenticity of the server’s certificate. If the trust store is empty, then there are no trusted CAs available to verify the server’s certificate, and the error is thrown.
To fix this error, you need to make sure that the trust store is not empty. You can do this by adding the trusted CAs to the trust store. For example:
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);
// Add the trusted CAs to the trust store
InputStream in = new FileInputStream("trusted_cas.jks");
trustStore.load(in, "password".toCharArray());
in.close();
// Create an SSL context with the trust store
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
sslContext.init(null, trustManagerFactory.getTrustManagers(), null);In this example, the trust store is loaded from a file called trusted_cas.jks using the load() method
AlexanderD |
|
|
Статус: Новичок Группы: Участники
|
Добрый день! Подскажите что не так. Код: В результате его выполнения получаю: Код: Но, если раскоментировать второй блок, т.е. установка трастового хранилища пропертями, то все работает! Спасибо! Отредактировано пользователем 27 августа 2018 г. 19:14:41(UTC) |
 |
|
|
Евгений Афанасьев |
|
|
Статус: Сотрудник Группы: Участники Сказал(а) «Спасибо»: 20 раз |
Здравствуйте. Код: Когда используется setDefaultSSLSocketFactory, то все работает несколько иначе: у SSLSocketFactory вызывается DefaultSSLContext без учета ранее настроенного SSLContext, который пытается получить trust store из настроек System.Properties, их нет — тогда по умолчанию в качестве trust store используется HDImageStore (если есть System.Properties — trust store грузится из настроек). |
|
Тех. поддержка |
|
|
|
|
|
|
Санчир Момолдаев
оставлено 07.08.2020(UTC) |
1 пользователь поблагодарил Евгений Афанасьев за этот пост.|
AlexanderD |
|
|
Статус: Новичок Группы: Участники
|
Все заработало, спасибо огромное, кучу времени сэкономили! |
|
|
|
|
Oleg Frolov |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 6 раз |
Добрый день! Подскажите, пожалуйста. Есть такой код: Код: Если установлен JCP без TLS провайдера, либо JCP не установлен вообще, то соединение успешно (далее в коде отправляю запрос, получаю ответ). Но, если установлен JCP вместе с TLS провайдером, то получаю ошибку «TrustAnchors parameter must be non-empty». Нужно, чтобы код работал также как и до установки TLS провайдера. Что необходимо для этого сделать? JCP v2.0 Отредактировано пользователем 15 сентября 2020 г. 19:33:54(UTC) |
|
|
|
|
Санчир Момолдаев |
|
|
Статус: Сотрудник Группы: Модератор, Участники Сказал(а) «Спасибо»: 83 раз |
Автор: Oleg Frolov Добрый день! Подскажите, пожалуйста. Есть такой код: Код: Если установлен JCP без TLS провайдера, либо JCP не установлен вообще, то соединение успешно (далее в коде отправляю запрос, получаю ответ). Но, если установлен JCP вместе с TLS провайдером, то получаю ошибку «TrustAnchors parameter must be non-empty». Нужно, чтобы код работал также как и до установки TLS провайдера. Что необходимо для этого сделать? JCP v2.0 Добрый день! если нужно использовать гост тлс в коде то можно установить их программно: либо делать connection.setSSLSocketFactory(ctx.getSocketFactory()); для гостовых тлс соединений |
|
Техническую поддержку оказываем тут |
|
|
|
|
|
|
Oleg Frolov
оставлено 16.09.2020(UTC) |
|
Oleg Frolov |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 6 раз |
Автор: Санчир Момолдаев Автор: Oleg Frolov Добрый день! Подскажите, пожалуйста. Есть такой код: Код: Если установлен JCP без TLS провайдера, либо JCP не установлен вообще, то соединение успешно (далее в коде отправляю запрос, получаю ответ). Но, если установлен JCP вместе с TLS провайдером, то получаю ошибку «TrustAnchors parameter must be non-empty». Нужно, чтобы код работал также как и до установки TLS провайдера. Что необходимо для этого сделать? JCP v2.0 Добрый день! если нужно использовать гост тлс в коде то можно установить их программно: либо делать connection.setSSLSocketFactory(ctx.getSocketFactory()); для гостовых тлс соединений Теперь ясно где были изменения. Все работает. Спасибо! |
|
|
|
| Пользователи, просматривающие эту тему |
|
Guest |
Быстрый переход
Вы не можете создавать новые темы в этом форуме.
Вы не можете отвечать в этом форуме.
Вы не можете удалять Ваши сообщения в этом форуме.
Вы не можете редактировать Ваши сообщения в этом форуме.
Вы не можете создавать опросы в этом форуме.
Вы не можете голосовать в этом форуме.
While accessing a https url from servlets we had got below error and the application used to break at the trustAnchors parameter must be non-empty error with below given error.
So before we get to solution steps we shall know what is truststore and what is key store.
1. TrustStore and keyStore are used in context of setting up SSL connection in Java application between client and server.
2. TrustStore and keyStore are very much similar in terms of construct and structure as both are managed by keytool command.
3. In SSL handshake purpose of trustStore is to verify credentials and purpose of keyStore is to provide credential.
4, KeyStore in Java stores private key and certificates corresponding to there public keys and require if SSL requires client authentication.
5. TrustStore stores certificates from third party or certificates signed by CA(certificate authorities like Verisign, Thawte, Geotrust, etc) which can be used to identify a third party.
Basically in simple words below error means that message means that the truststore specified was not found, or couldn’t be opened due to access permissions issues.
net.sf.jasperreports.engine.JRRuntimeException: net.sf.jasperreports.engine.JRException: Error opening input stream from URL : https://test-server.com:443/imagest/TEF-1049_Desert.jpg at net.sf.jasperreports.repo.DefaultRepositoryService.getInputStream(DefaultRepositoryService.java:117) at net.sf.jasperreports.repo.InputStreamPersistenceService.load(InputStreamPersistenceService.java:48) at net.sf.jasperreports.repo.DefaultRepositoryService.getResource(DefaultRepositoryService.java:155) at net.sf.jasperreports.repo.RepositoryUtil.findInputStream(RepositoryUtil.java:176) at net.sf.jasperreports.repo.RepositoryUtil.getBytesFromLocation(RepositoryUtil.java:192) at net.sf.jasperreports.engine.JRImageRenderer.getImageData(JRImageRenderer.java:504) at net.sf.jasperreports.engine.RenderableUtil.getOnErrorRendererForImageData(RenderableUtil.java:287) at net.sf.jasperreports.engine.export.JRPdfExporter.exportImage(JRPdfExporter.java:1132) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:749) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportPage(JRPdfExporter.java:712) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReportToStream(JRPdfExporter.java:589) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReport(JRPdfExporter.java:316) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) at org.jboss.as.web.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:134) at org.jboss.as.web.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:99) at org.jboss.as.web.session.JvmRouteValve.invoke(JvmRouteValve.java:92) at org.jboss.as.web.session.LockingValve.invoke(LockingValve.java:64) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) at java.lang.Thread.run(Thread.java:724) Caused by: net.sf.jasperreports.engine.JRException: Error opening input stream from URL : https://test-server.com:443/imagest/TEF-1049_Desert.jpg at net.sf.jasperreports.engine.util.JRLoader.getInputStream(JRLoader.java:302) at net.sf.jasperreports.repo.DefaultRepositoryService.getInputStream(DefaultRepositoryService.java:100) ... 41 more Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1844) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1827) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1346) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at java.net.URL.openStream(URL.java:1037) at net.sf.jasperreports.engine.util.JRLoader.getInputStream(JRLoader.java:298) ... 42 more Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90) at sun.security.validator.Validator.getInstance(Validator.java:179) at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:314) at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:173) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:186) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ... 49 more Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88) ... 61 more Caused by: net.sf.jasperreports.engine.JRException: Error opening input stream from URL : https://test-server.com:443/imagest/TEF-1049_Desert.jpg at net.sf.jasperreports.engine.util.JRLoader.getInputStream(JRLoader.java:302) at net.sf.jasperreports.repo.DefaultRepositoryService.getInputStream(DefaultRepositoryService.java:100) at net.sf.jasperreports.repo.InputStreamPersistenceService.load(InputStreamPersistenceService.java:48) at net.sf.jasperreports.repo.DefaultRepositoryService.getResource(DefaultRepositoryService.java:155) at net.sf.jasperreports.repo.RepositoryUtil.findInputStream(RepositoryUtil.java:176) at net.sf.jasperreports.repo.RepositoryUtil.getBytesFromLocation(RepositoryUtil.java:192) at net.sf.jasperreports.engine.JRImageRenderer.getImageData(JRImageRenderer.java:504) at net.sf.jasperreports.engine.RenderableUtil.getOnErrorRendererForImageData(RenderableUtil.java:287) at net.sf.jasperreports.engine.export.JRPdfExporter.exportImage(JRPdfExporter.java:1132) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:749) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportPage(JRPdfExporter.java:712) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReportToStream(JRPdfExporter.java:589) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReport(JRPdfExporter.java:316) at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) at org.jboss.as.web.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:134) at org.jboss.as.web.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:99) at org.jboss.as.web.session.JvmRouteValve.invoke(JvmRouteValve.java:92) at org.jboss.as.web.session.LockingValve.invoke(LockingValve.java:64) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) at java.lang.Thread.run(Thread.java:724) Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1844) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1827) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1346) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at java.net.URL.openStream(URL.java:1037) at net.sf.jasperreports.engine.util.JRLoader.getInputStream(JRLoader.java:298) ... 42 more Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90) at sun.security.validator.Validator.getInstance(Validator.java:179) at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:314) at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:173) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:186) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ... 49 more Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88) ... 61 more Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1844) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1827) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1346) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at java.net.URL.openStream(URL.java:1037) at net.sf.jasperreports.engine.util.JRLoader.getInputStream(JRLoader.java:298) at net.sf.jasperreports.repo.DefaultRepositoryService.getInputStream(DefaultRepositoryService.java:100) at net.sf.jasperreports.repo.InputStreamPersistenceService.load(InputStreamPersistenceService.java:48) at net.sf.jasperreports.repo.DefaultRepositoryService.getResource(DefaultRepositoryService.java:155) at net.sf.jasperreports.repo.RepositoryUtil.findInputStream(RepositoryUtil.java:176) at net.sf.jasperreports.repo.RepositoryUtil.getBytesFromLocation(RepositoryUtil.java:192) at net.sf.jasperreports.engine.JRImageRenderer.getImageData(JRImageRenderer.java:504) at net.sf.jasperreports.engine.RenderableUtil.getOnErrorRendererForImageData(RenderableUtil.java:287) at net.sf.jasperreports.engine.export.JRPdfExporter.exportImage(JRPdfExporter.java:1132) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:749) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportPage(JRPdfExporter.java:712) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReportToStream(JRPdfExporter.java:589) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReport(JRPdfExporter.java:316) at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) at org.jboss.as.web.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:134) at org.jboss.as.web.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:99) at org.jboss.as.web.session.JvmRouteValve.invoke(JvmRouteValve.java:92) at org.jboss.as.web.session.LockingValve.invoke(LockingValve.java:64) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) at java.lang.Thread.run(Thread.java:724) Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90) at sun.security.validator.Validator.getInstance(Validator.java:179) at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:314) at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:173) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:186) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ... 49 more Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88) ... 61 more Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90) at sun.security.validator.Validator.getInstance(Validator.java:179) at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:314) at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:173) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:186) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at java.net.URL.openStream(URL.java:1037) at net.sf.jasperreports.engine.util.JRLoader.getInputStream(JRLoader.java:298) at net.sf.jasperreports.repo.DefaultRepositoryService.getInputStream(DefaultRepositoryService.java:100) at net.sf.jasperreports.repo.InputStreamPersistenceService.load(InputStreamPersistenceService.java:48) at net.sf.jasperreports.repo.DefaultRepositoryService.getResource(DefaultRepositoryService.java:155) at net.sf.jasperreports.repo.RepositoryUtil.findInputStream(RepositoryUtil.java:176) at net.sf.jasperreports.repo.RepositoryUtil.getBytesFromLocation(RepositoryUtil.java:192) at net.sf.jasperreports.engine.JRImageRenderer.getImageData(JRImageRenderer.java:504) at net.sf.jasperreports.engine.RenderableUtil.getOnErrorRendererForImageData(RenderableUtil.java:287) at net.sf.jasperreports.engine.export.JRPdfExporter.exportImage(JRPdfExporter.java:1132) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:749) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportPage(JRPdfExporter.java:712) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReportToStream(JRPdfExporter.java:589) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReport(JRPdfExporter.java:316) at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) at org.jboss.as.web.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:134) at org.jboss.as.web.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:99) at org.jboss.as.web.session.JvmRouteValve.invoke(JvmRouteValve.java:92) at org.jboss.as.web.session.LockingValve.invoke(LockingValve.java:64) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) at java.lang.Thread.run(Thread.java:724) Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88) ... 61 more Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88) at sun.security.validator.Validator.getInstance(Validator.java:179) at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:314) at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:173) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:186) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at java.net.URL.openStream(URL.java:1037) at net.sf.jasperreports.engine.util.JRLoader.getInputStream(JRLoader.java:298) at net.sf.jasperreports.repo.DefaultRepositoryService.getInputStream(DefaultRepositoryService.java:100) at net.sf.jasperreports.repo.InputStreamPersistenceService.load(InputStreamPersistenceService.java:48) at net.sf.jasperreports.repo.DefaultRepositoryService.getResource(DefaultRepositoryService.java:155) at net.sf.jasperreports.repo.RepositoryUtil.findInputStream(RepositoryUtil.java:176) at net.sf.jasperreports.repo.RepositoryUtil.getBytesFromLocation(RepositoryUtil.java:192) at net.sf.jasperreports.engine.JRImageRenderer.getImageData(JRImageRenderer.java:504) at net.sf.jasperreports.engine.RenderableUtil.getOnErrorRendererForImageData(RenderableUtil.java:287) at net.sf.jasperreports.engine.export.JRPdfExporter.exportImage(JRPdfExporter.java:1132) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:749) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportFrame(JRPdfExporter.java:2537) at net.sf.jasperreports.engine.export.JRPdfExporter.exportElements(JRPdfExporter.java:757) at net.sf.jasperreports.engine.export.JRPdfExporter.exportPage(JRPdfExporter.java:712) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReportToStream(JRPdfExporter.java:589) at net.sf.jasperreports.engine.export.JRPdfExporter.exportReport(JRPdfExporter.java:316) at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) at org.jboss.as.web.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:134) at org.jboss.as.web.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:99) at org.jboss.as.web.session.JvmRouteValve.invoke(JvmRouteValve.java:92) at org.jboss.as.web.session.LockingValve.invoke(LockingValve.java:64) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) at java.lang.Thread.run(Thread.java:724)
Solution:
For SSL web URL’s try below steps and check.
1. Add below two arguments to JVM arguments and paths pointing to the cacerts
-Djavax.net.ssl.trustStore=<JAVA_HOME>/jre/lib/security/cacerts -Djavax.net.ssl.trustAnchors=<JAVA_HOME>/jre/lib/security/cacerts
2. Download and Import the https://test-server.com:443/imagest/TEF-1049_Desert.jpg SSL using below command.
<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file SSL_CA_Server.crt
3. Restart the services and test again
In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.