Can't connect thru SSL with Vault CPC, Java CLC, or Eclipse

A collection of information about Vault, including solutions to common problems.

Moderator: SourceGear

PostPosted: Tue Jul 01, 2008 9:13 am
If you are having trouble connecting to a Vault Server using the Vault Cross Platform Client (Vault CPC), Vault Eclipse Plugin or the Vault Java Command Line Client (Java CLC) using SSL, you may need to configure the machine's Java keystore to trust the server's ssl certificate if the ssl certificate contains any invalid properties - for example using an expired or self-signed certificate.

To import the trusted certificate you must:

1) Extract your Vault server's public SSL certificate from the IIS Server in which the Vault Server has been installed. Many web browsers will allow you to browse to the Vault Server (https://VAULTSERVER-HOST/VaultService/VaultService.asmx - where VAULTSERVER-HOST is the host name of your Vault Server installation), view and extract the Vault server's certificate.

If further instructions are required, search for "Export SSL Certificate from Browser" and look for examples for your particular browser. However, the following are instructions for how to export SSL certificates for Firefox and Chrome for quick reference:

Firefox 55:
  • Browse to https://VAULTSERVER-HOST/VaultService/VaultService.asmx
  • From the context menu for the page, choose "View Page Info"
  • Click the Security button on the top tool bar
  • Click "View Certificate"
  • On the Details page, expand the Certificate Hierarchy, and select the certificate which is assigned to the Vault Server. This is usually the bottom node of the hierarchy
  • On the bottom, click Export to save the certificate to a file on disk

On Google Chrome (Windows) 61:
  • Browse to https://VAULTSERVER-HOST/VaultService/VaultService.asmx
  • From the context menu for the page, choose "Inspect"
  • On the Chrome DevTools panel, click the "Security" tab
  • Next click the "View Certificate" button
  • On the ensuing dialog, choose "Details"
  • Finally, click "Copy to File..." to invoke the Certificate Export Wizard to export the SSL Certificate to a file on disk

2) Next, you will need to determine the location of the Java's keystore on disk. By default, Java's keystore will be located in a file named cacerts. In earlier setups, the directory of the Java keystore file should be something like $JAVA_HOME/lib/security for the JRE installation or $JAVA_HOME/jre/lib/security for the JDK. This will all be dependent on the Java Virtual Machine (JVM) in use when connecting to Vault.

Note, for Eclipse, you can check which JVM is driving Eclipse from the Help -> About Eclipse dialog. Click the "Installation Details" button and then the "Configuration" tab. Look for the very next line after the '-vm' argument for a hint on which JVM is being used.

For OS X, from a Terminal shell, type /usr/libexec/java_home which should provide the installation of the Java JDK / JRE. For example, with the Java JDK installed on El Capitan the path from java_home may be /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home. Next, using this path, find the full path of the file $JAVA_HOME/jre/lib/security/cacerts.

For Linux, from a console shell, type echo $JAVA_HOME. Next, using this path, find the full path of the file $JAVA_HOME/lib/security/cacerts or $JAVA_HOME/jre/lib/security/cacerts

For Windows, from a command prompt, type echo %JAVA_HOME%. Next, using this path, find the full path of the file %JAVA_HOME%/lib/security/cacerts or %JAVA_HOME%/jre/lib/security/cacerts

3) Import the Server ssl certificate into your Java keystore's trusted certificates.

On Mac or Linux from a console / terminal run the following command:
sudo keytool -keystore /path/to/java/keystore/cacerts -importcert -file /path/to/vault/server/certificate.crt

On Windows run the following from a command prompt:
keytool -keystore "DRIVE:path\to\java\keystore\cacerts" -importcert -file "DRIVE:\path\to\vault\server\certificate.crt"

You will need the keystore password to modify it. By default this password is 'changeit'. Note: If you change the SDK, you will need to rerun this command.

Note: if you already have a certificate under the "mykey" alias, you may have the following error: keytool error: java.lang.Exception: Certificate not imported, alias already exists In that case, import the other one under a new alias (-alias newalias) or remove your old certificate (Mac/Linux example: sudo keytool -keystore /path/to/java/keystore/cacerts -delete -alias mykey).

If the command correctly imports the Vault Server ssl certificate into the Java keystore, you should now be able to connect to the Vault Server using SSL.

Posts: 3599
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
PostPosted: Thu Sep 21, 2017 5:04 pm
Also note, the instructions presented here apply to all SourceGear related products. If you are using a client piece by one of our partners or a third party, and that solution is Java based, the same instructions will apply.

For example, for users of JetBrains TeamCity trying to connect with HTTPS ( SSL ), will need to import their Vault server certificate into the keystore of the JRE of which TeamCity is using.
Jeff Clausius

Return to Knowledge Base (Vault)

Who is online

Users browsing this forum: No registered users and 1 guest