
java openkit certificate error when trying simplesample

cbruhn2
Participant

I have installed a Public Active Gateway (PAG). Version 1.183.127.20200108-111113 on Platform: Linux, Version: 3.10.0-1062.el7.x86_64, Architecture: amd64, Processors: 2 - Running.

On the same server I have installed the java openkit package from https://bintray.com/dynatrace/openkit/com.dynatrace.openkit

Then I have altered the SimpleSample https://github.com/Dynatrace/openkit-java/blob/master/samples/SimpleSample.java for my environment, stating the URL in my environment, the application, the applicationid and deviceid.

When I run the java application, I get errors about the certificate.

[root@vhpmon540cop007 cbruhn2]# java SimpleSample
2020-02-11T10:52:46.245 ERROR [BeaconSender] HTTPClient sendRequest() - ERROR: STATUS Request failed!
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)

I have not altered anything about the certificate that the PAG uses, so it just states it has been issued by dynatrace.

Cluster ActiveGate SSL certificate

Current SSL certificate

Issuer: Dynatrace

Subject: Dynatrace

Expires: Feb 07, 2030

Is there a way in Dynatrace to export this certificate to other machines?

I think that this certificate should be exported and then imported with keytool, but I can't find any documentation about how to do this.

The java application is run on the same machine as the PAG so I don't understand why there should be a problem with the certificate, but that is just my ignorance about certificates.

Can anybody help solving this issue, so I could test the openkit setup, before I let java developers access the setup?

3 REPLIES

Julius_Loman
Leader

You have the answer right there - "java.security.cert.CertificateException: No subject alternative names". Certificates are verified every time, it does not matter if it is a local connection.

The default self-signed certificate is not a good way to operate Cluster ActiveGate (named Public Security Gateway in the past). You will need a proper certificate issued to FQDN / DNS name of the ActiveGate. Now also with the SNI extension (subject alternative name). So you should get a certificate with SNI extension, including a private key and put it on the ActiveGate. This is done via the CMC console in Dynatrace Managed, not by copying it to the host. If your certificate will be issued by your local CA and not by a public CA, then you might need to import the CA certificate into the trust store of the JVM you are running so the SSL connection to the gateway can be trusted.


If this is just for testing and getting familiar with OpenKit, you can turn off the SSL validation in the example, see here:

https://github.com/Dynatrace/openkit-java/blob/master/docs/example.md#ssltls-security-in-openkit

Just add this method call in the initialization of the openkit library:

.withTrustManager(new SSLBlindTrustManager())

Hi Julius, thank you for a very helpful answer. I can now test and it works fine. Just one thing for the record.

You have to import the class

import com.dynatrace.openkit.protocol.ssl.SSLBlindTrustManager;

Otherwise it works great. Once again. Many thanks

Best regards

Carl Bruhn

You are welcome. Of course you need to import that class or package. Just in production I strongly discourage running Cluster ActiveGate with self-signed certificate or without SSL certificate validation.
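
Added example, not part of the thread and not Dynatrace's own code: a shell sketch that uses openssl to show why a certificate carrying only Subject "Dynatrace" fails name verification while one with subject alternative name entries passes, followed by the keytool import of a locally issued certificate into a dedicated trust store. The host name, IP address, alias, store password and file names are assumptions, and both certificates are constructed test certificates.

```shell
#!/usr/bin/env bash
# Added example. Certificates, host name, IP, alias and password are constructed/assumed.
set -eu
WORK=$(mktemp -d)
AG_HOST="activegate.example.internal"   # hypothetical ActiveGate FQDN
AG_IP="192.0.2.10"                      # hypothetical ActiveGate IPv4 address

# make_cert <name> [san]: write a self-signed test certificate to $WORK/<name>.pem.
# The subject mimics the default certificate in the question (Subject: Dynatrace).
make_cert() {
  name=$1; san=${2:-}
  set -- req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Dynatrace" \
         -keyout "$WORK/$name.key" -out "$WORK/$name.pem"
  if [ -n "$san" ]; then set -- "$@" -addext "subjectAltName=$san"; fi
  openssl "$@" 2>/dev/null
}

# cert_matches <pem> <dns-name|ipv4>: succeed only if the certificate is valid for
# that name, the same kind of check a TLS client applies to the server certificate.
cert_matches() {
  case $2 in
    *[!0-9.]*) check=-checkhost ;;   # anything besides digits and dots: DNS name
    *)         check=-checkip ;;     # IPv4 literal
  esac
  openssl x509 -in "$1" -noout "$check" "$2" | grep -q 'does match certificate'
}

# import_ca <pem> <truststore>: add a certificate to a dedicated trust store for
# the JVM that runs OpenKit (requires keytool from a JDK).
import_ca() {
  keytool -importcert -noprompt -alias activegate -file "$1" \
          -keystore "$2" -storepass changeit
}

make_cert default                               # no subject alternative name
make_cert proper "DNS:$AG_HOST,IP:$AG_IP"       # names the gateway is reached by
for c in default proper; do
  for n in "$AG_HOST" "$AG_IP"; do
    if cert_matches "$WORK/$c.pem" "$n"; then r="match"; else r="NO MATCH"; fi
    echo "$c.pem vs $n: $r"
  done
done
# proper.pem is self-signed, so it stands in for the local CA certificate here.
if command -v keytool >/dev/null 2>&1; then
  import_ca "$WORK/proper.pem" "$WORK/openkit-truststore.p12"
fi
```

A JVM that uses the default JSSE trust manager can be pointed at such a store with the standard `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties, which keeps certificate validation enabled.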