Tags: postgresql, ssl, open-liberty

Openliberty PostgreDB connection with sslMode=verify-ca fails


I'm trying to connect my Openliberty Server to a PostgreDB with a higher sslMode than just "require". Here's the server.xml:

<featureManager>
    <feature>jaxrs-2.1</feature>
    <feature>mpHealth-2.1</feature>
    <feature>ejbLite-3.2</feature>
    <feature>beanValidation-2.0</feature>
    <feature>concurrent-1.0</feature>
    <feature>mpConfig-1.3</feature>
    <feature>jpa-2.2</feature>
    <feature>transportSecurity-1.0</feature>
    <feature>jdbc-4.2</feature>
</featureManager>

...

<sslDefault sslRef="defaultSsl"/>
<ssl id="defaultSsl" trustStoreRef="defaultTrustStore"/>
<keyStore id="defaultTrustStore" location="postgre_store.jks" password="changeit"/>

<library id="postgresql-driver-library">
    <fileset dir="${shared.resource.dir}/postgresql" id="postgresql-driver-fileset" includes="*.jar"/>
</library>

<jdbcDriver id="postgresql-driver" javax.sql.XADataSource="org.postgresql.xa.PGXADataSource"
            javax.sql.ConnectionPoolDataSource="org.postgresql.ds.PGConnectionPoolDataSource"
            libraryRef="postgresql-driver-library"/>

<dataSource id="some-db" jndiName="jdbc/mydb" jdbcDriverRef="postgresql-driver"
            type="javax.sql.ConnectionPoolDataSource" transactional="true">
    <properties serverName="${datasource.servername}"
                portNumber="${datasource.port}"
                databaseName="${datasource.database}"
                user="${datasource.username}"
                password="${datasource.password}"
                ssl="true"
                loggerLevel="DEBUG"
                sslMode="verify-ca"
                sslFactory="org.postgresql.ssl.DefaultJavaSSLFactory"/>
</dataSource>

The truststore is in the same folder as the server.xml. On server startup I receive the following error as soon as Flyway tries to connect to the PostgreDB:

[INFO] SQL State  : 08006
[INFO] Error Code : 0
[INFO] Message    : SSL error: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path 
to requested target DSRA0010E: SQL-Status = 08006, Errorcode = 0
[INFO]
[INFO]  at org.flywaydb.core.internal.jdbc.JdbcUtils.openConnection(JdbcUtils.java:60)
[INFO]  at org.flywaydb.core.internal.database.DatabaseFactory.createDatabase(DatabaseFactory.java:72)
[INFO]  at org.flywaydb.core.Flyway.execute(Flyway.java:1670)
[INFO]  at org.flywaydb.core.Flyway.info(Flyway.java:1521)

I added the root certificate (which is self signed) to a newly created truststore as described here: https://jdbc.postgresql.org/documentation/head/ssl-client.html and also converted it from .cer to .crt.der (although I'm not sure if that matters). How can I be sure that the provided truststore is recognized and used by jdbc? Is my assumption correct that the sslRootCert attribute inside the <properties> tag should also point to the public, trusted root certificate which was used for certificate generation on the Postgre server side (the server I want to connect to)?

Openliberty version is: 21.0.0.3

postgre driver artefact is:

<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.2.14</version>

Any ideas on why the connection might not work?
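An added diagnostic for the question above (this is example code written for this page, not part of the original post or of the pgjdbc driver): it loads the same JKS truststore the server.xml points at, prints the trusted entries, and then runs the JDK's PKIX path validation against the PostgreSQL server's certificate offline. That is the same check the driver performs during the TLS handshake, so it separates "the truststore does not contain the right CA" (this program fails with the same "unable to find valid certification path" message) from "the driver is not reading this truststore" (this program passes but the connection still fails). The truststore path, password, and the path of the server certificate file (`server.crt`, a PEM export of the certificate PostgreSQL presents) are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Offline check: does the server certificate chain to a CA in the JKS truststore?
 * Usage: java PgTrustStoreCheck [postgre_store.jks] [server.crt]
 * (file names and the "changeit" password are assumptions for this example)
 */
public class PgTrustStoreCheck {

    public static void main(String[] args) throws Exception {
        String trustStorePath = args.length > 0 ? args[0] : "postgre_store.jks";
        String serverCertPath = args.length > 1 ? args[1] : "server.crt";
        char[] password = "changeit".toCharArray();

        // 1. Load the truststore exactly as the JDK would and list what is trusted.
        //    The self-signed root CA that signed the PostgreSQL server cert must appear here.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trust.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trust.getCertificate(alias);
                System.out.printf("trusted entry '%s': %s (expires %s)%n",
                        alias, c.getSubjectX500Principal(), c.getNotAfter());
            }
        }

        // 2. Load the certificate(s) the server presents (PEM or DER both parse here).
        //    Self-signed certificates are dropped: a trust anchor must come from the
        //    truststore, not from the chain the peer sends, which is also what the
        //    PKIX validator expects.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(serverCertPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
                if (!selfSigned) {
                    chain.add(x);
                }
            }
        }
        if (chain.isEmpty()) {
            System.out.println("FAIL: no end-entity certificate found in " + serverCertPath);
            return;
        }

        // 3. Run PKIX path validation with the truststore as the set of trust anchors.
        //    PKIXParameters(KeyStore) throws if the store holds no trusted certificate
        //    entries at all, which is itself a useful diagnosis.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // private CA without CRL/OCSP; the JSSE default is also off
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(cf.generateCertPath(chain), params);
            System.out.println("OK: " + serverCertPath + " chains to a CA in " + trustStorePath);
        } catch (CertPathValidatorException ex) {
            // ex.getIndex() is the position in the chain where validation gave up (-1 if unknown)
            System.out.println("FAIL (index " + ex.getIndex() + "): " + ex.getMessage());
        }
    }
}
```

Two things worth knowing when reading the result. First, `org.postgresql.ssl.DefaultJavaSSLFactory` validates the server against the JVM's default `SSLSocketFactory`, so the `sslRootCert`/`sslrootcert` property is not consulted by it; that property is read by the driver's default `LibPQFactory`, which expects a PEM root certificate, not a JKS. If the offline check above passes but the driver still fails, either point the JVM default truststore at the file (`-Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=...` in `jvm.options`) or drop `sslFactory` and use `sslrootcert` with the PEM root instead. Second, `verify-ca` only checks that the certificate chains to a trusted CA; it does not check that the certificate's name matches the host you connected to, so once the chain validates, `verify-full` is the mode that actually defends against a substituted server.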


Solution

  • The connection setup was correct, the issue in this case was an improperly configured PostgreSQL server.