Thursday, April 28, 2016

Connecting IntelliJ and JIRA with SSL (java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty)


My workplace changed the JIRA connection from HTTP to HTTPS, meaning JIRA was now working with SSL.
Everything was working fine with Chrome, but when trying to work with IntelliJ and JIRA using the Atlassian plugin (https://confluence.atlassian.com/display/IDEPLUGIN/Installing+the+IntelliJ+Connector) I encountered the following error:


Clicking on Show Details was not that helpful and displayed the following stack trace:

com.atlassian.theplugin.commons.remoteapi.RemoteApiException: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.atlassian.connector.commons.jira.soap.JIRASoapSessionImpl.login(JIRASoapSessionImpl.java:193)
at com.atlassian.connector.commons.jira.JIRASoapAndXmlServerFacade2Impl.testServerConnection(JIRASoapAndXmlServerFacade2Impl.java:154)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.atlassian.connector.commons.jira.JIRAServerFacade2Impl$1.invoke(JIRAServerFacade2Impl.java:93)
at com.sun.proxy.$Proxy41.testServerConnection(Unknown Source)
at com.atlassian.connector.commons.jira.JIRAServerFacade2Impl.testServerConnection(JIRAServerFacade2Impl.java:268)
at com.atlassian.theplugin.commons.jira.IntelliJJiraServerFacade.testServerConnection(IntelliJJiraServerFacade.java:473)
at com.atlassian.theplugin.idea.config.serverconfig.ProductConnector.connect(ProductConnector.java:35)
at com.atlassian.theplugin.ConnectionWrapper.run(ConnectionWrapper.java:63)

The problem

IntelliJ now needed the certificate JIRA was using in order to establish a connection.

How to solve?

Thanks to the IT guy at my work, I understood I needed to fetch the certificate and tell IntelliJ to use the key store into which I loaded the certificate.

Here is how to do it.
  • Make sure you have a JRE / JDK installed
  • Make sure you have openssl.exe (I'm assuming you are on Windows). If you don't have it, you can get it by installing openvpn (get it from here https://openvpn.net/)
  • Open command line
  • Execute: openssl s_client -connect <JIRA_DNS_NAME>:443 where <JIRA_DNS_NAME> should be replaced with your JIRA DNS name / IP (for example openssl s_client -connect jira:443)
  • Copy the output of the last command from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including those lines, into a file named public.cert
  • Execute: keytool -import -alias <NAME_OF_ALIAS> -file public.cert. For example, keytool -import -alias jira -file public.cert
  • It will ask for a password. The default password is 'changeit'
  • Answer yes to 'Trust this certificate'
  • You should receive 'Certificate was added to keystore'
  • Verify the certificate was really added using the following command: keytool -list | findstr <NAME_OF_ALIAS>, for example keytool -list | findstr jira
  • You should see something like this: jira, Apr 28, 2016, trustedCertEntry,
  • Go to the installation directory of IntelliJ. The default installation on Windows is at 'C:\Program Files (x86)\JetBrains\<INTELLIJ_PRODUCT>\bin'
  • If you have multiple installations, notice which one you choose; in my case it was 'C:\Program Files (x86)\JetBrains\IntelliJ IDEA Community Edition 2016.1.1\bin'
  • Edit the file idea.exe.vmoptions (or idea64.exe.vmoptions, depending on which one you are running)
  • Add the following: -Djavax.net.ssl.trustStore=c:\Users\<YOUR USERNAME>\.keystore, for example, in my case it was '-Djavax.net.ssl.trustStore=c:\Users\tzachs\.keystore'
  • Restart IntelliJ
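
Before answering yes to 'Trust this certificate', it is worth confirming that the block copied from the s_client output is the certificate your JIRA administrators actually issued. The following is an added example, not part of the original post: it extracts the certificate block from s_client output and computes its fingerprints as colon-separated uppercase hex (the form keytool prints), for comparison with a value obtained from IT. The function names and the sample output are constructed for illustration, and the sample bytes are a placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# First PEM certificate block in the text (s_client prints the server certificate).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def extract_certificate(s_client_output):
    """Return the DER bytes of the first certificate block in s_client output."""
    match = PEM_BLOCK.search(s_client_output)
    if match is None:
        # Happens when the handshake failed or the output was copied only partially.
        raise ValueError("no complete BEGIN/END CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and CRs from copy/paste
    return base64.b64decode(body, validate=True)

def fingerprint(der, algorithm="sha256"):
    """Colon-separated uppercase hex digest, e.g. 'AB:CD:...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der):
    """Re-encode DER as a clean PEM body (64-character lines) for public.cert."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def matches_expected(der, expected_fingerprint):
    """Compare with a fingerprint obtained out of band, ignoring case and separators."""
    normalize = lambda s: re.sub(r"[^0-9A-F]", "", s.upper())
    return normalize(fingerprint(der)) == normalize(expected_fingerprint)

# Constructed sample: placeholder bytes standing in for a certificate, wrapped in
# the kind of text that surrounds the block in s_client output.
FAKE_DER = b"constructed placeholder, not a real certificate " * 3
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\r\n---\r\nServer certificate\r\n"
    + to_pem(FAKE_DER).replace("\n", "\r\n")
    + "subject=/CN=jira\r\n---\r\n"
)

if __name__ == "__main__":
    der = extract_certificate(SAMPLE_OUTPUT)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
```

If the fingerprint does not match the one your administrators give you, do not import the certificate.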

Troubleshoot

In case something does not work, check the idea.log. 
