Oh - for your original question, we use the default truststore for the JVM - cacerts. We also have the ability to add a custom truststore for client-certs via configuration in gateway-site.xml.
http://knox.apache.org/books/knox-0-13-0/user-guide.html#Gateway+Server+Configuration

On Wed, Sep 27, 2017 at 9:13 AM, larry mccay <[email protected]> wrote:

> FYI - since we are officially dropping Java 7 support in 0.14.0/1.0.0 we can upgrade our pac4j library.
> If you are playing around with that then it may be interesting to drop in the new version.
>
> I do suspect it will require some changes though.
>
> On Wed, Sep 27, 2017 at 8:11 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
>> Nevermind on this one, I can just use the http URL instead for the discovery doc and it works fine.
>>
>> Colm.
>>
>> On Wed, Sep 27, 2017 at 12:57 PM, Colm O hEigeartaigh <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I'm playing around with using PAC4J to secure KnoxSSO, talking to an OIDC IdP. I'm getting a TLS handshake error when trying to retrieve the OIDC configuration as specified by the "oidc.discoveryUri" parameter:
>>>
>>> Caused by: org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:297)
>>>
>>> How can I add the cert of the IdP to Knox/Pac4J so that the TLS handshake works correctly? I tried adding it to gateway.jks but it doesn't work. Is there a separate way to specify a TLS truststore?
>>>
>>> Colm.
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
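The answer above is that pac4j's outbound TLS connection to the IdP is trusted against the JVM's default truststore (cacerts), not against gateway.jks, and the truststore configurable in gateway-site.xml is for client-certificate authentication on the gateway's own listener. Two practical consequences follow: the "PKIX path building failed" error goes away only when the IdP's issuing CA is in the truststore that Knox's JVM actually loads, and switching the discovery URI to plain http as a workaround removes TLS protection from the document that tells pac4j where the token endpoint and the jwks_uri are, which is exactly what an on-path attacker would want to substitute. The following check is an added example written for this thread; it is not Knox or pac4j code. It resolves the truststore the way the JVM does (the `javax.net.ssl.trustStore` property, else `${java.home}/lib/security/jssecacerts` or `cacerts`), reads the IdP's certificate chain from a PEM file (assumed to have been saved from `openssl s_client -connect <idp-host>:443 -showcerts`; the class name `TrustStoreCheck` and the file name are hypothetical), and runs the same PKIX path building the handshake performs, so the exact failure can be reproduced and confirmed fixed before Knox is restarted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical diagnostic (not part of Knox or pac4j): does the truststore this
 * JVM uses for outbound TLS accept the certificate chain an OIDC IdP presents?
 * Run it with the same JVM and the same -D flags Knox's gateway process uses.
 */
public final class TrustStoreCheck {

    /** Locate and load the truststore the JVM's default TrustManager would use. */
    static KeyStore loadTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String password = System.getProperty("javax.net.ssl.trustStorePassword");
        if (path == null) {
            // No override set: the JVM falls back to jssecacerts, then cacerts, under java.home.
            Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
            Path candidate = security.resolve("jssecacerts");
            if (!Files.exists(candidate)) {
                candidate = security.resolve("cacerts");
            }
            path = candidate.toString();
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // A null password is enough to read trusted-certificate entries.
            ks.load(in, password == null ? null : password.toCharArray());
        }
        System.out.println("truststore: " + path + " (" + ks.size() + " entries)");
        return ks;
    }

    /** Parse every certificate in a PEM file, leaf first as s_client -showcerts prints them. */
    static X509Certificate[] readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /**
     * Build a PKIX path from the leaf to a trust anchor in the truststore, using the
     * intermediates from the PEM. Returns null on success, otherwise the builder's
     * message (the same "unable to find valid certification path" text seen in the
     * SSLHandshakeException when no anchor matches).
     */
    static String validate(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain[0]);
        // Throws "the trustAnchors parameter must be non-empty" if the keystore holds
        // no trusted-certificate entries, e.g. a keystore that only has a private key.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // offline check; revocation is a separate concern
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (CertPathBuilderException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustStoreCheck <idp-chain.pem>");
            System.exit(2);
        }
        X509Certificate[] chain = readPemChain(Paths.get(args[0]));
        System.out.println("leaf subject: " + chain[0].getSubjectX500Principal());
        System.out.println("leaf issuer:  " + chain[0].getIssuerX500Principal());
        String error = validate(loadTrustStore(), chain);
        if (error == null) {
            System.out.println("OK: chain is trusted by this JVM's truststore");
        } else {
            System.out.println("FAIL: " + error);
            System.exit(1);
        }
    }
}
```

Running it without `-Djavax.net.ssl.trustStore` shows which cacerts file the gateway's JVM will consult and reproduces the failure; running it with `-Djavax.net.ssl.trustStore=/path/to/gateway.jks` shows that even a truststore containing the IdP certificate does nothing unless the JVM is told to use it, which is why editing gateway.jks alone did not help. The fix that keeps TLS on the discovery URI is to import the IdP's issuing CA (not the leaf) as a trusted entry, either into the JVM's cacerts with `keytool -importcert -trustcacerts -alias idp-ca -file idp-ca.pem -keystore "$JAVA_HOME/lib/security/cacerts"`, or into a separate truststore that the gateway JVM is started with via `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword`, and then to re-run this check before restarting Knox.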
