" /> Email Server SSL Connection Problem - Genesys CTI User Forum

Author Topic: Email Server SSL Connection Problem  (Read 15928 times)

Offline rifai

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
Re: Email Server SSL Connection Problem
« Reply #15 on: December 16, 2015, 06:44:02 AM »
Kubig,

I tried with the following parameters. Still, I am facing the same issue:

-Dmail.imap.auth.login.disable=false
-Dmail.imap.auth.plain.disable=true

10:36:21.641 Dbg 23021 [OutSbSchd] Found 0 matching messages in database in 13 ms
10:36:21.642 Dbg 23022 [OutSbSchd] Queue size : 0 (no new messages found).
10:36:21.762 Dbg 23192 [MsgIn-1] <pop-client> Thread 'MsgIn-1' registers to shutdown notification.
10:36:21.762 Trc 21621 [MsgIn-1] <pop-client> Running inbound messaging client.
10:36:21.763 Dbg 29999 [MsgIn-1] <pop-client> factory creating impl for pop/imap server
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG: mail.imap.class property exists and points to com.sun.mail.imap.IMAPSSLStore
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.fetchsize: 16384
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.ignorebodystructuresize: false
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.statuscachetimeout: 1000
10:36:21.768 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.appendbuffersize: -1
10:36:21.768 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.minidletime: 10
10:36:21.768 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: trying to connect to host "10.200.20.40", port 993, isSSL true
10:36:21.777 Std 29997 [MsgIn-1] <pop-client> javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
10:36:21.778 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:576)
10:36:21.778 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:381)
10:36:21.779 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:232)
10:36:21.779 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
10:36:21.779 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:121)
10:36:21.780 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:710)
10:36:21.780 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:659)
10:36:21.781 Std 29997 [MsgIn-1] <pop-client> at javax.mail.Service.connect(Service.java:381)
10:36:21.781 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.icc.emailserver.MailDeliveryAgentImpl.openConnection(MailDeliveryAgentImpl.java:260)
10:36:21.782 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.retrieveMessages(InboundMessagingClient.java:1121)
10:36:21.782 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.run(InboundMessagingClient.java:993)
10:36:21.783 Std 29997 [MsgIn-1] <pop-client> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
10:36:21.783 Std 29997 [MsgIn-1] <pop-client> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
10:36:21.783 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.util.concurrent16.NamedThreadFactory$1.run(NamedThreadFactory.java:55)
10:36:21.784 Std 29997 [MsgIn-1] <pop-client> at java.lang.Thread.run(Thread.java:745)
10:36:21.784 Std 20015 [MsgIn-1] <pop-client> JavaMail Exception.
[color=red]javax.mail.MessagingException: Unable to establish handshake using SSL - server may be expecting plain text connection;
  nested exception is:
javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection[/color]
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:695)
at javax.mail.Service.connect(Service.java:381)
at com.genesyslab.icc.emailserver.MailDeliveryAgentImpl.openConnection(MailDeliveryAgentImpl.java:260)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.retrieveMessages(InboundMessagingClient.java:1121)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.run(InboundMessagingClient.java:993)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at com.genesyslab.util.concurrent16.NamedThreadFactory$1.run(NamedThreadFactory.java:55)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: [color=red]Unable to establish handshake using SSL - server may be expecting plain text connection[/color]
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:245)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:121)
at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:710)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:659)
... 8 more

10:36:21.785 Dbg 23005 [MsgIn-1] <pop-client> Inbound messaging client finished.
10:36:31.467 Dbg 23030 [TimerTask] LogReconfigureTask is now running.
10:36:31.467 Dbg 23032 [TimerTask] LogReconfigureTask cycleTime = 30000 ms.

Offline Kubig

  • Hero Member
  • *****
  • Posts: 2755
  • Karma: 44
Re: Email Server SSL Connection Problem
« Reply #16 on: December 16, 2015, 07:37:46 AM »
Enable debug logging on IMAP box level (on ESJ) to see what happens within the IMAP communication; after that you would be able to recognize what options have to be added.

Offline Andrei Stanciu

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
  • It always seems impossible until it's done.
Re: Email Server SSL Connection Problem
« Reply #17 on: January 27, 2017, 05:04:10 PM »
[quote author=cavagnaro link=topic=9238.msg41613#msg41613 date=1448996451]
You are right, just checked my ESJ new folders.

Please check my oneNote "notes" about this
[url=http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava]http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava[/url]
[/quote]
Cavagnaro, hello. Can you please re-upload the files? The link has expired, I think.
I am facing the same issue and I have spent a day trying to figure it out.

Offline n3vek7

  • Full Member
  • ***
  • Posts: 137
  • Karma: 3
    • ITKB
Re: Email Server SSL Connection Problem
« Reply #18 on: January 31, 2017, 04:34:59 AM »
Well, it seems that I'm also running into this issue... cavagnaro, do you still have those notes?

[code]
23:25:37.214 Std 25080 [SvcSrvW-44] <322> Exception message: Connnection to SMTP Server host 'smtp.office365.com', port 587 failed..
23:25:37.214 Trc 25097 [SvcSrvW-44] <322> Response:
Id=322
Type=Fault
AppName=DEMO_ESJ
AppType=EMAIL_SERVER
Service=Email
Method=Send.
23:25:37.230 Trc 25098 [SvcSrvW-44] <322> 'Email.Send' (request id 322) handling duration : 204 ms.
23:25:37.230 Std 29997 [SvcSrvW-47] <323 023GT72RJ02FC003> javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
[/code]

It's late; I'll try the following instructions from the deployment guide tomorrow. Andrei Stanciu, did you try it?

[b]Prerequisites:[/b]
• The .truststore file has been created.
1. Open JavaEmailServerDriver.ini in a text editor.
2. In the [JavaArgs] section, add the following: -Djavax.net.ssl.trustStore=<path to certificate>
3. Save and close the file.

Configuring the Corporate E-mail Server
[b]Configure TLS/SSL in the Corporate E-mail Server. Follow the constructor recommendations
to generate a certificate and configure TLS/SSL on ports POP3, IMAP and SMTP.[/b]
The following is an example of generation of a certificate with keytool (keytool is a Java
utility that is available with the JRE. The utility can be found in
<eServices_Install_Dir>/jre/bin for Unix operating systems, and in
<eServices_Install_Dir>\jre\bin for Windows operating systems):
keytool -genkey -v -alias hostname.example.com
-dname "CN=hostname.example.com,OU=IT,O=ourcompany,C=FR" -keypass <certificate_password>
-keystore <certificate_name>.keystore -storepass <certificate_password>
-keyalg "RSA" -sigalg "SHA1withRSA" -keysize 2048 -validity 3650
The arguments used in this command are the following:
• -alias—Defines an alias in keystore, to store the key.
• -dname—Distinguished Name, a comma-separated list made up of the following, in
the following order:
◦ CN—Common Name. This must be the name of the host where the corporate e-mail server is running. It must be the host name used in E-mail Server's settings; for example, if connecting to a POP3 server, the option server in the pop-client section must have this value.
◦ OU—Organizational Unit Name
◦ O—Organization Name
◦ L—Locality Name (city)
◦ S—State
◦ C—Country Name
• -keypass—Password of the key of the certificate.
• -keystore—Specifies the keystore used.
• -storepass—Password of the keystore.
• -keyalg—Algorithm used to generate the key. Possible values are DSA and RSA. More
information is available at http://docs.oracle.com/javase.
• -sigalg—Specifies the algorithm used to sign the key.
• -keysize—Specifies the size of the key.
• -validity—Defines the validity of the certificate, in days. The value in the example is
3,650 days, or 10 years.

Offline n3vek7

  • Full Member
  • ***
  • Posts: 137
  • Karma: 3
    • ITKB
Re: Email Server SSL Connection Problem
« Reply #19 on: January 31, 2017, 04:57:43 AM »
By the way, I searched for a long time for the "famous" keytool, and it's under the JDK folder of Java, for example:
C:\Program Files\Java\jdk1.8.0_65\bin\keytool.exe

Offline hsujdik

  • Hero Member
  • *****
  • Posts: 541
  • Karma: 30
Re: Email Server SSL Connection Problem
« Reply #20 on: January 31, 2017, 07:47:13 PM »
What do you get when you telnet to the host/port of the IMAP server and perform the command "a0 capability" (without the quotes)?
[s]Also, recently, Windows has stopped supporting SHA-1 certificates. Perhaps this explains why there were two reports of this issue in this brief time[/s] (Edit: Disregard... I reviewed the publication and it seems that only the Microsoft Browsers are not supporting it anymore)
« Last Edit: January 31, 2017, 07:51:42 PM by hsujdik »
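An added check from the editor, not from any poster in this thread: before touching certificates, confirm which kind of service the port speaks. JavaMail raises "Unable to establish handshake using SSL - server may be expecting plain text connection" when the TLS handshake on a socket it opened in SSL mode does not complete, and a very common reason is an implicit-TLS client talking to a STARTTLS port: IMAPS on 993 (Reply #15) is TLS from the first byte, whereas SMTP submission on smtp.office365.com:587 (Reply #18) starts in plaintext and upgrades with STARTTLS. A plaintext mail server greets first; an implicit-TLS server sends nothing until it sees a ClientHello, so an empty banner is the tell. The script below uses that, then either completes a verified TLS handshake or sends the capability command hsujdik suggests (`a0 CAPABILITY` for IMAP, `CAPA` for POP3, `EHLO` for SMTP) and looks for STARTTLS. The sample greetings and the names mail.example.test and probe.example are constructed for the self-test; nothing here is captured from a real server.

```python
"""Tell an implicit-TLS mail port from a plaintext/STARTTLS one before blaming certificates."""
import socket
import ssl
import sys

# What a plaintext mail service says first. An implicit-TLS port (IMAPS 993, POP3S 995,
# SMTPS 465) says nothing until it receives the client's ClientHello.
GREETINGS = ((b"* OK", "imap"), (b"* PREAUTH", "imap"), (b"+OK", "pop3"), (b"220", "smtp"))

# Capability request per protocol; "probe.example" is an assumed client name for EHLO.
CAPABILITY_COMMAND = {"imap": b"a0 CAPABILITY\r\n", "pop3": b"CAPA\r\n",
                      "smtp": b"EHLO probe.example\r\n"}

# Constructed sample replies (not captured from any real server) used by the self-test.
SAMPLE_IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] IMAP ready.\r\n"
SAMPLE_SMTP_EHLO_REPLY = (b"250-mail.example.test Hello\r\n"
                          b"250-SIZE 157286400\r\n"
                          b"250-STARTTLS\r\n"
                          b"250 AUTH LOGIN PLAIN\r\n")
SAMPLE_POP3_CAPA_REPLY = b"+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\n.\r\n"


def classify_banner(banner):
    """'imap' / 'pop3' / 'smtp' for a plaintext greeting, 'silent' when the server sent
    nothing (the implicit-TLS signature, or a server that closed at once), else 'unknown'."""
    if not banner:
        return "silent"
    for prefix, proto in GREETINGS:
        if banner.startswith(prefix):
            return proto
    return "unknown"


def advertises_starttls(proto, reply):
    """True if a CAPABILITY / CAPA / EHLO reply offers STARTTLS (POP3 calls it STLS)."""
    token = b"STLS" if proto == "pop3" else b"STARTTLS"
    for line in reply.upper().splitlines():
        if proto == "smtp" and line[:3].isdigit():
            line = line[4:]            # drop the "250-" / "250 " reply-code prefix
        if token in line.split():
            return True
    return False


def probe(host, port, timeout=5.0):
    """Connect and report: implicit TLS (with the outcome of a verified handshake), or a
    plaintext service and whether it offers STARTTLS. Needs network access."""
    result = {"host": host, "port": port}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = sock.recv(512)
        except socket.timeout:
            banner = b""               # nothing within the timeout: server waits for ClientHello
        kind = classify_banner(banner)
        result["kind"] = kind
        result["banner"] = banner.decode("latin-1", "replace").strip()
        if kind == "silent":
            ctx = ssl.create_default_context()   # verifies chain and hostname, local trust store
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls"] = "%s, certificate trusted" % tls.version()
            except ssl.SSLCertVerificationError as exc:
                result["tls"] = "TLS spoken, but certificate not trusted: %s" % exc.verify_message
            except ssl.SSLError as exc:
                result["tls"] = "handshake failed: %s" % exc
        elif kind in CAPABILITY_COMMAND:
            sock.sendall(CAPABILITY_COMMAND[kind])
            result["starttls"] = advertises_starttls(kind, sock.recv(4096))
    return result


def self_test():
    """Exercise the classifiers on the constructed samples; True when all agree."""
    return (classify_banner(b"") == "silent"
            and classify_banner(SAMPLE_IMAP_GREETING) == "imap"
            and advertises_starttls("imap", SAMPLE_IMAP_GREETING)
            and advertises_starttls("smtp", SAMPLE_SMTP_EHLO_REPLY)
            and advertises_starttls("pop3", SAMPLE_POP3_CAPA_REPLY)
            and not advertises_starttls("smtp", b"250 mail.example.test Hello\r\n"))


if __name__ == "__main__":
    if len(sys.argv) == 2 and ":" in sys.argv[1]:
        host, port = sys.argv[1].rsplit(":", 1)
        print(probe(host, int(port)))
    else:
        print("self-test", "passed" if self_test() else "FAILED")
```

Run it as `python probe.py 10.200.20.40:993` or `python probe.py smtp.office365.com:587`. If the port greets in plaintext and offers STARTTLS, the client must be configured for STARTTLS (JavaMail's `mail.imap.starttls.enable` / `mail.smtp.starttls.enable` family) instead of SSL on connect. If the port is silent and a current Python completes the handshake while ESJ still fails on the same port, the port is fine and the problem sits in the JVM: its trust store, or a TLS version or cipher the old JRE does not offer.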

Offline cavagnaro

  • Administrator
  • Hero Member
  • *****
  • Posts: 7641
  • Karma: 56330
Re: Email Server SSL Connection Problem
« Reply #21 on: January 31, 2017, 09:07:18 PM »
Basically, you want to add the server's certificate to the KeyStore with your trusted certificates. There are any number of ways to achieve that, but a simple solution is to compile and run the attached program as java InstallCert hostname, for example


% java InstallCert ecc.fedora.redhat.com

Loading KeyStore /usr/jdk/instances/jdk1.5.0/jre/lib/security/cacerts...
Opening connection to ecc.fedora.redhat.com:443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:846)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
at InstallCert.main(InstallCert.java:63)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:158)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:839)
... 7 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 13 more

Server sent 2 certificate(s):

1 Subject CN=ecc.fedora.redhat.com, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    2e 7f 76 9b 52 91 09 2e 5d 8f 6b 61 39 2d 5e 06 e4 d8 e9 c7
  md5    dd d1 a8 03 d7 6c 4b 11 a7 3d 74 28 89 d0 67 54

2 Subject CN=Certificate Shack, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    fb 58 a7 03 c4 4e 3b 0e e3 2c 40 2f 87 64 13 4d df e1 a1 a6
  md5    72 a0 95 43 7e 41 88 18 ae 2f 6d 98 01 2c 89 68

Enter certificate to add to trusted keystore or 'q' to quit: [1]
What happened was that the program opened a connection to the specified host and started an SSL handshake. It printed the exception stack trace of the error that occurred and showed you the certificates used by the server. Now it prompts you for the certificate you want to add to your trusted KeyStore. You should only do this if you are sure that this is the certificate of the trusted host you want to connect to. You may want to check the MD5 and SHA1 certificate fingerprints against a fingerprint generated on the server (e.g. using keytool) to make sure it is the correct certificate.
If you've changed your mind, enter 'q'. If you really want to add the certificate, enter '1'. (You could also add a CA certificate by entering a different certificate, but you usually don't want to do that.) Once you have made your choice, the program will print the following:
[
[
  Version: V3
  Subject: CN=ecc.fedora.redhat.com, O=example.com, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  SunPKCS11-Solaris RSA public key, 1024 bits (id 5158256, session object)
  modulus: 1402933022884660852748661816869706021655226675890
635441166580364941191074987345500771612454338502131694873337
233737712894815966313948609351561047977102880577818156814678
041303637255354084762814638611185951230474669455913908815827
173696651397340074281578017567044868711049821409365743953199
69584127568303024757
  public exponent: 65537
  Validity: [From: Wed Jan 18 13:16:12 PST 2006,
              To: Wed Apr 18 14:16:12 PDT 2007]
  Issuer: CN=Certificate Shack, O=example.com, C=US
  SerialNumber: [    0f]

Certificate Extensions: 2
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
  SSL server
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 6D F4 2A 63 76 2A 05 70  A2 21 0E 1E 4A 31 BE 6B  m.*cv*.p.!..J1.k
0010: 15 64 D8 BB 35 36 82 B0  0D 2A 96 FA 7A 9F A1 59  .d..56...*..z..Y
0020: CA 90 C3 28 C5 A6 9B 59  05 3B EB B2 8D C9 5E 38  ...(...Y.;....^8
0030: 62 ED 1A D7 93 DF 2A A5  D6 54 94 23 15 A2 0C E5  b.....*..T.#....
0040: 13 40 2C 3E 59 E4 2A EB  51 AC 9E 28 44 23 87 B1  .@,>Y.*.Q..(D#..
0050: 34 0B AC F3 E0 39 CA B8  35 B4 78 07 BF 28 4C C4  4....9..5.x..(L.
0060: 9A 2B A3 E9 04 26 78 19  F0 62 EA 0A B5 BB DC 0B  .+...&x..b......
0070: 90 59 E7 77 90 F8 BC 8A  1B 74 4B 4D C1 F8 3B 6C  .Y.w.....tKM..;l

]

Added certificate to keystore 'jssecacerts' using alias 'ecc.fedora.redhat.com-1'
It displayed the complete certificate and then added it to a Java KeyStore 'jssecacerts' in the current directory. To use it in your program, either configure JSSE to use it as its trust store (as explained in the documentation) or copy it into your $JAVA_HOME/jre/lib/security directory. If you want all Java applications to recognize the certificate as trusted and not just JSSE, you could also overwrite the cacerts file in that directory.
After all that, JSSE will be able to complete a handshake with the host, which you can verify by running the program again:
% java InstallCert ecc.fedora.redhat.com
Loading KeyStore jssecacerts...
Opening connection to ecc.fedora.redhat.com:443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 2 certificate(s):

1 Subject CN=ecc.fedora.redhat.com, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    2e 7f 76 9b 52 91 09 2e 5d 8f 6b 61 39 2d 5e 06 e4 d8 e9 c7
  md5    dd d1 a8 03 d7 6c 4b 11 a7 3d 74 28 89 d0 67 54

2 Subject CN=Certificate Shack, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    fb 58 a7 03 c4 4e 3b 0e e3 2c 40 2f 87 64 13 4d df e1 a1 a6
  md5    72 a0 95 43 7e 41 88 18 ae 2f 6d 98 01 2c 89 68

Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed
I hope that helps. For more information about the InstallCert program, have a look at the source code. I am sure you can figure out how it works.

Offline cavagnaro

  • Administrator
  • Hero Member
  • *****
  • Posts: 7641
  • Karma: 56330
Re: Email Server SSL Connection Problem
« Reply #22 on: January 31, 2017, 09:08:24 PM »
installCert.java
[code]
/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  - Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 *  - Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 *  - Neither the name of Sun Microsystems nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

import java.io.*;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

/**
 * Connects to host[:port], shows the certificate chain the server presents and,
 * on request, adds one of those certificates to a keystore named jssecacerts in
 * the current directory. The JRE's own cacerts is only ever read, never written.
 * Save as InstallCert.java (the file name must match the class name) and build
 * with javac InstallCert.java.
 */
public class InstallCert {

    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        // Start from jssecacerts in the working directory if it exists, otherwise
        // from the JRE's jssecacerts, otherwise from the JRE's cacerts.
        File file = new File("jssecacerts");
        if (!file.isFile()) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP
                    + "lib" + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (!file.isFile()) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, passphrase);
        }

        // Wrap the default trust manager so the chain the server sent is kept
        // even when validation rejects it.
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] {tm}, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader =
            new BufferedReader(new InputStreamReader(System.in));

        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println("  Issuer  " + cert.getIssuerDN());
            // SHA-256 is the fingerprint to compare today; sha1/md5 are kept for
            // matching older tools' output only.
            sha256.update(cert.getEncoded());
            System.out.println("  sha256  " + toHexString(sha256.digest()));
            sha1.update(cert.getEncoded());
            System.out.println("  sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("  md5     " + toHexString(md5.digest()));
            System.out.println();
        }

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }
        // Reject out-of-range entries instead of dying with ArrayIndexOutOfBoundsException.
        if (k < 0 || k >= chain.length) {
            System.out.println("No such certificate; KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        try (OutputStream out = new FileOutputStream("jssecacerts")) {
            ks.store(out, passphrase);
        }

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '"
                + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    /** Delegates every decision to the real trust manager; only records the chain. */
    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        public X509Certificate[] getAcceptedIssuers() {
            return tm.getAcceptedIssuers();
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            tm.checkClientTrusted(chain, authType);
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;          // saved before validation so a rejected chain is still shown
            tm.checkServerTrusted(chain, authType);
        }
    }

}
[/code]
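Reply #21 says to compare fingerprints before answering '1', and that step deserves its own tool. InstallCert, written in 2006 for HTTPS, prints MD5 and SHA-1 only, and it performs a raw TLS handshake, so it cannot see the certificate behind a STARTTLS port such as smtp.office365.com:587 from Reply #18. The script below is the editor's own example, not Sun's or cavagnaro's code: it captures the leaf certificate (doing STARTTLS first for SMTP when asked), prints the SHA-256 fingerprint in the form `keytool -printcert` uses, refuses to export unless that fingerprint equals a value you obtained from the server's owner out of band, and only then writes the PEM that `keytool -importcert` accepts. The capture handshake deliberately disables verification, because the server being captured is by definition not yet trusted; the fingerprint comparison is the trust decision, so that context must not be reused for anything else. SAMPLE_DER is a constructed placeholder for exercising the helpers offline, not a real certificate.

```python
"""Capture a mail server's certificate, check its SHA-256 fingerprint, emit PEM for keytool."""
import hashlib
import smtplib
import socket
import ssl
import sys

HEX = set("0123456789ABCDEF")
# Placeholder DER bytes (a tiny ASN.1 SEQUENCE, not a certificate) for the offline demo.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def fingerprint_sha256(der):
    """Colon-separated upper-case SHA-256 of the DER bytes, as keytool -printcert shows it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Drop colons, spaces and case so a pin pasted from keytool, openssl or a browser compares equal."""
    return "".join(ch for ch in text.upper() if ch in HEX)


def pin_matches(der, expected):
    """True only when the certificate's SHA-256 fingerprint equals the out-of-band value."""
    return normalize_fingerprint(fingerprint_sha256(der)) == normalize_fingerprint(expected)


def to_pem(der):
    """PEM encoding for keytool -importcert -file."""
    return ssl.DER_cert_to_PEM_cert(der)


def fetch_leaf_der(host, port, starttls_smtp=False, timeout=10.0):
    """Return the DER leaf certificate the server presents.

    Verification is OFF here (CERT_NONE) on purpose: this is the capture step and the
    server is not yet trusted. pin_matches() is the trust decision, never this handshake.
    For SMTP submission on 587 the certificate only appears after STARTTLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls_smtp:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(binary_form=True)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(argv):
    """usage: capture.py host:port EXPECTED_SHA256 [--starttls]   (or --demo for the offline run)"""
    if len(argv) == 2 and argv[1] == "--demo":
        print("demo fingerprint:", fingerprint_sha256(SAMPLE_DER))
        print(to_pem(SAMPLE_DER))
        return 0
    if len(argv) < 3:
        print(main.__doc__)
        return 1
    host, port = argv[1].rsplit(":", 1)
    der = fetch_leaf_der(host, int(port), starttls_smtp="--starttls" in argv[3:])
    print("SHA256 fingerprint:", fingerprint_sha256(der))
    if not pin_matches(der, argv[2]):
        print("MISMATCH: not exporting; confirm the expected fingerprint with the server owner")
        return 2
    out = host + ".pem"
    with open(out, "w") as fh:
        fh.write(to_pem(der))
    print("written", out, "- import with: keytool -importcert -trustcacerts -alias", host,
          "-file", out, "-keystore cacerts.jks")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Typical use: `python capture.py smtp.office365.com:587 <expected sha256> --starttls`, then the printed keytool command, then `keytool -list -v -keystore cacerts.jks` to confirm the entry landed. The expected value has to come from somewhere other than this connection (the server's administrator, or `keytool -printcert` run on the server's own keystore), otherwise the check proves nothing.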

Offline n3vek7

  • Full Member
  • ***
  • Posts: 137
  • Karma: 3
    • ITKB
Re: Email Server SSL Connection Problem
« Reply #23 on: February 01, 2017, 03:23:47 AM »
God damn Java... hate it!

I'm playing with my Java setup as I'm getting an error running the script you provided.
Thanks for the script, by the way.

P.S. "I" has to be uppercase to compile correctly.
[code]
C:\Program Files\Java\jdk1.8.0_65\bin>java InstallCert.java
Error: Could not find or load main class InstallCert.java

C:\Program Files\Java\jdk1.8.0_65\bin>echo %CLASSPATH%
.;%JAVA_HOME%\lib\dt.jar;%JAVA_HOME%\lib\tools.jar

C:\Program Files\Java\jdk1.8.0_65\bin>echo %PATH%
C:\ProgramData\Oracle\Java\javapath;...;C:\Program Files\Java\jdk1.8.0_65\jre\bin;C:\Users\...\AppData\Local\Microsoft\WindowsApps
[/code]

>:(
« Last Edit: February 01, 2017, 03:33:13 AM by n3vek7 »

Offline cavagnaro

  • Administrator
  • Hero Member
  • *****
  • Posts: 7641
  • Karma: 56330
Re: Email Server SSL Connection Problem
« Reply #24 on: February 01, 2017, 03:47:22 PM »
:P Little mistake on my side, it was the rush, but easy to spot ;)

Offline n3vek7

  • Full Member
  • ***
  • Posts: 137
  • Karma: 3
    • ITKB
Re: Email Server SSL Connection Problem
« Reply #25 on: May 23, 2017, 02:02:31 AM »
Hey guys, I'm getting back on this one. I had no time to continue this before now... @Cavagnaro, thanks for the Java program you provided, but it always failed with "unable to find main class/function" and I didn't want to spend a lot of time on it, because I wanted to better understand the concept of truststore and keystore by doing it manually.

So, I tried to add the smtp.office365.com certificate into the truststore of EmailServer.
1. I've downloaded the public .cer file from outlook.office.com
2. Put that file "office.com.cer" in the same folder as keytool (under java/bin).
3. Ran the command "keytool -import -v -trustcacerts -alias office.com -file office.com.cer -keystore cacerts.jks -keypass [keypass] -storepass [storepass]"
Am I missing a command or something else? Any prerequisite that I may have missed?

I've changed the ini file to have the truststore path at the same location as the keytool and all the store files.

Any other idea? If not, that's fine, I'll get to work on it this week, and will share my findings! :)

[code]
C:\Program Files\Java\jdk1.7.0_79\jre\bin>keytool -import -v -trustcacerts -alias office.com -file office.com.cer -keystore cacerts.jks -keypass [keypass] -storepass  [storepass]
Owner: CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=WA, C=US
Issuer: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Serial number: 5a00020e4289e78c6958489ec1000100020e42
Valid from: Tue Oct 13 18:20:04 EDT 2015 until: Thu Oct 12 18:20:04 EDT 2017
Certificate fingerprints:
        MD5:  3A:A4:58:42:56:CD:BD:11:19:5B:CF:1E:85:16:8E:4D
        SHA1: A0:47:6C:0C:30:34:7A:7A:15:9A:9F:F5:0B:CD:BC:84:BD:D3:D1:66
        SHA256: A1:C0:26:65:59:14:1B:2E:70:D6:C6:5E:15:54:B2:16:AC:7B:D3:B4:9F:
5F:B0:6F:C8:4A:2C:4C:B9:64:EF:7A
        Signature algorithm name: SHA256withRSA
        Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 69 30 0E 06 08 2A 86  48 86 F7 0D 03 02 02 02  0i0...*.H.......
0010: 00 80 30 0E 06 08 2A 86  48 86 F7 0D 03 04 02 02  ..0...*.H.......
0020: 00 80 30 0B 06 09 60 86  48 01 65 03 04 01 2A 30  ..0...`.H.e...*0
0030: 0B 06 09 60 86 48 01 65  03 04 01 2D 30 0B 06 09  ...`.H.e...-0...
0040: 60 86 48 01 65 03 04 01  02 30 0B 06 09 60 86 48  `.H.e....0...`.H
0050: 01 65 03 04 01 05 30 07  06 05 2B 0E 03 02 07 30  .e....0...+....0
0060: 0A 06 08 2A 86 48 86 F7  0D 03 07                ...*.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 18 30 0A 06 08 2B 06  01 05 05 07 03 01 30 0A  0.0...+.......0.
0010: 06 08 2B 06 01 05 05 07  03 02                    ..+.......
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
  accessMethod: caIssuers
  accessLocation: URIName: http://www.microsoft.com/pki/mscorp/msitwww2.crt
,
  accessMethod: ocsp
  accessLocation: URIName: http://ocsp.msocsp.com
]
]
#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 AF 24 26 9C F4 68 22  57 80 26 2B 3B 46 62 15  Q.$&..h"W.&+;Fb.
0010: 7B 1E CC A5                                        ....
]
]
#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
    [URIName: http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl, URIName:
http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl]
]]
#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.311.42.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 28 68 74 74 70 3A 2F  2F 77 77 77 2E 6D 69 63  .(http://w
ww.mic
0010: 72 6F 73 6F 66 74 2E 63  6F 6D 2F 70 6B 69 2F 6D  rosoft.com/pki/m
0020: 73 63 6F 72 70 2F 63 70  73 00                    scorp/cps.
]]  ]
]
#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
#8: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]
#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: outlook.com
  DNSName: *.outlook.com
  DNSName: office365.com
  DNSName: *.office365.com
  DNSName: *.live.com
  DNSName: *.internal.outlook.com
  DNSName: *.outlook.office365.com
  DNSName: outlook.office.com
  DNSName: attachment.outlook.office.net
  DNSName: attachment.outlook.officeppe.net
  DNSName: *.office.com
]
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D B0 98 1C 24 5A D4 9D  ED 51 53 C4 D7 F6 BA B1  ....$Z...QS.....
0010: 8D 7B 90 0F                                        ....
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing cacerts.jks]
[/code]

[code]
[JavaArgs]
-Xmx1G
-Xbootclasspath/p:./lib/acsc.jar
-Djava.rmi.dgc.leaseValue=60000
-Dtkv.multibytes=true
-Dpsdk.config.tls=false
-Dcom.genesyslab.platform.commons.connection.factory.class=com.genesyslab.platform.commons.connection.impl.netty.NettyConnectionFactory
-XX:+UseConcMarkSweepGC
-XX:+UseParNewGC
-XX:+ExplicitGCInvokesConcurrent
;-Djavax.net.ssl.trustStore=C:\Program Files\GCTI\DEMO_ESJ\cert
-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.7.0_79\jre\bin
[/code]
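The ini at the end of this post points javax.net.ssl.trustStore at C:\Program Files\Java\jdk1.7.0_79\jre\bin, the directory keytool was run from, while the keystore that `keytool -import` wrote is the file cacerts.jks inside that directory; JSSE opens the property's value as a keystore file, so it has to name the file, not the folder. Two further points a practitioner would want: the entry imported is the outlook.com leaf certificate, valid only until Oct 12 2017 according to the keytool output, so the import has to be repeated at every renewal, whereas importing the issuing CA shown as Issuer (its certificate is at the caIssuers URL in the AuthorityInfoAccess extension printed above) keeps working as long as the server is issued from that CA; and `keytool -list -v -keystore cacerts.jks` shows what the store actually holds. The checker below is an editor's example, not part of the thread or of Genesys' tooling: it parses the [JavaArgs] section (lines starting with ';' are comments, the convention the post's own file uses), takes the trustStore value the JVM would end up with, and reports a missing, empty or directory path. Its sample ini and paths are constructed placeholders.

```python
"""Check the JSSE trust-store setting in a JavaEmailServerDriver.ini [JavaArgs] section."""
import os
import tempfile

TRUST_STORE = "javax.net.ssl.trustStore"

# Constructed sample in the shape of the post's ini; {store} is filled in by demo().
SAMPLE_INI = """[JavaArgs]
-Xmx1G
-Dpsdk.config.tls=false
;-Djavax.net.ssl.trustStore=C:\\Program Files\\GCTI\\DEMO_ESJ\\cert
-Djavax.net.ssl.trustStore={store}
"""


def parse_java_args(ini_text):
    """Return (key, value) pairs for every -D option in [JavaArgs], in file order.
    Lines beginning with ';' are comments and are skipped; other sections are ignored."""
    props, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = (line == "[JavaArgs]")
            continue
        if not in_section or not line or line.startswith(";"):
            continue
        if line.startswith("-D"):
            key, _, value = line[2:].partition("=")
            props.append((key, value))
    return props


def check_trust_store(ini_text):
    """Return a list of problems with the trustStore setting; an empty list means it looks usable."""
    problems = []
    stores = [v for k, v in parse_java_args(ini_text) if k == TRUST_STORE]
    if not stores:
        return problems              # no override: JSSE uses the JRE's own cacerts
    if len(stores) > 1:
        problems.append("%s is set %d times; the JVM keeps the last value" % (TRUST_STORE, len(stores)))
    path = stores[-1]
    if not path:
        problems.append("%s has no value" % TRUST_STORE)
    elif not os.path.exists(path):
        problems.append("trust store %r does not exist" % path)
    elif os.path.isdir(path):
        problems.append("trust store %r is a directory; the property must name the keystore file "
                        "itself (for example the cacerts.jks that keytool -importcert wrote)" % path)
    elif os.path.getsize(path) == 0:
        problems.append("trust store %r is an empty file" % path)
    return problems


def demo():
    """Run the check twice in a scratch directory: once pointed at a folder (the post's
    mistake), once at a file. Returns (problems_for_folder, problems_for_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        store_dir = os.path.join(tmp, "bin")          # stands in for ...\jre\bin
        os.mkdir(store_dir)
        store_file = os.path.join(tmp, "cacerts.jks")
        with open(store_file, "wb") as fh:
            fh.write(b"\xfe\xed\xfe\xed")              # JKS magic only; placeholder, not a real keystore
        return (check_trust_store(SAMPLE_INI.format(store=store_dir)),
                check_trust_store(SAMPLE_INI.format(store=store_file)))


if __name__ == "__main__":
    for problems in demo():
        print(problems or "OK")
```

Point it at the real file with `check_trust_store(open(r"...\JavaEmailServerDriver.ini").read())`; an empty list only says the path is plausible, the contents of the keystore are still verified with `keytool -list`.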