If you're like me, you use self-signed certificates in your lab environment because it's quick and easy. In my Pivotal Cloud Foundry lab I generated a self-signed certificate in the Elastic Runtime configuration. When you have a self-signed certificate you add --skip-ssl-validation to your cf api and cf login commands.
With the latest builds of the Cloud Foundry Integration for Eclipse Plug-In, self-signed certificates have an issue. They will generate an error with something to the effect of:
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
It will ask you if you wish to ignore this, but the integration will fail regardless: it won't be able to validate your credentials, and so you will have no Cloud Foundry integration.
I really like the Cloud Foundry integration in Eclipse, so I set off to figure out how to make it work. Originally I tried an older version of the plug-in, version 1.7.3, which appeared to work. I was using this with PCF 1.4.0.0, which has just been released. I removed an application, however, and when it did, I believe it removed my apps_manager application which exists in the system org. I know this sounds weird, because 1) the plug-in should not be removing the apps_manager service under any circumstances, 2) even if it wanted to, the credentials I used in Spring Tool Suite did not have the authority to remove an app from the system org. I did not spend a lot of time looking into this; I just noticed that I removed an application, and all of a sudden my developer console was gone. (Developer Console is now known as Apps Manager.)
To get the integration to work you need to add the self-signed certificate from your PCF to your Java keystore. It's important to understand which version of Java you're running, as you may have several versions of Java installed. Typically the version being used is defined by $JAVA_HOME, but you'll want to verify with STS/Eclipse which version it's using, or else add the certificate to all your versions.
I use a Mac, and typically the original Java installed by Apple is in /System/Library/Java/JavaVirtualMachines. For example, on my system:
nettles:~ bfeeny$ ls /System/Library/Java/JavaVirtualMachines/
1.6.0.jdk
This however is not the version I am using. When you install later versions, from Oracle for example, they are installed in /Library/Java/JavaVirtualMachines:
nettles:~ bfeeny$ ls /Library/Java/JavaVirtualMachines/
jdk1.7.0_76.jdk
This is the one I am using, and it can be further verified by looking at my $JAVA_HOME:
nettles:~ bfeeny$ echo $JAVA_HOME
/Library/Java/JavaVirtualMachines/jdk1.7.0_76.jdk/Contents/Home
Java stores its trusted certificates in a keystore, which on my system is located at $JAVA_HOME/jre/lib/security/cacerts
The first thing to do is extract the self-signed certificate from your Cloud Foundry. An easy way to do this is with openssl, like so:
nettles:~ bfeeny$ openssl s_client -connect api.cf.lab.local:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/public.crt
depth=0 C = US, O = Pivotal, CN = *.cf.lab.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, O = Pivotal, CN = *.cf.lab.local
verify return:1
DONE
We can verify it's there:
nettles:~ bfeeny$ more /tmp/public.crt
-----BEGIN CERTIFICATE-----
MIIDHDCCAgSgAwIBAgIVAP1HgDzBrzGSFY9lUTvpeOl0fpxPMA0GCSqGSIb3DQEB
BQUAMDgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdQaXZvdGFsMRcwFQYDVQQDDA4q
LmNmLmxhYi5sb2NhbDAeFw0xNTA0MTUwMTQ0NTFaFw0xNzA0MTQwMTQ0NTFaMDgx
CzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdQaXZvdGFsMRcwFQYDVQQDDA4qLmNmLmxh
Yi5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPL/JZ2Ehqt
kLzJn2mlS0XTURSdeaZvaSqdwMvm9Fg7UauC8pI5mAAxg/PEmlY5NXbXuOMrO6WK
ZLy3mQbCdhgw5JWc/qKJV9SQHP0Npn27mLjhiydo08kXv2IzKVwm5YfPkEw5u5SE
GgPzSqQUIiziLuhpMr7ztir4OICvmj8u0LebpKXyO3y+deeibYNLislu/lrr9ZKD
7ADgiM4tZH/c21HVf6cFz9eBbAoCqXY/Q+nZeRb2o4rxmDitojqf30WK9i+Qhqeu
18QPX/EFRIhFrBCYs6YloUDBrPtVvZrOX7kp5zxBGC89+XmMmLUzFzkYpGld9Mfg
l+En+ZQen4cCAwEAAaMdMBswGQYDVR0RBBIwEIIOKi5jZi5sYWIubG9jYWwwDQYJ
KoZIhvcNAQEFBQADggEBAJ+B6P2zkpWp8F7L5N/gRWwM2sumpXUJNwQU3m9ylM5U
yJOgifrk3f410LWsoifbs2Rd7re8NOV7Sud15gjCGI/Zw8mFJElSqd0HrPw0WFB/
v55p/cNKgZJQ4bcpZ0Jp7Y7P7FzLcp76wAacljnbYGkXdxCsrtpUd/VxtNzOeIBP
dbQQxW6Ph9cvSx/w28AaoU9DeoqZvOTnQu2Rltfn6lBPijWQWTEXltiS1WPCyyd+
2Gnl+acnNerspdnHn1lte4ydDR+uq2hYnCJSrlMXaR5TAp3dpwMxtSHA71zkVS61
VRU/vLLtyz3JzAmhGepZ6m2vt2vMNPNGKxVS0c/odNI=
-----END CERTIFICATE-----
Of course, if you have access to the Ops Manager, you can just go into the Elastic Runtime tile and look at the IPs and Ports and grab the certificate from there; that is where you created it in the first place. There are two entries listed: the first one is the public certificate, which is the one you want, and the second is the private key. Whether you use openssl or just cut and paste it, the result should be the same.
Now you simply have to import the certificate into the Java keystore:
nettles:~ bfeeny$ sudo keytool -import -alias api.cf.lab.local -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/public.crt
Password: <enter your admin password here>
Enter keystore password: <default password is changeit>
Owner: CN=*.cf.lab.local, O=Pivotal, C=US
Issuer: CN=*.cf.lab.local, O=Pivotal, C=US
Serial number: fd47803cc1af3192158f65513be978e9747e9c4f
Valid from: Tue Apr 14 21:44:51 EDT 2015 until: Thu Apr 13 21:44:51 EDT 2017
Certificate fingerprints:
MD5: C4:DA:C3:02:B4:25:FC:A9:1E:A1:FB:3A:E0:F7:B5:AD
SHA1: EB:A4:1E:A5:EA:D4:BE:7A:A3:CD:9B:D4:4D:BF:1F:1C:DD:97:52:ED
SHA256: 12:7C:1E:69:32:D4:28:FE:6B:EE:2A:DE:91:FB:76:5E:A6:1F:29:DA:15:A5:4C:21:E8:4C:73:83:BE:0A:78:77
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.cf.lab.local
]
Trust this certificate? [no]: yes
Certificate was added to keystore
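Before answering "yes" to that prompt it is worth confirming that the certificate you pulled over the network is really the one you generated in Ops Manager, since anything you import into cacerts is trusted by every Java application that uses that JRE (and a JDK update ships a fresh cacerts, so the import has to be repeated after upgrading). The script below is an added example, not code from the original post: it computes the same keytool-style SHA256 fingerprint of a PEM file, compares it with a value obtained out of band (here the SHA256 keytool printed above), and builds the matching keytool command for a given JAVA_HOME. The embedded certificate is the one printed in this post; the alias api.cf.lab.local and the JDK 9+ lib/security fallback path are assumptions.

```python
"""
Added example (not from the original post): check a certificate saved by
openssl s_client against a fingerprint obtained out of band, then build the
keytool import command for a given JAVA_HOME.  Runs offline on the PEM below.
"""
import hashlib
import os
import ssl
import sys
from pathlib import Path

# Constructed input: the certificate the post extracts to /tmp/public.crt.
LAB_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDHDCCAgSgAwIBAgIVAP1HgDzBrzGSFY9lUTvpeOl0fpxPMA0GCSqGSIb3DQEB
BQUAMDgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdQaXZvdGFsMRcwFQYDVQQDDA4q
LmNmLmxhYi5sb2NhbDAeFw0xNTA0MTUwMTQ0NTFaFw0xNzA0MTQwMTQ0NTFaMDgx
CzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdQaXZvdGFsMRcwFQYDVQQDDA4qLmNmLmxh
Yi5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPL/JZ2Ehqt
kLzJn2mlS0XTURSdeaZvaSqdwMvm9Fg7UauC8pI5mAAxg/PEmlY5NXbXuOMrO6WK
ZLy3mQbCdhgw5JWc/qKJV9SQHP0Npn27mLjhiydo08kXv2IzKVwm5YfPkEw5u5SE
GgPzSqQUIiziLuhpMr7ztir4OICvmj8u0LebpKXyO3y+deeibYNLislu/lrr9ZKD
7ADgiM4tZH/c21HVf6cFz9eBbAoCqXY/Q+nZeRb2o4rxmDitojqf30WK9i+Qhqeu
18QPX/EFRIhFrBCYs6YloUDBrPtVvZrOX7kp5zxBGC89+XmMmLUzFzkYpGld9Mfg
l+En+ZQen4cCAwEAAaMdMBswGQYDVR0RBBIwEIIOKi5jZi5sYWIubG9jYWwwDQYJ
KoZIhvcNAQEFBQADggEBAJ+B6P2zkpWp8F7L5N/gRWwM2sumpXUJNwQU3m9ylM5U
yJOgifrk3f410LWsoifbs2Rd7re8NOV7Sud15gjCGI/Zw8mFJElSqd0HrPw0WFB/
v55p/cNKgZJQ4bcpZ0Jp7Y7P7FzLcp76wAacljnbYGkXdxCsrtpUd/VxtNzOeIBP
dbQQxW6Ph9cvSx/w28AaoU9DeoqZvOTnQu2Rltfn6lBPijWQWTEXltiS1WPCyyd+
2Gnl+acnNerspdnHn1lte4ydDR+uq2hYnCJSrlMXaR5TAp3dpwMxtSHA71zkVS61
VRU/vLLtyz3JzAmhGepZ6m2vt2vMNPNGKxVS0c/odNI=
-----END CERTIFICATE-----
"""

# The SHA256 fingerprint keytool displayed when this certificate was imported.
EXPECTED_SHA256 = (
    "12:7C:1E:69:32:D4:28:FE:6B:EE:2A:DE:91:FB:76:5E:A6:1F:29:DA:15:A5:4C:21:"
    "E8:4C:73:83:BE:0A:78:77"
)


def sha256_fingerprint(pem: str) -> str:
    """keytool-style colon-separated SHA256 fingerprint of the DER encoding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare ignoring case, colons and spaces, so a value copied from Ops
    Manager or from keytool output can be pasted as-is."""
    def normalize(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return normalize(sha256_fingerprint(pem)) == normalize(expected)


def cacerts_path(java_home: str) -> Path:
    """Trust store for a JDK: JDK 8 and older keep it under jre/lib/security
    (the path used in the post); JDK 9 and newer under lib/security."""
    legacy = Path(java_home) / "jre" / "lib" / "security" / "cacerts"
    modern = Path(java_home) / "lib" / "security" / "cacerts"
    return legacy if legacy.exists() else modern


def keytool_import_argv(alias: str, java_home: str, pem_path: str) -> list:
    """The keytool command the post runs, as an argv list (no shell quoting)."""
    return ["keytool", "-import", "-alias", alias,
            "-keystore", str(cacerts_path(java_home)), "-file", pem_path]


def main(argv: list) -> int:
    """Usage: python verify_cert.py /tmp/public.crt <expected-sha256>"""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    pem = Path(argv[1]).read_text()
    if not fingerprint_matches(pem, argv[2]):
        print("fingerprint MISMATCH, do not import; got", sha256_fingerprint(pem))
        return 1
    java_home = os.environ.get("JAVA_HOME")
    if not java_home:
        print("fingerprint OK, but JAVA_HOME is not set; pick the JDK STS/Eclipse uses")
        return 1
    print("fingerprint OK; import with (prefix with sudo if cacerts is root-owned):")
    print(" ".join(keytool_import_argv("api.cf.lab.local", java_home, argv[1])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python verify_cert.py /tmp/public.crt 12:7C:1E:...:78:77` with the fingerprint read from the Ops Manager side; a mismatch means the bytes you fetched are not the certificate you generated and nothing should be imported. The fingerprint is computed over the DER bytes, which is exactly what keytool hashes, so the value it prints at import time will be the same one.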
After this is done, simply restart your Eclipse or Spring Tool Suite application, and it should now allow you to add a Cloud Foundry instance with no issue. If you have already added an instance, simply delete it and re-add it. Fill out your credentials, and all should validate properly.
Update: I passed this onto Pivotal and they have added it to their Knowledge Base!