Results tagged “Eclipse” from Bill Benac

Configure Eclipse TFS Plugin for SSL Repos

Java and Microsoft integrations? Edge cases aren't always fully documented.

Today I tried setting up my Eclipse IDE with a Microsoft Team Foundation Server (TFS). The TFS plugin is here. My organization's TFS is on a host with SSL, and we use our own certificate authority for the certificate. When I tried to connect to TFS, I got this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

With SSL, the client (in this case Eclipse) needs to know whether to trust the certificate on the server. Usually, servers use certificates from Verisign, Thawte, and the like. Java ships with a file that describes those commercial certificate authorities that can be trusted. But if you're using a certificate or a CA that isn't recognized, then Java and by extension Eclipse won't trust the certificate. But you can tell Java to trust the certificates or CAs you need. There are at least three ways to do this.

First, I found an IBM webpage that described how to start Eclipse with an extra trust store. This worked, but it seems like unnecessary overhead to create a new trust store and to launch the application with extra arguments every time. The page is here. This creates a custom keystore:

C:\>"%JAVA_HOME%\bin\keytool.exe" -import -alias tfsrepo.mydomain.com -file c:\temp\tfsrepo.mydomain.der -keystore "%JAVA_HOME%\bin\mycustom.keystore" -storepass password

And this starts Eclipse using that keystore:

C:\eclipse\eclipse.exe -vmargs -Djavax.net.ssl.trustStore="%JAVA_HOME%\bin\mycustom.keystore" -Djavax.net.ssl.trustStorePassword=password

Second, I realized that it would be simpler to have the Java install behind Eclipse include my TFS server's certificate in its default trust store. So I downloaded the SSL certificate for my TFS server and added it to my cacerts file:

C:\>"%JAVA_HOME%\bin\keytool.exe" -import -alias tfsrepo.mydomain.com -file c:\temp\tfsrepo.mydomain.der -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit

Third, I realized that I ought to just import the certificate for my organization's top-level CA instead of using the TFS cert. The top-level CA's certificate lasts many years longer than the one on the TFS server, and if I trust the top-level CA then my Eclipse install will trust all other systems with certificates from our CA. So I first deleted the TFS certificate:

"%JAVA_HOME%\bin\keytool.exe" -delete -alias tfsrepo.mydomain.com -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit

Then I imported the top-level CA's certificate:

C:\>"%JAVA_HOME%\bin\keytool.exe" -import -alias topCA.mydomain.com -file c:\temp\topCA.mydomain.der -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit


And now I can launch Eclipse (c:\eclipse\eclipse.exe) and connect to my TFS system (File->Import->Team->Projects for Team Foundation Server->Servers->Add->tfsrepo.mydomain.com).

To download a certificate, use your web browser to visit the URL of the system. Use the browser's feature to look at the certificate. In Firefox, I click the lock icon in front of the URL, then click "More Information...," then click "View Certificate," then "Details." At this point, I have an Export button to save this certificate to a file, or I can use the certificate hierarchy to select the top-level certificate from the CA and save it.
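
A certificate exported from the browser comes over the same connection you are about to trust, so it should be compared with a fingerprint obtained some other way before it goes into cacerts. The PowerShell script below is an added example, not part of the original post: the file name, alias and cacerts path are the ones used above, and the expected fingerprint is a placeholder that must be replaced with the value your CA administrators publish.

```powershell
# Added example, not from the original post. Paths and alias are the post's own;
# $ExpectedSha256 is a placeholder for a fingerprint obtained out of band.
param(
    [string]$CertPath       = 'C:\temp\topCA.mydomain.der',
    [string]$Alias          = 'topCA.mydomain.com',
    [string]$ExpectedSha256 = '<SHA-256 fingerprint supplied by your CA administrators>'
)

function Get-HexOnly([string]$Text) {
    # Strip colons, dashes and spaces so differently formatted fingerprints compare equal.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-CaCertificate([string]$Path, [string]$Expected) {
    # Emits one string per problem found; no output means the certificate passed.
    $full = (Resolve-Path -LiteralPath $Path).Path   # .NET needs an absolute path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # The fingerprint is the SHA-256 of the DER encoding (RawData), whatever the file format.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $actual = Get-HexOnly ([System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)))
    if ($actual -ne (Get-HexOnly $Expected)) { "fingerprint mismatch, file has $actual" }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # A top-level CA is self-issued and carries basicConstraints CA:TRUE (OID 2.5.29.19).
    if ($cert.Subject -ne $cert.Issuer) { "not self-issued, issuer is $($cert.Issuer)" }
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $isCa = $false
    if ($ext) {
        $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $ext, $ext.Critical
        $isCa = $bc.CertificateAuthority
    }
    if (-not $isCa) { 'basicConstraints does not mark this certificate as a CA' }
}

$problems = @(Test-CaCertificate -Path $CertPath -Expected $ExpectedSha256)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to import $CertPath into cacerts."
}

# Same import as in the post, run only after every check has passed.
& "$env:JAVA_HOME\bin\keytool.exe" -import -noprompt -alias $Alias -file $CertPath `
    -keystore "$env:JAVA_HOME\lib\security\cacerts" -storepass changeit
```

With the placeholder left in place the script stops at the fingerprint check and imports nothing. Keep in mind that a CA added to cacerts is trusted by every Java application that runs on that JRE, not only Eclipse.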


And if you want to see which certificates your Java system trusts, you can list what's in the cacerts file with this:

"%JAVA_HOME%\bin\keytool.exe" -list -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit

