
Introduction
Overview
Update: March 2025
Real-Time SDK (i.e. EMA and ETA APIs, formerly known as Elektron SDK) supports various transport types. One of the most familiar connection types is ‘Socket Transport (RSSL)’, which is built on the TCP/IP-based (RFC 971) reliable network protocol running over a packet-switched network. For two hosts (source and destination) to communicate, they must packetize their data and submit it to communication devices to reach the end-point machine.
A packet can, and probably will, pass through many routers (and other network components) between the sender and the receiver. If the contents of that packet are sensitive – authentication information, confidential insider data – the sender would probably like to ensure that only the receiver can read the packet, rather than it being readable by any router along the way. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) were developed to serve this purpose in the HTTPS protocol.
HTTPS is vital to securing end-to-end interactions. For many server applications, HTTPS is handled on the server side, for example by a Web server or by a Real-Time Distribution System component (ADS) integrated with an SSL Accelerator. However, the client side needs its own HTTPS implementation to make requests and to receive information securely from the server. Fortunately, Real-Time SDK Java provides a solution that uses the keystore file.
This article demonstrates how to generate a new keystore file, view the keystore file’s content, and import a certificate, along with an EMA Java API walkthrough.
Target Audience
This article provides information and examples that aid programmers using Real-Time APIs (EMA and ETA) - Java Edition. It is assumed that the reader has already run an EMA or ETA application that connects to a provider application (or Real-Time/RDF-D/ADS), and has experience developing products using the Java programming language in a networked environment.
Note: Since RTSDK Java 1.5.1.L1 (EMA/ETA Java 3.5.1.L1 ), RTSDKJ Client Side uses the default Java Certificate Authority keystore location (<JAVA_HOME>/lib/security/cacerts) so a jks file isn't required.
What is the Keystore File
The keystore file (.jks) contains the server’s certificate, including its private key, which is used for cryptographic operations. The keystore file is protected with a password. Each keystore entry has a unique alias that refers to a particular certificate. You can administer the keystore file using “keytool – Key and Certificate Management Tool” provided by Oracle.
An RSSL consumer (client-server) diagram
For the connection and component topology that is used in this article, the consumer application connects to Real-Time Advanced Distribution Server via the Internet. The SSL accelerator is a server-side device located on the same machine as the Real-Time Advanced Distribution Server; it helps to perform the key and certificate exchange for HTTPS connection establishment.
Note: The latest version of ADS supports encryption via configuration, so the SSL accelerator isn't required.
Referring to the diagram above, if the EMA Java consumer tries to connect to the server without performing a TLS handshake (RSSL_SOCKET or RSSL_HTTP), there will be no response from the server side (or an unexpected error), because the server cannot understand a plain message and expects an encrypted message that it can decrypt.
<!-- ChannelType possible values are: -->
<!-- ChannelType::RSSL_SOCKET - TCP IP connection type -->
<!-- ChannelType::RSSL_HTTP - Http tunnel connection type -->
<!-- ChannelType::RSSL_ENCRYPTED - Https tunnel connection type -->
<Channel>
<Name value="Channel_4"/>
<ChannelType value="ChannelType::RSSL_HTTP"/>
<CompressionType value="CompressionType::None"/>
<GuaranteedOutputBuffers value="5000"/>
<Host value="server_host"/>
<Port value="14002"/>
<ObjectName value=""/>
</Channel>
So, you need to set the connection channel type to RSSL_ENCRYPTED when the server requires SSL or TLS encryption.
<Channel>
<Name value="Channel_4"/>
<ChannelType value="ChannelType::RSSL_ENCRYPTED"/>
<CompressionType value="CompressionType::None"/>
<GuaranteedOutputBuffers value="5000"/>
<Host value="server_host"/>
<Port value="443"/>
<ObjectName value=""/>
</Channel>
EMA Java API also provides a set of configuration settings associated with the keystore file (refer to Chapter 4.3.2: Tunneling Configuration of the EMA Java developer guide). Below are some methods of the OmmConsumerConfig class that specify security parameters:
Method | Description |
---|---|
tunnelingKeyStoreFile(java.lang.String keyStoreFile) | The key store file that contains your own private keys, and public key certificates you received from someone else. |
tunnelingKeyStorePasswd(java.lang.String keyStorePasswd) | The passwd for the key store file. |
tunnelingKeyStoreType(java.lang.String keyStoreType) | The type of the key store for certificate file. |
Note: Since RTSDK Java 1.5.1.L1 (EMA/ETA Java 3.5.1.L1 ), RTSDKJ Client Side uses the default Java Certificate Authority keystore location (<JAVA_HOME>/lib/security/cacerts) so a jks file isn't required.
Here is an example of how to specify the keystore file and keystore password.
// Create an OMM consumer
OmmConsumer consumer = EmaFactory.createOmmConsumer(EmaFactory.createOmmConsumerConfig()
.consumerName("Consumer_3")
.tunnelingKeyStoreFile("KEYSTORE_FILENAME")
.tunnelingKeyStorePasswd("KEYSTORE_PASSWORD")
);
You can find the keytool program in the bin subfolder of a Java Development Kit (JDK) installation folder (in the same location as javac). The keytool program is a command-line application, so you need to run it from a command prompt.
Use the following command to create a new keystore file
keytool -genkeypair -alias <ALIAS> -keyalg RSA -keystore <KEYSTORE_FILENAME> -storepass <PASSWORD>
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -genkeypair -alias lseg -keyalg RSA -keystore lseg_keystore.jks -storepass changeit
Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
[Unknown]: Developers
What is the name of your organizational unit?
[Unknown]: Developer Advocate
What is the name of your organization?
[Unknown]: LSEG
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]: Bangkok
What is the two-letter country code for this unit?
[Unknown]: TH
Is CN=Developers, OU=Developer Advocate, O=LSEG, L=Unknown, ST=Bangkok, C=TH correct?
[no]: yes
Generating 3,072 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days
for: CN=Developers, OU=Developer Advocate, O=LSEG, L=Unknown, ST=Bangkok, C=TH
C:\jks>
keytool.exe -list -v -keystore <KEYSTORE_FILENAME> -storepass <PASSWORD>
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -list -v -keystore lseg_keystore.jks -storepass changeit
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: lseg
Creation date: Mar 27, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Developers, OU=Developer Advocate, O=LSEG, L=Unknown, ST=Bangkok, C=TH
Issuer: CN=Developers, OU=Developer Advocate, O=LSEG, L=Unknown, ST=Bangkok, C=TH
Serial number: a731ca149a5ed73b
Valid from: Thu Mar 27 16:54:06 ICT 2025 until: Wed Jun 25 16:54:06 ICT 2025
Certificate fingerprints:
SHA1: 4F:44:8D:85:CF:D0:9F:FD:17:95:13:85:3F:7D:A4:9C:9C:32:6E:7A
SHA256: 66:B9:11:AE:DF:C8:21:BF:08:C7:34:82:41:B4:78:F7:FF:E6:8A:FA:66:00:65:31:07:FB:AA:52:9C:5A:0B:B7
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 99 39 4E 39 9C B5 DF 7E 40 C3 0C 24 D1 1D 52 90 .9N9....@..$..R.
0010: B7 EE F2 F1 ....
]
]
*******************************************
*******************************************
C:\jks>
As this is a new keystore file, it does not contain any server certificate yet. If you try to use it, the application will receive an event indicating that it cannot initialize a channel, which does not give sufficient information (see below).
Feb 11, 2021 11:03:02 AM com.refinitiv.ema.access.ChannelCallbackClient reactorChannelEventCallback
WARNING: loggerMsg
ClientName: ChannelCallbackClient
Severity: Warning
Text: Received ChannelDownReconnecting event on channel Channel_4
RsslReactor Channel is null
Error Id 0
Internal sysError 0
Error Location Reactor.processWorkerEvent
Error text Error initializing channel: errorId=0 text=null
loggerMsgEnd
At this stage, you can use the JVM argument -Djavax.net.debug=all to print more details of the HTTPS activity. Please see the example below:
java -Djavax.net.debug=all -Djava.util.logging.config.file=logging.properties -cp <CLASSPATH> <APPLICATION_NAME>
Here is the log output after adding the JVM parameter above:
<SSL Handshake Information>
***
pool-1-thread-1, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
pool-1-thread-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
pool-1-thread-1, WRITE: TLSv1.2 Alert, length = 2
pool-1-thread-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
pool-1-thread-1, called closeOutbound()
pool-1-thread-1, closeOutboundInternal()
You need to download the certificate files to your local machine (depending on which certificate the server in your environment is using). After that, you can use keytool to view and verify the content of the certificate obtained, using the following command:
keytool -printcert -v -file <CERTIFICATE_FILENAME>
Note: You do not have to get every certificate, only the certificate that appears in the output during the SSL or TLS handshake stage.
Example outputs from various certificates:
Print a digicert certificate file:
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -printcert -v -file DigiCertTLSRSA4096RootG5.cer
Owner: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
Issuer: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
Serial number: 8f9b478a8fa7eda6a333789de7ccf8a
Valid from: Fri Jan 15 07:00:00 ICT 2021 until: Mon Jan 15 06:59:59 ICT 2046
Certificate fingerprints:
SHA1: A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35
SHA256: 37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 51 33 1C ED 36 40 AF 17 D3 25 CD 69 68 F2 AF 4E Q3..6@...%.ih..N
0010: 23 3E B3 41 #>.A
]
]
Print a sectigo certificate file:
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -printcert -v -file 1720081.crt
Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 4caaf9cadb636fe01ff74ed85b03869d
Valid from: Tue Jan 19 07:00:00 ICT 2010 until: Tue Jan 19 06:59:59 ICT 2038
Certificate fingerprints:
SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
SHA256: 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..
0010: D9 32 32 D4 .22.
]
]
To import the certificate obtained into the keystore file, use the command below.
keytool -importcert -alias <NEW_ALIAS> -file <CERTIFICATE_FILENAME> -keystore <KEYSTORE_FILENAME> -storepass <PASSWORD>
Import a digicert certificate file.
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -importcert -alias digicert -file DigiCertTLSRSA4096RootG5.cer -keystore lseg_keystore.jks -storepass changeit
Owner: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
Issuer: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
Serial number: 8f9b478a8fa7eda6a333789de7ccf8a
Valid from: Fri Jan 15 07:00:00 ICT 2021 until: Mon Jan 15 06:59:59 ICT 2046
Certificate fingerprints:
SHA1: A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35
SHA256: 37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 51 33 1C ED 36 40 AF 17 D3 25 CD 69 68 F2 AF 4E Q3..6@...%.ih..N
0010: 23 3E B3 41 #>.A
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
C:\jks>
Import a sectigo certificate file.
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -importcert -alias sectigo -file 1720081.crt -keystore lseg_keystore.jks -storepass changeit
Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 4caaf9cadb636fe01ff74ed85b03869d
Valid from: Tue Jan 19 07:00:00 ICT 2010 until: Tue Jan 19 06:59:59 ICT 2038
Certificate fingerprints:
SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
SHA256: 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..
0010: D9 32 32 D4 .22.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
You can also re-check whether the certificate was added to the keystore file successfully by using the same command as in the previous step (specify the alias option to filter the output if necessary).
keytool -list -v -keystore <KEYSTORE_FILENAME> -storepass <PASSWORD> -alias <ALIAS>
View the digicert certificate:
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -list -v -alias digicert -keystore lseg_keystore.jks -storepass changeit
Alias name: digicert
Creation date: Mar 27, 2025
Entry type: trustedCertEntry
Owner: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
Issuer: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
Serial number: 8f9b478a8fa7eda6a333789de7ccf8a
Valid from: Fri Jan 15 07:00:00 ICT 2021 until: Mon Jan 15 06:59:59 ICT 2046
Certificate fingerprints:
SHA1: A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35
SHA256: 37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 51 33 1C ED 36 40 AF 17 D3 25 CD 69 68 F2 AF 4E Q3..6@...%.ih..N
0010: 23 3E B3 41 #>.A
]
]
View the sectigo certificate:
C:\jks>"c:\Program Files\Java\jdk-21\bin\keytool.exe" -list -v -alias sectigo -keystore lseg_keystore.jks -storepass changeit
Alias name: sectigo
Creation date: Mar 27, 2025
Entry type: trustedCertEntry
Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 4caaf9cadb636fe01ff74ed85b03869d
Valid from: Tue Jan 19 07:00:00 ICT 2010 until: Tue Jan 19 06:59:59 ICT 2038
Certificate fingerprints:
SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
SHA256: 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..
0010: D9 32 32 D4 .22.
]
]
After the server certificate has been trusted in the keystore file, the keystore file is ready to be used with the encrypted connection type. Below is the success log output from EMA Java API.
Feb 11, 2021 11:04:33 AM com.refinitiv.ema.access.ChannelCallbackClient reactorChannelEventCallback
INFO: loggerMsg
ClientName: ChannelCallbackClient
Severity: Info
Text: Received ChannelUp event on channel Channel_4
Instance Name Consumer_3_1
Component Version ads3.4.2.L1.linux.tis.rrg 64-bit
loggerMsgEnd
Once the application can connect to the server and receive a response, you can remove the JVM option to reduce the log output overhead.
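The print, check and import steps above can be done in one non-interactive step that refuses a certificate whose SHA-256 fingerprint differs from a value obtained separately from the CA. This is an added example, not code from the article or from RTSDK; the class name PinnedImport and its argument order are illustrative, and it assumes JDK 17 or later and that the certificate being imported is a CA certificate, as in the two files shown above.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HexFormat;

// Added example (not RTSDK code): the -printcert / -importcert steps as one
// check-then-import. Requires JDK 17+ (HexFormat).
public class PinnedImport {

    // Same colon-separated upper-case form that keytool prints after "SHA256:".
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.ofDelimiter(":").withUpperCase().formatHex(digest);
    }

    /** Imports certFile under alias only if it is a valid CA certificate with the expected fingerprint. */
    static void importIfPinned(Path certFile, String expectedSha256, String alias,
                               Path keystore, char[] password) throws Exception {
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certFile)) {
            // The X.509 factory accepts both DER and PEM encoded files.
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String actual = sha256Fingerprint(cert);
        if (!actual.equalsIgnoreCase(expectedSha256.trim())) {
            throw new SecurityException("fingerprint mismatch, refusing to trust " + certFile
                    + "\n  expected " + expectedSha256 + "\n  actual   " + actual);
        }
        cert.checkValidity();                  // throws if expired or not yet valid
        if (cert.getBasicConstraints() < 0) {  // -1: BasicConstraints CA:true is absent
            throw new SecurityException("not a CA certificate: " + cert.getSubjectX500Principal());
        }
        KeyStore ks = KeyStore.getInstance(keystore.toFile(), password);
        if (ks.containsAlias(alias)) {
            throw new IllegalStateException("alias already in keystore: " + alias);
        }
        ks.setCertificateEntry(alias, cert);   // shows up as trustedCertEntry in keytool -list

        // Write to a temporary file first so a failed store() cannot truncate the keystore.
        Path tmp = Files.createTempFile(keystore.toAbsolutePath().getParent(), "ks", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, password);
        }
        Files.move(tmp, keystore, StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: PinnedImport <cert> <expected-sha256> <alias> <keystore> <password>");
            System.exit(2);
        }
        importIfPinned(Path.of(args[0]), args[1], args[2], Path.of(args[3]), args[4].toCharArray());
        System.out.println("Certificate was added to keystore under alias " + args[2]);
    }
}
```

Take the expected fingerprint from the CA's published repository rather than from the downloaded file itself.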
More examples from Enterprise Transport API (ETA) - Java
ETA Java provides methods to specify HTTPS tunneling by passing the ConnectionTypes.ENCRYPTED constant to the ConnectOptions.connectionType() method. It also has a TunnelingInfo class to specify the details of a keystore file (refer to Chapter 9.15: Tunneling of the ETA Java developer guide).
Class | Method | Purpose | Value |
---|---|---|---|
ConnectOptions | connectionType(int connectionType) | Type of connection to establish. | |
 | tunnelingInfo() | Tunneling connection parameters. Use this ConnectOptions.tunnelingInfo() method to access TunnelingInfo's attributes/members. | |
 | tunnelingType(java.lang.String tunnelingType) | Tunneling type. | Possible values are "None", "http", or "encrypted". For HTTP Tunneling, tunnelingType has to be set to "http" or "encrypted". |
TunnelingInfo | KeystoreFile(java.lang.String KeystoreFile) | Keystore file that contains your own private keys, and public key certificates you received from someone else. | <ANY> |
 | KeystorePasswd(java.lang.String KeystorePasswd) | Password for keystore file. | <ANY> |
Example:
// ConnectOptions cOpt = chnlInfo.connectOptions.connectionList().get(0).connectOptions();
cOpt.connectionType(ConnectionTypes.ENCRYPTED);
cOpt.tunnelingInfo().tunnelingType("encrypted");
cOpt.tunnelingInfo().KeystoreFile("<KEYSTORE_FILENAME>");
cOpt.tunnelingInfo().KeystorePasswd("<KEYSTORE_PASSWORD>");
Examples of general errors when using HTTPS with the keystore file:
Please enable the JVM option: -Djavax.net.debug=all to reveal more details about the error regarding HTTPS handshake activity.
1. The keystore file could not be found.
Error Message:
IOException initializeTLS: Error when loading keystore from certificate file <KEYSTORE_FILENAME> (The system cannot find the file specified)
Resolution:
Verify that the value of KEYSTORE_FILENAME is correct and that the file exists.
2. The keystore file's password is not correct.
Error Message:
IOException initializeTLS: Error when loading keystore from certificate file <KEYSTORE_FILENAME> (The system cannot find the file specified)
Resolution:
Verify that the KEYSTORE_PASSWORD value is exactly correct by using the keytool application.
3. The keystore file does not contain a valid certificate to connect to the server.
Error Message:
***
pool-1-thread-1, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
pool-1-thread-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
pool-1-thread-1, WRITE: TLSv1.2 Alert, length = 2
pool-1-thread-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
pool-1-thread-1, called closeOutbound()
pool-1-thread-1, closeOutboundInternal()
Resolution:
Check the javax.net.debug output to find the certificate required.
Note: JRE8 Update 91 and higher support DigiCert certificates. If you encounter problems with DigiCert certificates, upgrade to JRE8 Update 91 or higher.
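The three cases above can be told apart before the application starts by loading the keystore with the JDK's own java.security.KeyStore API. This is an added example, not code from the article or from RTSDK; the class name KeystorePreflight and the case numbering in its output are illustrative, and it assumes JDK 17 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HexFormat;
import java.util.List;

// Added example (not RTSDK code): pre-flight check of a keystore before it is
// passed to tunnelingKeyStoreFile() / KeystoreFile(). Requires JDK 17+ (HexFormat).
public class KeystorePreflight {
    /** Returns one finding per entry; findings starting with "FAIL" map to error cases 1-3. */
    static List<String> check(Path file, char[] password) throws Exception {
        List<String> findings = new ArrayList<>();
        if (!Files.isRegularFile(file)) {
            findings.add("FAIL case 1: keystore file not found: " + file.toAbsolutePath());
            return findings;
        }
        KeyStore ks;
        try {
            // Detects JKS vs PKCS12 from the file content, whatever the extension says.
            ks = KeyStore.getInstance(file.toFile(), password);
        } catch (IOException | KeyStoreException e) {
            // A bad password surfaces as IOException caused by UnrecoverableKeyException.
            findings.add(e.getCause() instanceof UnrecoverableKeyException
                    ? "FAIL case 2: keystore password is incorrect"
                    : "FAIL: keystore is unreadable or corrupt: " + e.getMessage());
            return findings;
        }
        Date now = new Date();
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            boolean imported = ks.isCertificateEntry(alias); // trustedCertEntry in keytool -list
            if (imported) trusted++;
            String validity = now.after(cert.getNotAfter()) ? "EXPIRED"
                    : now.before(cert.getNotBefore()) ? "NOT YET VALID" : "valid";
            String sha256 = HexFormat.ofDelimiter(":").withUpperCase()
                    .formatHex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
            findings.add(String.format("%s %s [%s] %s until %s%n     subject=%s%n     SHA256=%s",
                    validity.equals("valid") ? "ok  " : "WARN", alias,
                    imported ? "trustedCertEntry" : "PrivateKeyEntry", validity,
                    cert.getNotAfter(), cert.getSubjectX500Principal().getName(), sha256));
        }
        if (trusted == 0) {
            findings.add("FAIL case 3: no trustedCertEntry; import the certificate "
                    + "named in the javax.net.debug output with keytool -importcert");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the file name and password from this article's keytool walkthrough.
        Path file = Path.of(args.length > 0 ? args[0] : "lseg_keystore.jks");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        List<String> findings = check(file, password);
        findings.forEach(System.out::println);
        System.exit(findings.stream().anyMatch(f -> f.startsWith("FAIL")) ? 1 : 0);
    }
}
```

A keystore that passes this check can still fail case 3 at handshake time if the imported certificate is not the one the server's chain leads to; the javax.net.debug output remains the reference for which certificate is required.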
Conclusion
After reading this article, we hope you understand how to connect your application to the server using the HTTPS connection type. The article also introduces Oracle's keytool application, which is used for manipulating the keystore file, since Java technology uses the keystore file as a repository of certificates for secure message communication. We also mention the -Djavax.net.debug=all JVM argument, which is useful when the application encounters a problem during the HTTPS connection establishment stage. The output from the JVM argument gives a meaningful message and provides some insight to help identify the root cause of the problem.
Reference:
- https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html
- https://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-overview_c/index....
- Davies, Joshua. Implementing SSL/TLS Using Cryptography and PKI. Wiley Publishing, Inc., 2011. E-book.
- Real-time Java API page on the LSEG Developer Community web site.
- Enterprise Message API Developer Guide documents page.
- Enterprise Transport API Developer Guide documents page.
For any questions related to this article or the Real-Time SDK Java page, please use the Developer Community Q&A Forum.