Confluence not able to connect to SSL services due to "java.security.KeyManagementException: problem accessing trust store"
Summary
After upgrading to Confluence 8.5.5 or later, connections to services secured with SSL/TLS (for example LDAPS or IMAPS) fail with an exception. This can occur when Confluence tries to establish a secure connection to any of the following:
- Active Directory server, JIRA User Server or Crowd
- Mail server
- Another Atlassian application using Application Links
- Atlassian Marketplace
- Atlassian Migration Service
Environment
- Confluence 8.5.5+ on Windows environment
Diagnosis
The atlassian-confluence.log shows the following exception when Confluence tries to connect to an SSL/TLS service (LDAPS in this example):
2024-02-07 19:20:35,619 ERROR [Caesium-1-2] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Exception occured when performing full synchronization
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: ldap.example.local:636; nested exception is javax.naming.CommunicationException: ldap.example.local:636 [Root exception is java.lang.RuntimeException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
....
.....
... 44 more
Caused by: java.security.KeyManagementException: problem accessing trust store
at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(Unknown Source)
Caused by: java.security.KeyManagementException: problem accessing trust store
at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(Unknown Source)
at java.base/sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(Unknown Source)
Caused by: java.io.FileNotFoundException: D:\Program Files\Atlassian\Confluence\cacerts (Access is denied)
Cause
This happens because one of the objectives of the 8.5.5 release was to harden the Confluence installation folder. We removed the access previously granted to non-administrative users in the BUILTIN\Users group, which limits their ability to manipulate files in that folder. As a consequence, members of BUILTIN\Users, and even the account that created the folder, no longer have access to it; they must elevate to Administrator to change files in this directory.
In addition, the permissions on most folders in the installation directory (all except work, temp and logs) have been reduced to read and execute only. Users can run programs and read the contents of those directories, but they cannot modify, delete or create files in them. These changes are part of our ongoing commitment to improving the security of our products.
Solution
Grant the account that starts Confluence read access to the trust store named in the exception. By default this is the bundled JRE's cacerts file, C:\Program Files\Atlassian\Confluence\jre\lib\security\cacerts; if the JVM is started with -Djavax.net.ssl.trustStore pointing elsewhere, the FileNotFoundException shows the path that Java actually tried to open, and that is the file whose permissions must be fixed. When Confluence runs as a Windows service, the service account needs the permission, not the administrator who ran the installer. Grant read only: write access to the trust store would undo the hardening described above, because anyone able to modify cacerts can add a CA that Confluence will then trust for LDAPS, IMAPS and every other outbound TLS connection.
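The following PowerShell script, added here as an example and not part of the original article, carries out the check and the fix from an elevated session: it looks up the account the Confluence Windows service runs as, checks whether the trust store already grants that account read access, and if not grants read (and only read) with icacls, then verifies the result. The service name 'Confluence', the installation path and the default cacerts password 'changeit' are assumptions; substitute the path reported in your own exception message.

```powershell
# Added example, not part of the Atlassian article. Run from an elevated
# PowerShell session on the Confluence server. Assumptions (adjust to match):
#   - the Windows service is named 'Confluence'
#   - Confluence is installed under $InstallDir and uses the bundled JRE's
#     default cacerts; if the FileNotFoundException names a different path,
#     set $TrustStore to that path instead
$ServiceName = 'Confluence'
$InstallDir  = 'C:\Program Files\Atlassian\Confluence'
$TrustStore  = Join-Path $InstallDir 'jre\lib\security\cacerts'
$KeyTool     = Join-Path $InstallDir 'jre\bin\keytool.exe'

# Map the service's StartName to an account name that icacls and Get-Acl report.
function Resolve-ServiceAccount {
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^LocalSystem$'   { 'NT AUTHORITY\SYSTEM' }
        '^NT AUTHORITY\\' { $StartName }                                  # e.g. NETWORK SERVICE
        '^\.\\'           { "$env:COMPUTERNAME\$($StartName.Substring(2))" } # .\user -> HOST\user
        default           { $StartName }                                  # DOMAIN\user
    }
}

# Return the explicit or inherited Allow ACEs on $Path that give $Identity
# at least ReadData. An empty result means no direct read grant exists.
function Get-ReadAce {
    param([string]$Path, [string]$Identity)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $Identity -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
}

if (-not (Test-Path -LiteralPath $TrustStore)) {
    throw "Trust store not found: $TrustStore"
}

# 1. Which account actually starts the service?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = Resolve-ServiceAccount $svc.StartName
Write-Host "Service '$ServiceName' runs as $account"

# 2. Does that account already hold a read ACE on the trust store?
if (Get-ReadAce -Path $TrustStore -Identity $account) {
    Write-Host "$account already has read access to $TrustStore"
} else {
    # 3. Grant read only. icacls '(R)' = read data, attributes, extended
    #    attributes and permissions. Do not use (M) or (F): a writable trust
    #    store lets anyone who can edit it add a CA that Confluence will trust.
    & icacls.exe $TrustStore /grant "${account}:(R)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# 4. Show the resulting ACL and confirm the keystore still opens with keytool
#    (default cacerts password is 'changeit'; adjust if it was changed).
(Get-Acl -LiteralPath $TrustStore).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
& $KeyTool -list -keystore $TrustStore -storepass changeit | Select-Object -First 3
```

The ACE check only looks for a grant to the service account itself; if the account gets read access through a group it belongs to (for example when it is a member of Administrators), the script will add a redundant explicit ACE, which is harmless. It does not evaluate Deny ACEs, so if the keytool step still fails after the grant, inspect the full ACL output for a Deny entry that applies to the account.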