“PKIX path building failed” when attempting to clone repo from github in Eclipse 3.6 with WAS 8 plugin

StackOverflow https://stackoverflow.com/questions/8865122

Question

I have installed the Eclipse Java EE Developers Helios SR2 IDE. The only additional plugins, installed from the Eclipse marketplace, are WebSphere Application Server 8.0 Developer Tools (8.0.4) and JGit/EGit.

I could attach to github fine until I followed the steps on the IBM site to update the eclipse.ini file to use the IBM-provided JRE that comes with WAS8.

Once I changed Eclipse to use the IBM JRE, I could not connect to github. When I tried to clone a repository, for instance, I got the error here:

my/url/to.git: cannot open git-upload-pack
java.lang.ClassNotFoundException: Cannot find the specified class com.ibm.websphere.ssl.protocol.SSLSocketFactory

I updated the configuration file as documented here: http://publib.boulder.ibm.com/infocenter/radhelp/v7r5/index.jsp?topic=%2Fcom.ibm.ws.ast.st.v6.ui.doc%2Ftopics%2Frssl_isUseIBMSSLSocketFactory.html

After I made the change, it still doesn't work. I get this error:

my/url/to.git: cannot open git-upload-pack
com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error

Solution

(Firstly, I'm not sure why you want to run Eclipse on the IBM JRE. If you need the IBM JRE for specific projects (or even by default) as the running environment, you could add it and set it in the Workspace (or Project) properties.)

This error is happening because the IBM JRE doesn't trust this certificate (CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US) out of the box.

Both the Oracle and the IBM JRE come with a default set of trusted CA certificates.

In Oracle Java, they're located in "jssecacerts, if it exists. Otherwise, cacerts". The documentation also says:

IMPORTANT NOTE: The JDK ships with a limited number of trusted root certificates in the /lib/security/cacerts file. As documented in keytool, it is your responsibility to maintain (that is, add/remove) the certificates contained in this file if you use this file as a truststore.

Depending on the certificate configuration of the servers you contact, you may need to add additional root certificate(s). Obtain the needed specific root certificate(s) from the appropriate vendor.

This may be in a different place for the IBM JRE, but ultimately, this piece of advice also applies: it's ultimately up to you to make sure you have the CA certificates you want to trust. You could export them from your browser, for example.
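
To see whether a particular JRE already trusts the root named in the error, the following added example (not part of the original answer) loads that JRE's default trust store and looks for the subject DN. The class name TrustStoreCheck is hypothetical, and the code assumes the standard lookup locations quoted above, which the IBM JRE may not use.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;
// Added example (hypothetical class name): does the JRE running this class trust a given root CA?
public class TrustStoreCheck {
    // Lookup order quoted in the answer: jssecacerts if it exists, otherwise cacerts.
    // The javax.net.ssl.trustStore system property, when set, takes precedence over both.
    static File defaultTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return new File(override);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jssecacerts = new File(dir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(dir, "cacerts");
    }

    // Returns the alias of the trusted entry whose subject equals 'wanted', or null if none.
    static String findTrustedCa(KeyStore store, X500Principal wanted) throws Exception {
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = store.getCertificate(alias);
            if (cert instanceof X509Certificate
                    && ((X509Certificate) cert).getSubjectX500Principal().equals(wanted)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Subject DN copied from the error message in the question.
        X500Principal root = new X500Principal(
            "CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US");
        File path = defaultTrustStore();
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, null); // null password: entries are read without an integrity check
        } finally {
            in.close();
        }
        String alias = findTrustedCa(store, root);
        System.out.println(path + ": "
            + (alias != null ? "trusted as alias " + alias : "no entry for " + root.getName()));
    }
}
```

Run it with the java binary of the JRE that eclipse.ini points to, since each JRE installation carries its own trust store.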

Licensed under: CC-BY-SA with attribution