This article presents the steps to import the required certificates so that a Java application can connect to Azure SQL Database or Azure SQL Managed Instance with Azure AD (AAD) authentication. If the required certificates are missing from the client machine when connecting via AAD authentication, an error similar to the following appears in the application logs:
SQLServerException: Failed to authenticate the user in Active Directory (Authentication=ActiveDirectoryPassword).
Caused by: ExecutionException: mssql_shaded.com.microsoft.aad.adal4j.AuthenticationException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: AuthenticationException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
The cause is a missing certificate in the Java certificate store (the JDK truststore), so the driver cannot build a trusted path to the certificate presented during authentication. As a quick workaround, setting TrustServerCertificate=True in the connection string makes the JDBC connection succeed. When TrustServerCertificate is set to true, the transport layer still uses SSL to encrypt the channel, but it skips walking the certificate chain to validate trust. If TrustServerCertificate is set to true and encryption is turned on, the encryption level specified on the server is used even if Encrypt is set to false; otherwise the connection fails. However, bypassing certificate validation is not recommended: the client then accepts any certificate, so the encrypted channel no longer guarantees that it is talking to the genuine server. To fix the issue properly, follow the steps below to keep certificate validation in the connection string and import the required certificates.
Download all the certificates linked here, store them in a location on the client host, and then use the keytool utility to import each of them into the JDK truststore (the cacerts file of the JDK that runs the application). keytool prompts for the truststore password; the default password of the JDK cacerts file is changeit.
Example commands (JDK 14 on Windows):
keytool -importcert -trustcacerts -alias TLS1 -file "C:\Users\Documents\Microsoft RSA TLS CA 01.crt" -keystore "C:\Program Files\Java\jdk-14.0.2\lib\security\cacerts"
keytool -importcert -trustcacerts -alias TLS2 -file "C:\Users\Documents\Microsoft RSA TLS CA 02.crt" -keystore "C:\Program Files\Java\jdk-14.0.2\lib\security\cacerts"
keytool confirms each successful import with:
Certificate was added to keystore.
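The following script is an added example, not code from the article. It covers the two points above: it audits an mssql-jdbc connection string for the TrustServerCertificate workaround and rewrites it with the validating settings, and it generates the keytool import command for every .crt file in a folder (generalizing the two hand-typed commands to any number of CA files). The property names encrypt and trustServerCertificate are the documented mssql-jdbc ones; the sample connection string, the alias naming scheme, the certificate folder and the JAVA_HOME fallback path are constructed assumptions.

```python
"""Audit and harden a mssql-jdbc connection string, and build keytool
import commands for a folder of CA certificates (added example)."""
import os
import subprocess
from typing import Dict, List

PREFIX = "jdbc:sqlserver://"


def parse_jdbc_url(url: str) -> Dict[str, str]:
    """Split 'jdbc:sqlserver://host:port;key=value;...' into a dict.
    Keys are lower-cased: mssql-jdbc treats property names case-insensitively."""
    if not url.startswith(PREFIX):
        raise ValueError("not a jdbc:sqlserver:// URL")
    server, *pairs = url[len(PREFIX):].split(";")
    props = {"server": server}
    for pair in pairs:
        if pair.strip():
            key, _, value = pair.partition("=")
            props[key.strip().lower()] = value.strip()
    return props


def audit_tls(url: str) -> List[str]:
    """Return findings for settings that weaken TLS; an empty list means the
    server certificate chain will be validated against the truststore."""
    props = parse_jdbc_url(url)
    findings = []
    if props.get("trustservercertificate", "false").lower() == "true":
        findings.append("trustServerCertificate=true: certificate chain is not validated")
    encrypt = props.get("encrypt", "").lower()
    if encrypt == "":
        findings.append("encrypt not set: set encrypt=true explicitly instead of relying on the driver default")
    elif encrypt not in ("true", "strict"):
        findings.append(f"encrypt={encrypt}: channel is not required to be TLS-protected")
    return findings


def harden(url: str) -> str:
    """Rewrite the URL with encrypt=true and trustServerCertificate=false,
    keeping every other property (and its original casing) untouched."""
    server, *pairs = url[len(PREFIX):].split(";")
    kept = [p.strip() for p in pairs
            if p.strip() and p.partition("=")[0].strip().lower()
            not in ("encrypt", "trustservercertificate")]
    kept += ["encrypt=true", "trustServerCertificate=false"]
    return PREFIX + server + ";" + ";".join(kept) + ";"


def cert_alias(filename: str) -> str:
    """Assumed alias scheme: file stem, lower-cased, spaces replaced by '-'.
    'Microsoft RSA TLS CA 01.crt' -> 'microsoft-rsa-tls-ca-01'."""
    stem = os.path.splitext(os.path.basename(filename))[0]
    return "-".join(stem.lower().split())


def keytool_import_commands(cert_dir: str, keystore: str) -> List[List[str]]:
    """One 'keytool -importcert' argv per .crt file in cert_dir (sorted), in the
    same form as the article's commands. -noprompt suppresses the interactive
    'Trust this certificate?' question so the import can run unattended."""
    commands = []
    for name in sorted(os.listdir(cert_dir)):
        if name.lower().endswith(".crt"):
            commands.append(["keytool", "-importcert", "-trustcacerts", "-noprompt",
                             "-alias", cert_alias(name),
                             "-file", os.path.join(cert_dir, name),
                             "-keystore", keystore])
    return commands


def import_certs(cert_dir: str, keystore: str, storepass: str) -> None:
    """Run the generated commands; stops on the first keytool failure."""
    for argv in keytool_import_commands(cert_dir, keystore):
        subprocess.run(argv + ["-storepass", storepass], check=True)


if __name__ == "__main__":
    # Constructed sample: the quick workaround from the article.
    weak = ("jdbc:sqlserver://myserver.database.windows.net:1433;database=mydb;"
            "authentication=ActiveDirectoryPassword;encrypt=true;trustServerCertificate=true;")
    for finding in audit_tls(weak):
        print("finding:", finding)
    fixed = harden(weak)
    print("hardened:", fixed, "findings:", audit_tls(fixed))
    # Assumed locations; adjust to the client host.
    java_home = os.environ.get("JAVA_HOME", "/usr/lib/jvm/default-java")
    cert_dir = os.path.expanduser("~/Documents")
    if os.path.isdir(cert_dir):
        keystore = os.path.join(java_home, "lib", "security", "cacerts")
        for argv in keytool_import_commands(cert_dir, keystore):
            print(" ".join(argv))
```

Run audit_tls() against the connection string the application actually uses; once it reports no findings and the CA files are imported, the PKIX error above should disappear without TrustServerCertificate=True. import_certs() performs the imports for real and takes the truststore password as an argument, so the password does not need to be hard-coded in the script.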