Confluence not able to connect to SSL services due to "java.security.KeyManagementException: problem accessing trust store"
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After upgrading to Confluence 8.5.5 or later, connecting to applications or websites that use SSL/TLS (for example LDAPS or IMAPS) throws an exception. This can happen when attempting to establish a secure connection to any of the following:
Active Directory server, JIRA User Server or Crowd
Mail server
Another Atlassian application using Application Links
Atlassian Migration Service
Environment
Confluence 8.5.5+ on Windows environment
Diagnosis
The atlassian-confluence.log shows the exception below when Confluence tries to connect to an SSL service (in this example, LDAPS):
2024-02-07 19:20:35,619 ERROR [Caesium-1-2] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Exception occured when performing full synchronization
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: ldap.example.local:636; nested exception is javax.naming.CommunicationException: ldap.example.local:636 [Root exception is java.lang.RuntimeException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
....
.....
... 44 more
Caused by: java.security.KeyManagementException: problem accessing trust store
at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(Unknown Source)
Caused by: java.security.KeyManagementException: problem accessing trust store
at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(Unknown Source)
at java.base/sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(Unknown Source)
Caused by: java.io.FileNotFoundException: D:\Program Files\Atlassian\Confluence\cacerts (Access is denied)
Cause
To give additional insight into why this occurs with 8.5.5+: one of our key objectives with this upgrade is to enhance the security of the Confluence install folder. To achieve this, we have removed access for non-admin users who belong to the BUILTIN\Users group, thereby limiting the ability to manipulate files in that folder. In light of these changes, it's important to note that the BUILTIN\Users group, and even the CREATOR of the folder, will no longer have access to it. They will need to escalate their permissions to Administrator level in order to manipulate files in this directory.
Furthermore, we have modified the install directory permissions for most folders (except work, temp, and logs) to "read" and "execute" only. This means that users can run programs or files and read the contents of the directory, but they cannot modify, delete, or create new files. These alterations are part of our ongoing commitment to enhancing the security and functionality of our products.
Solution
Update the permissions on the C:\Program Files\Atlassian\Confluence\jre\lib\security\cacerts file and ensure the account that starts Confluence has read access to it. If a service account manages the Confluence Windows service, then that account needs read permission on that file.
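The following PowerShell script is an added example, not part of this KB or of Atlassian's tooling: run from an elevated prompt, it looks up the account the Confluence service runs as, shows the current ACL on cacerts, and grants that account Read (not Modify) access if it is missing. The install path and service name are assumptions; adjust them for your installation.

```powershell
# Added example (not from the Atlassian KB): verify and repair read access to cacerts
# for the account that runs the Confluence service. Run as Administrator.
$CacertsPath = 'C:\Program Files\Atlassian\Confluence\jre\lib\security\cacerts'  # assumed path
$ServiceName = 'Confluence'                                                         # assumed service name

# Determine which account the Confluence Windows service starts as.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; adjust `$ServiceName." }
$account = $svc.StartName
# Normalise the two common shorthands Win32_Service reports.
if ($account -eq 'LocalSystem')   { $account = 'NT AUTHORITY\SYSTEM' }
if ($account -like '.\*')         { $account = "$env:COMPUTERNAME\" + $account.Substring(2) }

if (-not (Test-Path -LiteralPath $CacertsPath)) { throw "cacerts not found at $CacertsPath" }

# Show the current ACL so the missing grant is visible before anything changes.
$acl = Get-Acl -LiteralPath $CacertsPath
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Check for an explicit Allow ACE that covers the full Read right set.
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}

if ($hasRead) {
    Write-Host "$account already has read access to cacerts."
} else {
    # Grant Read only: the truststore should stay write-protected, as the
    # 8.5.5+ install folder hardening intends.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $readRight, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $CacertsPath -AclObject $acl
    Write-Host "Granted read access on cacerts to $account. Restart the Confluence service."
}
```

The check only inspects ACEs that name the service account directly, so access it already holds through group membership will still be reported as missing; in that case the extra Read grant is harmless.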