2 Replies. Latest reply: Aug 13, 2011 7:44 PM by 830591

    PKIX path building failed

    michaelk
      I'm trying to connect using Java to a remote webserver using HTTPS. The remote server uses port 8700.
      I've received two files from the sysadmin of the remote server, a certificate file (in ASCII) and a PKCS file (in binary). The remote system is an MVS system (although it shouldn't matter) configured to use Application Transparent TLS (AT-TLS). I import the certificate into Chrome (also works with Firefox) in the Trusted Root Certification Authorities tab and the PKCS file into the Personal tab.

      I am then able to enter a URL on the browser bar and receive proper responses.

      All this tells me the necessary (security) plumbing is configured correctly.

      I imported the certificate, using keytool into the C:\Program Files\Java\jdk1.6.0_26\jre\lib\security\cacerts file. So, the cacerts file has the standard Java trusted CAs plus the one from my server.
      I also have a client.p12 file containing the client key.
      My Java runtime includes:
      -Djavax.net.ssl.trustStoreType=pkcs12
      -Djavax.net.ssl.trustStore=client.p12
      -Djavax.net.ssl.trustStorePassword=(real password)
      -Djavax.net.ssl.keyStoreType=jks
      -Djavax.net.ssl.keyStore=cacerts
      -Djavax.net.ssl.keyStorePassword=changeit
      -Djavax.net.debug=ssl

      When I run my program, this is the output:
      keyStore is : cacerts
      keyStore type is : jks
      keyStore provider is :
      init keystore
      init keymanager of type SunX509
      trustStore is: client.p12
      trustStore type is : pkcs12
      trustStore provider is :
      init truststore
      adding as trusted cert:
      Subject: CN=lstclmvs.us.oracle.com, OU=tbiCLIENT Oracle, O=Oracle Corp., C=US
      Issuer: CN=lstclmvs.us.oracle.com, OU=tbiSERVER Oracle, O=Oracle Corp., C=US
      Algorithm: RSA; Serial number: 0x2
      Valid from Thu Aug 04 00:00:00 MDT 2011 until Sat Aug 04 23:59:59 MDT 2012

      trigger seeding of SecureRandom
      done seeding SecureRandom
      Allow unsafe renegotiation: false
      Allow legacy hello messages: true
      Is initial handshake: true
      Is secure renegotiation: false
      main, setSoTimeout(120000) called
      %% No cached client session
      *** ClientHello, TLSv1
      RandomCookie: GMT: 1312830894 bytes = { 126, 81, 157, 159, 169, 69, 226, 97, 103, 152, 187, 185, 26, 79, 240, 69, 120, 13, 70, 236, 179, 163, 243, 189, 176, 180, 136, 150 }
      Session ID: {}
      Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
      Compression Methods: { 0 }
      ***
      main, WRITE: TLSv1 Handshake, length = 75
      main, WRITE: SSLv2 client hello message, length = 101
      main, READ: TLSv1 Handshake, length = 1458
      *** ServerHello, TLSv1
      RandomCookie: GMT: 1312830892 bytes = { 127, 130, 124, 67, 27, 110, 103, 184, 180, 159, 166, 51, 45, 129, 71, 236, 172, 42, 189, 142, 6, 163, 145, 32, 158, 146, 215, 185 }
      Session ID: {0, 7, 1, 136, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 10, 135, 65, 99, 16, 30, 0, 0, 78, 64, 54, 172, 0, 0, 0, 87}
      Cipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
      Compression Method: 0
      Extension renegotiation_info, renegotiated_connection: <empty>
      ***
      %% Created: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
      ** SSL_RSA_WITH_3DES_EDE_CBC_SHA
      *** Certificate chain
      chain [0] = [
      [
      Version: V3
      Subject: CN=lstclmvs.us.oracle.com, OU=tbiSERVER Oracle, O=Oracle Corp., C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key: Sun RSA public key, 1024 bits
      modulus: 116972943503467525966195939007076658796043661766435147223468765711869830522155936138634690751360545686810896769066760743939903344353959120886196428563814310112453094939675235454381102500978699282072409791574452637986586967656310113303922402698943678641204044632459961446473697847615041244540937762349028164937
      public exponent: 65537
      Validity: [From: Thu Aug 04 00:00:00 MDT 2011,
                     To: Sat Aug 04 23:59:59 MDT 2012]
      Issuer: CN=lstclmvs.us.oracle.com, OU=tbiSERVER Oracle, O=Oracle Corp., C=US
      SerialNumber: [    01]

      Certificate Extensions: 3
      [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
      Extension unknown: DER encoded OCTET string =
      0000: 04 32 16 30 47 65 6E 65 72 61 74 65 64 20 62 79 .2.0Generated by
      0010: 20 74 68 65 20 53 65 63 75 72 69 74 79 20 53 65 the Security Se
      0020: 72 76 65 72 20 66 6F 72 20 7A 2F 4F 53 20 28 52 rver for z/OS (R
      0030: 41 43 46 29 ACF)


      [2]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: C0 C0 B4 C5 19 16 76 45 6C 08 73 93 69 7F 4F 41 ......vEl.s.i.OA
      0010: 58 2C 10 BF X,..
      ]
      ]

      [3]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 17 90 68 46 09 80 11 71 33 7A 49 9F 43 76 11 6F ..hF...q3zI.Cv.o
      0010: 8C F6 88 F7 ....
      ]

      ]

      ]
      Algorithm: [SHA1withRSA]
      Signature:

      ]
      ***
      main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
      main, WRITE: TLSv1 Alert, length = 2
      main, called closeSocket()
      main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      main, called close()
      main, called closeInternal(true)
      Aug 8, 2011 1:19:15 PM oracle.tbi.weblogic.ssp.racf.authentication.RacfLoginModuleImpl loginImplementation
      WARNING: EXCEPTION_TEXT[Ljava.lang.StackTraceElement;@52d1a4
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
      (large stack trace omitted)

      I feel like I'm close but missing or messed up some configuration item. Any ideas?

      Best Regards,
      Michael
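As an added example (not code from the original post), here is how the two stores map onto JSSE: the trust store is what validates the server's chain, so it must hold the certificate that issued the server certificate (in the log, the self-signed "OU=tbiSERVER" cert, which was imported into cacerts), while the key store holds the client identity (client.p12). The post's system properties assign them the other way round, which is why the only "adding as trusted cert" line shows the client certificate and the handshake ends in certificate_unknown. The URL path "/" and the p12 password read from the command line are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

public class MutualTlsClient {

    // Load a key store of the given type from disk (JDK 6 style, no try-with-resources).
    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    // Check before connecting: does the trust store hold a certificate whose subject is the
    // issuer of the server certificate? If not, PKIX path building cannot succeed.
    static boolean trustsIssuer(KeyStore trust, String issuerDn) throws Exception {
        X500Principal issuer = new X500Principal(issuerDn); // X500Principal.equals canonicalises DNs
        for (Enumeration<String> aliases = trust.aliases(); aliases.hasMoreElements();) {
            X509Certificate c = (X509Certificate) trust.getCertificate(aliases.nextElement());
            if (c != null && issuer.equals(c.getSubjectX500Principal())) return true;
        }
        return false;
    }

    // Trust store -> TrustManager (validates the server), key store -> KeyManager (client identity).
    static SSLContext buildContext(KeyStore trust, KeyStore identity, char[] keyPw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] p12Pw = args[0].toCharArray();                       // assumed: real p12 password as argv[0]
        KeyStore trust = load("JKS", "cacerts", "changeit".toCharArray()); // cacerts with the server CA added
        KeyStore identity = load("PKCS12", "client.p12", p12Pw);       // client key and certificate
        String serverIssuer = "CN=lstclmvs.us.oracle.com, OU=tbiSERVER Oracle, O=Oracle Corp., C=US";
        if (!trustsIssuer(trust, serverIssuer)) { System.err.println("issuer not in trust store"); return; }
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://lstclmvs.us.oracle.com:8700/").openConnection();
        conn.setSSLSocketFactory(buildContext(trust, identity, p12Pw).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The same mapping applies if you keep the -D properties instead: javax.net.ssl.trustStore should point at cacerts (type jks, password changeit) and javax.net.ssl.keyStore at client.p12 (type pkcs12).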