0 Replies Latest reply: Apr 17, 2013 4:36 AM by User_resU

    Web service client and SSL Certificate

    User_resU
      Hello, everyone,

      I have a problem that has really stumped me.

      I've written a web service client for a web service that has a digital certificate. This comes in the form of a .pfx file.

      When I try to send a request to the web service, I get the following:
      AxisFault
       faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
       faultSubcode: 
       faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       faultActor: 
       faultNode: 
       faultDetail: 
           {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
           at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
           at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
           at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
           at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
           at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
           at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
           at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
           at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
           at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
           at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
           at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
           at org.apache.axis.client.Call.invoke(Call.java:2767)
           at org.apache.axis.client.Call.invoke(Call.java:2443)
           at org.apache.axis.client.Call.invoke(Call.java:2366)
           at org.apache.axis.client.Call.invoke(Call.java:1812)
           at org.tempuri.BasicHttpBinding_IExternalServiceStub.submitAchievementBatchJob(BasicHttpBinding_IExternalServiceStub.java:531)
           at uk.gov.qcf.lrs.api.services.IExternalServiceProxy.submitAchievementBatchJob(IExternalServiceProxy.java:56)
           at uk.org.aqa.main.Main.main(Main.java:111)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
           at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
           at sun.security.validator.Validator.validate(Unknown Source)
           at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
           at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
           at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
           ... 24 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
           at java.security.cert.CertPathBuilder.build(Unknown Source)
           ... 30 more
      
           {http://xml.apache.org/axis/}hostname:WM8-319
      
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
           at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
           at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
           at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
           at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
           at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
           at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
           at org.apache.axis.client.Call.invoke(Call.java:2767)
           at org.apache.axis.client.Call.invoke(Call.java:2443)
           at org.apache.axis.client.Call.invoke(Call.java:2366)
           at org.apache.axis.client.Call.invoke(Call.java:1812)
           at org.tempuri.BasicHttpBinding_IExternalServiceStub.submitAchievementBatchJob(BasicHttpBinding_IExternalServiceStub.java:531)
           at uk.gov.qcf.lrs.api.services.IExternalServiceProxy.submitAchievementBatchJob(IExternalServiceProxy.java:56)
           at uk.org.aqa.main.Main.main(Main.java:111)
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
           at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
           at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
           at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
           at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
           at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
           at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
           at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
           ... 12 more
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
           at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
           at sun.security.validator.Validator.validate(Unknown Source)
           at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
           at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
           at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
           ... 24 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
           at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
           at java.security.cert.CertPathBuilder.build(Unknown Source)
           ... 30 more
      I've looked online to try to solve this issue, and it seemed that the answer was to add the certificate to the keystore. I had a lot of issues doing this, due to the certificate being a .pfx file. However, using the following, I was able to do it:
      keytool -importkeystore -srckeystore "sandpit.pfx" -destkeystore "%JAVA_HOME2%\lib\security\cacerts" -srcstoretype pkcs12 -deststoretype jks -srcstorepass password -deststorepass anotherpassword -v
      However, I am still getting the same error. This may be because this isn't the keystore used, but it is located in the area marked as being used in the build path.

      I then looked further, and found that I may need to add:
      System.setProperty("javax.net.ssl.trustStore","myKeystore");
      System.setProperty("javax.net.ssl.trustStorePassword","myPassword");
      altering where appropriate. But this didn't work, and I'm thinking that this would involve a lot more code than just those two lines.

      I'm just not sure what to do, and am hoping someone can help. I didn't think it would be too big an issue to ensure my program used the certificate, but it seems to be. I thought that once it was added to the keystore, that would be it, but it appears not.

      I'm sure this isn't a rare issue, but I just lack the knowledge to make any headway. Please can someone help or point me in the right direction?

      Thank you very much in advance.

      Robin
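
Added example (not part of the original post, and not the poster's code): a small Java diagnostic that keeps the two stores apart, loading the .pfx as the client identity and a separate JKS file as the trust store, and listing what kind of entry each alias is. It assumes the .pfx holds the client's key pair; the class name `TlsStores`, the four command-line arguments, and the SOAP stack picking up the JVM default `SSLContext` are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TlsStores {
    // Load a keystore file of the given type ("PKCS12" for a .pfx, "JKS" for cacerts).
    static KeyStore load(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass); } finally { in.close(); }
        return ks;
    }

    // Print each alias and whether it is a key entry (an identity this side presents)
    // or a trusted-certificate entry (a trust anchor used to validate the peer).
    static void describe(String label, KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(label + ": " + alias + " -> "
                + (ks.isKeyEntry(alias) ? "key entry" : "trusted certificate entry"));
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TlsStores <client.pfx> <pfxPassword> <truststore.jks> <trustPassword>
        KeyStore identity = load(args[0], "PKCS12", args[1].toCharArray());
        KeyStore trust = load(args[2], "JKS", args[3].toCharArray());
        describe("identity", identity);
        describe("trust", trust);

        // Key managers present the client certificate to the server.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, args[1].toCharArray());
        // Trust managers validate the server's chain; "PKIX path building failed"
        // is raised by this side when no chain to an entry in the trust store is found.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx); // assumption: the SOAP client uses the JVM default context
        // The default trust store is resolved relative to this directory, not to JAVA_HOME.
        System.out.println("java.home = " + System.getProperty("java.home"));
    }
}
```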