Hi, I'm trying to get my Smart Card working with Java Web Start. A first step was to use the JSE 1.5, since support for Smart Cards is better than previous versions. Now, our application uses SSL and requires client authentication using a Smart Card. We use Java Web Start. The Web Start can authenticate by using the Smart Card, and JARs are downloaded. However, when our actual JAR files start up, they cannot communicate with the server. A
java.io.IOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
is thrown. Must I add some certificates to the keystore, or...? Anyone who can point me in the good direction?
I think so. In some HTTP / HTTPS work I did recently building a file downloader component, when I encountered this exception:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I solved it by doing this:
1. Browse to the SSL site you're trying to reach so that you get prompted by the browser to accept the untrusted cert: "Security Alert" Yes | No | View Certificate. Click the View Certificate button, Details tab, Copy to File button. Save to a file (I chose a DER encoded .cer file (named it https.www.ejix.com.cer)).
2. Create a trusted keystore and import this certificate using this set of commands:

REM Add certificate to trust.keystore
"%JAVA_HOME%\bin\keytool" -import -alias ejix-fileserver -file "https.www.ejix.com.cer" -keystore trust.keystore -storepass password

REM Confirming keystore
"%JAVA_HOME%\bin\keytool" -v -list -keystore trust.keystore -storepass password
Adding the certificate to the trusted keystore solved the problem. Another common pitfall of SSL implementation is making sure the name within the certificate (you can see this while you're viewing the certificate as described above) matches the destination hostname in your https request. For example, www.ejix.com is different than ejix.com.
Alternatively, you could write java code to accept all untrusted or self-signed certificates (see Using SSL with HTTP Commons for examples) but this is obviously a bit of a security vulnerability.
Hope this helps. I'm happy to answer questions if I can. I'm interested in your Java Web Start / Smart Card solution, so perhaps we can compare notes.
Cheers, -Scott [ February 02, 2006: Message edited by: Scott Larson ]
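As an added example (not part of the original thread or any poster's code), this is one way application code can trust only the certificates in the trust.keystore built above, as an alternative to an accept-all trust manager. The class name and the command-line arguments are assumptions, and it sets no key managers, so it does not cover the smart card client-authentication side.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; usage: java TrustStoreClient trust.keystore <storepass> https://www.ejix.com/
public class TrustStoreClient {
    // Load the keystore created with keytool and print what it actually trusts.
    static KeyStore loadTrustStore(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": " + c.getSubjectX500Principal().getName()
                        + " (expires " + c.getNotAfter() + ")");
            }
        }
        return ks;
    }

    // Build an SSLContext whose trust decisions come only from that keystore.
    static SSLContext contextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: no client certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = loadTrustStore(args[0], args[1].toCharArray());
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(args[2]).toURL().openConnection();
        // Only this connection uses the custom trust; the default HostnameVerifier stays in place.
        conn.setSSLSocketFactory(contextFor(trust).getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLException e) { // includes PKIX path building failures
            System.err.println("TLS failure: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

The same keystore can instead be applied JVM-wide with the standard javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties.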