SSL, AXIS, Web Service

 
Ranch Hand
Posts: 548
Hi All,

I have an HTTPS-enabled web service whose WSDL address location is similar to
https://mysc.mycom.com:443/PtrAcc/DM.

I am behind a firewall and now I have written a web service Java client program that uses AXIS stubs. Also, I think this web service employs 2-way authentication, since when I type https://mysc.mycom.com:443/PtrAcc/DM in my browser I am getting an IE dialog "Client Authentication" saying "The web site you want to view requests identification. Select the certificate to use when connection", and there are no certificates available on my client machine to choose from. Eventually, if I press the OK button of this dialog, I am getting the below message in the browser:


No service was found matching the request
Requested path: /PtrAcc/DM
Client IP: 343.232.121.99
SOAPAction Header: NULL


Now, I created an entry in my default keystore file using the below keytool command on my Windows 2000 command prompt:

keytool -genkey -dname "CN=Nick Chase, OU=InformIT, O=Pearson, L=NPR, S=Florida, C=US" -alias nick -storepass mystorepassword -keypass mykeypassword -storetype jks

and I wrote a web service java client program and used below lines inside it :


System.setProperty("http.proxyHost", "343.232.121.99");
System.setProperty("http.proxyPort", "1563");

System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\113342\\.keystore");

but when I run my web service client program I am getting below error message :

AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:130)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:382)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:88)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:147)
at org.apache.axis.client.Call.invokeEngine(Call.java:2737)
at org.apache.axis.client.Call.invoke(Call.java:2720)
at org.apache.axis.client.Call.invoke(Call.java:2396)
at org.apache.axis.client.Call.invoke(Call.java:2319)
at org.apache.axis.client.Call.invoke(Call.java:1776)




Guys, what am I missing here? Should my certificate in .keystore be imported into the server trust store? Please suggest ...



Thanks & Regards,
 
Greenhorn
Posts: 8
  • Likes 1
You may use

System.setProperty("javax.net.debug", "all");

before starting a test...

With this, the software shows which certificate store file is loaded, so you can check whether your setting is taken into account.

In fact, there are 3 properties that should be used (and they are taken into account by/via AXIS).
System.setProperty("javax.net.ssl.keyStore", "...ty\\cacerts");
System.setProperty("javax.net.ssl.keyStorePassword", "");
System.setProperty("javax.net.ssl.trustStore", "...curity\\cacerts");

Alternatively, you can disable certificate checking with

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");

(of interest only when it doesn't matter to ensure the server's identity, e.g. when only the SSL encryption itself is of importance).

Hope this helps
Tasha
 
Greenhorn
Posts: 17
I had the same problem. My company was using some homegrown certs for testing and a Thawte cert for production. I had to add the cert to my cacerts file and it worked fine. Here are the steps I used.

Open MS IE and navigate to the URL using https.
Accept and install the cert when prompted.
IE Tools, Options, Content, Certificates, Trusted Root Certs, find the cert you installed. Example Equifax Global Cert
Export the cert using DER X.509 format, e.g. c:\test\equifax.cer.
Make sure you have Java on your path.
Open a command window.
Navigate to %JAVA_HOME%\jre\lib\security.
Use the keytool to add the certificate to the cacerts file:
keytool -import -alias EquifaxGlobalCert -file c:\test\equifax.cer -keystore cacerts
Password is "changeit"
For WSAD (developers only) using WS4, copy cacert to WSAD's jre.
C:\WSAD\aes_4\java\jre\lib\security


Note, the fakecert mentioned in other posts is probably the way to go, but this worked for me.
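
After an import like the one in the steps above, the trust decision behind "No trusted certificate found" can be reproduced offline, with certificate validation left enabled. This is an added example, not code from the thread: the class name TrustCheck and the ECDHE_RSA key-exchange type are assumptions, and the third argument is the server's own (leaf) certificate in DER or PEM form, followed by any intermediates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example. Usage: java TrustCheck <truststore.jks> <store-password> <server-chain.cer>
public class TrustCheck {
    // Assumed key-exchange type; the trust manager uses it for its key-usage checks.
    static final String AUTH_TYPE = "ECDHE_RSA";

    static String check(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                // Same path validation JSSE performs during the handshake.
                ((X509TrustManager) tm).checkServerTrusted(chain, AUTH_TYPE);
                return "TRUSTED";
            } catch (CertificateException e) {
                // Report who issued the last certificate supplied, to compare with the store.
                return "REJECTED: " + e.getMessage() + "\n  last certificate issued by: "
                        + chain[chain.length - 1].getIssuerX500Principal().getName();
            }
        }
        return "REJECTED: no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        System.out.println(check(ts, chain.toArray(new X509Certificate[0])));
    }
}
```

Compare the reported issuer with the output of keytool -v -list on the same store before importing anything further.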
 
Rr Kumaran
Ranch Hand
Posts: 548
Guys, thank you for the inputs. I shall give it a try and I'll update you soon ...
 
Greenhorn
Posts: 3
Guys,

The information that you have provided here is very hands on and extremely useful. It helped me to make my web services client work with https within minutes of reaching this page.

If you ever come to Southern California, the drinks are on me.

Thanks a bunch.

Vikas
 
Rr Kumaran
Ranch Hand
Posts: 548
Vikas - I don't want any drink. Just let me know more about yourself by sending a private message :-)
 
Greenhorn
Posts: 1
Hello,

Thanks for your support, but for me I have the following error (in debug mode ) : -Djavax.net.debug=all

main, WRITE: TLSv1 Handshake, length = 32
waiting for close_notify or alert: state 1
Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
Plaintext before ENCRYPTION: len = 18
0000: 02 0A 57 C5 F1 DA 4E 95 A9 3B CB 31 A3 9C 0D F0 ..W...N..;.1....
0010: 14 7B ..
main, WRITE: TLSv1 Alert, length = 18
Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: java.net.SocketException: Software caused connection abort: recv failed
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)


I import the CA.cer and Client.cer with keytool ... here is the command :

java -Djavax.net.ssl.trustStore=C:\newFrontEndApplicationServer\j2sdk1.4.2_05\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=C:\newFrontEndApplicationServer\j2sdk1.4.2_05\jre\lib\security\cacerts -Djavax.net.ssl.keyStorePassword=password -Djavax.net.debug=all secured.Client -u tomcat -w tomcat -lhttps://mysite/axisSecurised/services/SecuredService "test"

The password "password" is OK; I tested it with keytool -v -list.
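
For two-way SSL, the javax.net.ssl.keyStore named in the posts above must hold a private-key entry (importing a .cer file with keytool creates only a trusted-certificate entry), and the default JSSE key manager uses javax.net.ssl.keyStorePassword for the key as well as the store. This added example, not code from any poster (the class name ClientAuthPreflight is hypothetical), reads the same system properties and checks both conditions before any connection is attempted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example. Run with the same -Djavax.net.ssl.* options as the real client.
public class ClientAuthPreflight {
    static char[] password(String prop) {
        String p = System.getProperty(prop + "Password");
        return p == null ? null : p.toCharArray();
    }

    static KeyStore load(String prop) throws Exception {
        String path = System.getProperty(prop);
        if (path == null) throw new IllegalStateException(prop + " is not set");
        KeyStore ks = KeyStore.getInstance(System.getProperty(prop + "Type", "JKS"));
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password(prop));
        }
        return ks;
    }

    // Counts private-key entries (keyEntries = true) or certificate-only entries (false).
    static int count(KeyStore ks, boolean keyEntries) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) if (ks.isKeyEntry(alias) == keyEntries) n++;
        return n;
    }

    public static void main(String[] args) throws Exception {
        KeyStore identity = load("javax.net.ssl.keyStore");
        KeyStore trust = load("javax.net.ssl.trustStore");
        System.out.println("keyStore private-key entries  : " + count(identity, true));
        System.out.println("trustStore certificate entries: " + count(trust, false));
        if (count(identity, true) == 0)
            throw new IllegalStateException("keyStore has no private key, so no client certificate can be sent");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Throws UnrecoverableKeyException when the key password differs from the store password.
        kmf.init(identity, password("javax.net.ssl.keyStore"));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised: " + ctx.getProtocol());
    }
}
```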
 
Greenhorn
Posts: 9
What are some of the potential risks when using the fake certificate?

I have a client module that connects to a single hard-coded webservice.
The communication between my client and this webservice is locked down by single IP addresses.

Does the information still go out encrypted when using the fake certificate?
 
Greenhorn
Posts: 1
It works perfectly for me in JDeveloper 11.1.1.1


Thank you and Regards
 
Ranch Hand
Posts: 136
After doing all these, I am getting
java.security.cert.CertPathValidatorException: Certificate chaining error