JavaRanch » Java Forums » Java » Web Services
Question on Dynamic SSLConfiguration for axis2

Purujit Saha
Ranch Hand

Joined: Nov 01, 2005
Posts: 86
We have a web service test client through which we can connect to and generate reports from multiple web service instances (Devl / Preprod / Production).
On the service side, in the development instance, we are using a "self-signed certificate" with keystore type JKS. On the production server, we are using a certificate from a CA.

The web service is running in Development and in Production.
Now we have developed a single test client with a drop-down selection for the different web services. For example, if we select "Development", the request goes to the development web service, and if we select "Production", the request goes to the production web service.

Now, while connecting to the Development service, we set the certificate details below, because we are using the self-signed certificate.
System.setProperty("javax.net.ssl.keyStore",keyStoreFileLocation);
System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
System.setProperty("javax.net.ssl.trustStoreType",trustStoreType);
System.setProperty("javax.net.ssl.trustStore",trustStoreFileLocation);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);

We clear the system properties using System.clearProperty() while pointing to the Production service, because in Production we are using the CA certificate from Thawte, so these details are not required at all and the JRE (Java 5) is pre-configured to trust that CA certificate.

We are using Resin-2.1.12, Axis 1.2 and Java 5.

Now the problem is:
(1) The first time, when we send the request to the Production service URL, the report gets generated. The next time, when we run against Development, it gives the certificate error below.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

(2) Now restart Resin and run the test client against the Development service URL: here the report gets generated, and the next time, running the test client against Production, it gives the certificate error.
So for the 2nd request it always gives the error, irrespective of the web service instance selected.

On request we can share the code as well if required.
So, if any of you can shed some light on this, it would be appreciated. Thanks in advance.
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6662
    
    5

Your trust store must contain both CA certificates. My guess is that your trust store contains your CA certificate but not Thawte's. The default trust store contains Thawte's CA but not yours. You are swapping these keystores for each call.

Use 'keytool -list' to list all certs in the keystore to verify this. The verbose option (-v, I think) can also come in handy.


Purujit Saha
Ranch Hand

Joined: Nov 01, 2005
Posts: 86
Deepak Bala wrote: Your trust store must contain both CA certificates. My guess is that your trust store contains your CA certificate but not Thawte's. The default trust store contains Thawte's CA but not yours. You are swapping these keystores for each call.

Use 'keytool -list' to list all certs in the keystore to verify this. The verbose option (-v, I think) can also come in handy.


Thanks for the reply.
Actually my CA certificate is from Thawte, which is used on the production service box, and since the JDK trusts Thawte's certificate by default, I do not need to set any certificate key on the client side.
But in the case of the devl service instance we have used a test certificate, and that's why, to trust each other, we need to use a certificate key on the client side when our client tries to connect to the devl service. And that's why we set those 6 system properties at runtime.
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6662
    
    5

Purujit Saha wrote:
Actually my CA certificate is from Thawte, which is used on the production service box, and since the JDK trusts Thawte's certificate by default, I do not need to set any certificate key on the client side.
But in the case of the devl service instance we have used a test certificate, and that's why, to trust each other, we need to use a certificate key on the client side when our client tries to connect to the devl service. And that's why we set those 6 system properties at runtime.

I know that.

My point is that any trust store you point to in the system property should contain both CA certificates.
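As an added example (not code from this thread or from Axis), here is the approach a practitioner would normally take instead of setting and clearing javax.net.ssl.* properties per call. The reason the original client fails on the second request is that JSSE builds the default SSLSocketFactory, and the trust store behind it, once and then caches it for the life of the JVM, so whichever environment is selected first wins and later property changes are ignored. Building one SSLContext per environment from an explicit trust store avoids the shared default entirely, and keeps the two sets of trust anchors separate (the production context trusts only the JRE's CA bundle, the development context trusts only the self-signed test certificate). The trust store path, password, class name and hostnames are placeholders; the example talks to the service over HttpsURLConnection and does not show how to plug the factory into Axis 1.2's socket factory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Per-environment TLS trust without touching javax.net.ssl.* system properties.
 * JSSE creates the default SSLSocketFactory (and reads the trustStore
 * properties) once per JVM, so flipping the properties between calls has no
 * effect after the first HTTPS connection. Each environment gets its own
 * SSLContext here instead. Paths, password and hostnames are placeholders.
 */
public final class EnvSslConfig {

    /** Production: trust only the JRE's bundled CA certificates (lib/security/cacerts). */
    public static SSLSocketFactory productionFactory() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null: JSSE loads the default cacerts store
        return newFactory(tmf);
    }

    /** Development: trust only the explicit JKS store holding the self-signed server cert. */
    public static SSLSocketFactory developmentFactory(String trustStorePath, char[] password)
            throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, password));
        return newFactory(tmf);
    }

    private static SSLSocketFactory newFactory(TrustManagerFactory tmf) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // KeyManagers are null: no client certificate is presented. The keyStore
        // properties in the original post are only needed if the server demands
        // client authentication; for server-auth-only TLS the trust store is enough.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Programmatic 'keytool -list -v': alias -> subject DN for every trusted-cert entry. */
    public static Map<String, String> trustedSubjects(KeyStore ts) throws Exception {
        Map<String, String> out = new LinkedHashMap<String, String>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                Certificate c = ts.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    out.put(alias, ((X509Certificate) c).getSubjectX500Principal().getName());
                }
            }
        }
        return out;
    }

    /** Connect to the selected environment using its own trust anchors, per connection. */
    public static int fetchStatus(String url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(factory);   // scoped to this connection, not the JVM
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String devStore = "/path/to/dev-truststore.jks";   // placeholder
        char[] pw = "changeit".toCharArray();               // placeholder
        // Verify what the dev store actually trusts before debugging PKIX errors.
        System.out.println(trustedSubjects(loadJks(devStore, pw)));
        SSLSocketFactory dev = developmentFactory(devStore, pw);
        SSLSocketFactory prod = productionFactory();
        System.out.println(fetchStatus("https://dev.example.test/axis/services/Report?wsdl", dev));
        System.out.println(fetchStatus("https://prod.example.test/axis/services/Report?wsdl", prod));
    }
}
```

With two contexts the order of requests no longer matters, and the test client never loosens production trust by adding a self-signed certificate to a store that is also used for the CA-issued endpoint. If a single store is preferred, as suggested above, `keytool -importcert` of the dev certificate into a copy of cacerts (never the JRE's own file) gives one store that trusts both; `trustedSubjects` then confirms both entries are present.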