
JAX-WS Client with SSL certificate

Manan Panchal
Greenhorn

Joined: Nov 17, 2008
Posts: 24
Hello

I have generated client side classes using wsimport by downloading wsdl file. The url of the wsdl file uses https protocol.
They have provided me a pfx file with password. I converted it into cer file using IE export tool. Then I imported it into tmpkeystore.jks using keytool command with "12345678" password.
Then I have set system property like this

System.setProperty("javax.net.ssl.keyStore", "D:/Documents/tmpkeystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "12345678");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");

After this I am creating the webservice client, passing the wsdl url with https protocol.

But I get this error

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Please tell me what I am doing wrong here.

Thanks
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
Very sad to see no response even after 2 years...

I think there are very few people who know web services on coderanch.
H Paul
Ranch Hand

Joined: Jul 26, 2011
Posts: 471
    
    4
I was given this to troubleshoot:

-Djavax.net.debug=ssl

OR

System.setProperty("javax.net.debug", "ssl");
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
Thanks Paul, I'll also definitely try this.

I wish adding debug information prints something that proves useful for me
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
Can someone brief me on what the difference between keyStore and trustStore is?

1) Do they both exist on the client side?
2) What is the significance of each?
3) If I need to access a web service running on SSL, do I need to set both?
4) Is setting the password of the keystore mandatory? My client was saying that he didn't set any password specifically; is that possible?

I am closely watching this topic. So if anybody has any clue, I'll be thankful if someone can answer my questions.
H Paul
Ranch Hand

Joined: Jul 26, 2011
Posts: 471
    
    4
The answer is your patience :-D. Quickly scan over these and walk over them slowly.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SSLOverview

+ Google: How SSL works (like online banking, shopping.)
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
Thanks Paul for the reply.

I also found one very useful URL, which helps to understand truststore and keystore

http://db.apache.org/derby/docs/dev/adminguide/cadminsslkeys.html

Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Yogesh Gandhi wrote: I think there are very few people who know web services on coderanch.

Or possibly people don't feel like answering something for which the solution can be found simply by googling the exception message. The second search result I get is the ultimate problem description and solution, straight from the horse's mouth, i.e. Oracle.
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
H Paul,

If I set the debug property as suggested, where can I see the info getting printed? In server logs, in my application logs, or on the console?
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
Manan Panchal,

I know I am answering it very late, but for the sake of others who visit this forum, I want to add my drop.

The file that you have set in trustStore must be generated on the client side (giving the input file as .cer or .crt) using the keytool -import command.

I also have seen this problem, and the reason was that I was using a wrong certificate.

Check whether this file was generated on the client side.

Moreover, I think this type of exception will come, when you are either using a wrong certificate or no certificate.

Or you can visit this : https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification
Manan Panchal
Greenhorn

Joined: Nov 17, 2008
Posts: 24
Hello,

The pfx file is provided to me. I know that the file should contain a private key and a certificate. But I don't know whose private key it contains. Mine or theirs? I cannot understand how a private key can be provided. It is supposed to be generated. Right?

I have converted the pfx to jks with help from these two links:
http://sycure.wordpress.com/2008/05/15/tips-using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/,
http://www.agentbob.info/agentbob/79-AB.html?branch=1&language=1.
The jks file now contains both the private key and the certificate.
I am now using the jks as both keystore and truststore. But I am still getting the same error. I get "certificate unknown" with ssl debug.

It is working fine with HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory) where sslFactory is created using the input stream of the pfx file. But how can I use the above approach?

Thanks.
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
What happens if you set your trust store to the pfx file?

I know that sounds stupid, but I want to know.

I am also working on ssl these days and facing an error which says javax.net.ssl.* properties are not set.

Struggling with this issue for the last 5 days...
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
Now, I am also getting exactly the same exception as you. Still not able to resolve it.

I am trying to call web services from Websphere Application Server.

I have tried everything available on net.
One of my friends in this forum was saying that the solution is directly available on the second link in google. But it didn't help me. It just says that we need to add the certificate to the websphere trust store.

I am stuck badly.

I have even tried setting the properties using System.setProperty as Manan was doing. But nothing came to rescue.
Manan Panchal
Greenhorn

Joined: Nov 17, 2008
Posts: 24
I have never tried to set pfx file as truststore!! It will not work surely.
I create an SSLFactory using the pfx file and then I set the SSLFactory with HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory).
This is working for me. But the system properties approach is not working for me.
This is very disappointing.
Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
System properties approach was not working for me as well.
What came to my rescue was the guide of IBM websphere given on

http://www.redbooks.ibm.com/redbooks/SG247660/wwhelp/wwhimpl/js/html/wwhelp.htm

if you search "CellDefaultTrustStore" in the above guide, you'll find a single page.

You can see CellDefaultTrustStore and NodeDefaultTrustStore.

Earlier I was adding the certificate only to NodeDefaultTrustStore, but after reading the guide, I just wanted to try setting the certificate in CellDefaultTrustStore as well, and it worked for me !!!
Manan Panchal
Greenhorn

Joined: Nov 17, 2008
Posts: 24
Yogesh Gandhi, I am not using any application server. I am just creating webservice client using wsimport.
And I am simply using this client with desktop application to call webservice.

Yogesh Gandhi
Ranch Hand

Joined: Dec 05, 2008
Posts: 212
@Manan,


Two things I would like to say

1) ==============================================================
You said that your problem is solved. But if you still want to explore this area more

You might like to try these sample programs, that make a socket connection over ssl.

http://javakafunda.blogspot.in/2012/04/sample-program-to-test-ssl-connection.html

You can also visit the source URL given in this post if required.

I was able to make a socket connection when both client and server were on the same machine. But I don't know why, it didn't work for me when I actually tested in production (I was getting a handshake failure msg).

If you would like to try them out, please do that, I would like to know the results you get with these programs.

2)====================================================================

The rest all looks OK with the steps you are doing

But what I feel is that you should be setting these values in trustStore rather than keyStore

Wrong Values


System.setProperty("javax.net.ssl.keyStore", "D:/Documents/tmpkeystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "12345678");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");



Right Values


System.setProperty("javax.net.ssl.trustStore", "D:/Documents/tmpkeystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "12345678");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");



Reason for setting the trustStore, I will explain to you once it works.
Fernando Ortiz
Greenhorn

Joined: Nov 08, 2013
Posts: 2
How can I do the same without using System.setProperty?? I mean, loading a different jks at runtime.
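
An added example, not part of the original thread or any poster's code: one way to load a .pfx and a .jks at runtime without System.setProperty, which also shows the keyStore/trustStore split asked about earlier in the thread. The class name, file paths and command-line arguments are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class RuntimeTls {
    // type is "PKCS12" for a .pfx/.p12 file and "JKS" for a .jks file.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // keyStore: the client's own private key and certificate, sent only if the server
    // requests client authentication. trustStore: the CA or server certificates the
    // client accepts; a missing entry here causes "PKIX path building failed".
    static SSLSocketFactory build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <client.pfx> <pfxPassword> <trust.jks> <jksPassword>
        KeyStore client = load(args[0], "PKCS12", args[1].toCharArray());
        KeyStore trusted = load(args[2], "JKS", args[3].toCharArray());
        SSLSocketFactory factory = build(client, args[1].toCharArray(), trusted);
        // JVM-wide default for HttpsURLConnection; set it before creating the
        // wsimport-generated Service so the https WSDL download uses it too.
        HttpsURLConnection.setDefaultSSLSocketFactory(factory);
        // Per-port alternative with the JAX-WS reference implementation: put the factory
        // in the BindingProvider request context under the key
        // "com.sun.xml.ws.transport.https.client.SSLSocketFactory".
    }
}
```

The trust store passed to build() still has to contain the server's issuing CA (or the server certificate itself); loading it at runtime changes where the material comes from, not what is validated.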