JAX-WS Client with SSL certificate

 
Greenhorn
Posts: 24
Hello

I have generated client-side classes using wsimport by downloading the WSDL file. The URL of the WSDL file uses the https protocol.
They have provided me a pfx file with a password. I converted it into a cer file using the IE export tool. Then I imported it into tmpkeystore.jks using the keytool command with the "12345678" password.
Then I set system properties like this:

System.setProperty("javax.net.ssl.keyStore", "D:/Documents/tmpkeystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "12345678");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");

After this I create the web service client, passing the WSDL URL with the https protocol.

But I get this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Please tell me what I am doing wrong here.

Thanks
 
Ranch Hand
Posts: 264
Very sad to see no response even after 2 years...

I think there are very few people who know web services on coderanch.
 
Ranch Hand
Posts: 491
5
I was given this to troubleshoot:

-Djavax.net.debug=ssl

OR

System.setProperty("javax.net.debug", "ssl");
 
Yogesh Gandhi
Ranch Hand
Posts: 264
Thanks Paul, I'll also definitely try this.

I wish adding debug information prints something that proves useful for me
 
Yogesh Gandhi
Ranch Hand
Posts: 264
Can someone brief me on what the difference is between keyStore and trustStore?

1) Do they both exist on the client side?
2) What is the significance of each?
3) If I need to access a web service running on SSL, do I need to set both?
4) Is setting the password of the keystore mandatory? My client was saying that he didn't set any password specifically; is that possible?

I am closely watching this topic. So if anybody has any clue, I'll be thankful if someone can answer my questions.
 
H Paul
Ranch Hand
Posts: 491
5
The answer is your patience :-D. Quickly scan over these and walk over them slowly.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SSLOverview

+ Google: How SSL works (like online banking, shopping.)
 
Yogesh Gandhi
Ranch Hand
Posts: 264
Thanks Paul for the reply.

I also found one very useful URL, which helps in understanding truststore and keystore:

http://db.apache.org/derby/docs/dev/adminguide/cadminsslkeys.html

 
Saloon Keeper
Posts: 7582
176

Yogesh Gandhi wrote: I think there are very few people who know web services on coderanch.


Or possibly people don't feel like answering something for which the solution can be found simply by googling the exception message. The second search result I get is the ultimate problem description and solution, straight from the horse's mouth, i.e. Oracle.
 
Yogesh Gandhi
Ranch Hand
Posts: 264
H Paul,

If I set the debug property as suggested, where can I see the info getting printed? In the server logs, in my application logs, or on the console?
 
Yogesh Gandhi
Ranch Hand
Posts: 264
Manan Panchal,

I know I am answering it very late, but for the sake of others who visit this forum, I want to add my drop.

The file that you have set in trustStore must be generated on the client side (giving a .cer or .crt file as input) using the keytool -import command.

I also have seen this problem, and the reason was that I was using a wrong certificate.

Check whether this file was generated on the client side.

Moreover, I think this type of exception will come when you are either using a wrong certificate or no certificate.

Or you can visit this: https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification
 
Manan Panchal
Greenhorn
Posts: 24
Hello,

The pfx file was provided to me. I know that the file should contain a private key and a certificate. But I don't know whose private key it contains. Mine or theirs? I cannot understand how a private key can be provided. It is supposed to be generated. Right?

I have converted the pfx to jks with help from these two links:
http://sycure.wordpress.com/2008/05/15/tips-using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/,
http://www.agentbob.info/agentbob/79-AB.html?branch=1&language=1.
The jks file now contains both the private key and the certificate.
I am now using the jks as both keystore and truststore. But I am still getting the same error. I get "certificate unknown" with ssl debug.

It is working fine with HttpsURLConnection.setDefaultSSLFactory(sslFactory) where sslFactory is created using an input stream of the pfx file. But how can I use the above approach?

Thanks.
 
Yogesh Gandhi
Ranch Hand
Posts: 264
What happens if you set your trust store to the pfx file?

I know that sounds stupid but I want to know.

I am also working on SSL these days and facing an error which says javax.net.ssl.* properties are not set.

I have been struggling with this issue for the last 5 days...
 
Yogesh Gandhi
Ranch Hand
Posts: 264
Now, I am also getting exactly the same exception as you. Still not able to resolve it.

I am trying to call web services from WebSphere Application Server.

I have tried everything available on the net.
One of my friends in this forum was saying that the solution is directly available on the second link in Google. But it didn't help me. It just says that we need to add the certificate to the WebSphere trust store.

I am stuck badly.

I have even tried setting the properties using System.setProperty as Manan was doing. But nothing came to the rescue.
 
Manan Panchal
Greenhorn
Posts: 24
I have never tried to set the pfx file as truststore!! It will surely not work.
I create an SSLFactory using the pfx file and then I set the SSLFactory with HttpsURLConnection.setDefaultSSLFactory(sslFactory).
This is working for me. But the system properties approach is not working for me.
This is very disappointing.
 
Yogesh Gandhi
Ranch Hand
Posts: 264
The system properties approach was not working for me either.
What came to my rescue was the IBM WebSphere guide given at

http://www.redbooks.ibm.com/redbooks/SG247660/wwhelp/wwhimpl/js/html/wwhelp.htm

If you search for "CellDefaultTrustStore" in the above guide, you'll find a single page.

You can see CellDefaultTrustStore and NodeDefaultTrustStore.

Earlier I was adding the certificate only to NodeDefaultTrustStore, but after reading the guide, I just wanted to try setting the certificate in CellDefaultTrustStore as well and it worked for me !!!
 
Manan Panchal
Greenhorn
Posts: 24
Yogesh Gandhi, I am not using any application server. I am just creating a web service client using wsimport.
And I am simply using this client with a desktop application to call the web service.

 
Yogesh Gandhi
Ranch Hand
Posts: 264
@Manan,


Two things I would like to say:

1) ==============================================================
You said that your problem is solved. But if you still want to explore this area more,

you might like to try these sample programs, which make a socket connection over SSL.

http://javakafunda.blogspot.in/2012/04/sample-program-to-test-ssl-connection.html

You can also visit the source URL given in this post if required.

I was able to make a socket connection when both client and server were on the same machine. But, I don't know why, it didn't work for me when I actually tested in production (I was getting a handshake failure message).

If you would like to try them out, please do that; I would like to know the results you get with these programs.

2)====================================================================

The rest all looks OK with the steps you are doing.

But what I feel is that you should be setting these values in trustStore rather than keyStore.

Wrong Values


System.setProperty("javax.net.ssl.keyStore", "D:/Documents/tmpkeystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "12345678");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");



Right Values


System.setProperty("javax.net.ssl.trustStore", "D:/Documents/tmpkeystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "12345678");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");



Reason for setting the trustStore, I will explain to you once it works.
 
Greenhorn
Posts: 2
How can I do the same without using System.setProperty? I mean, loading a different jks at runtime.
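
Added example, not part of any post in this thread: one way to load the client key material and the trusted certificates at runtime and build an `SSLContext` from them, instead of setting the `javax.net.ssl.*` system properties. The class name `RuntimeTlsConfig`, the two environment variable names and the command-line paths are assumptions made for illustration; the JDK method for installing the factory is `HttpsURLConnection.setDefaultSSLSocketFactory`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class RuntimeTlsConfig {

    // type is "PKCS12" for a .pfx/.p12 file and "JKS" for a .jks file.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // identity: our private key + certificate, sent only if the server requests client authentication.
    // trusted: CA or server certificates used to validate the chain the server presents.
    static SSLContext build(KeyStore identity, char[] keyPassword, KeyStore trusted) throws Exception {
        boolean hasKey = false;
        for (String alias : Collections.list(identity.aliases())) {
            hasKey |= identity.isKeyEntry(alias);
        }
        if (!hasKey) {
            // A .cer export imported with keytool -import carries no private key.
            throw new IllegalStateException("identity store has no private key entry");
        }
        if (trusted.size() == 0) {
            // Nothing to anchor the server's chain to; the handshake would fail with a PKIX error.
            throw new IllegalStateException("trust store is empty");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args: <client.pfx> <truststore.jks>; passwords come from hypothetical environment variables.
        char[] pfxPass = System.getenv("CLIENT_PFX_PASSWORD").toCharArray();
        char[] trustPass = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();
        SSLContext ctx = build(load(args[0], "PKCS12", pfxPass), pfxPass, load(args[1], "JKS", trustPass));
        // Must run before the generated service class fetches the https WSDL.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

To scope the factory to a single generated port rather than the whole JVM, the JAX-WS reference implementation reads it from the port's request context under the key `com.sun.xml.ws.transport.https.client.SSLSocketFactory` (`com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory` for the runtime bundled with older JDKs).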
 