Maven SSL build issues

mort sahl
Greenhorn

Joined: Nov 27, 2008
Posts: 18
Help please ... I've tried a number of things with no success.

The backstory ...

I'm writing a soap-based web service app. Its sole purpose is to take requests from users, reformat the request for an internal system which is also soap-based running on an SSL encrypted server. I get a response back from the SSL server, repackage it as a response to the original user request and send it back.

The problem I'm having is for integration tests. In Eclipse, if I Run or Debug, my integration tests run fine ... but I do have to set up JVM parameters in a run configuration, I've got ...

-Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks
-Djavax.net.ssl.trustStorePassword=Pass1word

The jks file contains all the info needed to talk to the SSL server.

The problem ...

When running Maven from inside Eclipse or externally, I get the following exception

WARNING: Interceptor for {http://xc.protegrity.com/ApplicationProtectorWS}ApplicationProtectorWSPortTypeService#{http://xc.protegrity.com/ApplicationProtectorWS}xcCreateSession has thrown exception, unwinding now

org.apache.cxf.interceptor.Fault: Could not send Message.

with the following ...

Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://tokenserver.protegrity.com/ws/services/ApplicationProtectorWS.2.0: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've tried defining MAVEN_OPTS with those lines pointing to the trust store in a maven_pre.bat file (Windows 7), to a .mavenrc file (when running Cygwin), I even defined MAVEN_OPTS explicitly in Windows environment variables ... but no luck. I still get the exception.

How do I define the trust store that Eclipse accepts but maven does not?

Thanks
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5823
    

You are going to have to configure Maven to also use the truststore. What we did is placed a jssecacerts file containing the certificates into java_home/jre/lib/security directory so that Maven will pick it up automatically. Or you could set up a run configuration in Eclipse, or add the -Djavax.net.ssl.trustStore* setting to mvn.bat (or better yet, create a ~/mavenrc-pre.bat file and place the options in there).


JBoss In Action
mort sahl
Greenhorn

Joined: Nov 27, 2008
Posts: 18
Thanks ... but I've pretty much tried it all, I think.

My maven_pre.bat file located in my Windows7 home directory contains ...

set TRUST_STORE=-Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks
set TRUST_STORE_PASSWORD=-Djavax.net.ssl.trustStorePassword=Pass1word
set MAVEN_OPTS=%TRUST_STORE% %TRUST_STORE_PASSWORD%
echo Done: MAVEN_OPTS=%MAVEN_OPTS%

When I tried .mavenrc in my Cygwin home directory it contained ...

TRUST_STORE=-Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks
TRUST_STORE_PASSWORD=-Djavax.net.ssl.trustStorePassword=Pass1word
MAVEN_OPTS="$TRUST_STORE $TRUST_STORE_PASSWORD"
echo Done: MAVEN_OPTS=$MAVEN_OPTS

I tried setting MAVEN_OPTS as a user variable in Environment Variables with the value of -Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks -Djavax.net.ssl.trustStorePassword=Pass1word

I still get the SSLHandshakeException.

All works fine when I run the program as the truststore is set up on tomcat/conf and I can run the tests from inside Eclipse since I set up the truststore in the run configuration. It's just maven that's not cooperating.
If it makes any difference, I'm using Maven v 2.2.1

Thanks


Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5823
    

An obvious question: you are seeing the "Done:" line being echoed when you run Maven and it contains the correct values? Also, double-check the java.exe command line in Task Manager to make sure that the options were passed properly.

The version of Maven shouldn't matter, it doesn't even get involved in this - the JVM networking classes do all of the credential handling.

One more thought - make sure that the alias and the DN for the certificate exactly match the hostname of the remote server (check it with "keytool -list"). That is, both alias and DN must be "tokenserver.protegrity.com". I had an issue recently with someone who provided a certificate with a generic function name for their .Net web service and we had to generate a second certificate with the hostname to get Java to talk to that service.
mort sahl
Greenhorn

Joined: Nov 27, 2008
Posts: 18
Here's the result of -list ...


c:\Apache\apache-tomcat-6.0.20\conf>keytool -list -v -keystore tokenserver-keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: elavon
Creation date: May 8, 2012
Entry type: trustedCertEntry

Owner: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Issuer: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Serial number: d5e8ecedadcb9bd0
Valid from: Mon Apr 23 16:24:49 MDT 2012 until: Thu Apr 21 16:24:49 MDT 2022
Certificate fingerprints:
MD5: 45:A1:DC:C2:89:30:11:9B:AF:CF:C0:3E:7D:39:E2:80
SHA1: F9:6C:BA:6A:E0:62:5F:DC::03:EF:13:04:17:6D:A2:FF:E4:45:AE
Signature algorithm name: SHA1withRSA
Version: 1


*******************************************
*******************************************

So, are you saying that the alias name elavon should be tokenserver.protegrity.com instead?
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5823
    

Yes.

Oh, and in my prior post, replace DN with CN...
mort sahl
Greenhorn

Joined: Nov 27, 2008
Posts: 18
Thanks ... I'll give that a try when I'm back at work on Monday.
mort sahl
Greenhorn

Joined: Nov 27, 2008
Posts: 18
Well ... still no go ... my jks now looks like ...


$ keytool -list -v -keystore keystore.jks
Enter keystore password: Pass1word

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tokenserver.protegrity.com
Creation date: Jun 4, 2012
Entry type: trustedCertEntry

Owner: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Issuer: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Serial number: d5e8ecedadcb9bd0
Valid from: Mon Apr 23 16:24:49 MDT 2012 until: Thu Apr 21 16:24:49 MDT 2022
Certificate fingerprints:
MD5: 45:A1:DC:C2:89:30:11:9B:AF:CF:C0:3E:7D:39:E2:80
SHA1: F9:6C:BA:6A:E0:62:5FC:03:EF:13:04:17:6D:A2:FF:E4:45:AE
Signature algorithm name: SHA1withRSA
Version: 1


*******************************************
*******************************************



But the same issue ...

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

mort sahl
Greenhorn

Joined: Nov 27, 2008
Posts: 18
I got it working ... I found the answer at https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification

Downloaded and ran the InstallCert program and put the resulting jssecacerts in my ../jre.lib.security directory, re-enabled the maven-failsafe-plugin and my integration tests now run.

Thanks for your help.
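
An added diagnostic, not part of the thread or of any participant's code: it prints which trust store the running JVM resolves by the JSSE default order (the javax.net.ssl.trustStore property, then jssecacerts, then cacerts in the JRE's lib/security) and the SHA-1 fingerprint of each entry, for comparison with the keytool output above. The class name TrustStoreCheck is hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (not from the thread): show which trust store this JVM uses by default.
public class TrustStoreCheck {
    // JSSE default lookup order: system property, then jssecacerts, then cacerts.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) return new File(prop);
        File secDir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(secDir, "jssecacerts");
        return jsse.isFile() ? jsse : new File(secDir, "cacerts");
    }

    // Colon-separated SHA-1 fingerprint, the same layout "keytool -list -v" prints.
    static String sha1(Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(cert.getEncoded())) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        File store = resolveTrustStore();
        System.out.println("effective trust store    = " + store.getAbsolutePath());
        if (!store.isFile()) {
            System.out.println("trust store file not found");
            return;
        }
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(store)) {
            ks.load(in, pw == null ? null : pw.toCharArray()); // null password skips the integrity check
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c == null) continue; // entry holds no certificate
            String subject = c instanceof X509Certificate
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : c.getType();
            System.out.println(alias + " | " + subject + " | SHA1 " + sha1(c));
        }
    }
}
```

Invoke it from inside the integration-test run, so the report comes from the JVM that executes the tests. Check each listed fingerprint against one obtained from the server's operator before relying on a store produced by a tool such as InstallCert.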
 