Invoking HTPS WebService from java - java

I am trying to access a web service which has SSL enabled from stand alone java program . I was able to generate client from WSDL however when i am trying to invoke web service i get SSL handshake issue . Below is java code
TestWebService sh = (TestWebService) shs.getTestWebServiceExportTestWebServiceHttpPort();
BindingProvider port = (BindingProvider)sh;
port.getRequestContext().put(BindingProvider.
ENDPOINT_ADDRESS_PROPERTY, args[0]);
System.out.println( ((BindingProvider)sh).toString() );
The url that is lets say https://service.test.com/sca/TestWebService?wsdl
Below is the error message
Failed to access the WSDL at:
https://service.testwebservice.com/TestWebServiceExport?wsdl. It failed with:
Got com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Corp Production Root CA V1, O=Cord Inc. is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error while opening stream from https://service.testwebservice.com/TestWebServiceExport?wsdl.
I have installed the ceritificate in IE browser from website but still no luck .

You are on the right track by installing the cert into IE browser - that would allow IE to access the web service without error. However, as your client is Java (and not IE), you need to install the cert into Java.
The Java command for doing this is as follows:
$JAVAHOME/bin/keytool -import -alias service.test.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/certfile.pem
Note: this will install the cert into the default keystore for that Java install. This will affect all Java processes using that JVM. The default password for the keystore is 'changeit'

Related

Error while consuming secure SOAP base web service in JAVA

I am new in JAVA, Consuming web service(.wsdl) in Web Service Client project. I import the client certificate in java cacerts store in jrd. My code is as follows:
System.setProperty("javax.net.ssl.trustStore","[PATH]/cacerts.jks");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
ServicesProxy service = new ServicesProxy();
ServiceRequest request = new ServiceRequest(1498);
ServiceResponse response = service.getDetails(request);
I'm failed to handshake, I am getting the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I have no clue why there is an exception. Any help will be appreciated.
You probably have to add the key chain in the certificate (PEM format).
CA Root -> Intermediate Cert -> Cert.
Or the certificate cannot be found in the keystore, do you use the correct alias etc.
And I do not recognize the SOAP JAX-WS implementation you use.
Not a solution to your problem, but maybe it helps to find it:
You can start your client with the VM parameter -Djavax.net.debug=all which will give you a lot of information about the SSL connection.
Check here for details about the output:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Use -Djavax.net.ssl.trustStore property directly instead.
One more thing the server you use in that also u need to place the jks for handshake.
For example server is JBoss then bin
I guess your cacert is not correct or the path is unaccessible. I followed the instructions given here
Use SSL Poke to verify connectivity
Download SSLPoke.class
Execute the class as follows, changing the URL and port:
$JAVA_HOME/bin/java SSLPoke yoururl 443
A successful connection would look like this:
$JAVA_HOME/bin/java SSLPoke yoururl 443
Successfully connected
Try to use a different truststore to connect
$JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=[PATH]/cacerts.jks SSLPoke yoururl 443
If it fails the truststore does not contain the proper certificates.
How to solve it
The solution is extracted from here
Fetch the certificate again from the server:
openssl s_client -connect yoururl:443
You need openssl. Save the output to a file called public.crt. This is how your file should look like:
-----BEGIN CERTIFICATE-----
< Bunch of lines of your certificate >
-----END CERTIFICATE-----
Import the certificate:
$JAVA_HOME/bin/keytool -import -alias -keystore $JAVA_HOME/jre/lib/security/cacerts -file public.crt
Enter the password if prompted (the default is changeit)
Recommendation
In the same post it is not recommended to use a configured trustStore different than the JVM cacert because then java could not access other root certificates.
This is a quite common error while dealing with soap services over SSL, I've had it a few times.
Your certificate may not be correctly installed in your truststore.
You can use openssl to check and install the correct certificate in the truststore, as explained here
Hi Looks like certificates are not imported correctly or path used in code not pointing to correct keystore.
I hope following steps in below article will help you.
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

WildFly 11 - Use certificate to make https requests

I'm a bit lost of how I can use certificate in WidlFly 11. I re the doccumentation and found a lot of terms like JSSE, OpenSSL, Elytron, ApplicationRealm.
The problem occurs when I execute the code
final URL url = new URL("https://someUrl");
HttpsURLConnection httpURLConnection = (HttpsURLConnection)url.openConnection();
This exception is thrown sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So, what exactly need to configure? I tried the section "Enable One-way SSL/TLS for Applications" in Elytron Doccumentation but didn't works.
ps: I'm using java 9.01
ps2: I'm using standalone-full.xml
let me know if you need more informations
This is unrelated to WildFly - you need to configure certificates trusted by java URL connections - you need to create and configure truststore:
create keystore containing certificate of server (if it is self-signed certificate), or better, certificate of its CA:
keytool -import -file myCA.cert -alias myCA -storepass mypassword -noprompt -keystore my.truststore
start using created keystore file as truststore in WildFly by setting javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties:
bin/jboss-cli.sh -c
/system-property=javax.net.ssl.trustStore:add(value="/path/to/my.truststore")
/system-property=javax.net.ssl.trustStorePassword:add(value="mypassword")
Elytron documentation you mention is related only to server side - but this is client side configuration, which is not currently handled by it.
The certificate is not trusted, iirc there is a self-signed certificate in WildFly 11 so yo need to trust it or install a real certificate.
Accept server's self-signed ssl certificate in Java client

SSL Issues with Java PKIX / validator.ValidatorException despite proxy

We're in a scenario where a corporate proxy is decrypting all HTTPS traffic and re-signing it with a CA ROOT which Java does not trust.
We're also in a scenario where we are unable to modify the cacerts file in the Java directory.
We're getting the following issue in many Java applications:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
We don't want to have to add individual certificates.
What we can do is change JVM arguments however:
-Dtrust_all_cert=true has no effect
-Dhttps.proxyHost=localhost -Dhttps.proxyPort=8888 has no effect
With step 2 we are trying to go through Fiddler as a proxy but no requests appear when we do HTTPS requests.
If we set -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8888 and do HTTP requests we see the traffic in Fiddler. So...
Why doesn't trust_all_cert help here?
Why doesn't Java use the https proxy we specify?
NB: We've even tried making a java program hardwired to use localhost:8888 as a proxy. Again, works for HTTP but not HTTPS.
One way is to make a new cacerts file and use that in the JVM:
Download the CA Root certificate (e.g. root.cer)
keytool -import -noprompt -trustcacerts -alias root -file root.cer -keystore .\cacertsnew -storepass ***
java -Dhttps.proxyHost=someproxy -Dhttps.proxyPort=8080 -Djavax.net.ssl.trustStore=cacertsnew ...

issues in connecting to AD server over SSL?

I had to enable SSL over Active Directory server, to do that I followed each and every steps mentioned here: http://www.linuxmail.info/enable-ldap-ssl-active-directory/
Now I am not sure if SSL is really enabled properly?
On server itself if I run ldp, I think I can connect on 636 port. However on my system I don't see SSL option on ldp client?
I've two other LDAP clients (Softerra LDAP Browser and Apache Directory Studio) but I am not able to connect using ldaps (on 636 port). I guess I'll need to import certificate used in AD server so these tools can trust that self sign certificate which I used on AD server.
Using Java code, I've added certificate into cacerts (got certificate using steps mentioned here: http://www.linuxmail.info/export-ssl-certificate-windows-2003/), however I still can't connect to AD using SSL.
I tried SSL as well as TSL:
TLS:
// got LdapContext using ldap (not with ldaps)
StartTlsResponse tls = (StartTlsResponse)ctx.extendedOperation(new StartTlsRequest());
It gives following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SSL:
String ldapURL = "ldaps://<domain-name>:636";
String keystore = "C:/Oracle/Middleware/jdk160_24/jre/lib/security/cacerts";
System.setProperty("javax.net.ssl.trustStore",keystore);
env.put(Context.SECURITY_PROTOCOL,"ssl");
// other properties are set in env
LdapContext ctx = new InitialLdapContext(env, null);
It gives following exception:
javax.naming.CommunicationException: <domain-name>:636 [Root exception is java.net.ConnectException: Connection timed out: connect]
Can anyone please suggest where I am wrong?
Thanks.
This one was fixed.
I was using wrong (rather incomplete) command to import certificate.
I was using:
keytool -import -alias mycert -keystore cacerts -file d:\mycert.cer
When I used follwing:
keytool -import -noprompt -trustcacerts -alias mycert -file c:/mycert.cer -keystore C:/Oracle/Middleware/jdk160_24/jre/lib/security/cacerts -storepass changeit
And it started working.
If you can't get TLS to work, it is unlikely that SSL will work. Are you sure that you got the right certificate and configured the keystore correctly? Based on the SSLHandshakeException when trying to use TLS, it would seem that may not be set up correctly.
Check out this SO answer for some tips on how to verify that your keystore is correctly set up: https://stackoverflow.com/a/9619478/1792088

com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed:

I did with following steps but its throwing exception:
1.I have installed openam 10.0.0 on windows server 2003.
2.Configured tomcat with ssl on the same windows server machine.
3.It is configured correctly and openam url is accessible with https.
4.Installed openam client sdk on another machine which is ubuntu machine and from that ubuntu machin i am trying to login to openam server using
AuthContext lc = new AuthContext("/","https://server.ensarm.com:8443/openam/namingservice");
AuthContext.IndexType indexType = AuthContext.IndexType.MODULE_INSTANCE;
lc.login(indexType, "DataStore");
return lc;
But i am getting following exception:
ERROR: Naming service connection failed for https://server.ensarm.com:8443/openam/namingservice
com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I didn't understand what could be the problem.Is it due to to my java keystore (needed for ssl configuration) is on windows server machine and i have no keystore on ubuntu machine,
OR
need to import keystore into ubuntu machine.?? Please can anyone help me to get out of this.
“javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:”
It means the server does not have a valid certificate from an Authorized CA.
You are facing this exception because you are try to connect through SSL (https). You would need to import the server certificate into the JRE KeyStore.
Perform the following steps to resolve it:
Getting the certificate: Type the URL (e.g. https://server.ensarm.com:8443/openam/namingservice) in your browser.
You will now probably see a dialog box warning you about the certificate. Now click on the 'View Certificate' and install the certificate. Ignore any warning messages.
Next step would be to install export the certificate and installing it in the jre keystore. Use keytool certificate management utility to perform thishttp://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html .
Exporting certificate: Go to Tools->'Internet Options' ->Content->Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities". Select the right one and click on 'export'. You can now save it (DER encoded binary) as e.g. mycert.cer.
Go to JRE\BIN and use the keytool -import command to import the file into your cacerts keystore.
E.g. keytool --import -alias MYCA -keystore ..\lib\security\cacerts -file c:\mycert.cer.
Enter keystore password: (by default it will be “changeit”).Input “yes” to the prompts.
Run command keytool -list -keystore ..\lib\security\cacerts . You will now see a list of all the certificates including the one you just added.

Categories