i am trying to connect to ldap server over ssl, and i got the server certificate and installed it as follows:
keytool -keystore cacerts -importcert -alias ldapCert -file LdapCert.cer
and i got certificate was installed successfully message, and i can verify that certificate was installed with the command:
keytool -list -keystore cacerts
and i can find my certificate in the list of trusted certificates.
here's how i am connecting to ldap server:
String host = "server.ip.here;
String userDN = "CN=myuser,OU=EmployeesOU,OU=MainOU,dc=mydomain,dc=net";
String userPassword = "mypassword";
boolean ssl = true;
public static LdapContext connectToLdap(String host,
String userDN, String userPassword,
boolean ssl) throws Exception {
System.out.println("connectToLdap");
String hostPrefix = "ldap";
String ldapPort = "389";
if (ssl) {
hostPrefix = "ldaps";
ldapPort = "636";
}
String providerUrl = hostPrefix + "://" + host + ":" + ldapPort;
//System.out.println("####### LDAP URL: " + providerUrl);
LdapContext ldapContext;
Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, providerUrl);
ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapEnv.put(Context.SECURITY_PRINCIPAL, userDN);
ldapEnv.put(Context.SECURITY_CREDENTIALS, userPassword);
ldapEnv.put("com.sun.jndi.ldap.read.timeout", 1000 * 10 + "");
if (ssl) {
ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
}
ldapEnv.put(Context.REFERRAL, "ignore");
try {
ldapContext = new InitialLdapContext(ldapEnv, null);
System.out.println("success connection to ldap");
return ldapContext;
} catch (Exception e) {
System.out.println("failure connection to ldap");
e.printStackTrace();
return null;
}
}
after installing the certificate from cmd, and trying to run the application i am still getting the exception:
javax.naming.CommunicationException: simple bind failed: server.ip:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at ldap.LDAPUtils.connectToLdap(LDAPUtils.java:58)
at Test.main(Test.java:43)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at com.sun.jndi.ldap.Connection.run(Connection.java:808)
at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:325)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:219)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:320)
i tried to use the disableCertificateValidation method before connecting to ldap as in the post Java client certificates over HTTPS/SSL
but it also gives same exception.
please advise why i am still getting this error.
You shouldn't modify the cacerts file that comes with the JDK. Copy it and add the certificate to your own file, and tell JSSE about it via the system property javax.net.ssl.trustStore.
Cause 1: having two conflicting installations of JDK, removed one of them and re imported the key and everything worked fine.
Cause 2: on some test machine i had to copy the generated cacerts file from
java/jdk/jre/lib/security into java/jre/lib/security
Cause 3: if you are running the code on websphere server you have to configure key store and certificates from wensphere as mentioned here:
http://www-01.ibm.com/support/docview.wss?uid=swg21316850
Related
Into my application I'm using an HttpClient setting an ssl context:
#Bean
public HttpClient httpClient() throws Exception {
SSLContext sslContext = SSLContextBuilder.create()
.loadKeyMaterial(
new URL(schedulerConfiguration.getKeyStore()),
schedulerConfiguration.getKeyStorePassword().toCharArray(),
schedulerConfiguration.getKeyPassword().toCharArray()
)
.loadTrustMaterial(
new URL(schedulerConfiguration.getTrustStore()),
schedulerConfiguration.getTrustStorePassword().toCharArray()
)
.build();
return HttpClients.custom().setSSLContext(sslContext).build();
}
As you can see I'm loading a keystore and a truststore.
keystore contains the private key and truststore contains all chain certificates.
I'm running against client connections can't be launched due to:
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://balancer:8080/token": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've built my jks from a .p12 file like this.
In order to build trsutstore:
$ openssl pkcs12 -in fitxers.p12 -nokeys -out cacerts-nokeys.crt
$ keytool -importcert -file cacerts-nokeys.crt -keystore cacerts-pre-splitted.jks
And in order to create my keystore:
$ keytool -importkeystore -srckeystore fitxers.p12 -srcstoretype pkcs12 -destkeystore auth-backoffice-pre.jks -deststoretype jks
Any ideas about what's wrong?
I remember having similar issue when not using aliases properly. Are you using aliases in your original p12 file? If so, I'd recommend using the other method for loading the key material with custom PrivateKeyStrategy.
Also take a look when trying to connect your client with vm option:
-Djavax.net.debug=all
You will be able to see a bit of more information. Hopefully this guides you to your solution!
I'm trying to use Amazon S3 API to encrypt and upload a file.
public class AmazonS3 {
String KmsId = "my_id_comes_here";
private TransferManager getTransferManager() {
AWSCredentials awsCredentials = new ProfileCredentialsProvider().getCredentials();
KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(KmsId);
AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(awsCredentials, materialProvider,
new CryptoConfiguration().withKmsRegion(Regions.EU_CENTRAL_1)).withRegion(Regions.EU_CENTRAL_1);
s3Client.setEndpoint("s3.eu-central-1.amazonaws.com");
TransferManager transferManager = new TransferManager(s3Client);
return transferManager;
}
public void upload(String bucket, String keyName, String filePath)
throws InterruptedException, NoSuchAlgorithmException, IOException, InvalidKeySpecException {
TransferManager transferManager = getTransferManager();
// TransferManager processes all transfers asynchronously, so this call will return immediately.
Upload upload = transferManager.upload(bucket, keyName, new File(filePath));
try {
// Or you can block and wait for the upload to finish
upload.waitForCompletion();
System.out.println("Upload complete.");
} catch (AmazonClientException amazonClientException) {
System.out.println("Unable to upload file, upload was aborted.");
amazonClientException.printStackTrace();
}
}
Which works fine if I don't pass my trustore as arguments to my application.
But, if I initialize my application with my trustore like this:
-Dspring.profiles.active="dev" -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/usr/share/ca-certificates/anevis/java/activemq/client.ts -Djavax.net.ssl.trustStorePassword=changeit
It gives me this error:
com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:516)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:317)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3595)
at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:999)
at com.amazonaws.services.s3.transfer.TransferManager.doDownload(TransferManager.java:779)
at com.amazonaws.services.s3.transfer.TransferManager.download(TransferManager.java:691)
at com.anevis.documentengine.configuration.jms.AmazonS3.download(AmazonS3.java:57)
at com.anevis.documentengine.configuration.jms.S3UploadTest.testUpload(S3UploadTest.java:25)
at com.anevis.documentengine.configuration.jms.S3UploadTest.main(S3UploadTest.java:9)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:128)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:749)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:505)
... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 38 more
How can I fix this error ?
Your trust store doesn't have the certificate authority that secures the AWS APIs. You need to create a new trust store that combines client.ts with the ones required for AWS. The easiest way to do this is to merge client.ts with the cacerts keystore from the JRE.
Example:
keytool -importkeystore -srckeystore client.ts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit
keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit
Then use combined.ts instead of client.ts.
Thank you, we had similar problem but I tweaked response a little bit for our scenario.
I received this com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
exception when trying to connect to AmazonDynamoDB.
When we moved our application to HTTPS we started receiving this error.
So the solution was the same, the only difference was instead of client.ts I had to add certificate into cacerts which was generated during HTTPS migration.
keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore test.p12 -srcstorepass changeit -deststorepass test;
Thanks,
I get this error while launching the application.
org.jboss.mq.SpyJMSException: Cannot authenticate user; - nested throwable: (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
org.jboss.mq.SpyJMSException: Cannot authenticate user; - nested throwable: (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
I set my certificate path by System.setProperty("javax.net.ssl.trustStore", "Path to certificate)..
But this is not working me..Also I have imported the certificate to the "cacerts" of Java Home. But still I am getting the error..
Any help would be appericiated...
The application authenticating the user has a Java keystore as its trust store. The trust store has to contain (as a trusted certificate) the certificate authority that signed the user's certificate. Put the certificate authority in a base-64 ca.cer file and use keytool -import -keystore YourKeystore -alias ca -file ca.cer -trustcacerts.
This question already has answers here:
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
(33 answers)
Closed 6 years ago.
Update: I never got this working over SSL. I ended up implementing a VPN in order to get the security.
I've been trubleshooting this problem for 2 days and cannot figure it out for the life of me. I've reviewed the following threads:
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
https://stackoverflow.com/questions/14465089/ssl-connection-in-glassfish-3-1
Among many others.
UPDATE: Sorry, I didn't even post the error I'm getting. Here it is:
javax.naming.CommunicationException: simple bind failed: server.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
I'm also using GlassFish server 3.1.2 and NetBeans 7.3 on Win7 pro.
Here is the code that is causing the error:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://server.local:636/");
// Specify SSL
env.put(Context.SECURITY_PROTOCOL, "ssl");
// Fill in secuirty/bind variables
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, config.Config.getSECURITY_PRINCIPAL()); //returns user#domain.local
env.put(Context.SECURITY_CREDENTIALS, config.Config.getSECURITY_CREDENTIALS()); //returns password
// Create the initial context
ctx = new InitialDirContext(env); //defined above as InitialDirContext ctx = null;
I have used ldp.exe to confirm that SSL is configured properly on our AD server. Furthermore, I've tried the following:
Importing the client certificate (and the CA root certificate from AD CS) as outlined here
a. I used the following commands:
C:\Program Files (x86)\Java\jdk1.7.0_25>bin\keytool -import -file SBS2011.sage.local_sage-SBS2011-CA.crt -keystore .\jre\lib\security\cacerts -alias SBS2011
Enter keystore password:
Certificate already exists in keystore under alias <mykey>
Do you still want to add it? [no]: yes
Certificate was added to keystore
C:\Program Files (x86)\Java\jdk1.7.0_25>
Uninstalling Java and reinstalling, then repeating step 1.
Adding the following lines of code:
System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files (x86)\\Java\\jdk1.7.0_25\\jre\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Other notes: the code works fine using non-SSL connection but then I get LDAP error 53 when trying to update user's information. In the end if there is a solution that involves not using SSL, I don't mind.
Your truststore doesn't trust the LDAP server certificate.
Your step (3) above is the default.
If your LDAP server has a CA-signed certificate step (1) was unnecessary.
I don't know why you speak of 'client certificate' when it is the LDAP server's certificate you may need to import.
env.put(Context.PROVIDER_URL, "ldap://server.local:636/");
should be
env.put(Context.PROVIDER_URL, "ldaps://server.local:636/");
I have referred to almost every question on this topic on SO but none of the answers gave me a break-through unfortunately.
I am using EWS1.2 and running the following code from within eclipse to connect to our exchange server to send a test email. Please see inline comments as to what I understand that the code is doing.
ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2007_SP1);
/* Our company email id and windows password. We never had to enter a password for outlook.
I guess it is using LDAP authentication. In our outlook it is set to Negotiate Authentication. */
ExchangeCredentials credentials = new WebCredentials("123.abc#xyz.com", "MyWinPassword");
service.setCredentials(credentials);
/* Our proxy server's ip address and port. I am not sure if our exchange server is only accessible through a proxy
but this statement stopped a "connection refused" error that I was getting earlier */
WebProxy webProxy = new WebProxy("our_proxy_ip", 8080);
webProxy.setCredentials("my_win7_user_id", "MyWinPassword", "OurDomain");
service.setWebProxy(webProxy);
try {
service.setUrl(new URI("https://exchange_ip/ews/Exchange.asmx"));
/* Autodiscovery never worked: The Autodiscover service couldn't be located. */
// service.autodiscoverUrl("123.abc#xyz.com");
} catch (URISyntaxException e) {
e.printStackTrace();
}
EmailMessage msg;
try {
msg = new EmailMessage(service);
msg.setSubject("Test Email");
msg.setBody(MessageBody.getMessageBodyFromText("Sent using the EWS API"));
msg.getToRecipients().add("123.abc#xyz.com");
msg.send(); /* This is where we get an exception */
} catch (Exception e) {
e.printStackTrace();
}
which results in the below trace:
microsoft.exchange.webservices.data.ServiceRequestException: The request failed. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at microsoft.exchange.webservices.data.ServiceRequestBase.getEwsHttpWebResponse(Unknown Source)
at microsoft.exchange.webservices.data.ServiceRequestBase.validateAndEmitRequest(Unknown Source)
at microsoft.exchange.webservices.data.SimpleServiceRequestBase.internalExecute(Unknown Source)
at microsoft.exchange.webservices.data.MultiResponseServiceRequest.execute(Unknown Source)
at microsoft.exchange.webservices.data.ExchangeService.internalCreateItems(Unknown Source)
at microsoft.exchange.webservices.data.ExchangeService.createItem(Unknown Source)
at microsoft.exchange.webservices.data.Item.internalCreate(Unknown Source)
at microsoft.exchange.webservices.data.EmailMessage.internalSend(Unknown Source)
at microsoft.exchange.webservices.data.EmailMessage.send(Unknown Source)
at com.ashok.calsync.Sync.testMethod(Sync.java:39)
at com.ashok.calsync.Sync.main(Sync.java:12)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 28 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
... 34 more
I had exported the certificate used by Outlook to a .cer file and imported to cacerts using keytool.
keytool -import -file D:\Ashok\myOutlookCert1.cer -keystore cacerts
-alias myOutlookCert1
The Run configuration in eclipse includes the following under VM Arguments
-Djavax.net.debug=all -Djavax.net.ssl.keyStore="C:\java_jdk\1.6.0_30\jre\lib\security\cacerts"
-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore="C:\java_jdk\1.6.0_30\jre\lib\security\cacerts"
-Djavax.net.ssl.trustStorePassword=changeit
and the certificate is visible in the debug trace
adding as trusted cert: Subject: CN=123.abc, CN=S, CN=A,
CN=OurDomain, CN=XYZ, CN=pki, DC=xyz, DC=com Issuer: CN=XYZ-CA1-FR,
CN=PKI, DC=XYZ, DC=com Algorithm: RSA; Serial number: 0x43559d09
Valid from Tue Jun 19 13:31:28 IST 2012 until Fri Jun 19 14:01:28 IST
2015
After all these, the exception suggests that the certificate is not found. The questions here are:
How do we confirm that the certificate I imported to cacerts is the one the Server is looking for?
I had exported the certificate from Outlook's Trust Centre (from within Email Security section). Is this the right certificate for connecting to the Exchange Server?
Many thanks in advance for any help.
Regards,
Ashok