I've a REST web service using Spring in Java 1.7 running on Tomcat 7. I've self signed cert on my dev machine. When I try to invoke the API using rest client, it gives below error:
peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.wiztools.restclient.HTTPClientRequestExecuter.execute(HTTPClientRequestExecuter.java:387)
at org.wiztools.restclient.ui.RESTViewImpl$2.run(RESTViewImpl.java:320)
Can any one tell me how to get rid of this error without making any java code changes?
Note: I've run below command in my env already:
keytool -genkey -v -keyalg RSA -alias tomcat -keypass 12345 -storepass 12345
It looks like the server is requesting client authetication and you are not send one certificate from the client to the server. Try to run the VM with -Djavax.net.debug=all parameter.
And I don't think it is possible to do that without make changes to your code.
I get this problem if I use the jre 1.6. When I switch to jre 1.7 this problem goes away.
Related
I am new in JAVA, Consuming web service(.wsdl) in Web Service Client project. I import the client certificate in java cacerts store in jrd. My code is as follows:
System.setProperty("javax.net.ssl.trustStore","[PATH]/cacerts.jks");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
ServicesProxy service = new ServicesProxy();
ServiceRequest request = new ServiceRequest(1498);
ServiceResponse response = service.getDetails(request);
I'm failed to handshake, I am getting the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I have no clue why there is an exception. Any help will be appreciated.
You probably have to add the key chain in the certificate (PEM format).
CA Root -> Intermediate Cert -> Cert.
Or the certificate cannot be found in the keystore, do you use the correct alias etc.
And I do not recognize the SOAP JAX-WS implementation you use.
Not a solution to your problem, but maybe it helps to find it:
You can start your client with the VM parameter -Djavax.net.debug=all which will give you a lot of information about the SSL connection.
Check here for details about the output:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Use -Djavax.net.ssl.trustStore property directly instead.
One more thing the server you use in that also u need to place the jks for handshake.
For example server is JBoss then bin
I guess your cacert is not correct or the path is unaccessible. I followed the instructions given here
Use SSL Poke to verify connectivity
Download SSLPoke.class
Execute the class as follows, changing the URL and port:
$JAVA_HOME/bin/java SSLPoke yoururl 443
A successful connection would look like this:
$JAVA_HOME/bin/java SSLPoke yoururl 443
Successfully connected
Try to use a different truststore to connect
$JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=[PATH]/cacerts.jks SSLPoke yoururl 443
If it fails the truststore does not contain the proper certificates.
How to solve it
The solution is extracted from here
Fetch the certificate again from the server:
openssl s_client -connect yoururl:443
You need openssl. Save the output to a file called public.crt. This is how your file should look like:
-----BEGIN CERTIFICATE-----
< Bunch of lines of your certificate >
-----END CERTIFICATE-----
Import the certificate:
$JAVA_HOME/bin/keytool -import -alias -keystore $JAVA_HOME/jre/lib/security/cacerts -file public.crt
Enter the password if prompted (the default is changeit)
Recommendation
In the same post it is not recommended to use a configured trustStore different than the JVM cacert because then java could not access other root certificates.
This is a quite common error while dealing with soap services over SSL, I've had it a few times.
Your certificate may not be correctly installed in your truststore.
You can use openssl to check and install the correct certificate in the truststore, as explained here
Hi Looks like certificates are not imported correctly or path used in code not pointing to correct keystore.
I hope following steps in below article will help you.
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
I am trying to access a web service which has SSL enabled from stand alone java program . I was able to generate client from WSDL however when i am trying to invoke web service i get SSL handshake issue . Below is java code
TestWebService sh = (TestWebService) shs.getTestWebServiceExportTestWebServiceHttpPort();
BindingProvider port = (BindingProvider)sh;
port.getRequestContext().put(BindingProvider.
ENDPOINT_ADDRESS_PROPERTY, args[0]);
System.out.println( ((BindingProvider)sh).toString() );
The url that is lets say https://service.test.com/sca/TestWebService?wsdl
Below is the error message
Failed to access the WSDL at:
https://service.testwebservice.com/TestWebServiceExport?wsdl. It failed with:
Got com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Corp Production Root CA V1, O=Cord Inc. is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error while opening stream from https://service.testwebservice.com/TestWebServiceExport?wsdl.
I have installed the ceritificate in IE browser from website but still no luck .
You are on the right track by installing the cert into IE browser - that would allow IE to access the web service without error. However, as your client is Java (and not IE), you need to install the cert into Java.
The Java command for doing this is as follows:
$JAVAHOME/bin/keytool -import -alias service.test.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/certfile.pem
Note: this will install the cert into the default keystore for that Java install. This will affect all Java processes using that JVM. The default password for the keystore is 'changeit'
I need to test web service that is being deployed to pre-release environment that is deployed on HTTPS endpoint. Unfortunatelly SoapUI fails with SSLPeerUnverifiedException: peer not authenticated exception. I used both versions 4.6.4 and very fresh 5.0.
Env:
endpoint is https, startcom certificate, network uses proxy (but same issue without proxy with different network)
I have spent many hours, maybe a day googling for a solution. Especially this link looked promising: https://forum.soapui.org/viewtopic.php?f=13&t=20866
I extracted endpoint certificate via firefox and let it trust. So I modified cacerts from soapui JVM installation:
..\SoapUI-4.6.4\jre\lib\security>keytool -import -alias HOSTNAME
-file endpoint.crt -keystore cacerts -storepass changeit
Restart and then retested - fail.
Then I took different approach and let SoapUI JVM trust all StartCom certificates.
keytool -import -trustcacerts -alias startcom.ca -file ca.crt -keystore cacerts
keytool -import -alias startcom.ca.sub -file sub.class1.server.ca.crt -keystore cacerts
Restart and failed again. What else shall I do now?
EDIT
2014-05-30 08:39:53,782 ERROR [errorlog] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:446)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:499)
at com.eviware.soapui.impl.wsdl.support.http.SoapUISSLSocketFactory.createLayeredSocket(SoapUISSLSocketFactory.java:268)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:200)
at org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:277)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:142)
at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:758)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:565)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport$Helper.execute(HttpClientSupport.java:238)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport.execute(HttpClientSupport.java:348)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.submitRequest(HttpClientRequestTransport.java:318)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:232)
at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:123)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
SSL debug:
adding as trusted cert:
Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Issuer: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Algorithm: RSA; Serial number: 0x1
Valid from Sun Sep 17 21:46:36 CEST 2006 until Wed Sep 17 21:46:36 CEST 2036
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Thread-20, WRITE: TLSv1 Handshake, length = 186
Thread-20, READ: TLSv1 Alert, length = 2
Thread-20, RECV TLSv1 ALERT: warning, unrecognized_name
SSL - handshake alert: unrecognized_name
Thread-20, handling exception: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
Thread-20, SEND TLSv1 ALERT: fatal, description = unexpected_message
Thread-20, WRITE: TLSv1 Alert, length = 2
Thread-20, called closeSocket()
Thread-20, IOException in getSession(): javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
09:16:12,482 ERROR [WsdlSubmit] Exception in request: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Ok, the fix for this problem is to set
-Djsse.enableSNIExtension=false
in $SOAPUI_HOME/bin/soapui.bat
The reason is described in this answer: https://stackoverflow.com/a/14884941/1639556
Digest:
Java 7 introduced SNI support which is enabled by default. I have found out that certain misconfigured servers send an "Unrecognized Name" warning in the SSL handshake which is ignored by most clients... except for Java.
Update: for SoapUI 5.2.1 I had to alter a file SoapUI-5.2.1.vmoptions because modifying bat file did not help.
For anybody using a Mac looking for the same answer (sorry, it won't let me comment on the selected answer as I don't have enough reputation points yet to Comment !!!).
Editing soapui.sh won't have any impact if you are launching the App by clicking the icon in your Applications folder or using Spotlight.
/Applications/SoapUI-5.0.0.app/Contents
Edit vmoptions.txt and add -Dcom.sun.net.ssl.checkRevocation=false to the bottom of the file.. Save and re-launch.
I think that you're doing the things good. If you load the server certificate on your truststore the connection must works, maybe something is happening like for example a redirect. If you want you can try to disable the SSL server certificate validation. If you use a SOAPUI standalone version edit the $SOAPUI_HOME/bin/soapui.bat or $SOAPUI_HOME/bin/soapui.sh and add this parameter -Dcom.sun.net.ssl.checkRevocation=false as java option:
soapui.bat
set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.net.ssl.checkRevocation=false
soapui.sh
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.net.ssl.checkRevocation=false"
Hope this helps,
If you are using a proxy, try bypassing the same (via ProxySettings is SoapUI Preferences)
Also make sure you are not running Fiddler, which will try to act as a proxy to any requests made by SoapUI. If you want to make it work with Fiddler, you need to add the Fiddler root certificate to your Java trust store.
See also: SoapUI not working with fiddler for REST service testing
I was also getting following message:
Error getting response; javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
The issue I had was only when going via a proxy server. Connected directly to Internet without a proxy was working.
I tried all these solutions, and none were working.
I even tried to add the trusted CA certificates in a Java key store under WS-Security-Configurations -> Truststores and was still getting the rror.
I upgraded to SoapUI 5.2.1 and issue is now resolved.
It might be worth it for you to try it out.
I tried using both the -Dcom.sun.net.ssl.checkRevocation=false and -Djsse.enableSNIExtension=false options, neither of which appear to work.
What did work was importing the certificate into SoapUI's certificate store. I know the asker specified they've already done this, but it's not clear which cert store SoapUI actually chooses to use.
I was able to import the cert and have it used by doing the following:
Ensure SoapUI is closed.
Download Keystore Explorer from http://keystore-explorer.org/downloads.html (use the "All" version that is standalone) and extract it somewhere.
Run Keystore Explorer from an Administrator Command Prompt and using the bundled SoapUI JVM:
C:\> "C:\Program Files\SmartBear\SoapUI-5.6.0\jre\bin\java.exe" -jar "path\to\kse.jar"
In Keystore Explorer, click "Open the CA Certificates Keystore".
Now go to Examine > Examine SSL, input the URL of your server, click OK to view the "Certificate Details" dialog.
Click the Import button and enter whatever alias you want, click OK.
You should get a dialog stating "Trusted Certificate Import Successful", click OK to dismiss it. Then click OK again to dismiss the "Certificate Details" dialog.
Press Ctrl+S or click the "Save" icon to update the root certificate store. Exit Keystore Explorer.
Run SoapUI and it should no longer fail miserably.
In closing, SoapUI is terrible software and you should try to avoid it if at all possible. But this is common to most Java applications.
I'm trying to get JMX working under Tomcat 7.0.23 with SSL. The servers are located in AWS, which means all the hosts are NATed, and I need to use JmxRemoteLifecycleListener to explicitly set the two ports used by JMX. I've been doing a lot of reading on the subject but I just can't get all the pieces working together properly.
I can get JMX working fine without SSL. I have downloaded the version of catalina-jmx-remote.jar for my version of Tomcat and installed it in my tomcat/lib directory. My server.xml contains:
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiRegistryPortPlatform="1099" rmiServerPortPlatform="1098" />
When I launch Tomcat with the following settings I can connect with an insecure session:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access
-Djava.rmi.server.hostname=<public IP of server>
-Dcom.sun.management.jmxremote.ssl=false
However if I change these to the following then I'm unable to establish an SSL connection:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access
-Djava.rmi.server.hostname=<public IP of server>
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Dcom.sun.management.jmxremote.authenticate=true
-Djavax.net.ssl.keyStore=/path/to/keystore.dat
-Djavax.net.ssl.keyStorePassword=<password>
-Djavax.net.ssl.trustStore=/path/to/truststore.dat
-Djavax.net.ssl.trustStorePassword=<password>
keystore.dat contains just a single certificate created via:
openssl x509 -outform der -in cert.pem -out cert.der
keytool -import -alias tomcat -keystore keystore.dat -file cert.der -storepass <password>
truststore.dat contains a full copy of the java cacerts plus the CA cert for my self-signed cert:
cp $JAVA_HOME/jre/lib/security/cacerts truststore.dat
keytool -storepasswd -storepass changeit -new <password> -keystore truststore.dat
keytool -import -trustcacerts -file mycacert.pem -alias myalias -keystore truststore.dat -storepass <password>
After launching Tomcat I've tried connecting via jconsole but it can't establish a connection. I tried to verify SSL using openssl but it looks like Tomcat isn't making use of the cert:
$ openssl s_client -connect <host>:1099
CONNECTED(00000003)
140735160957372:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 322 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I've verified that my local keystore and truststore are set up properly by exporting the keys and verifying the cert chain (combined.pem is all the CA certs from truststore.dat and cert.pem is my cert from keystore.dat):
$ openssl verify -verbose -purpose sslserver -CAfile combined.pem cert.pem
cert.pem: OK
So now I'm at a complete loss. The cert and CA cert look correct. Unencrypted JMX connections work. But I can't seem to get the connection to use SSL. What am I missing here?
I don't know if this is just a red herring or not, but I don't see any way to specify what cert in the keyStore is used by JMX. Some of what I read implies that it just uses a cert with the alias "tomcat". Is that correct?
You are starting the RMI Registry on port 1099. In order for the RMI Registry to utilize SSL you need to pass an additional -Dcom.sun.management.jmxremote.registry.ssl=true argument.
Edit:
Do you use jconsole -J-Djavax.net.ssl.trustStore=truststore -J-Djavax.net.ssl.trustStorePassword=trustword -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password to start JConsole? It needs to know where the stores are and the corresponding passwords.
For VisualVM you can install VisualVM-Security plugin which will add a new tab to the Options dialogue allowing you customize the SSL related options in UI.
I wanted tomcat getting to work with jmx and ssl and followed Bruce setup. In case someone runs int the same problem: using the openssl and keytool commands form Bruce I was getting at client ssl errors:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Not sure why but the figerprint on one side was 5 chars longer at the beginning.
I recreated the keystore using:
keytool -genkeypair -alias tomcat -keyalg RSA -keystore keystore.jks -dname cn=test,ou=test,dc=example,dc=com
In tomcat sever.xml I added the listener as Bruce suggested.
Because client auth is set to false I do not add truststore in tomcat jmx configuration. Instead I added registry.ssl:
[...]
-Djavax.net.ssl.keyStorePassword=your_keystore_pass
-Dcom.sun.management.jmxremote.registry.ssl=true
Then on client side as J.B. suggested I download ssl plugin for visualvm and criss-cross the keystore resulting in:
visualvm -J-Djavax.net.ssl.trustStore=keystore.jks -J-Djavax.net.ssl.trustStorePassword=your_keystore_pass
When adding authentication make sure that your jmx access file looks like:
<user_name> readwrite
and your password file looks like:
<user_name> <your_password>
This solved my ssl jmx setup for testing with visualm vm.
Edit:
Had some issues with having the registry also over SSL, set by:
-Dcom.sun.management.jmxremote.registry.ssl=true
leading at client to throw:
Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint
Adding client auth authentication:
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=truststore.jks
-Djavax.net.ssl.trustStorePassword=your_trust_store_pass
solved both jmx and its registry to use ssl.
I'm creating a Java client program that will be sending sensitive information to a Tomcat server. So I need to use SSL Connection so information will be encrypted.
I need to use self-signed untrusted certificate but having problems making connection from java client.
I have successfully setup Tomcat 5.5 to use SSL and tested it through Firefox, which displays warning of self-signed certificate.
I followed the Tomcat 5.5 SSL setup and they mentioned to create a keystore:
keytool -genkey -alias tomcat -keyalg RSA
Then I did an export of the above:
keytool -export -keystore .keystore -alias tomcat -file localhost.cer
Then I did an import of the above certificate into client machine:
keytool -import -alias tomcat -file localhost.cer -keystore "C:\Program Files"\Java\jdk1.6.0_17\jre\lib\security\cacerts"
But when running client I get:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This is the client code:
URL url = new URL("https://localhost:8443");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
InputStream inputstream = conn.getInputStream();
Now I just started playing with these certificates today and I'm new to keystores, so please be patient.
Can someone please explain how to export and import the certificate created in Tomcat to client machine?
Thank you.
Atlassian has good instructions on how to fix this.
http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
Another approach is to install less unforgiving certificate validators, but that should only be done as a last resort.
Use Apache HTTP Cleint jar and follow this SSL Guide.
EasySSLProtocolSocketFactory can be used to create SSL connections that allow the target server to authenticate with a self-signed certificate.
I think you should input password using "changeit".