Karim L.

Reputation: 43

Receiving HTTP transport error : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

I am implementing a jax-ws web service client in a maven sub module using jaxws-maven-plugin with wsimport goal, which is in charge of parsing multiple configured .wsdl files in order to generate the needed artifacts to code the client.

The generation process is working fine, but when implementing the client, I need to use SSL when communicating with the deployed web service. For that, the client provided me with a certificate (cert.p12 file) and a password.

As I don't have access to the HttpsURLConnection to initialize the SSLContext programmatically when using the jax-ws generated artifacts to implement the web service client, I've just coded an initProxySettings() method which will be in charge of setting system properties before calling the client as shown below.

private void initProxySettings() {
    Properties systemSettings = System.getProperties();

    systemSettings.setProperty("proxySet", "true");
    systemSettings.setProperty("http.proxyHost", proxyHost);
    systemSettings.setProperty("http.proxyPort", "443");
    systemSettings.setProperty("https.proxyHost", sslProxyHost);
    systemSettings.setProperty("https.proxyPort", sslProxyPort);

    systemSettings.setProperty("javax.net.ssl.keyStore", p12FilePath);
    systemSettings.setProperty("javax.net.ssl.keyStorePassword", p12FilePassword);
    systemSettings.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    systemSettings.setProperty("javax.net.debug", "ssl");

    System.setProperties(systemSettings);
}

When trying to run a connected test with the service, I get the following error:

com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:121)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:142)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:83)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:105)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:587)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:546)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:531)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:428)
    at com.sun.xml.internal.ws.client.Stub.process(Stub.java:211)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:124)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:98)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:107)
    at $Proxy95.reportRatesTrade(Unknown Source)
    at myCompany.connectivity.myApp.wsconnector.FpmlReportSender.sendRateFpmlReport(FpmlReportSender.java:66)
    at myCompany.connectivity.myAPP.wsconnector.FpmlWsClientSender.sendFpmlViaWebService(FpmlWsClientSender.java:67)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:407)
    at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:278)
    at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:251)
    at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:166)
    at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:72)
    at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:398)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:118)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:80)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.component.file.GenericFileConsumer.processExchange(GenericFileConsumer.java:401)
    at org.apache.camel.component.file.GenericFileConsumer.processBatch(GenericFileConsumer.java:201)
    at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:165)
    at org.apache.camel.impl.ScheduledPollConsumer.doRun(ScheduledPollConsumer.java:187)
    at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:114)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:181)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:205)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:109)
    ... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:325)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:219)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    ... 55 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:320)
    ... 61 more

Here is an excerpt of the SSL debug output, which I've shortened:

keyStore type is : pkcs12
keyStore provider is : 
init keystore
init keymanager of type SunX509
***
found key for : company- [email protected]
chain [0] = [
[
  Version: V3
  Subject: CN=company99DF011B-51A9-57F9-E341-E0A68D4B9751, OU=USERS, O=KGC0418
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  SunPKCS11-Solaris RSA public key, 2048 bits (id 139309464, session object)
  modulus: 22112756093157512458757695440781457752806273315592450355957740196952202759592017766120571999875831031807562268295134910443622272782776544232874456458580772402436337356828895708779249509298037562892132455656130873883482145964182231114271360652011365917415253840206676718726431817484730833855366587344152579527243740623
  public exponent: 65537
  Validity: [From: Sun Dec 08 17:31:09 MET 2013,
               To: Thu Jan 08 17:31:09 MET 2015]
  Issuer: CN=KGC0418 companyPROD, OU=company Authorized Use Only, O=KGC0418, C=US
  SerialNumber: [    03]

Certificate Extensions: 3
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   S/MIME
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1A C2 D9 E5 AC 6D 36 2F   65 F1 4C A2 11 3B 92 EB  .....m6/e.L..;..
0010: 9B F9 4B CA                                        ..K.
]

[CN=company Global Root CA, OU=company Authorized Use Only, O=COMPANY, C=US]
SerialNumber: [    14]
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:....
.........
......
.....
.....
***
trustStore is: /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
.........
........
.........
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1373450395 bytes = { 223, 37, 1, 148, 219, 69, 149, 109, 169, 194, 44, 197, 99, 80, 16, 189, 197, 104, 28, 99, 157, 172, 34, 240, 145, 73, 49, 89 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
Camel (myApp) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Handshake, length = 73
Camel (myApp) thread #0 - file://src/test/resources/fpml, WRITE: SSLv2 client hello message, length = 98
Camel (myApp) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1373446593 bytes = { 83, 8, 141, 30, 34, 196, 26, 7, 232, 255, 119, 56, 80, 5, 201, 181, 68, 107, 17, 160, 109, 152, 79, 219, 19, 16, 181, 222 }
Session ID:  {146, 198, 54, 212, 84, 229, 79, 190, 99, 152, 78, 98, 18, 19, 152, 253, 197, 212, 1, 37, 17, 33, 77, 113, 59, 86, 136, 120, 33, 19, 126, 1}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
Camel (myApp) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 1295
*** Certificate chain
chain [0] = [
[....
.....
.....
.....
[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:...
....
...
]
***
Camel (myApp) thread #0 - file://src/test/resources/fpml, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
Camel (myApp) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Alert, length = 2
Camel (myApp) thread #0 - file://src/test/resources/fpml, called closeSocket()
Camel (myApp) thread #0 - file://src/test/resources/fpml, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Finalizer, called close()
Finalizer, called closeInternal(true)

Could you tell me if this is the right way to use a .p12 certificate with a JAX-WS client? If my implementation is meaningful, what am I missing then?

------ UPDATE -------

As suggested by @Jcs in the next post, I've created a custom new key store in JKS format by the following steps:

1/ Extracting the public key from cert.p12 file using the command:

openssl.exe pkcs12 -in cert.p12 -clcerts -nokeys -out publicCert.pem

2/ Creating a new trust store in JKS format using:

keytool -import -alias test -file publicCert.pem -keystore myTrustStore.jks

Then, keeping the same configuration for the keyStore, I've configured the trustStore properties to point to this newly generated JKS store as follows:

systemSettings.setProperty("javax.net.ssl.trustStore", "myTrustStore.jks");
systemSettings.setProperty("javax.net.ssl.trustStorePassword", jksFilePassword);
systemSettings.setProperty("javax.net.ssl.trustStoreType", "JKS");
/*****/
systemSettings.setProperty("javax.net.ssl.keyStore", "cert.p12");
systemSettings.setProperty("javax.net.ssl.keyStorePassword", p12FilePassword);
systemSettings.setProperty("javax.net.ssl.keyStoreType", "pkcs12");

Now from what I see in the ssl.debug console, the trustStore points at the one I've set in my implementation:

***
trustStore is: src\test\resources\certificate\myTrustStore.jks
trustStore type is : JKS
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=COMPANY 99DF011B-51A9-57F9-E341-E0A68D4B9751, OU=USERS, O=KGC0418
  Issuer:  CN=KGC0418 XXXXXXXXX
  Algorithm: RSA; Serial number: 0x3
  Valid from Sun Dec 08 17:31:09 GMT+01:00 2013 until Thu Jan 08 17:31:09 GMT+01:00 2015

trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1373559519 bytes = { 73, 210, 46, 42, 251, 113, 112, 255, 135, 100, 241, 240, 245, 125, 197, 72, 118, 72, 226, 121, 151, 222, 36, 76, 69, 108, 59, 223 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
Camel (camel-2) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Handshake, length = 73
Camel (camel-2) thread #0 - file://src/test/resources/fpml, WRITE: SSLv2 client hello message, length = 98
Camel (camel-2) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1373559520 bytes = { 208, 198, 151, 119, 235, 39, 193, 62, 48, 230, 205, 106, 86, 238, 78, 91, 82, 255, 187, 234, 12, 5, 121, 49, 30, 109, 211, 209 }
Session ID:  {6, 28, 249, 26, 112, 151, 19, 203, 2, 16, 79, 111, 188, 253, 24, 4, 247, 139, 66, 144, 210, 30, 101, 226, 40, 73, 228, 161, 55, 230, 221, 114}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
Camel (camel-2) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 1295
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=xxxxxxxxxxxx
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 26518340377185970618433427871998795874305944949774222457599695023228997443108630011833718821919400987851754545189639992819856454324827540671299918071626122667103792561945932972886083246760975456684092491592159887675835743379582226715892057387136711529603424019350987371140627696296825793550900188321364783977163343619847560039629745177775488269466101953205609461762679291911956872358518707250384413293488030799581673273259857148207483603504965811669522407902645141827155299400058670101699158958543405382995894352227209548308584112363108195961049506258872806165116902528885827281882201616114758666943336739405701681289
  public exponent: 65537
  Validity: [From: Thu Nov 07 12:56:30 GMT+01:00 2013,
               To: Sat Jan 09 18:53:11 GMT+01:00 2016]
  Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
  SerialNumber: [    02a093]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://gtssl-ocsp.geotrust.com, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://gtssl-aia.geotrust.com/gtssl.crt]
]
....
[2]: ObjectId: 2.xx.xx.17 Criticality=false
....
[3]: ObjectId: 2.xx.xx.35 Criticality=false
...
[4]: ObjectId: 2.xx.xx.14 Criticality=false
....
[5]: ObjectId: 2.xx.xx.32 Criticality=false
....
[6]: ObjectId: 2.xx.xx.19 Criticality=true
....
[7]: ObjectId: 2.xx.xx.37 Criticality=false
....
[8]: ObjectId: 2.xx.xx.31 Criticality=false
..
.
[9]: ObjectId: 2.xx.xx.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 14 EB 1F A8 91 DE F0 A6   54 B4 BB D1 6F E4 10 63  ........T...o..c

]
***
Camel (camel-2) thread #0 - file://src/test/resources/fpml, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
Camel (camel-2) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Alert, length = 2
Camel (camel-2) thread #0 - file://src/test/resources/fpml, called closeSocket()
Camel (camel-2) thread #0 - file://src/test/resources/fpml, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Camel (camel-2) thread #0 - file://src/test/resources/fpml, called close()
Camel (camel-2) thread #0 - file://src/test/resources/fpml, called closeInternal(true)

but I'm still having the same error:

com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:121)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:142)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:83)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:105)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:587)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:546)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:531)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:428)
    at com.sun.xml.internal.ws.client.Stub.process(Stub.java:211)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:124)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:98)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:107)
    at $Proxy102.reportRatesTrade(Unknown Source)
    at myCompany.connectivity.myApp.wsconnector.FpmlReportSender.sendRateFpmlReport(FpmlReportSender.java:75)
    at myCompany.connectivity.myApp.wsconnector.FpmlWsClientSender.sendFpmlViaWebService(FpmlWsClientSender.java:67)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:407)
    at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:278)
    at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:251)
    at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:166)
    at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:72)
    at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:398)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:118)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:80)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.component.file.GenericFileConsumer.processExchange(GenericFileConsumer.java:401)
    at org.apache.camel.component.file.GenericFileConsumer.processBatch(GenericFileConsumer.java:201)
    at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:165)
    at org.apache.camel.impl.ScheduledPollConsumer.doRun(ScheduledPollConsumer.java:187)
    at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:114)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:181)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:205)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:109)
    ... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    ... 55 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 61 more

Did I set both the keyStore and the trustStore correctly?

Upvotes: 3

Views: 27526

Answers (1)

Jcs

Reputation: 13709

As far as I see, you are correctly using the PKCS#12 file. The problem is caused by the server certificate. Since you did not set any trustStore the default trustStore is used. This is written in this log line:

trustStore is: /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts

However, the SSL implementation was not able to attach the server certificate chain to any trusted certificate in this store. Maybe this server certificate is self-signed, maybe it is issued by a dedicated in-house certification authority or maybe it has just been issued by a certification authority which is not listed here.

To fix it, ask your client for the root CA certificate and add it into the cacerts file or create a custom new keystore. You can use the keytool -importcert command.

If you create a new keystore, you'll need to add this to your code:

systemSettings.setProperty("javax.net.ssl.trustStore", "/path/to/trust/store"); 
systemSettings.setProperty("javax.net.ssl.trustStorePassword", "trustStorePassword");

Upvotes: 4
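
The trust-store side of the answer above, as an added example that is not part of the original posts: it loads the client's PKCS#12 identity and a separate trust store, checks whether the trust store holds a certificate for the CA that issued the server certificate (in the debug output, `CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US`), and only then installs an SSLContext built from both. Class, method and environment-variable names are hypothetical, and Java 7 or later is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

/** Added example: class, method and environment-variable names are hypothetical. */
public class ClientTlsSetup {

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Does any certificate in the trust store carry the given subject name?
     * This is a name comparison only; the handshake still verifies signatures.
     */
    static boolean hasCertificateFor(KeyStore trustStore, X500Principal subject) throws Exception {
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate cert = trustStore.getCertificate(alias);
            if (cert instanceof X509Certificate
                    && ((X509Certificate) cert).getSubjectX500Principal().equals(subject)) {
                return true;
            }
        }
        return false;
    }

    /** Key material (who we are) and trust material (whom we accept) are kept separate. */
    static SSLContext buildContext(KeyStore identity, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    static char[] secretFromEnv(String name) {
        String value = System.getenv(name);
        if (value == null) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientTlsSetup <client.p12> <truststore.jks> <issuer DN>");
            System.exit(2);
        }
        char[] p12Password = secretFromEnv("P12_PASSWORD");            // hypothetical name
        char[] trustPassword = secretFromEnv("TRUSTSTORE_PASSWORD");   // hypothetical name

        KeyStore identity = load(args[0], "PKCS12", p12Password);
        KeyStore trustStore = load(args[1], "JKS", trustPassword);
        X500Principal issuer = new X500Principal(args[2]);

        // A trust store that holds only the client's own certificate fails here,
        // because the server certificate is issued by a different CA.
        if (!hasCertificateFor(trustStore, issuer)) {
            System.err.println("No certificate with subject '" + issuer.getName()
                    + "' in " + args[1] + "; the server chain cannot be anchored at that CA.");
            System.exit(1);
        }

        // In the application, do this before the JAX-WS port is first used.
        SSLContext context = buildContext(identity, p12Password, trustStore);
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
        System.out.println("Trust store contains the issuer; SSLContext installed.");
    }
}
```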
