How to associate a keystore with SAAJ SOAP call

Question

I need to make a HTTPs call use a specific SSL keystore (.pfx or .jks). I am using SAAJ implementation to make the SOAP call.

Here are the steps I am following. 1. Set system properties to read the keystore

System.setProperty("javax.net.ssl.trustStore",path to cacerts);
System.setProperty("javax.net.ssl.trustStorePassword",password);
System.setProperty("javax.net.ssl.keyStore",path to keystore (.pfx file));
System.setProperty("javax.net.ssl.keyStorePassword",keystorepassword);
System.setProperty("javax.net.ssl.keyStoreType",(PKC12 or JKS));

2. Then I trust all certificates

   static public void doTrustToCertificates() throws Exception {
     Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
     TrustManager[] trustAllCerts = new TrustManager[] {
      new X509TrustManager() {
       public X509Certificate[] getAcceptedIssuers() {
        return null;
       }
   
       public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
        return;
       }
   
       public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
        return;
       }
      }
     };
   
     SSLContext sc = SSLContext.getInstance("SSL");
     sc.init(null, trustAllCerts, new SecureRandom());
     HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
     HostnameVerifier hv = new HostnameVerifier() {
      public boolean verify(String urlHostName, SSLSession session) {
       if (!urlHostName.equalsIgnoreCase(session.getPeerHost())) {
        System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
       }
       return true;
      }
     };
     HttpsURLConnection.setDefaultHostnameVerifier(hv);
   

   }

3. Then I try to create a connection and call

           // Send SOAP Message to SOAP Server
           URL url= new URL(endpointURL);
           // Create SOAP Connection
           SOAPConnectionFactory soapConnectionFactory = SOAPConnectionFactory.newInstance();
           SOAPConnection soapConnection = soapConnectionFactory.createConnection();
           SOAPMessage soapResponse;
           try{
               soapResponse = soapConnection.call(message, url);
           }
           finally{
               if (soapConnection!=null){
                   try {
                       soapConnection.close();
                  } catch (SOAPException soape){
                      log.info(" Failed to close SOAPConnection. Error " +soape.getMessage());
                  }
              }
           }
   

But every time I try this I get a error indicating the message send failed because PKIX path building failed. I need to know if I am following the right approach to make the HTTPS call. Also my need is to programmatically associate the certificate and not use keytool.

Partial Stacktrace

com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
    at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
    at fASTest.FunctionsKeyWord.InvokeHTTPsSOAPRequest(FunctionsKeyWord.java:319)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at fASTest.FunctionsKeyWord.InvokeActions(FunctionsKeyWord.java:125)
    at fASTest.DriverTestCase.ExecuteTestCaseDriver(DriverTestCase.java:244)
    at fASTest.DriverSuite.ExecuteSuiteDriver(DriverSuite.java:134)
    at fASTest.CallScript.main(CallScript.java:49)
Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
    at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
    ... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getOutputStream(Unknown Source)
    ... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 30 more

Answer 1

Basically, you need to replace the code within the doTrustToCertificates() method with the following:

static public void doTrustToCertificates() throws Exception 
{
    // Set truststore that contains root / intermediary certs
    System.setProperty("javax.net.ssl.trustStore", "C:\\cert\\trusted.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

    // Set keystore that contains private key
    File pKeyFile = new File("C:\\cert\\privatekey.pfx");
    String pKeyPassword = "Password01";
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    InputStream keyInput = new FileInputStream(pKeyFile);
    keyStore.load(keyInput, pKeyPassword.toCharArray());
    keyInput.close();
    keyManagerFactory.init(keyStore, pKeyPassword.toCharArray());

    // Set ssl context with private key and truststore details
    SSLContext sc = SSLContext.getInstance("TLSv1");
    sc.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
    SSLSocketFactory sockFact = sc.getSocketFactory();

    // Add ssl context to https connection
    HttpsURLConnection.setDefaultSSLSocketFactory(sockFact);
}    

You then call the doTrustToCertificates() method just before the connection.call() method like so:

doTrustToCertificates();
soapResponse = soapConnection.call(message, url);