Reputation: 325
I want a Java application to connect to a web service using the EJBCA library, but it throws an exception. Below is the void method that tries to connect to EJBCA:
// Imports the method below needs (JDK classes). CryptoProviderTools and the
// generated EjbcaWSService client class come from the EJBCA libraries on the classpath.
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.xml.namespace.QName;

// Sets the fields 'ws' (the web-service port) and 'connect' (success flag).
protected void connectToEjbca() {
    LOG.info("Establishing EJBCA connection");
    String trustStore = CONFIG.getProperty("truststore");
    String trustStorePassword = CONFIG.getProperty("truststore.password");
    String keyStoreType = CONFIG.getProperty("keystore.type");
    String keyStore = CONFIG.getProperty("keystore");
    String keyStorePassword = CONFIG.getProperty("keystore.password");
    String ejbcaUrl = CONFIG.getProperty("url");
    try {
        CryptoProviderTools.installBCProvider();
        // Client identity (admin_test.p12) presented for TLS client authentication.
        KeyManager[] kms = this.getKeyManagers(keyStore, keyStorePassword);
        // Trust anchors used to validate the server's certificate chain.
        TrustManager[] tms = this.getTrustManagers(trustStore, trustStorePassword);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kms, tms, null);
        // WARNING: this verifier accepts every hostname, so the server certificate is
        // never matched against 192.168.1.30. It has no effect on the PKIX path failure
        // (that happens earlier, in chain validation) and should not ship in production.
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        };
        // Applied process-wide: every HttpsURLConnection, including the one CXF opens
        // to download the WSDL, now uses this SSLContext and verifier.
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
        QName qname = new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService");
        // Fetches and parses the WSDL over TLS; this is where the handshake fails.
        EjbcaWSService service = new EjbcaWSService(new URL(ejbcaUrl), qname);
        ws = service.getEjbcaWSPort();
        connect = true;
        LOG.info("EJBCA connection was successful");
    } catch (Exception ex) {
        LOG.error("Error in EJBCA connection: " + ex.getLocalizedMessage(), ex);
        connect = false;
    }
}
The code execution fails at the line: EjbcaWSService service = new EjbcaWSService(new URL(ejbcaUrl),qname);
And the exception says:
org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
According to config.properties:
url=https:\//192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl
truststore=E:\\admin_test.jks
keystore=E:\\admin_test.p12
keystore.type=PKCS12
The password variables are OK.
Additionally, I imported the admin_test.p12 certificate into Firefox, and the browser shows the page https://192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl just fine.
Also, I imported the admin_test.p12 certificate into the Windows Certificate Manager. Then I exported it as an X.509 certificate (admin_test.cert). After that I created a JKS file with KeyStore Explorer and imported admin_test.cert into it.
These two files, admin_test.cert and admin_test.p12, are referenced in config.properties.
So the URL https://192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl works in Firefox but the Java application doesn't.
I suspect the problem is in the JKS file, which I think was not generated correctly.
What can I do?
Upvotes: 0
Views: 784
Reputation: 552
I think you are right. Your error message is "unable to find valid certification path to requested target", which says that the client cannot find a trusted CA certificate with which to verify the TLS connection. This is purely a TLS connection establishment issue. The truststore must contain the CA certificate of the server certificate chain, and nothing else.
Upvotes: 1