Hi Gina, I updated Fediz trunk a few days ago with new specific keystores (all provided in the download) for each portion of the application and also fully spelled out the trust requirements between the various components. I also provided scripts on how to make your own keys should you wish to update yours:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co

They all work fine with the present samples. This should show up in the next release of Fediz.

I don't know if any of this would help you, if so (or if not...), let me know which portion of your questions below remain.

Regards,
Glen


On 07/16/2012 02:28 PM, Gina Choi wrote:
Hi All,

Both my web service and STS are running on different Tomcat instances and
are configured to run on https. When I run the CXF client, I was getting "PKIX
path building failed: SunCertPathBuilderException: unable to find valid
certification path to requested target.". So, I exported the Tomcat cert and
imported it into the Java keystore.

Then I was getting the following error message. I think that this is because my
Tomcat keystore uses "localhost" as the CN while I am pointing at
"wkengchoi.global.sdl.corp" elsewhere. I was too lazy to create a new Tomcat
keystore or to change my references to "wkengchoi.global.sdl.corp", so I
decided to set "disableCNCheck" to true.

Caused by: com.ctc.wstx.exc.WstxIOException: The https URL hostname does
not match the Common Name (CN) on the server certificate.  To disable this
check (NOT recommended for production) set the CXF client TLS configuration
property "disableCNCheck" to true

So, I added the following content to my cxf.xml on the client. I found two
problems here. First, should keyStore reference the Java keystore or
clientstore.jks?

    <http:conduit name="https://.*">
       <http:tlsClientParameters disableCNCheck="true">
         <sec:trustManagers>
            <sec:keyStore type="jks" password="cspass"
                          resource="clientstore.jks"/>
         </sec:trustManagers>
       </http:tlsClientParameters>
    </http:conduit>

Second, with the above configuration, I am getting the following error message. It
looks like I need to add a schema file for the element "http:conduit". So,
I searched the CXF test files, but couldn't find it. I have spent several
hours dealing with this issue and am running out of time for today. Could
anyone tell me what the correct configuration for https on the client side is?

Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The
matching wildcard is strict, but no declaration can be found for element
'http:conduit'.

Thanks.

Gina



--
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza
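A complete client-side cxf.xml for the configuration discussed in the thread above, added here as an example (not Glen's or Gina's code, and not part of the Fediz samples). It assumes clientstore.jks (password "cspass") is a trust store into which the exported Tomcat server certificate has been imported, and that the Tomcat key was issued with a CN matching the hostname the client uses, so the hostname check can stay enabled:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example client-side cxf.xml; assumes clientstore.jks holds the
     exported Tomcat server certificate as a trusted entry. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Declaring the http: and sec: namespaces and their schema locations
       above is what resolves the SAXParseException "no declaration can be
       found for element 'http:conduit'". -->

  <!-- The conduit name is a regular expression matched against the endpoint
       address, so this block applies to every https:// call the client makes. -->
  <http:conduit name="https://.*">
    <!-- disableCNCheck stays at its default of false: the hostname in the URL
         must match the CN on the server certificate. Fix the server key
         (CN = hostname) rather than switching the check off. -->
    <http:tlsClientParameters disableCNCheck="false">
      <!-- Trust store: the server certificates this client will accept.
           Keeping it separate from the JDK cacerts makes trust explicit. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="cspass" resource="clientstore.jks"/>
      </sec:trustManagers>
      <!-- sec:keyManagers is only needed when the server requires a client
           certificate (mutual TLS); it is omitted here. -->
    </http:tlsClientParameters>
  </http:conduit>

</beans>
```

If the Tomcat keystore still has CN=localhost, regenerate it with the CN set to the hostname used in the client URLs (the HowToGenerateKeys README linked above shows how the sample keys are produced) and re-import the new certificate into clientstore.jks.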
