Hi Stefan
In order to set up an SSL connection with the Axis2-based client, we've added
the following: "System.setProperty("javax.net.ssl.trustStore",
"d:/path_to_file/name_of_keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");".

In ESB, I've changed the value of the "truststore" parameter to use the same
truststore used by the Axis2-based client. I've also created a Proxy that
points to the https webservice. When calling this Proxy, the following error
is generated: "Caused by: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target". The used truststore contains
the SSL certificate of the site.

Which "truststore" parameter did you change? Since you are "calling" an external HTTPS service, you must edit the HTTPS Transport Sender configuration as follows, and not the Listener:

<transportSender name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>identity.jks</Location>
            <Type>JKS</Type>
            <Password>password</Password>
            <KeyPassword>password</KeyPassword>
        </KeyStore>
    </parameter>
    <!-- truststore parameter of the HTTPS transport sender: this is the one to edit -->
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>trust.jks</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </parameter>
    <!--<parameter name="HostnameVerifier">DefaultAndLocalhost</parameter> supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>

I'm aware that this question is more related to JKS and SSL configuration,
but - although I found it out for the Axis2-based client - I'm unable to
configure it correctly for ESB.

I am confident that this works without any issues if the keystores are properly configured. Basically I would expect the truststore to contain the CA certificate of your external server as a "trusted certificate" in the keystore.

If you can also send me the output of "keytool -v -list -keystore trust.jks" for your JKS, that would be helpful (please remember to hide your password from the output generated before you post it here :-))

asankha
_______________________________________________
Esb-java-user mailing list
http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
