Hi, I'm using version 4.5 of HttpClient in a servlet on a WAS 7 calling another WAS 7. When I test the call with the http protocol everything works. But when I try with https the call fails with a "Chaining certificate error": the certificate of the CA is not recognized as trusted.
The CA certificate is in the WAS truststore. When we call the same endpoint over https from another app with a JAX-WS client it works, so it gets the CA certificate from the truststore. Also, I captured in the WAS log that when the app server starts it loads the CA certificate as trusted:

[5/18/17 18:17:39:867 ART] 00000000 CSIServerRI A JSAS0008I: Server request interceptor registered.
[5/18/17 18:17:39:878 ART] 00000000 SecurityCompo A JSAS0009I: IOR interceptor registered.
[5/18/17 18:17:40:732 ART] 00000000 SystemOut O adding as trusted cert:
[5/18/17 18:17:40:734 ART] 00000000 SystemOut O Subject: CN=CABNA, DC=cc, DC=bna, DC=net
[5/18/17 18:17:40:737 ART] 00000000 SystemOut O Issuer: CN=CABNA, DC=cc, DC=bna, DC=net
[5/18/17 18:17:40:744 ART] 00000000 SystemOut O Algorithm: RSA; Serial number: 0x476da8f2b43899b24dfe7a94e66a1b7f
[5/18/17 18:17:40:747 ART] 00000000 SystemOut O Valid from Mon May 09 12:38:13 ART 2016 until Sat May 09 12:48:13 ART 2026
[5/18/17 18:17:40:748 ART] 00000000 SystemOut O

But when I call my servlet and it tries to call the other WAS over https with an HttpClient, I captured that it does not load the same truststore as the WAS:

[5/18/17 18:22:36:965 ART] 00000028 SystemOut O keyStore is: /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts
[5/18/17 18:22:36:965 ART] 00000028 SystemOut O keyStore type is: jks
[5/18/17 18:22:36:965 ART] 00000028 SystemOut O keyStore provider is:
[5/18/17 18:22:36:965 ART] 00000028 SystemOut O init keystore
[5/18/17 18:22:37:237 ART] 0000000d SystemOut O Finalizer thread, called close()
[5/18/17 18:22:37:237 ART] 0000000d SystemOut O Finalizer thread, called closeInternal(true)
[5/18/17 18:22:37:237 ART] 0000000d SystemOut O Finalizer thread, called close()
[5/18/17 18:22:37:237 ART] 0000000d SystemOut O Finalizer thread, called closeInternal(true)
[5/18/17 18:22:37:248 ART] 00000028 SystemOut O SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.hd
[5/18/17 18:22:37:250 ART] 00000028 SystemOut O trustStore is: /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts
[5/18/17 18:22:37:250 ART] 00000028 SystemOut O trustStore type is: jks
[5/18/17 18:22:37:250 ART] 00000028 SystemOut O trustStore provider is:
[5/18/17 18:22:37:250 ART] 00000028 SystemOut O init truststore
[5/18/17 18:22:37:253 ART] 00000028 SystemOut O adding as trusted cert:
[5/18/17 18:22:37:253 ART] 00000028 SystemOut O Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
[5/18/17 18:22:37:254 ART] 00000028 SystemOut O Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
[5/18/17 18:22:37:254 ART] 00000028 SystemOut O Algorithm: RSA; Serial number: 0x444c0
[5/18/17 18:22:37:254 ART] 00000028 SystemOut O Valid from Wed Oct 22 10:07:37 ARST 2008 until Mon Dec 31 09:07:37 ART 2029
[5/18/17 18:22:37:254 ART] 00000028 SystemOut O
... and so on.

It seems that HttpClient loads only the certificates in the cacerts of the JVM. So I modified the creation of the HttpClient and added useSystemProperties(), because I read that this might take the truststore of the WAS, but it didn't work. I used a Basic connection manager and a Pooled one, but no difference. I also tried to modify the certificate validation, using a strategy that does nothing, but the verification fails anyway; the strategy that validates nothing is never called. The certificate validation failure appears when the HttpClient uses the IBM socket (trace at the bottom of the email). A couple of years ago I used a version of Spring WS with HttpClient 4.1 or 4.2 and didn't have this problem. Any help or tip is really welcome.

Regards,
Jonathan.
Trace of the certificate verification:

[5/18/17 18:22:46:070 ART] 00000028 SystemOut O ***
[5/18/17 18:22:46:174 ART] 00000028 SystemOut O %% Invalidated: [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
[5/18/17 18:22:46:174 ART] 00000028 SystemOut O WebContainer : 0, SEND TLSv1 ALERT: fatal, description = certificate_unknown
[5/18/17 18:22:46:174 ART] 00000028 SystemOut O WebContainer : 0, WRITE: TLSv1 Alert, length = 2
[5/18/17 18:22:46:175 ART] 00000028 SystemOut O WebContainer : 0, called closeSocket()
[5/18/17 18:22:46:175 ART] 00000028 SystemOut O WebContainer : 0, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=CABNA, DC=cc, DC=bna, DC=net is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
[5/18/17 18:22:46:217 ART] 00000028 servlet E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: Uncaught exception created in one of the service methods of the servlet ProxyServlet in application BNAFUProxyEAR. Exception created : javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=CABNA, DC=cc, DC=bna, DC=net is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.jsse2.o.a(o.java:22)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:423)
    at com.ibm.jsse2.kb.a(kb.java:192)
    at com.ibm.jsse2.kb.a(kb.java:176)
    at com.ibm.jsse2.lb.a(lb.java:53)
    at com.ibm.jsse2.lb.a(lb.java:464)
    at com.ibm.jsse2.kb.s(kb.java:545)
    at com.ibm.jsse2.kb.a(kb.java:530)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:79)
    at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
    at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at ar.com.bna.fu.proxy.proxy.ProxyServlet.service(ProxyServlet.java:343)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1657)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1597)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:131)
    at ar.com.bna.fu.proxy.filter.CachedHttpServletRequestFilter.doFilter(CachedHttpServletRequestFilter.java:49)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
    at ar.com.bna.fu.proxy.filter.dump.DumpFilter.doFilter(DumpFilter.java:37)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:908)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:934)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:502)
    at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:181)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3935)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:276)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:931)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1592)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:186)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:452)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:511)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:305)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:276)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1613)
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=CABNA, DC=cc, DC=bna, DC=net is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.jsse2.util.f.b(f.java:113)
    at com.ibm.jsse2.util.f.b(f.java:61)
    at com.ibm.jsse2.util.e.a(e.java:22)
    at com.ibm.jsse2.pc.a(pc.java:100)
    at com.ibm.jsse2.pc.checkServerTrusted(pc.java:15)
    at com.ibm.jsse2.pc.b(pc.java:76)
    at com.ibm.jsse2.lb.a(lb.java:104)
    ... 50 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=CABNA, DC=cc, DC=bna, DC=net is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
    at com.ibm.jsse2.util.f.b(f.java:98)
    ... 56 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=CABNA, DC=cc, DC=bna, DC=net is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
    at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:176)
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357)
    ... 58 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298)
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
    ... 63 more
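The log above shows the root cause: HttpClient's default SSLContext is initialised from the JRE's lib/security/cacerts, which does not contain CN=CABNA, while the WAS startup log shows that CA being loaded from the server's own truststore. The following is an added example, not code from the post or from the HttpClient project, of how I would wire HttpClient 4.5 to an explicitly loaded truststore instead of loosening validation with a no-op TrustStrategy or hostname verifier. It opens the truststore, fails fast if the expected CA subject is not in it (so a wrong path or password surfaces before the handshake), builds an SSLContext from it and registers the resulting socket factory with a PoolingHttpClientConnectionManager. The truststore path, type and password are placeholders; the CA subject is the one printed in the WAS log. It is written without Java 7 syntax so it compiles on the older runtime a WAS 7 server uses.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.net.ssl.SSLContext;
import javax.security.auth.x500.X500Principal;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;

public final class TrustedHttpClientFactory {

    // Placeholders (assumptions): the truststore that actually holds the CA.
    // On WAS that is the server's trust store, not the JRE's lib/security/cacerts.
    private static final String TRUSTSTORE_PATH = "/PLACEHOLDER/path/to/trust.p12";
    private static final String TRUSTSTORE_TYPE = "PKCS12";
    private static final char[] TRUSTSTORE_PASSWORD = "PLACEHOLDER".toCharArray();

    // Subject of the issuing CA exactly as the WAS startup log printed it.
    private static final X500Principal EXPECTED_CA =
        new X500Principal("CN=CABNA, DC=cc, DC=bna, DC=net");

    /** Loads the truststore and refuses to continue if the expected CA is absent. */
    static KeyStore loadTrustStore(String path, String type, char[] password,
                                   X500Principal expectedCa) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        boolean found = false;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)
                    && ks.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                // X500Principal.equals() compares canonical DNs, so spacing differences do not matter.
                if (expectedCa.equals(cert.getSubjectX500Principal())) {
                    found = true;
                    break;
                }
            }
        }
        if (!found) {
            throw new IllegalStateException("Truststore " + path + " does not contain "
                + expectedCa.getName() + "; the TLS handshake would fail with a chaining error");
        }
        return ks;
    }

    /** Builds an HttpClient whose https connections trust only the loaded truststore. */
    static CloseableHttpClient build() throws Exception {
        KeyStore trustStore = loadTrustStore(
            TRUSTSTORE_PATH, TRUSTSTORE_TYPE, TRUSTSTORE_PASSWORD, EXPECTED_CA);

        // Trust material comes from this KeyStore; no TrustStrategy, so normal PKIX validation applies.
        SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(trustStore, null)
            .build();

        // Keep the default hostname verifier; NoopHostnameVerifier would defeat the point of TLS.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("http", PlainConnectionSocketFactory.getSocketFactory())
            .register("https", sslsf)
            .build();

        // The socket factory has to be given to the connection manager itself:
        // once a connection manager is supplied, HttpClientBuilder.setSSLSocketFactory() is not applied.
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);

        return HttpClients.custom()
            .setConnectionManager(cm)
            .build();
    }
}
```

Two things worth checking while debugging this: the "trustStore is:" line in the javax.net.debug output tells you which file the client-side context really used, and the fail-fast check in loadTrustStore() distinguishes "wrong truststore" from "right truststore, wrong chain" before any network call. If you prefer to reuse the server's SSL configuration instead of a file path, the WAS-specific route is to obtain an SSLContext from com.ibm.websphere.ssl.JSSEHelper and hand it to the same SSLConnectionSocketFactory; I have left that out above because it only compiles against the WAS runtime jars.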
