I had the same problem in connecting a SOAP Client (over SSL) to a SOAP (Tomcat/Axis) Server. I created my Client using JDK 1.4 (which has SSL packaged).
Here are some notes I wrote up about the subject. Let me know if it helps.
Configuring SOAP SSL
Secure Socket Layer (SSL) is a technology that allows Web Clients (Browsers, SOAP Clients, etc.) and Web Servers to communicate over a secured connection. In this secure connection, the data that is being sent is encrypted before being sent, then decrypted upon receipt and prior to processing. Both the client and the server encrypt all traffic before sending any data.
When a Web Client makes a request via HTTPS to a Web Server, it requires the Public Key of that Web Service (there may be a different Certificate for each Web Service on the Web Server) in order to encrypt the request. The security package in JDK (comes with JDK 1.4) manages the encryption and searches for the Public Key of the remote service in the JDK security database called cacerts (CA Certificates). Therefore, if you wish to communicate with a Web Service, you first need to get the Web Service certificate and import it into your cacerts database. A tool called keytool is available on JDK 1.4 for certificate handling.
All keytool operations require SuperUser access as JDK is installed under root.
All certificates and the cacerts database are located in /usr/java/j2sdk1.4.1_01/jre/lib/security
When JDK 1.4 is installed, there is a base set of default certificates available. To see what is in the cacerts database, perform the following:
keytool -list -keystore cacerts
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
serverca, Jan 2, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 20:D8:1E:2D:8F:BA:28:62:0F:25:52:90:36:1C:37:7B
j2eeca, Jan 2, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 10:AF:DC:59:30:62:3A:F1:4A:B3:FB:0A:1F:05:61:E7
The following operations are required:
- Create a Server Certificate for the "myService" service as follows:
cd /usr/java/j2sdk1.4.1_01/jre/lib/security
keytool -genkey -keyalg RSA -alias myService -keystore myService.jks
Enter keystore password: changeit
What is your first and last name?
[Unknown]: yourHost.yourDomain
What is the name of your organizational unit?
[Unknown]: yourGroupName
What is the name of your organization?
[Unknown]: yourCompany
What is the name of your City or Locality?
[Unknown]: yourLocation
What is the name of your State or Province?
[Unknown]: yourCity
What is the two-letter country code for this unit?
[Unknown]: yourCountry
Is CN=yourHost.yourDomain, OU=yourGroupName, O=yourCompany, L=yourLocation, ST=yourCity, C=yourCountry correct?
[no]: yes
Enter key password for <myService>
(RETURN if same as keystore password):
This operation creates a file called myService.jks which contains a self-signed certificate.
- If you are providing the Server side of the service then enable SSL on the WEB Server and indicate which certificate (i.e., myService.jks) is to be used for HTTPS.
Edit the file $CATALINA_HOME/conf/server.xml
Uncomment the entry that looks like
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
keystoreFile="/usr/java/j2sdk1.4.1_01/jre/lib/security/myService.jks"
clientAuth="false" protocol="TLS"/>
</Connector>
Enter the fully qualified pathname of the certificate that will be used for HTTPS. This means that when a request is made to this WEB Server, the certificate myService.jks will be sent to the Web Client. The Web Client will use the Public Key of the certificate to encrypt the HTTP requests to this Server.
For the configuration change to take effect, Tomcat needs to be stopped ($CATALINA_HOME/bin/shutdown.sh) and restarted ($CATALINA_HOME/bin/startup.sh).
If a Web Client request is made to the Web Server, the following Exception will occur
AxisFault
faultCode: {http://xml.apache.org/axis/}Server.userException
faultString: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Couldn't find trusted certificate
The reason for this is that your Client does not know anything about the certificate it receives back from the Web server when you make this HTTPS request.
- In order for a Web Client to communicate with myService over HTTPS, it requires the above certificate. Export the certificate to a file so that it can be imported as a trusted Certificate into the JDK 1.4 cacerts database
keytool -export -alias myService -file myService.cer -keystore myService.jks
Enter keystore password: changeit
Certificate stored in file <myService.cer>
- Import the myService.cer certificate into the JDK 1.4 cacerts database
keytool -import -v -trustcacerts -alias myService -file myService.cer -keystore cacerts
Enter keystore password: changeit
Owner: CN=yourHost.yourDomain, OU=yourGroup, O=yourCompany, L=yourLocation, ST=yourCity, C=yourCountry
Issuer: CN=yourHost.yourDomain, OU=yourGroup, O=yourCompany, L=yourLocation, ST=yourCity, C=yourCountry
Serial number: 3a15704c
Valid from: Fri Jan 03 11:13:16 GMT 2003 until: Thu Apr 03 12:13:16 IST 2003
Certificate fingerprints:
MD5: 04:98:7C:07:F9:54:7E:67:DE:AF:D2:68:F5:E5:3B:DA
SHA1: D1:5C:C9:79:D9:F7:E7:19:7E:71:31:C0:48:11:D3:C0:61:2F:60:F7
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving cacerts]
The above indicates who owns the Certificate and who issued the Certificate. Normally a trusted Third Party (called a Certification Authority) issues the certificates or actually signs the certificate we generated. For testing purposes, I am using a self-signed certificate and I am asking the Client to trust this certificate.
The cacerts database now has an extra entry, namely the imported myService certificate:
keytool -list -keystore cacerts
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 3 entries
serverca, Jan 2, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 20:D8:1E:2D:8F:BA:28:62:0F:25:52:90:36:1C:37:7B
myservice, Jan 3, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 04:98:7C:07:F9:54:7E:67:DE:AF:D2:68:F5:E5:3B:DA
j2eeca, Jan 2, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 10:AF:DC:59:30:62:3A:F1:4A:B3:FB:0A:1F:05:61:E7
At this point, a Web Client can now communicate with the myService Service over HTTPS.
Now, when the Web Client makes an HTTPS request to the Web Service, the Web Service certificate is returned, and the Web Client checks in its cacerts database to determine if it can trust this certificate. If the certificate is there and can be trusted, it will use the Public Key to encrypt the HTTPS request.
Hope this helps
Jack
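An added example, not code from the mail above or from Axis/Tomcat: the steps above import myService.cer into the JDK-wide cacerts file as root. A client that is the only consumer of that certificate can instead load the exported myService.cer into its own in-memory truststore and hand JSSE an SSLContext whose sole trust anchor is that certificate, leaving the shared cacerts untouched. The class name MyServiceTrust, the default service path /axis/services/myService and the port 8443 are assumptions; myService.cer, the alias myService and the host yourHost.yourDomain come from the mail. The SHA1 fingerprint it prints is in the same format keytool shows at import time, so it can be compared against the value keytool printed before the certificate is trusted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical client-side helper (not part of the original mail, Axis or Tomcat):
 * trusts only the exported myService.cer from a private in-memory truststore,
 * rather than importing it into the JDK-wide cacerts file as root.
 */
public class MyServiceTrust {

    /** Hex SHA1 fingerprint of a certificate, formatted the way keytool prints it. */
    static String sha1Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA1").digest(cert.getEncoded());
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            String hex = Integer.toHexString(digest[i] & 0xff).toUpperCase();
            if (hex.length() == 1) sb.append('0');
            sb.append(hex);
        }
        return sb.toString();
    }

    /** Build an in-memory JKS truststore whose only entry is the certificate in cerPath. */
    static KeyStore trustStoreFor(String cerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(cerPath);
        X509Certificate cert;
        try {
            cert = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
        cert.checkValidity();   // refuse an expired or not-yet-valid certificate up front
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);    // empty keystore: no backing file, no password
        ks.setCertificateEntry("myService", cert);
        return ks;
    }

    /** SSLContext that trusts nothing except what is in trustStore. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the exported file from the mail and a typical Axis service URL.
        String cerPath = args.length > 0 ? args[0] : "myService.cer";
        String serviceUrl = args.length > 1 ? args[1]
            : "https://yourHost.yourDomain:8443/axis/services/myService";

        KeyStore ts = trustStoreFor(cerPath);
        System.out.println("Trusting only SHA1 " + sha1Fingerprint(ts.getCertificate("myService")));

        HttpsURLConnection conn = (HttpsURLConnection) new URL(serviceUrl).openConnection();
        conn.setSSLSocketFactory(contextFor(ts).getSocketFactory());
        conn.connect();   // handshake fails here with SSLHandshakeException if the server cert is not the trusted one
        Certificate[] chain = conn.getServerCertificates();
        System.out.println("Server presented SHA1 " + sha1Fingerprint(chain[0]));
        System.out.println("HTTP status: " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Two points worth knowing when running this: JSSE also checks that the host name in the URL matches the CN the certificate was generated with, so the client must connect to yourHost.yourDomain exactly as entered at keytool -genkey time; and an Axis client that does not build its own connections can be pointed at the same certificate without touching cacerts by saving the truststore to a file (KeyStore.store) and starting the JVM with -Djavax.net.ssl.trustStore=/path/to/that/file.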
Sean McCauliff wrote:
I get the following error message:
SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Couldn't find trusted certificate; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Couldn't find trusted certificate
I have added the server's public key to /root/.keystore and to tomcat/conf/keystore and this still happens. Any ideas?
Thanks,
Sean