You've told Java on the client, 'here is a truststore to use with all SSL connections.' Once you do that, it will check all SERVER certificates against that truststore. I think that you need to add your web service's server certificate to the truststore.
The real experts may yet emerge with a recipe for setting the truststore more selectively so that it applies to MySQL and not to CXF.

On Tue, Sep 22, 2009 at 12:42 PM, Steve Cohen <[email protected]> wrote:
> Thanks, but I don't think that's it. As I indicated originally
>
>> This connection is over https to a Web Server
>> that does not require or accept certificates.
>
> There IS no certificate to add. I don't want this connection to check
> certificates.
>
> Stan Lewis wrote:
>
>> It looks like the client is complaining that it doesn't trust the
>> server's certificate. You probably just need to add the CA for the
>> server's certificate to the truststore that you're passing on the
>> command line, so you'd have the CA and certificate for your MySQL
>> server + the CA for the web service server that your client is
>> connecting to.
>>
>> On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <[email protected]> wrote:
>>
>>> I have a backend application that makes several types of connections. One
>>> is to a Web Service whose client was built with Apache CXF. The other is to
>>> a MySQL database. Because of the unusual security situation in which the
>>> servers are forced to live (DMZ) we need to encrypt the transmissions to
>>> the DB server, so we are going to use MySQL's "REQUIRE SSL" functionality
>>> which requires a certificate from a CA to achieve logon as the database user.
>>> This cert is placed in a truststore which becomes known to the application at
>>> startup via command-line defines:
>>>
>>> -Djavax.net.ssl.trustStore=/path/to/truststore
>>> -Djavax.net.ssl.trustStorePassword=secret
>>>
>>> Since we are not using MySQL's "REQUIRE X509", we do not need client
>>> certificates and keys.
>>>
>>> This all works fine.
>>>
>>> However ...
>>>
>>> I have now discovered that making these command-line defines breaks the
>>> CXF-based Web Service client. This connection is over https to a Web Server
>>> that does not require or accept certificates. When this connection is
>>> attempted with the application in this mode (i.e. with the two defines in
>>> the System properties), it fails with:
>>>
>>> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR address.AddressValidator - [SOAP-ENV:Fault: null] javax.xml.ws.soap.SOAPFaultException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>>>   at $Proxy32.validateLocation(Unknown Source)
>>>   ...
>>> Caused by: org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
>>>   at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>>>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
>>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>>>   at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
>>>   ... 8 more
>>> Caused by: com.ctc.wstx.exc.WstxIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
>>>   at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
>>>   ... 14 more
>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>>>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
>>>   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>>>   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
>>>   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
>>>   at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
>>>   at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>>>   at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>>>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>>>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
>>>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
>>>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>>>   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>>>   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>>>   at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
>>>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>>>   at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
>>>   at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
>>>   at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>>>   at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
>>>   at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
>>>   at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
>>>   ... 15 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
>>>   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
>>>   at sun.security.validator.Validator.validate(Validator.java:218)
>>>   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
>>>   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
>>>   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
>>>   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
>>>   ... 32 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>>>   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>>>   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
>>>   ... 38 more
>>>
>>> If I turn off the SSL requirement and remove the command line defines, this
>>> connection works as designed.
>>>
>>> So the question is
>>>
>>> where is the hook, either in Java or CXF by which I can configure this to
>>> use the SSL cert for the connections to the MySQL server but not for other
>>> types of connection?
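As an added example, not code from this thread or from the CXF project, here is what the hook Steve is asking for looks like: the MySQL truststore is scoped to the JDBC connection through Connector/J's own trust properties (assumed Connector/J 5.1 or later), so the JVM-wide -Djavax.net.ssl.trustStore defines can be dropped and CXF falls back to the JVM's default cacerts; and, should the web service ever sit behind a private CA, the CXF HTTPConduit can be given its own TrustManagers through TLSClientParameters. Certificate validation stays on for both connections; the paths, passwords and the jaxwsPort argument are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class ScopedTrust {

    // Build TrustManagers from one specific truststore file instead of setting
    // javax.net.ssl.trustStore, which would govern every SSL socket in the JVM.
    static TrustManager[] trustManagersFrom(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Give only this CXF client a truststore holding the web service's CA.
    // Validation is still performed; only the set of trusted CAs is scoped.
    static void scopeWebServiceTrust(Object jaxwsPort, String path, char[] pw) throws Exception {
        Client client = ClientProxy.getClient(jaxwsPort);   // jaxwsPort: a JAX-WS proxy (placeholder)
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(trustManagersFrom(path, pw));
        conduit.setTlsClientParameters(tls);
    }

    // Give the MySQL connection its own truststore via Connector/J properties,
    // so the JVM-wide javax.net.ssl.* defines are no longer needed.
    static Connection openMySql(String url, String user, String pw,
                                String truststore, String tsPw) throws Exception {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", pw);
        p.setProperty("useSSL", "true");
        p.setProperty("requireSSL", "true");
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + truststore);
        p.setProperty("trustCertificateKeyStorePassword", tsPw);
        return DriverManager.getConnection(url, p);
    }
}
```

If the web server's certificate chains to a CA already in the JDK's cacerts, the CXF half is unnecessary once the -D defines are removed; scopeWebServiceTrust is only for a private or internal CA.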
