You've told Java on the client, 'here is a truststore to use with all SSL
connections.' Once you do that, it will check all SERVER certificates
against that truststore.
Yes I agree, that is what defining these properties on the command line is doing.

I think that you need to add your web service's
server certificate to the truststore.
I don't think this Web Service provides such a certificate, or, if it does, at any rate, it does not require it and works perfectly well without it when these properties are undefined. Therefore I need some way of using certificates with one connection, and not the other. Is there some other way to configure the application which provides the level of flexibility I require?

Benson Margulies wrote:
You've told Java on the client, 'here is a truststore to use with all SSL
connections.' Once you do that, it will check all SERVER certificates
against that truststore. I think that you need to add your web service's
server certificate to the truststore.

The real experts may yet emerge with a recipe for setting the truststore
more selectively so that it applies to MySQL and not to CXF.


On Tue, Sep 22, 2009 at 12:42 PM, Steve Cohen <[email protected]> wrote:

Thanks, but I don't think that's it.  As I indicated originally:

This connection is over https to a Web Server
that does not require or accept certificates.

There IS no certificate to add.  I don't want this connection to check
certificates.


Stan Lewis wrote:

It looks like the client is complaining that it doesn't trust the
server's certificate.  You probably just need to add the CA for the
server's certificate to the truststore that you're passing on the
command line, so you'd have the CA and certificate for your MySQL
server + the CA for the web service server that your client is
connecting to.

On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <[email protected]> wrote:


I have a backend application that makes several types of connections. One
is to a Web Service whose client was built with Apache CXF.  The other is to
a MySQL database. Because of the unusual security situation in which the
servers are forced to live (DMZ) we need to encrypt the transmissions to
the DB server, so we are going to use MySQL's "REQUIRE SSL" functionality
which requires a certificate from a CA to achieve logon as the database user.
This cert is placed in a truststore which becomes known to the application at
startup via command-line defines:

-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.trustStorePassword=secret

Since we are not using MySQL's "REQUIRE X509", we do not need client
certificates and keys.

This all works fine.

However ...

I have now discovered that making these command-line defines breaks the
CXF-based Web Service client.  This connection is over https to a Web
Server that does not require or accept certificates.  When this connection is
attempted with the application in this mode (i.e. with the two defines in
the System properties), it fails with:


2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR address.AddressValidator  - [SOAP-ENV:Fault: null]
javax.xml.ws.soap.SOAPFaultException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
 at $Proxy32.validateLocation(Unknown Source)
...
Caused by: org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
 at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
 at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
 at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
 at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
 at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
 at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
 ... 8 more
Caused by: com.ctc.wstx.exc.WstxIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
 at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
 ... 14 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
 at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
 at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
 at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
 at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
 at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
 at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
 at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
 at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
 at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
 at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
 ... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
 at sun.security.validator.Validator.validate(Validator.java:218)
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
 ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
 ... 38 more

If I turn off the SSL requirement and remove the command line defines,
this connection works as designed.

So the question is

where is the hook, either in Java or CXF by which I can configure this to
use the SSL cert for the connections to the MySQL server but not for
other types of connection?
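One way to scope trust per connection instead of per JVM, as an added example that is not code from the thread or from CXF: hand the MySQL truststore to Connector/J through JDBC URL properties (trustCertificateKeyStore*, assumed supported by the driver version in use) and give the CXF HTTPConduit its own trust managers via TLSClientParameters, built from the JDK's bundled cacerts so the public web server is still verified. Host, database, truststore path and password are placeholders; the cacerts path and "changeit" password are the JDK defaults and are assumed unchanged; `port` is the JAX-WS proxy returned by the generated service.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class ScopedTrust {

    // MySQL side: the truststore goes to Connector/J as URL properties rather
    // than -Djavax.net.ssl.trustStore, so it applies only to this driver.
    // Host, database, path and password are placeholder values.
    public static String mysqlUrl() {
        return "jdbc:mysql://db.example.internal:3306/appdb"
            + "?useSSL=true&requireSSL=true"
            + "&trustCertificateKeyStoreUrl=file:/path/to/truststore"
            + "&trustCertificateKeyStoreType=JKS"
            + "&trustCertificateKeyStorePassword=secret";
    }

    // CXF side: build trust managers from the JDK's bundled CA store and attach
    // them to this client's conduit, so the web server's public CA is trusted
    // even though the global property (if still set) names the MySQL-only store.
    // The cacerts path and "changeit" are the JDK defaults (assumed unchanged).
    public static void trustPublicCAs(Object port) throws Exception {
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        FileInputStream in = new FileInputStream(path);
        try {
            cacerts.load(in, "changeit".toCharArray());
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(cacerts);

        // Hostname verification stays at its default (enabled). Do not install
        // a trust-all manager here: that silences the PKIX error by dropping
        // server authentication altogether.
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

With the MySQL store scoped to the JDBC URL, the -Djavax.net.ssl.* defines can be dropped entirely and CXF falls back to the JDK defaults on its own; the conduit configuration above is the explicit form of that for cases where the global property must stay.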
