The best option is to check the MySQL stuff to see if they have some non-jvm level methods for controlling the SSL stuff that they use.
For the webservice connection, if it's using SSL, there is definitely some cert being used. Most likely, it's signed by some authority that is available in the default JVM truststore, which is why it works fine without those system properties set. ONE option could be to grab the certs in $JRE_HOME/lib/security/cacerts and create a new truststore with those certs and your MySQL cert and point the system property at that.

Dan

On Tue September 22 2009 11:48:21 am Steve Cohen wrote:
> I have a backend application that makes several types of connections.
> One is to a Web Service whose client was built with Apache CXF. The
> other is to a MySQL database. Because of the unusual security situation
> in which the servers are forced to live (DMZ) we need to encrypt the
> transmissions to the DB server, so we are going to use MySQL's "REQUIRE
> SSL" functionality which requires a certificate from a CA to achieve
> logon as the database user. This cert is placed in a truststore which
> becomes known to the application at startup via command-line defines:
>
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=secret
>
> Since we are not using MySQL's "REQUIRE X509", we do not need client
> certificates and keys.
>
> This all works fine.
>
> However ...
>
> I have now discovered that making these command-line defines breaks the
> CXF-based Web Service client. This connection is over https to a Web
> Server that does not require or accept certificates. When this
> connection is attempted with the application in this mode (i.e. with the
> two defines in the System properties), it fails with:
>
> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR address.AddressValidator - [SOAP-ENV:Fault: null]
> javax.xml.ws.soap.SOAPFaultException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>         at $Proxy32.validateLocation(Unknown Source)
>         ...
> Caused by: org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
>         at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
>         ... 8 more
> Caused by: com.ctc.wstx.exc.WstxIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
>         at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
>         ... 14 more
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
>         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
>         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
>         at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
>         at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
>         ... 15 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
>         at sun.security.validator.Validator.validate(Validator.java:218)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
>         ... 32 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
>         ... 38 more
>
> If I turn off the SSL requirement and remove the command line defines,
> this connection works as designed.
>
> So the question is
>
> where is the hook, either in Java or CXF by which I can configure this
> to use the SSL cert for the connections to the MySQL server but not for
> other types of connection?

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
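The merge Dan suggests, written out as an added example (not code from this thread or from the CXF project): it copies every root in the JRE's cacerts into a new truststore and appends the MySQL CA certificate, so that -Djavax.net.ssl.trustStore can point at the result without losing the public CAs that the CXF https client validates against. It assumes the cacerts file still has its default password "changeit", that the MySQL CA is supplied as a PEM file, and that the new store's password comes from a TRUSTSTORE_PASSWORD environment variable (all three are assumptions, not from the page).

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/**
 * Build a truststore = all JRE default roots + the MySQL CA certificate.
 * Replacing (rather than extending) the default roots is what breaks the
 * CXF client in the thread above: the web server's public CA is no longer
 * trusted once javax.net.ssl.trustStore names a store that lacks it.
 */
public class MergeTrustStore {

    // Assumption: the JRE cacerts file still uses the JDK's documented default password.
    private static final char[] CACERTS_PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: MergeTrustStore <mysql-ca.pem> <merged-truststore>");
            System.exit(2);
        }
        // java.home is the JRE directory, so this resolves to $JRE_HOME/lib/security/cacerts.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path mysqlCaPem = Paths.get(args[0]);   // PEM file holding the MySQL CA chain (assumed input)
        Path output = Paths.get(args[1]);       // store to reference from -Djavax.net.ssl.trustStore
        String pw = System.getenv("TRUSTSTORE_PASSWORD");   // assumed way of supplying the password
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("TRUSTSTORE_PASSWORD is not set");
        }

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            merged.load(in, CACERTS_PASSWORD);  // start from every public root the JRE ships
        }
        int publicRoots = merged.size();

        // Each certificate in the PEM becomes a trusted-certificate entry under its own
        // alias; no private key is stored, matching the "REQUIRE SSL" (not X509) setup.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(mysqlCaPem)) {
            for (Certificate cert : cf.generateCertificates(in)) {
                merged.setCertificateEntry("mysql-ca-" + added++, cert);
            }
        }
        try (OutputStream out = Files.newOutputStream(output)) {
            merged.store(out, pw.toCharArray());
        }
        System.out.printf("wrote %s: %d JRE roots + %d MySQL CA cert(s)%n", output, publicRoots, added);
    }
}
```

After running it, start the application with -Djavax.net.ssl.trustStore pointing at the merged file and -Djavax.net.ssl.trustStorePassword set to the same password; both the MySQL CA and the web server's public CA then chain successfully.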
