On Tue September 22 2009 2:28:13 pm Steve Cohen wrote:
> > ONE option could be to grab the certs in:
> > $JRE_HOME/lib/security/cacerts
> > and create a new truststore with those certs and your MySQL cert and
> > point the system property at that.
>
> Would another option be to put the MySQL cert into
> $JRE_HOME/lib/security/cacerts or is there some good reason you did not
> suggest that?

That's probably valid, I'm just always scared of touching stuff in the default JRE installs. On a shared unix box, you never know what else is using those JRE's that could be affected by that. :-) Plus, if you upgrade your jre, you have to remember to re-add the key and such. In general, I like having everything I need to run things kind of self contained in my version control system if at all possible.

Dan

> Daniel Kulp wrote:
> > The best option is to check the MySQL stuff to see if they have some
> > non-jvm level methods for controlling the SSL stuff that they use.
> >
> > For the webservice connection, if it's using SSL, there is definitely
> > some cert being used. Most likely, it's signed by some authority that
> > is available in the default JVM truststore which is why it works fine
> > without those system properties set.
> >
> > ONE option could be to grab the certs in:
> > $JRE_HOME/lib/security/cacerts
> > and create a new truststore with those certs and your MySQL cert and
> > point the system property at that.
> >
> > Dan
> >
> > On Tue September 22 2009 11:48:21 am Steve Cohen wrote:
> >> I have a backend application that makes several types of connections.
> >> One is to a Web Service whose client was built with Apache CXF. The
> >> other is to a MySQL database. Because of the unusual security situation
> >> in which the servers are forced to live (DMZ) we need to encrypt the
> >> transmissions to the DB server, so we are going to use MySQL's "REQUIRE
> >> SSL" functionality which requires a certificate from a CA to achieve
> >> logon as the database user. This cert is placed in a truststore which
> >> becomes known to the application at startup via command-line defines:
> >>
> >> -Djavax.net.ssl.trustStore=/path/to/truststore
> >> -Djavax.net.ssl.trustStorePassword=secret
> >>
> >> Since we are not using MySQL's "REQUIRE X509", we do not need client
> >> certificates and keys.
> >>
> >> This all works fine.
> >>
> >> However ...
> >>
> >> I have now discovered that making these command-line defines breaks the
> >> CXF-based Web Service client. This connection is over https to a Web
> >> Server that does not require or accept certificates. When this
> >> connection is attempted with the application in this mode (i.e. with the
> >> two defines in the System properties), it fails with:
> >>
> >> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR address.AddressValidator - [SOAP-ENV:Fault: null]
> >> javax.xml.ws.soap.SOAPFaultException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
> >>     at $Proxy32.validateLocation(Unknown Source)
> >>     ...
> >> Caused by: org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
> >>     at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
> >>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
> >>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
> >>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
> >>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> >>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
> >>     ... 8 more
> >> Caused by: com.ctc.wstx.exc.WstxIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
> >>     at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
> >>     ... 14 more
> >> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
> >>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> >>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> >>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
> >>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
> >>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> >>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
> >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
> >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
> >>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
> >>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
> >>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
> >>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
> >>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
> >>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
> >>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
> >>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
> >>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
> >>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
> >>     ... 15 more
> >> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
> >>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
> >>     at sun.security.validator.Validator.validate(Validator.java:218)
> >>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> >>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> >>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> >>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
> >>     ... 32 more
> >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> >>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> >>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
> >>     ... 38 more
> >>
> >> If I turn off the SSL requirement and remove the command line defines,
> >> this connection works as designed.
> >>
> >> So the question is
> >>
> >> where is the hook, either in Java or CXF by which I can configure this
> >> to use the SSL cert for the connections to the MySQL server but not for
> >> other types of connection?

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
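Dan's second option, building a new truststore out of the JRE's default cacerts plus the MySQL CA certificate, as an added example that is not code from this thread. It assumes the stock cacerts password `changeit`, a PEM-encoded MySQL CA certificate, and an output path and password given on the command line; because it reads cacerts from the JRE it runs under, re-running it after a JRE upgrade picks up the new bundle without touching the install itself.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/** Writes a truststore containing the running JRE's cacerts plus one extra CA. */
public class MergeTrustStore {

    // Assumption: the JRE's cacerts still uses its default password.
    private static final char[] CACERTS_PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: MergeTrustStore <mysql-ca.pem> <out.jks> <out-password>");
            System.exit(2);
        }
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");

        // Start from the JRE's own CA bundle so public https endpoints keep working.
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            merged.load(in, CACERTS_PASSWORD);
        }
        int publicCas = merged.size();

        // Add the MySQL server's CA under an alias of our own; a clash with an
        // existing alias would silently replace a public CA, so refuse that.
        String alias = "mysql-ca";
        if (merged.containsAlias(alias)) {
            throw new IllegalStateException("alias already present in cacerts: " + alias);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            Certificate mysqlCa = cf.generateCertificate(in);
            merged.setCertificateEntry(alias, mysqlCa);
        }

        try (OutputStream out = new FileOutputStream(args[1])) {
            merged.store(out, args[2].toCharArray());
        }
        System.out.printf("wrote %s with %d CAs from %s plus %s%n", args[1], publicCas, cacerts, alias);
    }
}
```

Point `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` at the file this writes: the CXF https client still finds the public CA it needs, and the JDBC connection finds the MySQL CA, from the same store.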
