Thanks, Daniel, for your logical explanations. And, I should add, workable ones: it's all good now after importing the cacerts.
Daniel Kulp wrote:
On Tue September 22 2009 2:28:13 pm Steve Cohen wrote:
ONE option could be to grab the certs in:
$JRE_HOME/lib/security/cacerts
and create a new truststore with those certs and your MySQL cert and
point the system property at that.
Would another option be to put the MySQL cert into
$JRE_HOME/lib/security/cacerts or is there some good reason you did not
suggest that?
That's probably valid, I'm just always scared of touching stuff in the default
JRE installs. On a shared unix box, you never know what else is using those
JREs that could be affected by that. :-)
Plus, if you upgrade your JRE, you have to remember to re-add the key and
such. In general, I like having everything I need to run things kind of self-contained
in my version control system if at all possible.
Dan
Daniel Kulp wrote:
The best option is to check the MySQL stuff to see if they have some
non-jvm level methods for controlling the SSL stuff that they use.
For the webservice connection, if it's using SSL, there is definitely
some cert being used. Most likely, it's signed by some authority that
is available in the default JVM truststore which is why it works fine
without those system properties set.
ONE option could be to grab the certs in:
$JRE_HOME/lib/security/cacerts
and create a new truststore with those certs and your MySQL cert and
point the system property at that.
Dan
On Tue September 22 2009 11:48:21 am Steve Cohen wrote:
I have a backend application that makes several types of connections.
One is to a Web Service whose client was built with Apache CXF. The
other is to a MySQL database. Because of the unusual security situation
in which the servers are forced to live (DMZ) we need to encrypt the
transmissions to the DB server, so we are going to use MySQL's "REQUIRE
SSL" functionality which requires a certificate from a CA to achieve
logon as the database user. This cert is placed in a truststore which
becomes known to the application at startup via command-line defines:
-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.trustStorePassword=secret
Since we are not using MySQL's "REQUIRE X509", we do not need client
certificates and keys.
This all works fine.
However ...
I have now discovered that making these command-line defines breaks the
CXF-based Web Service client. This connection is over https to a Web
Server that does not require or accept certificates. When this
connection is attempted with the application in this mode (i.e. with the
two defines in the System properties), it fails with:
2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR address.AddressValidator - [SOAP-ENV:Fault: null]
javax.xml.ws.soap.SOAPFaultException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
    at $Proxy32.validateLocation(Unknown Source)
    ...
Caused by: org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
    at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
    ... 8 more
Caused by: com.ctc.wstx.exc.WstxIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
    at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
    ... 14 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
    ... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 38 more
If I turn off the SSL requirement and remove the command line defines,
this connection works as designed.
So the question is: where is the hook, either in Java or CXF, by which I can
configure this to use the SSL cert for the connections to the MySQL server but
not for other types of connection?
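The two per-connection hooks this question asks about, written out as an added example (not code from this thread or from either project): CXF's TLSClientParameters pins the web-service client to the JVM's default trust explicitly, and Connector/J's trustCertificateKeyStoreUrl connection property (assumed Connector/J 5.1 or later) hands MySQL its own truststore, so the global javax.net.ssl.trustStore defines are never set and cannot break other HTTPS connections. The port object, truststore path and password are placeholders.

```java
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class PerConnectionTrust {

    /** Builds an X509TrustManager from a keystore. A null keystore yields the JVM
     *  default trust (lib/security/cacerts), as long as javax.net.ssl.trustStore
     *  has NOT been overridden on the command line. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** CXF hook: attach the default trust store to this client's HTTP conduit only.
     *  'port' is the JAX-WS proxy returned by the generated Service class (placeholder). */
    static void useDefaultTrustForCxf(Object port) throws Exception {
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getConduit(port);
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(new TrustManager[] { trustManagerFor(null) });
        conduit.setTlsClientParameters(tls);
    }

    /** MySQL hook: Connector/J reads its trust store from connection properties
     *  (pass these to DriverManager.getConnection(url, props)), so the
     *  -Djavax.net.ssl.* defines are not needed at all. Path/password are placeholders. */
    static Properties mysqlSslProps(String user, String password,
                                    String trustStorePath, String trustStorePassword) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("useSSL", "true");
        p.setProperty("requireSSL", "true");   // matches the server-side REQUIRE SSL
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + trustStorePath);
        p.setProperty("trustCertificateKeyStorePassword", trustStorePassword);
        return p;
    }
}
```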