- I have an app acting like a WS client deployed in WL

- The WS server (external company) uses a self-signed certificate (MUST
be self-signed :( . Don't ask why)

- We added the certificate to the custom trust store configured in WL

- We configure the managed server to be more "verbose" about SSL stuff

- When the managed server starts it outputs the following lines in the log:

<Dec 13, 2010 5:31:21 PM ARST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /wldomains/desa_domain/TrustCTWebservices.jks.>
<Dec 13, 2010 5:31:21 PM ARST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loaded 1 trusted CAs from /wldomains/desa_domain/TrustCTWebservices.jks>
<Dec 13, 2010 5:31:21 PM ARST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=jserver, OU=SWG, O=IBM, C=US; Issuer: CN=jserver, OU=SWG, O=IBM, C=US>

- In these lines, we can see the certificate that interests us (jserver)

- When the app does a WS request we see in the log:

<Dec 13, 2010 5:32:43 PM ARST> <Notice> <Stdout> <BEA-000000> <trustStore is: /opt/bea/jrockit_160_05/jre/lib/security/cacerts> (THE VM's DEFAULT KEYSTORE!!!!!!)

- The request fails (unable to find valid certification path to
requested target). Full stack below.

- If we add the cert to
/opt/bea/jrockit_160_05/jre/lib/security/cacerts everything works ok
but I have doubts that this is right.

Should we tell CXF not to use the default keystore?

Sorry if this question is WL specific

Thank you very much

Regards




2010/12/13 13:13:47.840 [ERROR] [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-9] [ar.com.link.gp.services.impl.WebserviceConfirmacionServiceImpl -  55] - Error - informarPagos
javax.xml.ws.WebServiceException: Could not send Message.
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
        at $Proxy549.confirmaPago(Unknown Source)
        at ar.com.link.gp.services.impl.WebServiceClientServiceImpl.confirmaPago(WebServiceClientServiceImpl.java:103)
        at ar.com.link.gp.services.impl.WebServiceClientServiceSinConceptoDecorator.confirmaPago(WebServiceClientServiceSinConceptoDecorator.java:33)
        at ar.com.link.gp.services.impl.WebserviceConfirmacionServiceImpl.informarPagos(WebserviceConfirmacionServiceImpl.java:50)
        at ar.com.link.gp.services.impl.ConfirmacionServiceImpl.procesarConfirmaciones(ConfirmacionServiceImpl.java:132)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at ar.com.link.logging.interceptor.LoggingInterceptor.invoke(LoggingInterceptor.java:74)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy136.procesarConfirmaciones(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:276)
        at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:260)
        at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1239)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1251)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:43)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
        at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
        at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:238)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1951)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1903)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1969)
        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:637)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:483)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:309)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:261)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
        ... 25 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:1830)
        at weblogic.net.http.HttpsClient.getSSLSession(HttpsClient.java:537)
        at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:257)
        at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:237)
        ... 41 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
        ... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
        ... 57 more
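
Added example, not part of the original post: one way to make a single CXF client validate the server against a dedicated JKS trust store, such as the TrustCTWebservices.jks file named in the log above, instead of adding the self-signed certificate to the JVM-wide cacerts. The class name CxfTrustStoreConfig, the method useTrustStore and its parameters are hypothetical; the CXF calls used are TLSClientParameters, ClientProxy.getClient and HTTPConduit.setTlsClientParameters.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper (added example): scopes trust in the partner's
// self-signed certificate to one CXF client, not to the whole JVM.
public final class CxfTrustStoreConfig {

    private CxfTrustStoreConfig() {}

    /**
     * @param port     the JAX-WS proxy created by CXF for the remote service
     * @param jksPath  path to the JKS file holding only the certificates to trust
     * @param password trust store password (supplied by the caller, never hard-coded)
     */
    public static void useTrustStore(Object port, String jksPath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(jksPath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        // Fail early on an empty store rather than at handshake time.
        if (trustStore.size() == 0) {
            throw new IllegalStateException("trust store is empty: " + jksPath);
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        // disableCNCheck is left at its default (false): hostname checking stays on.

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Call it once on the proxy before the first request. The stack trace shows the connection going through WebLogic's own handler (weblogic.net.http); whether that handler honours the conduit's TLS parameters is an assumption this page does not confirm.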
