Hi All,
I've hit a wall and need to reach out for advice and clarity from this group! :)
Problem:
I keep getting a ClientTransportException:
"com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
I have configured my channel and settings according to the cxf documentation and the many posts I've read by users of this group, most notably Glen Mazza's post (http://www.jroller.com/gmazza/entry/ssl_for_web_services).
Summary:
1. I'm writing the soap client code using 2-way auth. (server self-signed certificate, username/password from me, and over ssl). I'm using cxf 2.5.2.
2. I do not have control over the server-side. However, I have verified that the server "works" by hitting the soap service using SoapUI (with auth enabled).
3. It appears the problem is in the way I'm configuring SSL in my client code.
4. My conduit block (in cxf.xml) looks like this:
<http:conduit name="{http://foo.bar.com/service}*.http-conduit">
    <http:authorization>
        <sec:UserName>myUserName</sec:UserName>
        <sec:Password>myPassword</sec:Password>
    </http:authorization>
    <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
        <sec:trustManagers>
            <sec:keyStore type="JKS" password="password" file="/Users/myaccount/Downloads/CertStuff/trustcert.jks"/>
        </sec:trustManagers>
        <sec:keyManagers>
            <sec:keyStore type="JKS" password="password" file="/Users/myaccount/Downloads/CertStuff/keystore.jks"/>
        </sec:keyManagers>
        <sec:cipherSuitesFilter>
            <!-- these filters ensure that a ciphersuite with
                 export-suitable or null encryption is used,
                 but exclude anonymous Diffie-Hellman key change as
                 this is vulnerable to man-in-the-middle attacks -->
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
</http:conduit>
5. The above is the only SSL/CXF config I do. The cxf.xml file is properly located in WEB-INF/classes in tomcat.
6. I made the trustcert.jks and keystore.jks files using keytool and the server self-signed certificate .cer file.
7. Programmatically, I verify the target url is the expected "https://...." service end point (from Glen Mazza's blog).
BindingProvider portBP = (BindingProvider) servicePort;
String urlUsed = (String) portBP.getRequestContext().get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
System.out.println("Using URL: " + urlUsed);
8. Programmatically, I find that the context does NOT contain the expected username/password from the cxf.xml config file.
String username = (String) portBP.getRequestContext().get(BindingProvider.USERNAME_PROPERTY);
String password = (String) portBP.getRequestContext().get(BindingProvider.PASSWORD_PROPERTY);
(both username and password are null in the above 2 lines of code).
9. Is there any way I can verify the cxf.xml file is actually processed and the http:conduit conf settings are processed?
10. I would appreciate any and all suggestions as to why I'm getting the ClientTransportException.
Thanks in advance!
Mark
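Added example, not from the post above: a hypothetical diagnostic helper (class name ConduitCheck is mine) that answers item 9 by reading back the settings CXF actually applied to the port's HTTPConduit, instead of reading the BindingProvider request context, which the http:authorization block never populates. It assumes the port proxy object from the post (servicePort) and CXF 2.5.x on the classpath; the exception package in the post (com.sun.xml.ws) belongs to the JDK's JAX-WS RI, and the first check below tells you whether the proxy came from CXF at all.

```java
import javax.xml.namespace.QName;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical diagnostic helper (not part of CXF). Call ConduitCheck.dump(servicePort)
// right after the port is created and before the first invocation.
public final class ConduitCheck {

    public static void dump(Object servicePort) {
        Client client;
        try {
            client = ClientProxy.getClient(servicePort);
        } catch (RuntimeException e) {
            // A proxy that was not built by CXF (for example the JDK's JAX-WS RI, whose
            // classes live in com.sun.xml.ws) fails this cast. In that case cxf.xml is
            // never read, whatever it contains, and the trust store is not in play.
            System.out.println("Port is not a CXF proxy: " + servicePort.getClass().getName());
            return;
        }

        // The conduit name in cxf.xml is "{namespace}portName.http-conduit" (wildcards
        // allowed). Print the real port QName so the pattern can be compared against it.
        QName port = client.getEndpoint().getEndpointInfo().getName();
        System.out.println("Port QName: " + port + " -> conduit name must match {"
                + port.getNamespaceURI() + "}" + port.getLocalPart() + ".http-conduit");
        System.out.println("Address: " + client.getEndpoint().getEndpointInfo().getAddress());

        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        // http:authorization sets the conduit's AuthorizationPolicy; it does not put
        // USERNAME_PROPERTY/PASSWORD_PROPERTY into the request context, so null there is normal.
        AuthorizationPolicy auth = conduit.getAuthorization();
        System.out.println("Authorization user: " + (auth == null ? "<none>" : auth.getUserName()));

        // Null TLS parameters means the http:conduit block was not matched or not loaded
        // and the default JDK trust store (cacerts) decides the PKIX path.
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            System.out.println("No TLSClientParameters: the http:conduit block was not applied");
            return;
        }
        System.out.println("protocol=" + tls.getSecureSocketProtocol()
                + " disableCNCheck=" + tls.isDisableCNCheck()
                + " trustManagers=" + (tls.getTrustManagers() == null ? 0 : tls.getTrustManagers().length)
                + " keyManagers=" + (tls.getKeyManagers() == null ? 0 : tls.getKeyManagers().length));
    }
}
```

If the first line printed is "Port is not a CXF proxy", fix the classpath or the Service/port creation before touching the trust store; if trustManagers prints 0, the conduit name pattern is the thing to compare against the printed QName.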