Hi Glen,

Thanks!  I'll try that and report my findings back to the list.

One question though:  I'm still baffled why the username/password were null 
when I tried to access them programmatically.  It makes me wonder if the 
cxf.xml file is even being processed.  Any ideas?

Thanks again!
Mark



On Apr 17, 2012, at 6:14 PM, Glen Mazza wrote:

> My guess is that your SOAP client is not detecting the truststore that you've 
> configured for it (configuration syntax problem somewhere), and is instead 
> looking for the server's public key in the JRE's truststore (the cacerts 
> file) instead, and not finding it.  (See Step #8 of my SSL tutorial you've 
> referenced.)  That error message you're getting is most commonly because of 
> that.  You can probably confirm that's the issue by placing the server cert 
> in the cacerts file and it would probably run without error.
> 
> The name attribute to your http:conduit element might be the configuration 
> problem -- I'd temporarily switch it to "*.http-conduit" without the 
> namespace (that should activate that element for every SSL call), then change 
> it again to the precise port name w/the namespace (don't use an asterisk this 
> time).
> 
> HTH,
> Glen
> 
> 
> On 04/17/2012 05:44 PM, Mark Thompson wrote:
>> Hi All,
>> 
>> I've hit a wall and need to reach out for advice and clarity from this 
>> group! :)
>> 
>> *
>> Problem*:
>> I keep getting a ClientTransportException:
>> 
>> "/com.sun.xml.ws.client.ClientTransportException: HTTP transport error: 
>> javax.net.ssl.SSLHandshakeException: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target/"
>> 
>> I have configured my channel and settings according to the cxf documentation 
>> and the many posts I've read by users of this group, most notably Glen 
>> Mazza's post (http://www.jroller.com/gmazza/entry/ssl_for_web_services).
>> 
>> 
>> 
>> *Summary*:
>> 1. I'm writing the soap client code using 2-way auth. (server self-signed 
>> certificate, username/password from me, and over ssl).  I'm using cxf 2.5.2
>> 
>> 2. I do not have control over the server-side.  However, I have verified 
>> that the server "works" by hitting the soap service using SoapUI (with auth 
>> enabled).
>> 
>> 3. It appears the problem is in the way I'm configuring SSL in my client 
>> code.
>> 
>> 4. my conduit block (in cxf.xml) looks like this:
>> 
>> <http:conduit name="{http://foo.bar.com/service}*.http-conduit">
>> <http:authorization>
>> <sec:UserName>myUserName</sec:UserName>
>> <sec:Password>myPassword</sec:Password>
>> </http:authorization>
>> 
>> <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
>> <sec:trustManagers>
>> <sec:keyStore type="JKS" password="password" 
>> file="/Users/myaccount/Downloads/CertStuff/trustcert.jks"/>
>> </sec:trustManagers>
>> 
>> <sec:keyManagers>
>> <sec:keyStore type="JKS" password="password" 
>> file="/Users/myaccount/Downloads/CertStuff/keystore.jks"/>
>> </sec:keyManagers>
>> 
>> <sec:cipherSuitesFilter>
>> <!-- these filters ensure that a ciphersuite with
>>              export-suitable or null encryption is used,
>>              but exclude anonymous Diffie-Hellman key change as
>>              this is vulnerable to man-in-the-middle attacks -->
>> <sec:include>.*_EXPORT_.*</sec:include>
>> <sec:include>.*_EXPORT1024_.*</sec:include>
>> <sec:include>.*_WITH_DES_.*</sec:include>
>> <sec:include>.*_WITH_NULL_.*</sec:include>
>> <sec:exclude>.*_DH_anon_.*</sec:exclude>
>> </sec:cipherSuitesFilter>
>> </http:tlsClientParameters>
>> </http:conduit>
>> 
>> 5. The above is the only SSL/CXF config I do.  The cxf.xml file is properly 
>> located in WEB-INF/classes in tomcat.
>> 
>> 6. I made the trustcert.jks and keystore.jks files using keytool and the 
>> server self-signed certificate .cer file.
>> 
>> 7. Programmatically, I verify the target url is the expected "https://...." 
>> service end point (from Glen Mazza's blog).
>> 
>>                BindingProvider portBP = (BindingProvider) servicePort;
>>                String urlUsed = (String) 
>> portBP.getRequestContext().get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
>>                System.out.println("Using URL: " + urlUsed);
>> 
>> 
>> 8. Programmatically, I find that the context does NOT contain the expected 
>> username/password from the cxf.xml config file.
>> 
>>                String username = (String) 
>> portBP.getRequestContext().get(BindingProvider.USERNAME_PROPERTY);
>>                String password = (String) 
>> portBP.getRequestContext().get(BindingProvider.PASSWORD_PROPERTY);
>> 
>>                (both username and password are null in the above 2 lines of 
>> code).
>> 
>> 9. Is there any way I can verify the cxf.xml file is actually processed and 
>> the http:conduit conf settings are processed?
>> 
>> 10.  I would appreciate any and all suggestions as to why I'm getting the 
>> ClientTransportException.
>> 
>> 
>> Thanks in advance!
>> Mark
>> 
>> 
>> 
>> 
>> **
> 
> 
> -- 
> Glen Mazza
> Talend Community Coders
> coders.talend.com
> blog: www.jroller.com/gmazza
> 
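A programmatic answer to Mark's question 9, added here as an example rather than code from the thread: CXF applies http:authorization to the HTTPConduit's AuthorizationPolicy and http:tlsClientParameters to its TLSClientParameters, not to the JAX-WS request context, so inspecting the conduit (rather than BindingProvider.USERNAME_PROPERTY) shows whether the cxf.xml block matched the port. It assumes the CXF 2.5 API named in the thread, that servicePort is the JAX-WS proxy from the post, and that it runs before the first call on the proxy.

```java
import javax.net.ssl.TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Reports what CXF actually applied to the conduit behind a JAX-WS proxy (example code). */
public final class ConduitConfigCheck {

    /** Returns true only if both the authorization and the TLS block were applied. */
    public static boolean report(Object servicePort) {
        // ClientProxy.getClient unwraps the JAX-WS proxy to the CXF Client.
        Client client = ClientProxy.getClient(servicePort);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        // http:authorization lands here, not in the BindingProvider request context.
        AuthorizationPolicy auth = conduit.getAuthorization();
        boolean authApplied = auth != null && auth.getUserName() != null;
        System.out.println("authorization user present: " + authApplied);

        // http:tlsClientParameters lands here. Before the first call, null means the
        // conduit name did not match the port, so trust falls back to the JRE defaults
        // (the cacerts file), which is the situation Glen describes.
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            System.out.println("no TLS parameters: http:conduit block not applied");
            return false;
        }
        TrustManager[] tms = tls.getTrustManagers();
        System.out.println("trust managers: " + (tms == null ? 0 : tms.length));
        System.out.println("protocol: " + tls.getSecureSocketProtocol());
        System.out.println("CN check disabled: " + tls.isDisableCNCheck());

        // Print the effective cipher-suite filter so weak includes are visible.
        FiltersType filter = tls.getCipherSuitesFilter();
        if (filter != null) {
            for (String pattern : filter.getInclude()) {
                System.out.println("include: " + pattern);
            }
            for (String pattern : filter.getExclude()) {
                System.out.println("exclude: " + pattern);
            }
        }
        return authApplied && tms != null && tms.length > 0;
    }
}
```

The include patterns in the posted filter (.*_EXPORT_.*, .*_WITH_DES_.*, .*_WITH_NULL_.*) admit export-grade, DES and null-encryption suites, as the filter's own comment states; printing the effective filter makes that visible so the patterns can be replaced before the client is used outside a test.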
