Hello,
I have set up a CXF endpoint on Tomcat. I have enabled SSL on Tomcat.
I am able to access the deployed web service using
http://localhost:8080/webapp/services/one.
When I use the SSL port (https://localhost:8443/webapp/services/one) and try
accessing the same web service through my Java program, I get the following:
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX
path building failed: java.security.cert.CertPathBuilderException: unable
to find valid certification path to requested target
at com.ibm.jsse2.j.a(j.java:36)
at com.ibm.jsse2.qc.a(qc.java:199)
at com.ibm.jsse2.ab.a(ab.java:171)
at com.ibm.jsse2.ab.a(ab.java:180)
at com.ibm.jsse2.bb.a(bb.java:346)
at com.ibm.jsse2.bb.a(bb.java:559)
at com.ibm.jsse2.ab.r(ab.java:554)
at com.ibm.jsse2.ab.a(ab.java:325)
at com.ibm.jsse2.qc.a(qc.java:617)
at com.ibm.jsse2.qc.h(qc.java:103)
at com.ibm.jsse2.qc.a(qc.java:166)
at com.ibm.jsse2.qc.startHandshake(qc.java:649)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:62)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:22)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1103)
at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:16)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1290)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1246)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
Then I added an http-conduit, as per this link
<http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html>,
to the Spring beans definition as follows:
<http:conduit name="{http://com.mycompany/services}ONEPort.http-conduit">
    <http:tlsClientParameters>
        <sec:keyManagers keyPassword="keyPassword">
            <sec:keyStore file="src/test/resources/keystore.jks"
                          password="keyStorepassword" type="JKS" />
        </sec:keyManagers>
        <sec:trustManagers>
            <sec:keyStore file="src/test/resources/keystore.jks"
                          password="keyStorepassword" type="JKS" />
        </sec:trustManagers>
        <sec:cipherSuitesFilter>
            <!-- these filters ensure that a ciphersuite with
                 export-suitable or null encryption is used, but exclude
                 anonymous Diffie-Hellman key change as this is vulnerable
                 to man-in-the-middle attacks -->
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
</http:conduit>
Now I get:
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at com.ibm.crypto.provider.s.recover(s.java:90)
at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
at java.security.KeyStore.getKey(KeyStore.java:803)
at com.ibm.jsse2.uc.<init>(uc.java:113)
at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)
at org.apache.cxf.configuration.jsse.TLSClientParametersConfig.createTLSClientParametersFromType(TLSClientParametersConfig.java:110)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:618)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160)
Could anyone please point out what I am doing wrong here?
Is there anything I need to do in the web service endpoint Spring configuration
(apart from setting up Tomcat for SSL) to ensure I can access the web service
using https?
I know I need to add an http-conduit element on the client side. But I seem to be
doing something wrong.
Thanks,
Giriraj.
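The following is an added example, not code from the original post or from the CXF project. It builds the same TLS client parameters as the <http:conduit> block above, but programmatically through CXF's TLSClientParameters API, so that the two errors in the traces map onto the two places they come from: "PKIX path building failed" is raised by the trust manager when the trust store it was given (by default the JVM's cacerts) holds neither Tomcat's certificate nor its issuer, and "Cannot recover key" is raised by the JKS provider inside KeyManagerFactory.init when the key password handed to it (sec:keyManagers/@keyPassword in the XML) does not match the password the private-key entry was stored with, which can differ from the store password on sec:keyStore. Assumptions: `port` is the JAX-WS proxy for ONEPort obtained from the generated service class; `src/test/resources/truststore.jks` is a hypothetical separate trust store holding the Tomcat certificate (the post reuses keystore.jks for both roles); the passwords are the placeholders from the post. The cipher-suite filter here includes only AES suites and excludes the NULL, EXPORT, DES and anonymous-DH suites that the posted filter lets through.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Programmatic equivalent of the posted <http:conduit>, with both failure points made explicit. */
public final class TlsConduitConfigurer {

    private TlsConduitConfigurer() {}

    /** Loads a JKS file. The store password checks the file's integrity; it is not the key password. */
    static KeyStore loadStore(Path file, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /**
     * Trust managers used to validate the server's chain. The store must contain the certificate
     * Tomcat presents, or its issuing CA; otherwise the handshake fails with
     * "PKIX path building failed ... unable to find valid certification path to requested target".
     */
    static TrustManager[] trustManagers(Path trustStore, char[] storePassword) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStore, storePassword));
        return tmf.getTrustManagers();
    }

    /**
     * Key managers for client authentication. The second password is the private-key entry's
     * password (sec:keyManagers/@keyPassword). If it does not match the password the key was
     * stored with, the JKS provider throws UnrecoverableKeyException("Cannot recover key").
     */
    static KeyManager[] keyManagers(Path keyStore, char[] storePassword, char[] keyPassword)
            throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        try {
            kmf.init(loadStore(keyStore, storePassword), keyPassword);
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException("keyPassword does not match the private-key entry in "
                + keyStore + " (a key entry may carry a different password from the store)", e);
        }
        return kmf.getKeyManagers();
    }

    /** Cipher-suite filter: AES suites only; no NULL, EXPORT, DES or anonymous-DH suites. */
    static FiltersType strongCipherSuites() {
        FiltersType filters = new FiltersType();
        filters.getInclude().add(".*_WITH_AES_.*");
        filters.getExclude().addAll(Arrays.asList(
            ".*_WITH_NULL_.*", ".*_EXPORT.*", ".*_WITH_DES_.*", ".*_DH_anon_.*"));
        return filters;
    }

    /** Applies the TLS parameters to the HTTP conduit behind a JAX-WS proxy (the assumed ONEPort). */
    static void configure(Object port, Path trustStore, char[] trustStorePassword,
                          Path keyStore, char[] keyStorePassword, char[] keyPassword)
            throws Exception {
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(trustManagers(trustStore, trustStorePassword));
        tls.setKeyManagers(keyManagers(keyStore, keyStorePassword, keyPassword));
        tls.setCipherSuitesFilter(strongCipherSuites());
        // Keep hostname verification on: the server certificate must be issued for "localhost".
        tls.setDisableCNCheck(false);

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }

    /** Wiring with the post's placeholder paths and passwords; truststore.jks is hypothetical. */
    static void configureOnePort(Object onePort) throws Exception {
        configure(onePort,
            Paths.get("src/test/resources/truststore.jks"), "trustStorePassword".toCharArray(),
            Paths.get("src/test/resources/keystore.jks"), "keyStorepassword".toCharArray(),
            "keyPassword".toCharArray());
    }
}
```

Call `configureOnePort(port)` on the proxy before its first invocation, with the trust store holding the certificate Tomcat serves on 8443 (exported from the Tomcat keystore and imported with keytool). If the server does not request a client certificate, the key managers can be left out entirely, which also removes the second error; if it does, check the private-key entry's own password rather than assuming it equals the store password.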