Hi,

This exception may be because you provided a wrong key password (password for alias). Please check again.

Regards.
Xilai Dai

-----Original Message-----
From: Giriraj Bhojak [mailto:[email protected]]
Sent: Thursday, July 10, 2014 5:36 AM
To: [email protected]
Subject: Using SSL with CXF web service

Hello,

I have set up a CXF endpoint on Tomcat. I have enabled SSL on Tomcat. I am able to access the deployed web service using http://localhost:8080/webapp/services/one.

When I use the SSL port (https://localhost:8443/webapp/services/one) and try accessing the same web service through my Java program, I get the following:

    Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
        at com.ibm.jsse2.j.a(j.java:36)
        at com.ibm.jsse2.qc.a(qc.java:199)
        at com.ibm.jsse2.ab.a(ab.java:171)
        at com.ibm.jsse2.ab.a(ab.java:180)
        at com.ibm.jsse2.bb.a(bb.java:346)
        at com.ibm.jsse2.bb.a(bb.java:559)
        at com.ibm.jsse2.ab.r(ab.java:554)
        at com.ibm.jsse2.ab.a(ab.java:325)
        at com.ibm.jsse2.qc.a(qc.java:617)
        at com.ibm.jsse2.qc.h(qc.java:103)
        at com.ibm.jsse2.qc.a(qc.java:166)
        at com.ibm.jsse2.qc.startHandshake(qc.java:649)
        at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:62)
        at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:22)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1103)
        at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:16)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1290)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1246)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)

Then I added http-conduit as per this link <http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html>, to the Spring beans definition as follows:

    <http:conduit name="{http://com.mycompany/services}ONEPort.http-conduit">
      <http:tlsClientParameters>
        <sec:keyManagers keyPassword="keyPassword">
          <sec:keyStore file="src/test/resources/keystore.jks"
                        password="keyStorepassword" type="JKS" />
        </sec:keyManagers>
        <sec:trustManagers>
          <sec:keyStore file="src/test/resources/keystore.jks"
                        password="keyStorepassword" type="JKS" />
        </sec:trustManagers>
        <sec:cipherSuitesFilter>
          <!-- these filters ensure that a ciphersuite with
               export-suitable or null encryption is used,
               but exclude anonymous Diffie-Hellman key exchange as
               this is vulnerable to man-in-the-middle attacks -->
          <sec:include>.*_EXPORT_.*</sec:include>
          <sec:include>.*_EXPORT1024_.*</sec:include>
          <sec:include>.*_WITH_DES_.*</sec:include>
          <sec:include>.*_WITH_AES_.*</sec:include>
          <sec:include>.*_WITH_NULL_.*</sec:include>
          <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
      </http:tlsClientParameters>
    </http:conduit>

Now I get:

    Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at com.ibm.crypto.provider.s.recover(s.java:90)
        at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
        at java.security.KeyStore.getKey(KeyStore.java:803)
        at com.ibm.jsse2.uc.<init>(uc.java:113)
        at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
        at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)
        at org.apache.cxf.configuration.jsse.TLSClientParametersConfig.createTLSClientParametersFromType(TLSClientParametersConfig.java:110)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:618)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160)

Could anyone please point out what I am doing wrong here? Is there anything I need to do in the web service endpoint Spring configuration (apart from setting up Tomcat for SSL) to ensure I can access the web service using https? I know I need to add the http-conduit element on the client side. But I seem to be doing something wrong.

Thanks,
Giriraj.
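
A way to check the key password outside CXF, as an added example that is not part of the thread or of the CXF project: it loads the JKS file with the store password, then calls KeyStore.getKey on every key entry with the key password, which is the call that fails in the second stack trace. It also lists the certificate entries so you can see whether the Tomcat certificate is present for the trust manager. The class name KeystoreCheck is hypothetical; the default path is the one from the posted configuration.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical diagnostic helper, not part of CXF.
public class KeystoreCheck {

    // Returns true only if every key entry can be recovered with keyPassword.
    static boolean check(KeyStore ks, char[] keyPassword) throws Exception {
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry" : "certificate entry";
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                kind += ", subject=" + x.getSubjectX500Principal()
                      + ", issuer=" + x.getIssuerX500Principal();
            }
            if (ks.isKeyEntry(alias)) {
                try {
                    ks.getKey(alias, keyPassword); // same call as in the stack trace
                    kind += ", key password OK";
                } catch (UnrecoverableKeyException e) {
                    ok = false;
                    kind += ", key password WRONG (" + e.getMessage() + ")";
                }
            }
            System.out.println(alias + ": " + kind);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "src/test/resources/keystore.jks";
        Console con = System.console();
        if (con == null) throw new IllegalStateException("run from an interactive terminal");
        // Prompt instead of taking passwords as arguments, so they stay out of shell history.
        char[] storePass = con.readPassword("%s", "Keystore password: ");
        char[] keyPass = con.readPassword("%s", "Key password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass); // a wrong store password fails here with IOException
        }
        System.exit(check(ks, keyPass) ? 0 : 1);
    }
}
```

If a key entry reports WRONG, the value of keyPassword on sec:keyManagers does not match the password that alias was created with.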
