Hi Xilai,

Thank you for the reply. I did check the passwords and they were correct. It turns out that the keystore and key passwords need to be the same. Once I used a new keystore with identical passwords for the key and the store itself, the error went away.
Is this a limitation of Merlin or Java keystore in general? Now I have moved on to different errors.

Thanks,
Giriraj.

On Jul 9, 2014 10:09 PM, "XiLai Dai" <[email protected]> wrote:

> Hi,
>
> This exception may be because you had provided a wrong key password
> (password for alias). Please check again.
>
> Regards.
> Xilai Dai
>
> -----Original Message-----
> From: Giriraj Bhojak [mailto:[email protected]]
> Sent: Thursday, July 10, 2014 5:36 AM
> To: [email protected]
> Subject: Using SSL with CXF web service
>
> Hello,
>
> I have set up a CXF endpoint on Tomcat. I have enabled SSL on Tomcat.
> I am able to access the deployed web service using
> http://localhost:8080/webapp/services/one.
> When I use the SSL port (https://localhost:8443/webapp/services/one) and
> try accessing the same web service through my Java program, I get the following:
>
> Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
>     at com.ibm.jsse2.j.a(j.java:36)
>     at com.ibm.jsse2.qc.a(qc.java:199)
>     at com.ibm.jsse2.ab.a(ab.java:171)
>     at com.ibm.jsse2.ab.a(ab.java:180)
>     at com.ibm.jsse2.bb.a(bb.java:346)
>     at com.ibm.jsse2.bb.a(bb.java:559)
>     at com.ibm.jsse2.ab.r(ab.java:554)
>     at com.ibm.jsse2.ab.a(ab.java:325)
>     at com.ibm.jsse2.qc.a(qc.java:617)
>     at com.ibm.jsse2.qc.h(qc.java:103)
>     at com.ibm.jsse2.qc.a(qc.java:166)
>     at com.ibm.jsse2.qc.startHandshake(qc.java:649)
>     at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:62)
>     at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:22)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1103)
>     at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:16)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1290)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1246)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
>
> Then I added http-conduit as per this link
> <http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html>,
> to the Spring beans definition as follows:
>
> <http:conduit name="{http://com.mycompany/services}ONEPort.http-conduit">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="keyPassword">
>       <sec:keyStore file="src/test/resources/keystore.jks"
>                     password="keyStorepassword" type="JKS" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore file="src/test/resources/keystore.jks"
>                     password="keyStorepassword" type="JKS" />
>     </sec:trustManagers>
>     <sec:cipherSuitesFilter>
>       <!-- these filters ensure that a ciphersuite with export-suitable or
>            null encryption is used, but exclude anonymous Diffie-Hellman key change
>            as this is vulnerable to man-in-the-middle attacks -->
>       <sec:include>.*_EXPORT_.*</sec:include>
>       <sec:include>.*_EXPORT1024_.*</sec:include>
>       <sec:include>.*_WITH_DES_.*</sec:include>
>       <sec:include>.*_WITH_AES_.*</sec:include>
>       <sec:include>.*_WITH_NULL_.*</sec:include>
>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
>     </sec:cipherSuitesFilter>
>   </http:tlsClientParameters>
> </http:conduit>
>
> Now I get:
>
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>     at com.ibm.crypto.provider.s.recover(s.java:90)
>     at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
>     at java.security.KeyStore.getKey(KeyStore.java:803)
>     at com.ibm.jsse2.uc.<init>(uc.java:113)
>     at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
>     at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
>     at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)
>     at org.apache.cxf.configuration.jsse.TLSClientParametersConfig.createTLSClientParametersFromType(TLSClientParametersConfig.java:110)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>     at java.lang.reflect.Method.invoke(Method.java:618)
>     at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160)
>
> Could anyone please point out what I am doing wrong here?
>
> Is there anything I need to do in the web service endpoint Spring
> configuration (apart from setting up Tomcat for SSL) to ensure I can access
> the web service using https?
> I know I need to add the http-conduit element on the client side. But I seem to be
> doing something wrong.
>
> Thanks,
> Giriraj.
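A hardened version of the conduit quoted above, added here as an illustration and not taken from the thread or from CXF's own docs: the "Cannot recover key" in the trace is KeyManagerFactory.init failing to open the private-key entry with the key password it was handed (a JKS file may legitimately use a store password and a different entry password, which is what the keyPassword attribute is for), and the quoted cipher-suite filter includes EXPORT, DES and NULL suites, so this variant allows only AES suites. The conduit name, file paths, passwords and the http/sec prefixes (assumed to be declared as in the thread's beans file) are placeholders.

```xml
<!-- Added example (not from the thread). Names, paths and passwords are placeholders. -->
<http:conduit name="{http://com.mycompany/services}ONEPort.http-conduit">
  <!-- Pin the protocol version instead of taking the JSSE default. -->
  <http:tlsClientParameters secureSocketProtocol="TLSv1.2">
    <!-- keyPassword is the password of the private-key entry, not of the store.
         The two may differ; "Cannot recover key" means this value did not open
         the entry under the expected alias. -->
    <sec:keyManagers keyPassword="changeit-key">
      <sec:keyStore file="src/test/resources/client-keystore.jks"
                    password="changeit-store" type="JKS" />
    </sec:keyManagers>
    <!-- Trust only the CA that issued the Tomcat certificate, kept in its own
         file so the client's private key is not also serving as a trust anchor. -->
    <sec:trustManagers>
      <sec:keyStore file="src/test/resources/truststore.jks"
                    password="changeit-trust" type="JKS" />
    </sec:trustManagers>
    <sec:cipherSuitesFilter>
      <!-- A suite is enabled only if it matches an include and no exclude.
           Allow AES suites and name the weak families explicitly so a later
           include cannot quietly bring them back. -->
      <sec:include>.*_WITH_AES_.*</sec:include>
      <sec:exclude>.*_EXPORT.*</sec:exclude>
      <sec:exclude>.*_DES_.*</sec:exclude>
      <sec:exclude>.*_NULL_.*</sec:exclude>
      <sec:exclude>.*_anon_.*</sec:exclude>
      <sec:exclude>.*_RC4_.*</sec:exclude>
      <sec:exclude>.*_MD5.*</sec:exclude>
    </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
</http:conduit>
```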
