Hi, I would recommend adding the "-Djavax.net.debug=ssl" option to your tomcat JVM; it gives a bit more information about the problem. At first sight the message "unable to find valid certification path to requested target" says that the issuer/CA certificate that signed the actual SSL certificate is not found.
Regards,
Andrei.

> -----Original Message-----
> From: Giriraj Bhojak [mailto:[email protected]]
> Sent: Thursday, 10 July 2014 16:39
> To: [email protected]
> Subject: Re: Using SSL with CXF web service
>
> Now I am stuck with the following error:
>
> javax.xml.ws.soap.SOAPFaultException: Problem writing SAAJ model to stream: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
> at com.sun.proxy.$Proxy53.service(Unknown Source)
> at com.mycompany.Service.service(Service.java:47)
> at com.mycompany.TestService.testClient(TestService.java:56)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> at java.lang.reflect.Method.invoke(Method.java:618)
> at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
> at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
> at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
> at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
> at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:74)
> at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:83)
> at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:72)
> at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:231)
> at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:88)
> at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
> at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
> at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
> at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
> at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
> at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
> at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:71)
> at org.junit.runners.ParentRunner.run(ParentRunner.java:292)
> at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:174)
> at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
> at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Caused by: javax.xml.stream.XMLStreamException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> at com.ibm.xml.xlxp2.api.stax.msg.StAXMessageProvider.throwXMLStreamException(StAXMessageProvider.java:67)
> at com.ibm.xml.xlxp2.api.stax.XMLStreamWriterImpl.flush(XMLStreamWriterImpl.java:766)
> at com.ibm.xml.xlxp2.api.stax.XMLOutputFactoryImpl$XMLStreamWriterProxy.flush(XMLOutputFactoryImpl.java:155)
> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:213)
> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:172)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>
> For the client, truststore and keystore are the same in my case:
>
> <http:conduit name="{http://com.mycompany/serviceOne}ServiceOnePort.http-conduit">
>   <http:tlsClientParameters secureSocketProtocol="SSL">
>     <sec:keyManagers keyPassword="cstorepass">
>       <sec:keyStore file="src/test/resources/com/mycompany/ClientKeyNew.jks" password="cstorepass" type="JKS" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore file="src/test/resources/com/mycompany/ClientKeyNew.jks" password="cstorepass" type="JKS" />
>     </sec:trustManagers>
>     <sec:cipherSuitesFilter>
>       <!-- these filters ensure that a ciphersuite with export-suitable or
>            null encryption is used, but exclude anonymous Diffie-Hellman key
>            exchange as this is vulnerable to man-in-the-middle attacks -->
>       <sec:include>.*_EXPORT_.*</sec:include>
>       <sec:include>.*_EXPORT1024_.*</sec:include>
>       <sec:include>.*_WITH_DES_.*</sec:include>
>       <sec:include>.*_WITH_AES_.*</sec:include>
>       <sec:include>.*_WITH_NULL_.*</sec:include>
>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
>     </sec:cipherSuitesFilter>
>   </http:tlsClientParameters>
> </http:conduit>
>
> I have also imported the tomcat certificate (default alias 'tomcat') into the
> keystore/truststore identified by ClientKeyNew.jks.
>
> Here is the tomcat entry from server.xml:
>
> <Connector port="8443" maxHttpHeaderSize="8192"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true"
>            keystoreFile="/conf/.keystore" keystorePass="changeit"
>            clientAuth="false" sslProtocol="TLS" algorithm="IbmX509" />
>
> Could anyone please help me out with this?
> I can't figure out why the SSL handshake fails.
>
> Thanks,
> Giriraj.
>
>
> On Thu, Jul 10, 2014 at 9:39 AM, Giriraj Bhojak <[email protected]> wrote:
>
> > Hi Xilai,
> >
> > Thank you for the reply. I did check the passwords and they were correct.
> > It turns out that the keystore and key passwords need to be the same. Once
> > I used a new key store with identical passwords for the key and the
> > store itself, the error went away.
> >
> > Is this a limitation of Merlin or java keystore in general?
> >
> > Now I have moved onto different errors.
> >
> > Thanks,
> > Giriraj.
> > On Jul 9, 2014 10:09 PM, "XiLai Dai" <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> This exception may be because you had provided a wrong key password
> >> (password for alias). Please check again.
> >>
> >> Regards.
> >> Xilai Dai
> >> -----Original Message-----
> >> From: Giriraj Bhojak [mailto:[email protected]]
> >> Sent: Thursday, July 10, 2014 5:36 AM
> >> To: [email protected]
> >> Subject: Using SSL with CXF web service
> >>
> >> Hello,
> >>
> >> I have set up a CXF endpoint on Tomcat. I have enabled SSL on tomcat.
> >> I am able to access the deployed webservice using
> >> http://localhost:8080/webapp/services/one.
> >> When I use the SSL port (https://localhost:8443/webapp/services/one)
> >> and try accessing the same webservice through my java program, I get the following:
> >>
> >> Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
> >> at com.ibm.jsse2.j.a(j.java:36)
> >> at com.ibm.jsse2.qc.a(qc.java:199)
> >> at com.ibm.jsse2.ab.a(ab.java:171)
> >> at com.ibm.jsse2.ab.a(ab.java:180)
> >> at com.ibm.jsse2.bb.a(bb.java:346)
> >> at com.ibm.jsse2.bb.a(bb.java:559)
> >> at com.ibm.jsse2.ab.r(ab.java:554)
> >> at com.ibm.jsse2.ab.a(ab.java:325)
> >> at com.ibm.jsse2.qc.a(qc.java:617)
> >> at com.ibm.jsse2.qc.h(qc.java:103)
> >> at com.ibm.jsse2.qc.a(qc.java:166)
> >> at com.ibm.jsse2.qc.startHandshake(qc.java:649)
> >> at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:62)
> >> at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:22)
> >> at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1103)
> >> at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:16)
> >> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
> >> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1290)
> >> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1246)
> >> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
> >>
> >>
> >> Then I added http-conduit as per this link
> >> <http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html>,
> >> to the spring beans definition as follows:
> >>
> >> <http:conduit name="{http://com.mycompany/services}ONEPort.http-conduit">
> >>   <http:tlsClientParameters>
> >>     <sec:keyManagers keyPassword="keyPassword">
> >>       <sec:keyStore file="src/test/resources/keystore.jks" password="keyStorepassword" type="JKS" />
> >>     </sec:keyManagers>
> >>     <sec:trustManagers>
> >>       <sec:keyStore file="src/test/resources/keystore.jks" password="keyStorepassword" type="JKS" />
> >>     </sec:trustManagers>
> >>     <sec:cipherSuitesFilter>
> >>       <!-- these filters ensure that a ciphersuite with export-suitable or
> >>            null encryption is used, but exclude anonymous Diffie-Hellman key
> >>            exchange as this is vulnerable to man-in-the-middle attacks -->
> >>       <sec:include>.*_EXPORT_.*</sec:include>
> >>       <sec:include>.*_EXPORT1024_.*</sec:include>
> >>       <sec:include>.*_WITH_DES_.*</sec:include>
> >>       <sec:include>.*_WITH_AES_.*</sec:include>
> >>       <sec:include>.*_WITH_NULL_.*</sec:include>
> >>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
> >>     </sec:cipherSuitesFilter>
> >>   </http:tlsClientParameters>
> >> </http:conduit>
> >>
> >> Now I get:
> >>
> >> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
> >> at com.ibm.crypto.provider.s.recover(s.java:90)
> >> at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
> >> at java.security.KeyStore.getKey(KeyStore.java:803)
> >> at com.ibm.jsse2.uc.<init>(uc.java:113)
> >> at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
> >> at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
> >> at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)
> >> at org.apache.cxf.configuration.jsse.TLSClientParametersConfig.createTLSClientParametersFromType(TLSClientParametersConfig.java:110)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
> >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> >> at java.lang.reflect.Method.invoke(Method.java:618)
> >> at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160)
> >>
> >> Could anyone please point out what I am doing wrong here?
> >>
> >> Is there anything I need to do in the web service endpoint spring
> >> configuration (apart from setting Tomcat for SSL) to ensure I can
> >> access the web service using https?
> >> I know I need to add the http-conduit element on the client side. But I seem
> >> to be doing something wrong.
> >>
> >> Thanks,
> >> Giriraj.
> >>
> >
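A preflight check for the JKS file the conduit above points at, added here as an example and not code from this thread, CXF or Tomcat: it unlocks each private-key entry with the `keyPassword` the way CXF's `KeyManagerFactory.init` does (a mismatch is the "Cannot recover key" trace), then PKIX-validates a server certificate exported from the Tomcat keystore against the store's trusted entries (a miss is the "unable to find valid certification path" trace). The class name, argument order and the PEM export of the server certificate are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.*;
import java.util.*;

/** Assumed class name; run before wiring the same JKS into keyManagers and trustManagers. */
public class TlsStorePreflight {
    public static void main(String[] args) throws Exception {
        // Assumed arguments: <store.jks> <storePassword> <keyPassword> <server-cert.pem>
        String storePath = args[0], storePass = args[1], keyPass = args[2], serverCertPath = args[3];
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass.toCharArray());   // a wrong store password fails here, not later
        }
        // keyManagers side: CXF passes keyPassword to KeyManagerFactory.init, which calls
        // KeyStore.getKey(alias, keyPassword) for every key entry; a mismatch cannot recover the key.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                try {
                    ks.getKey(alias, keyPass.toCharArray());
                    System.out.println("key entry " + alias + ": keyPassword OK");
                } catch (UnrecoverableKeyException e) {
                    System.out.println("key entry " + alias + ": keyPassword does not unlock it");
                }
            } else if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        if (anchors.isEmpty()) { System.out.println("no trusted certificate entries: every server cert will be rejected"); return; }
        // trustManagers side: validate the server certificate against the trusted entries, which is
        // the check that fails with "unable to find valid certification path to requested target".
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate server;
        try (FileInputStream in = new FileInputStream(serverCertPath)) {
            server = (X509Certificate) cf.generateCertificate(in);
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // no CRL/OCSP lookups in this offline check
        CertPath path = cf.generateCertPath(Collections.singletonList(server));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("server cert chains to a trusted entry");
        } catch (CertPathValidatorException e) {
            System.out.println("server cert NOT trusted: " + e.getMessage());
        }
    }
}
```

The cipherSuitesFilter quoted in the thread admits `_WITH_NULL_`, `_WITH_DES_` and `_EXPORT_` suites, so a client that passes this check still needs those include patterns removed before it leaves a test environment.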
