Fwd: can't configure SSL properly

Mon, 18 Mar 2019 08:49:05 -0700 

Hello CXF Users,

I have the following error when I consume my SOAP WS :

Caused by: org.apache.cxf.service.factory.ServiceConstructionException:
Failed to create service.
        at 
org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:87)
        at 
org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:218)
        at org.apache.cxf.jaxws.ServiceImpl.initialize(ServiceImpl.java:161)
        ... 25 more
Caused by: javax.wsdl.WSDLException: WSDLException:
faultCode=PARSER_ERROR: Problem parsing
'https://myservice.xx/COM_WEB/ComWeb.asmx?wsdl'.:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target       at
com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
        at 
org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:238)
        at 
org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:163)
        at 
org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:85)
        ... 27 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at 
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at 
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at 
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at 
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at 
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at 
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at 
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at 
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
        at 
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
        at 
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at 
com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:647)
        at 
com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:148)
        at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:805)
        at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:770)
        at 
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
        at 
com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:243)
        at 
com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
        ... 32 more
Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at 
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at 
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at 
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at 
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at 
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
        ... 52 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
        at 
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at 
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
        ... 58 more

This is due to server's SSL certificate not present in the default JVM
TrustStore.

I found it was possible to configure client SSL settings for a specific
endpoint :
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport

Here is my cxf.xml

<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:sec="http://cxf.apache.org/configuration/security";
   xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:jaxws="http://java.sun.com/xml/ns/jaxws";
   xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-2.0.xsd";>

   <http:conduit name="{http://myservice.xx/comweb/}ComWebSoap.http-conduit";>
      <http:tlsClientParameters disableCNCheck="true">
         <sec:keyManagers>
            <sec:keyStore resource="myservice.jks" type="JKS" />
         </sec:keyManagers>
         <sec:trustManagers>
            <sec:certStore resource="myservice.jks" type="JKS" />
         </sec:trustManagers>
      </http:tlsClientParameters>

   </http:conduit>
</beans>

But I can't make this work.

I suspect error is thrown at the very beggining of the process (when WSDL
is parsed), and cxf.xml is not loaded yet.
If I set trustore via system property like

 System.setProperty("javax.net.ssl.trustStoreType", "JKS");
 System.setProperty("javax.net.ssl.trustStore", "/path/to/myservice.jks");

It works fine, but I don't want to do so globally.

How can I tell CXF to use my custom TrustStore for every SSL connection
made ? Is this a bug ? Please help.

CXF version : 3.1.6

WSDL : ComWeb.wsdl
<http://jira.sylob.local/secure/attachment/517676/517676_ComWeb.wsdl>

-- 
Notice de confidentialité : Les informations contenues dans ce courriel 
sont strictement confidentielles et réservées à l'usage de la ou des 
personne(s) identifiée(s) comme destinataire(s). L'usage, la publication, 
la copie, la divulgation ou la transmission des informations contenues dans 
ce message ou les documents qui y sont attachés est interdit à moins d'y 
avoir été expressément autorisé par l'émetteur. Si vous avez reçu ce 
message par erreur, merci de le supprimer et d'en avertir immédiatement son 
expéditeur.

Reply via email to