I assume they copied <OptionalPrefix>cacerts to $JAVA_HOME\jre\lib\security?
Make sure validation dates are correct for Certificate.
A self-signed cert is designed to work on the machine where you created the cert only *CN*.
To implement a cert that will work on FQDN with correct dates you will need a REAL cert from verisign / thawte / DigiCert.

Fixing PKIX Errors:
http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/

Making Self-Signed Certs
http://torlanglo.wordpress.com/2008/05/03/how-to-create-a-ssl-certificate-with-custom-domain-name-for-use-in-iis7-web-sites/

Get your 'REAL CERTS' here
http://safire.net/support/verisign.html

Martin

> Date: Tue, 18 Mar 2014 17:58:32 -0400
> From: mariacristinasi...@sourcecable.net
> To: users@tomcat.apache.org
> Subject: jax-ws and tomcat 7 with ssl
>
> Hi,
>
> I developed a web service using jax-ws and configured Tomcat to support
> SSL connection. Here are my steps:
>
> ****** Step 1 - Generate a self-signed server certificate
>
> Use JDK 1.7 keytool:
>
> keytool -genkey -alias trackerdev -keypass changeit -storepass changeit
> -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx
>
> Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere,
> ST=provincenamehere, C=ca correct?
> [no]: yes
>
> ****** Step 2 – Configure Tomcat to support SSL connection
>
> On the dev server:
>
> Modify TOMCAT_HOME\conf\server.xml by adding the following block where
> keystoreFile and keystorePass are set to values from the previous step:
>
> <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true" clientAuth="false"
>            sslProtocol="TLS"
>            keystoreFile="htdkeystore/trackerdev.ks"
>            keystorePass="changeit" />
>
> ****** Step 3 - Export the generated server certificate to a
> certificate file
>
> On the dev server:
>
> keytool -export -alias trackerdev -storepass changeit -file
> D:\Tomcat7\htdkeystore\serverdev.cer -keystore
> D:\Tomcat7\htdkeystore\trackerdev.ks
>
> ****** Step 4 - Import the server certificate into the truststore file
> (Open an administrator cmd window and hit Shift, Ctrl, Enter)
>
> Copy serverdev.cer from the dev server and on the local machine:
>
> keytool -import -v -trustcacerts -alias trackerdev -file
> C:\fromdevserver\serverdev.cer -keystore "C:\Program
> Files\Java\jdk1.7.0_51\jre\lib\security\cacerts" -keypass changeit
> -storepass changeit
>
> Trust this certificate? [no]: yes
>
> ****** Step 5 – Modify webapp's web.xml
>
> Add the following:
> <listener>
>   <listener-class>
>     com.sun.xml.ws.transport.http.servlet.WSServletContextListener
>   </listener-class>
> </listener>
> <servlet>
>   <servlet-name>tracker</servlet-name>
>   <servlet-class>
>     com.sun.xml.ws.transport.http.servlet.WSServlet
>   </servlet-class>
> </servlet>
> <servlet-mapping>
>   <servlet-name>tracker</servlet-name>
>   <url-pattern>/tracker</url-pattern>
> </servlet-mapping>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>securedapp</web-resource-name>
>     <url-pattern>/tracker</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> ****** MY QUESTION IS THIS:
>
> I tested the web service using https and it worked for me. I provided
> another team with my server certificate so that they could add it to
> their truststore file but I have no idea if they did or not. All I know
> is that they got an error loading the wsdl. The exception they got was:
>
> Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl]
> org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> They claim that the certificate is not properly signed. Well, I don't
> know. It is a self-signed certificate.
>
> Any ideas would help!
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
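
A check the client team could run to settle whether the exported certificate is really in the truststore their JVM reads, along with the validity dates and SAN discussed above. This is an added example, not code from the thread; the class name TrustCheck and the fallback password "changeit" (the stock cacerts password, also used in the steps above) are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Added diagnostic (hypothetical class name). Usage:
//   java TrustCheck <server.cer> [truststore] [storepass]
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustCheck <server.cer> [truststore] [storepass]");
            System.exit(2);
        }
        // Default JSSE lookup order: the javax.net.ssl.trustStore property,
        // then lib/security/jssecacerts, then lib/security/cacerts of this JRE.
        String home = System.getProperty("java.home");
        String store = args.length > 1 ? args[1] : System.getProperty("javax.net.ssl.trustStore");
        if (store == null) {
            File jsse = new File(home, "lib/security/jssecacerts");
            store = jsse.exists() ? jsse.getPath() : new File(home, "lib/security/cacerts").getPath();
        }
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, pass);
        }
        // getCertificateAlias returns null when no entry holds this exact certificate.
        String alias = ks.getCertificateAlias(cert);
        System.out.println("Truststore : " + store);
        System.out.println("Subject    : " + cert.getSubjectX500Principal());
        System.out.println("Trusted as : " + (alias != null ? alias
                : "NOT PRESENT (a self-signed cert missing here fails PKIX path building)"));
        try {
            cert.checkValidity(); // throws if expired or not yet valid
            System.out.println("Validity   : ok, " + cert.getNotBefore() + " to " + cert.getNotAfter());
        } catch (CertificateException e) {
            System.out.println("Validity   : " + e.getMessage());
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        System.out.println("SAN        : " + (sans == null ? "none" : sans.toString()));
    }
}
```

Run it with the same JRE the failing client uses, since each JRE installation has its own cacerts file and an import into a different installation has no effect on that client.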