I assume they copied <OptionalPrefix>cacerts to $JAVA_HOME\jre\lib\security?


Make sure the validity dates are correct for the certificate.
A self-signed cert is designed to work only on the machine where you created the cert (*CN*).
To implement a cert that will work on an FQDN with correct dates you will need a
REAL cert from Verisign / Thawte / DigiCert.


Fixing PKIX Errors:

http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/

 

Making Self-Signed Certs

http://torlanglo.wordpress.com/2008/05/03/how-to-create-a-ssl-certificate-with-custom-domain-name-for-use-in-iis7-web-sites/

 

Get your 'REAL CERTS' here

http://safire.net/support/verisign.html


Martin 


> Date: Tue, 18 Mar 2014 17:58:32 -0400
> From: mariacristinasi...@sourcecable.net
> To: users@tomcat.apache.org
> Subject: jax-ws and tomcat 7 with ssl
> 
> Hi,
> 
> I developed a web service using jax-ws and configured Tomcat to support 
> SSL connection. Here are my steps:
> 
> ****** Step 1 - Generate a self-signed server certificate
> 
> Use JDK 1.7 keytool:
> 
> keytool -genkey -alias trackerdev -keypass changeit -storepass changeit 
> -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx
> 
> Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere, 
> ST=provincenamehere, C=ca correct?
> [no]: yes
> 
> ****** Step 2 – Configure Tomcat to support SSL connection
> 
> On the dev server:
> 
> Modify TOMCAT_HOME\conf\server.xml by adding the following block where 
> keystoreFile and keystorePass are set to values from the previous step:
> 
> <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" 
> maxThreads="150" scheme="https" secure="true" clientAuth="false" 
> sslProtocol="TLS"
> keystoreFile="htdkeystore/trackerdev.ks" 
> keystorePass="changeit" />
> 
> ****** Step 3 - Export the generated server certificate to a 
> certificate file
> 
> On the dev server:
> 
> keytool -export -alias trackerdev -storepass changeit -file 
> D:\Tomcat7\htdkeystore\serverdev.cer -keystore 
> D:\Tomcat7\htdkeystore\trackerdev.ks
> 
> ****** Step 4 - Import the server certificate into the truststore file 
> (Open an administrator cmd window and hit Shift, Ctrl, Enter)
> 
> Copy serverdev.cer from the dev server and on the local machine:
> 
> keytool -import -v -trustcacerts -alias trackerdev -file 
> C:\fromdevserver\serverdev.cer -keystore "C:\Program 
> Files\Java\jdk1.7.0_51\jre\lib\security\cacerts" -keypass changeit 
> -storepass changeit
> 
> Trust this certificate? [no]: yes
> 
> ****** Step 5 – Modify the webapp's web.xml
> 
> Add the following:
> <listener>
> <listener-class>
> com.sun.xml.ws.transport.http.servlet.WSServletContextListener
> </listener-class>
> </listener>
> <servlet>
> <servlet-name>tracker</servlet-name>
> <servlet-class>
> com.sun.xml.ws.transport.http.servlet.WSServlet
> </servlet-class>
> </servlet>
> <servlet-mapping>
> <servlet-name>tracker</servlet-name>
> <url-pattern>/tracker</url-pattern>
> </servlet-mapping>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>securedapp</web-resource-name>
> <url-pattern>/tracker</url-pattern>
> </web-resource-collection>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> 
> ****** MY QUESTION IS THIS:
> 
> I tested the web service using https and it worked for me. I provided 
> another team with my server certificate so that they could add it to 
> their truststore file but I have no idea if they did or not. All I know 
> is that they got an error loading the wsdl. The exception they got was:
> 
> Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl]
> org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
> find valid certification path to requested target
> 
> They claim that the certificate is not properly signed. Well, I don't 
> know. It is a self-signed certificate.
> 
> Any ideas would help!
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
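As an added example (not code from the original thread, nor from Tomcat or JAX-WS), here is how the other team's client could trust the exported serverdev.cer from its own application truststore instead of editing the JDK's cacerts. The truststore path, password, class name and WSDL URL are placeholders assumed for illustration; the point is that a "PKIX path building failed" error goes away only when the self-signed certificate (there is no issuer above it) is present in whatever truststore the client's SSLContext actually uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: fetch the WSDL over HTTPS with an application-specific
 * truststore. Assumed preparation (placeholder names, not from the thread):
 *   keytool -importcert -alias trackerdev -file serverdev.cer \
 *           -keystore client-truststore.jks -storepass changeit
 */
public class WsdlFetch {

    /** Build an SSLContext whose trust anchors come only from the given keystore file. */
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // PKIX trust manager: the same validator that produced the error in the thread,
        // now initialised with a store that contains the self-signed server cert.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL and truststore; override on the command line.
        String wsdl = args.length > 0 ? args[0] : "https://xx.x.x.xxx:8444/appname/tracker?wsdl";
        String trustStore = args.length > 1 ? args[1] : "client-truststore.jks";

        SSLContext ctx = contextFromTruststore(trustStore, "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(wsdl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            int status = conn.getResponseCode();
            System.out.println("HTTP " + status + " from " + wsdl);
        } catch (SSLHandshakeException e) {
            // This is the failure mode from the thread: the server's certificate
            // chain (here a single self-signed cert) has no anchor in the truststore.
            System.err.println("Handshake failed, server cert not trusted: " + e.getMessage());
            throw e;
        }
    }
}
```

Two practical notes. First, the same effect without code is `-Djavax.net.ssl.trustStore=client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit` on the client JVM, which is usually easier to check than asking whether the other team really imported into the right cacerts (each installed JDK/JRE has its own). Second, the `-ext san=ip:...` in Step 1 matters separately from trust: HttpsURLConnection's default hostname verifier matches the URL host against the certificate's Subject Alternative Names, so a cert trusted but issued for a different host fails with a hostname-mismatch error, not with the PKIX path error quoted above.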