cxf-users mailing list archives

From Benson Margulies <bimargul...@gmail.com>
Subject Re: CXF using SSL certificate where it isn't wanted
Date Tue, 22 Sep 2009 16:46:16 GMT
You've told Java on the client, 'here is a truststore to use with all SSL
connections.' Once you do that, it will check all SERVER certificates
against that truststore. I think that you need to add your web service's
server certificate to the truststore.

The real experts may yet emerge with a recipe for setting the truststore
more selectively so that it applies to MySQL and not to CXF.


On Tue, Sep 22, 2009 at 12:42 PM, Steve Cohen <scohen@javactivity.org> wrote:

> Thanks, but I don't think that's it.  As I indicated originally
>
>> This connection is over https to a Web Server
>> that does not require or accept certificates.
>>
> There IS no certificate to add.  I don't want this connection to check
> certificates.
>
>
> Stan Lewis wrote:
>
>> It looks like the client is complaining that it doesn't trust the
>> server's certificate.  You probably just need to add the CA for the
>> server's certificate to the truststore that you're passing on the
>> command line, so you'd have the CA and certificate for your MySQL
>> server + the CA for the web service server that your client is
>> connecting to.
>>
>> On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <scohen@javactivity.org>
>> wrote:
>>
>>
>>> I have a backend application that makes several types of connections. One
>>> is to a Web Service whose client was built with Apache CXF.  The other is
>>> to a MySQL database. Because of the unusual security situation in which
>>> the servers are forced to live (DMZ) we need to encrypt the transmissions
>>> to the DB server, so we are going to use MySQL's "REQUIRE SSL"
>>> functionality which requires a certificate from a CA to achieve logon as
>>> the database user. This cert is placed in a truststore which becomes known
>>> to the application at startup via command-line defines:
>>>
>>> -Djavax.net.ssl.trustStore=/path/to/truststore
>>> -Djavax.net.ssl.trustStorePassword=secret
>>>
>>> Since we are not using MySQL's "REQUIRE X509", we do not need client
>>> certificates and keys.
>>>
>>> This all works fine.
>>>
>>> However ...
>>>
>>> I have now discovered that making these command-line defines breaks the
>>> CXF-based Web Service client.  This connection is over https to a Web
>>> Server that does not require or accept certificates.  When this connection
>>> is attempted with the application in this mode (i.e. with the two defines
>>> in the System properties), it fails with:
>>>
>>>
>>> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR address.AddressValidator  - [SOAP-ENV:Fault: null]
>>> javax.xml.ws.soap.SOAPFaultException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>>>     at $Proxy32.validateLocation(Unknown Source)
>>> ...
>>> Caused by: org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
>>>     at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>>>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
>>>     ... 8 more
>>> Caused by: com.ctc.wstx.exc.WstxIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
>>>     at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
>>>     ... 14 more
>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
>>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>>>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
>>>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
>>>     ... 15 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
>>>     at sun.security.validator.Validator.validate(Validator.java:218)
>>>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
>>>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
>>>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
>>>     ... 32 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
>>>     ... 38 more
>>>
>>> If I turn off the SSL requirement and remove the command line defines,
>>> this connection works as designed.
>>>
>>> So the question is
>>>
>>> where is the hook, either in Java or CXF by which I can configure this to
>>> use the SSL cert for the connections to the MySQL server but not for other
>>> types of connection?
>>>
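The "more selective" recipe Benson defers to the experts does exist in CXF: -Djavax.net.ssl.trustStore replaces the JVM-wide default truststore (normally the JRE's bundled cacerts), which is why a web service certificate that validated before the flags were added stops validating afterwards. CXF's HTTPConduit accepts its own TLSClientParameters, and any trust managers set there are used for that client only, while the JDBC driver keeps using the JVM default SSLContext and therefore the truststore named on the command line. The following is an added example, not code from the thread or from the CXF project; the AddressValidatorService/AddressValidator port types, the JDK's cacerts path and its default password "changeit" are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Scope a truststore to a single CXF client instead of to the whole JVM.
 *
 * Added example, not code from the thread. The JDK's bundled cacerts file,
 * its default password "changeit", and the AddressValidatorService /
 * AddressValidator port types are assumptions.
 */
public final class ConduitTrust {

    private ConduitTrust() { }

    /** Load a JKS truststore from disk and derive X.509 trust managers from it. */
    static TrustManager[] trustManagersFrom(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        // Do not use tmf.init((KeyStore) null) here: a null store makes the
        // factory consult javax.net.ssl.trustStore, i.e. the MySQL truststore,
        // which is exactly the coupling we are trying to remove.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    /**
     * Give this JAX-WS proxy's HTTPConduit its own TLS parameters. CXF builds a
     * private SSLContext for the conduit, so -Djavax.net.ssl.trustStore no longer
     * affects this client while still governing anything that uses the JVM
     * default SSLContext, such as the MySQL JDBC driver.
     */
    static void trustStoreFor(Object port, String trustStorePath, char[] password) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(trustManagersFrom(trustStorePath, password));
        // Hostname (CN) checking stays enabled by default. Do not call
        // tls.setDisableCNCheck(true) and do not install a TrustManager whose
        // checkServerTrusted() is empty: either one lets anyone on the DMZ
        // network path impersonate the web service.
        conduit.setTlsClientParameters(tls);
    }

    public static void main(String[] args) throws Exception {
        // Assumed names for the generated JAX-WS service and port.
        AddressValidatorService service = new AddressValidatorService();
        AddressValidator port = service.getAddressValidatorPort();

        // Before the -D flags were added the web service's chain validated
        // against the JRE's bundled CA bundle, so point this conduit back at it.
        // Path and password are the JDK defaults (assumption: not relocated).
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        trustStoreFor(port, cacerts, "changeit".toCharArray());

        // port.validateLocation(...) can now be called as before; the MySQL
        // connection keeps using the truststore named on the command line.
    }
}
```

To confirm which truststore each connection is actually using, run once with -Djavax.net.debug=ssl; the handshake log names the trust store file loaded for the default context and prints the server chain that failed to build. The same TLSClientParameters can be set declaratively in the CXF Spring configuration (an http:conduit element with a tlsClientParameters child) instead of in code, which may suit a deployment whose conduit is already configured there. The opposite scoping also works: MySQL Connector/J accepts the truststore on the JDBC URL itself (trustCertificateKeyStoreUrl and trustCertificateKeyStorePassword, alongside useSSL=true&requireSSL=true) so the -D flags can be dropped entirely and CXF falls back to the JRE defaults; check those property names against the Connector/J version in use. Stan's alternative of importing the web service's CA into the command-line truststore (keytool -importcert -alias ws-ca -file ca.pem -keystore /path/to/truststore) also removes the error, but it makes both CAs trusted for both connections, which is broader than either connection needs.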
