cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stan Lewis <gashcr...@gmail.com>
Subject Re: CXF using SSL certificate where it isn't wanted
Date Tue, 22 Sep 2009 16:35:01 GMT
It looks like the client is complaining that it doesn't trust the
server's certificate.  You probably just need to add the CA for the
server's certificate to the truststore that you're passing on the
command line, so you'd have the CA and certificate for your MySQL
server + the CA for the web service server that your client is
connecting to.

On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <scohen@javactivity.org> wrote:
> I have a backend application that makes several types of connections. One is
> to a Web Service whose client was built with Apache CXF.  The other is to a
> MySQL database. Because of the unusual security situation in which the
> servers are forced to live (DMZ) we need to encrypt the transmissions to the
> DB server, so we are going to use MySQL's "REQUIRE SSL" functionality which
> requires a certificate from a CA to achieve logon as the database user. This
> cert is placed in a truststore which becomes known to the application at
> startup via command-line defines:
>
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=secret
>
> Since we are not using MySQL's "REQUIRE X509", we no not need client
> certificates and keys.
>
> This all works fine.
>
> However ...
>
> I have now discovered that making these command-line defines breaks the
> CXF-based Web Service client.  This connection is over https to a Web Server
> that does not require or accept certificates.  When this connection is
> attempted with the application in this mode (i.e. with the two defines in
> the System properties), it fails with:
>
>
> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
> address.AddressValidator  - [SOAP-ENV:Fault: null]
> javax.xml.ws.soap.SOAPFaultException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>   at $Proxy32.validateLocation(Unknown Source)
> ...
> Caused by: org.apache.cxf.interceptor.Fault:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at
> org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
> at
> org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
> at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
> ... 8 more
> Caused by: com.ctc.wstx.exc.WstxIOException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
> at
> org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
> ... 14 more
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
> at
> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
> at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
> at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
> at
> org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
> at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
> at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
> ... 15 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
> ... 32 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
> ... 38 more
>
> If I turn off the SSL requirement and remove the command line defines, this
> connection works as designed.
>
> So the question is
>
> where is the hook, either in Java or CXF by which I can configure this to
> use the SSL cert for the connections to the MySQL server but not for other
> types of connection?
>

Mime
View raw message