From: Stan Lewis
Date: Tue, 22 Sep 2009 12:35:01 -0400
Subject: Re: CXF using SSL certificate where it isn't wanted
To: users@cxf.apache.org

It looks like the client is complaining that it doesn't trust the server's
certificate. You probably just need to add the CA for the server's
certificate to the truststore that you're passing on the command line, so
you'd have the CA and certificate for your MySQL server + the CA for the web
service server that your client is connecting to.

On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen wrote:
> I have a backend application that makes several types of connections. One is
> to a Web Service whose client was built with Apache CXF. The other is to a
> MySQL database. Because of the unusual security situation in which the
> servers are forced to live (DMZ) we need to encrypt the transmissions to the
> DB server, so we are going to use MySQL's "REQUIRE SSL" functionality which
> requires a certificate from a CA to achieve logon as the database user. This
> cert is placed in a truststore which becomes known to the application at
> startup via command-line defines:
>
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=secret
>
> Since we are not using MySQL's "REQUIRE X509", we do not need client
> certificates and keys.
>
> This all works fine.
>
> However ...
>
> I have now discovered that making these command-line defines breaks the
> CXF-based Web Service client. This connection is over https to a Web Server
> that does not require or accept certificates. When this connection is
> attempted with the application in this mode (i.e. with the two defines in
> the System properties), it fails with:
>
>
> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
> address.AddressValidator - [SOAP-ENV:Fault: null]
> javax.xml.ws.soap.SOAPFaultException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>   at $Proxy32.validateLocation(Unknown Source)
> ...
> Caused by: org.apache.cxf.interceptor.Fault:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>   at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
>   at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>   at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
>   ... 8 more
> Caused by: com.ctc.wstx.exc.WstxIOException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>   at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
>   at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
>   ... 14 more
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>   at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
>   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
>   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
>   at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
>   at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>   at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
>   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>   at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>   at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
>   at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
>   at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>   at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
>   at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
>   at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
>   ... 15 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
>   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
>   at sun.security.validator.Validator.validate(Validator.java:218)
>   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
>   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
>   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
>   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
>   ... 32 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
>   ... 38 more
>
> If I turn off the SSL requirement and remove the command line defines, this
> connection works as designed.
>
> So the question is
>
> where is the hook, either in Java or CXF, by which I can configure this to
> use the SSL cert for the connections to the MySQL server but not for other
> types of connection?
>
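The hook the question asks for, as an added example that is not code from this thread: CXF lets each HTTP conduit carry its own TLSClientParameters, so the web-service client can validate against a trust store holding only that server's CA while -Djavax.net.ssl.trustStore stays dedicated to the MySQL connection. The proxy object, the trust store path and its password are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class WebServiceTrust {

    // Build trust managers from a store that holds only the CA of the web
    // service endpoint. It is read directly, so the JVM-wide
    // javax.net.ssl.trustStore property does not influence it.
    static TrustManager[] trustManagersFrom(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Attach the per-conduit trust configuration to an existing JAX-WS proxy
    // (assumed: any port obtained from a CXF-generated Service class).
    // Call this once, before the first invocation on the proxy.
    static void configure(Object proxy, String trustStorePath, char[] password) throws Exception {
        Client client = ClientProxy.getClient(proxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(trustManagersFrom(trustStorePath, password));
        // Chain validation and hostname checking remain enabled; only the set
        // of trusted CAs differs from the one given on the command line.
        conduit.setTlsClientParameters(tls);
    }
}
```

With this in place, the MySQL connector keeps using the command-line trust store and the CXF conduit uses its own; the alternative in the reply above, importing the web server's CA into the single command-line store, also works but makes one store trust both CAs for every connection.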