tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jose MarĂ­a Zaragoza <demablo...@gmail.com>
Subject Re: jax-ws and tomcat 7 with ssl
Date Tue, 18 Mar 2014 22:41:22 GMT
2014-03-18 22:58 GMT+01:00 Maria Cristina Siena
<mariacristinasiena@sourcecable.net>:
> Hi,
>
> I developed a web service using jax-ws and configured Tomcat to support SSL
> connection. Here are my steps:
>
> ****** Step 1 - Generate a self-signed server certificate
>
> Use JDK 1.7 keytool:
>
> keytool -genkey -alias trackerdev -keypass changeit -storepass changeit
> -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx
>
> Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere,
> ST=provincenamehere, C=ca correct?
>   [no]:  yes
>
> ****** Step 2 - Configure Tomcat to support SSL connection
>
> On the dev server:
>
> Modify TOMCAT_HOME\conf\server.xml by adding the following block where
> keystoreFile and keystorePass are set to values from the previous step:
>
>     <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS"
>                keystoreFile="htdkeystore/trackerdev.ks"
> keystorePass="changeit" />
>
> ****** Step 3 - Export the generated server certificate to a certificate
> file
>
> On the dev server:
>
> keytool -export -alias trackerdev -storepass changeit -file
> D:\Tomcat7\htdkeystore\serverdev.cer -keystore
> D:\Tomcat7\htdkeystore\trackerdev.ks
>
> ****** Step 4 - Import the server certificate into the truststore file (Open
> an administrator cmd window and hit Shift, Ctrl, Enter)
>
> Copy serverdev.cer from the dev server and on the local machine:
>
> keytool -import -v -trustcacerts -alias trackerdev -file
> C:\fromdevserver\serverdev.cer -keystore "C:\Program
> Files\Java\jdk1.7.0_51\jre\lib\security\cacerts" -keypass changeit
> -storepass changeit
>
> Trust this certificate? [no]:  yes
>
> ****** Step 5 - Modify webapps's web.xml
>
> Add the following:
>         <listener>
>                 <listener-class>
>
> com.sun.xml.ws.transport.http.servlet.WSServletContextListener
>                 </listener-class>
>         </listener>
>         <servlet>
>                 <servlet-name>tracker</servlet-name>
>                 <servlet-class>
>                         com.sun.xml.ws.transport.http.servlet.WSServlet
>                 </servlet-class>
>         </servlet>
>     <servlet-mapping>
>         <servlet-name>tracker</servlet-name>
>         <url-pattern>/tracker</url-pattern>
>     </servlet-mapping>
>     <security-constraint>
>         <web-resource-collection>
>                 <web-resource-name>securedapp</web-resource-name>
>                 <url-pattern>/tracker</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
> ****** MY QUESTION IS THIS:
>
> I tested the web service using https and it worked for me. I provided
> another team with my server certificate so that they could add it to their
> truststore file but I have no idea if they did or not. All I know is that
> they got an error loading the wsdl. The exception they got was:
>
> Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl]
> org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> They claim that the certificate is not properly signed. Well, I don't know.
> It is a self-signed certificate.
>
> Any ideas would help!
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


I guess that they must add your PK certificate to their keystore. Ask them

Read the next link ( in Spanish ):
http://danielriab.wordpress.com/2012/08/13/java-pkix-path-building-failed/

Regards

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message