Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

certificate not trusted by Websphere

Tags:

java

security

https

ssl

websphere

I have a web application that call a SOAP Web service secured via SSL .(https://zzzzzzzzzzzz/xxxxx).

The server send two certificates (Root and Leaf) so i import the two certificate using the property : com.ibm.websphere.ssl.retrieveLeafCert .

To enable ssl validation on websphere i just add the certificates Into websphere :

SSL certificate and key management -> key stores and certificate -> NodeDefaultTrustStore -> Signer cerificates -> Retrieve from port :

  • host : hostname
  • port : 443
  • alias : alias

The problem is that webshphere not trust the certificate and give me this stacktrace, 

used by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking `https://------------------------------` : com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: T`he certificate issued by CN=-------------------------------------------------------------------- is not trusted`; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.6.0]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:56) ~[na:1.6.0]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:39) ~[na:1.6.0]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:527) ~[na:1.6.0]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:354) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:385) ~[cxf-rt-frontend-jaxws-2.7.4.jar:2.7.4]
    ... 100 common frames omitted
`Caused by: javax.net.ssl.SSLHandshakeException`: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: `The certificate issued by CN=--------------------------------------------------------- is not trusted`; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.jsse2.o.a(o.java:8) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.a(kb.java:355) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.a(kb.java:130) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.lb.a(lb.java:135) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.lb.a(lb.java:368) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.s(kb.java:442) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.a(kb.java:136) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81) ~[na:6.0 build_20130515]
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8) ~[na:6.0 build_20130515]
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20) ~[na:6.0 build_20130515]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1043) ~[na:1.6.0]
    at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:85) ~[na:6.0 build_20130515]
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    ... 110 common frames omitted
`Caused by: com.ibm.jsse2.util.j: PKIX path building failed:` java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: T`he certificate issued by CN=--------------------------------------------  is not trusted`; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.jsse2.util.h.b(h.java:39) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.util.h.b(h.java:21) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.util.g.a(g.java:1) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.pc.a(pc.java:36) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.pc.checkServerTrusted(pc.java:19) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.pc.b(pc.java:51) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.lb.a(lb.java:65) ~[na:6.0 build_20130515]
    ... 128 common frames omitted
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411) ~[na:na]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258) ~[na:na]
    at com.ibm.jsse2.util.h.b(h.java:107) ~[na:6.0 build_20130515]
    ... 134 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------------------
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357) ~[na:na]
    ... 136 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298) ~[na:na]
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108) ~[na:na]
    ... 141 common frames omitted

The same code is tested in my local environement with the simple use of Installcert.java and running my tests with -Djavax.net.ssl.trustStore=jssecacerts (jssecacerts is the file generated by InstallCert.java).

like image 873
Nabil Avatar asked Jan 24 '14 15:01

Nabil

2 Answers

Thanks for all the above response. Able to resolve the issue java.security.cert.CertPathValidatorException: Certificate chaining error with following configuration.

  1. Found that the following javax properties returned null value in the WebSphere.
    • javax.net.ssl.trustStore,
    • javax.net.ssl.trustStorePassword
    • javax.net.ssl.trustStoreType

For more details, please see this link,

java - path to trustStore - set property doesn't work?

  1. Configured the properties as below in the WebSphere

    Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.

a) javax.net.ssl.trustStore = jre_install_dir\lib\security\cacerts

Example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts

b) javax.net.ssl.trustStorePassword = changeit (default)

c) javax.net.ssl.trustStoreType = jks

For more details, please see this link,

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.isim.doc_6.0%2Finstalling%2Ftsk%2Ftsk_ic_ins_first_security_truststore.htm

After the configuration was able to see in the logs that certificates being added to the trust store.

Thanks, Uday Nilajkar

like image 116
user3458628 Avatar answered Oct 05 '22 21:10

user3458628

I test a million websphere configuration .

The only procedure that work is the procedure described in this link :

http://blog.xebia.com/2012/10/01/mutual-ssl-authentication-using-websphere-application-server-and-cxf/

By defining the cxf intercpter : 

<cxf:bus>
 <cxf:outInterceptors>
   <bean class="---------------------.WebsphereSslOutInterceptor" />
</cxf:outInterceptors>
</cxf:bus>

For more details , please see :

https://github.com/vlussenburg/websphere-cxf-extensions#websphere-cxf-extensions

Thanks a lot for your helps guys .

like image 25
Nabil Avatar answered Oct 05 '22 23:10

Nabil
Sign in to Comment

Related questions

Grizzly Jersey swallowing exceptions
How can I debug a Java Google App Engine app in IDEA while using the GAE Maven plugin?
What does qualify mean?
How do I create an EAttribute whose data type is not an EMF class?
Is this a bug in Java SynchronizedCollection class?
Checking null String in android
How to use Asynchronous/Batch writes feature with Datastax Java driver
What is the use of the @Access annoation in JPA means at the Entity level?
Java monitor active web sessions
Unmarshalling generic list with JAXB
What is the difference between apache camel multicast and recipent-list patterns?
variable r might not have been initialized
AVD Cannot test any application using AVD
YarnException: Unauthorized request to start container
How to get distance between views in pixels?
Selenium Web Driver is unable to locate element
SAXParseException: Content is not allowed in prolog
How to configure organizing of Java imports in Netbeans
XML string resources vs Java Constant Strings?
Eclipse RCP PropertyTester never gets called via menu visibleWhen

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!