Posted to java-user@axis.apache.org by Stadelmann Josef <jo...@axa-winterthur.ch> on 2011/12/01 12:33:16 UTC
AW: AW: [Axis2/Rampart] 1.6.1 interop issues
Dear Afkham

I could see myself that I had a configuration problem. BUT what is the wrong
configuration?

The issue is as follows, and I guess it remains an issue unless the Rampart
documents add a few things.

1. When one does a default Tomcat installation onto a Windows Vista
machine, a native library called tcnative-1.dll is installed.

2. And by default in server.xml the following line is turned on:

    <!--APR library loader. Documentation at /docs/apr.html -->
    <Listener SSLEngine="on"
              className="org.apache.catalina.core.AprLifecycleListener"/>

It is turned on and detects the tcnative-1.dll, and, as requested by the
Rampart samples policy ut-over-https README, I added everything for JKS ...

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxHttpHeaderSize="8192"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               truststoreFile="${catalina.home}/rampart-sample-keys.jks"
               truststorePass="apache"
               truststoreType="JKS"
               keystoreFile="${catalina.home}/rampart-sample-keys.jks"
               keystorePass="apache" />

3. BUT if the APR library loader detects the tcnative-1.dll, the
whole Rampart game changes!!! It no longer works as expected by the
Rampart developers.

4. That is to say, any JKS file, even properly configured as
explained in the README, and even NOT CORRUPT as the same says, just has an
INVALID FILE FORMAT.

5. And that results in errors like those in red below, where one can
easily think something is wrong with this service.jks file (see more below).
E:\>catalina.bat run
USING catalina.bat at E:\tc-60\Apache-Tomcat-6.0.26
Using CATALINA_BASE: "E:\tc-60\Apache-Tomcat-6.0.26"
Using CATALINA_HOME: "E:\tc-60\Apache-Tomcat-6.0.26"
Using CATALINA_TMPDIR: "E:\tc-60\Apache-Tomcat-6.0.26\temp"
Using LOGGING_CONFIG: "-Dnop"
Using JRE_HOME: "C:\Program Files\Java\jdk1.5.0_18"
Using CLASSPATH: "E:\tc-60\Apache-Tomcat-6.0.26\bin\bootstrap.jar"
01.12.2011 12:04:31 org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
01.12.2011 12:04:31 org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
01.12.2011 12:04:31 org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'false' did not find a matching property.
01.12.2011 12:04:31 org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'truststoreFile' to 'E:\tc-60\Apache-Tomcat-6.0.26/rampart-sample-keys.jks' did not find a matching property.
01.12.2011 12:04:31 org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'truststorePass' to 'apache' did not find a matching property.
01.12.2011 12:04:31 org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'truststoreType' to 'JKS' did not find a matching property.
01.12.2011 12:04:31 org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystoreFile' to 'E:\tc-60\Apache-Tomcat-6.0.26/rampart-sample-keys.jks' did not find a matching property.
01.12.2011 12:04:31 org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystorePass' to 'apache' did not find a matching property.
01.12.2011 12:04:31 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
01.12.2011 12:04:31 org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: No Certificate file specified or invalid file format
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:720)
        at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
01.12.2011 12:04:31 org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.lang.Exception: No Certificate file specified or invalid file format
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
01.12.2011 12:04:31 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 888 ms
6. But nothing is wrong with your Rampart-delivered JKS file, and

7. nothing is wrong with the 5 lines added to server.xml.

8. The wrong thing is that the APR Library Loader should not detect the
tcnative-1.dll (because that changes the game),

9. or it should be turned off somehow in server.xml.

How to cure the problem? I just renamed tcnative-1.dll to
make_it_invalid_tcnative-1.dll.

10. With that file renamed the startup is perfect, still making the
user aware of not-optimal performance due to the absence of the native
library.

11. I would like to see the Rampart documents spending just a bit
more attention on this Windows (Vista) platform-specific issue.

12. To be honest,
just looking at the stack trace messages above,
how deep shall a Tomcat novice have to dive into Tomcat code
to understand what is going wrong, while on a different platform all
works best with the same setup,
just because the tcnative-1.dll is not there or the APR Listener is not
configured?

13. To be honest: what is an invalid file format if provided by Rampart?
It's all a matter of looking at it from various points.
a. looking at the JKS file with APR eyes tells you that this JKS has an
invalid format
b. while looking with JSSE-based security eyes the same file is very
OK

14. We should make the user really aware of that.

Josef
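As an added example (not code from the Rampart samples, from Tomcat, or from anyone in this thread) that follows up point 13 above: the same JKS file is read with the JSSE KeyStore API, which is exactly what the JSSE connector does and which succeeds, and then its entry is written out as the PEM certificate and PKCS#8 key files that the APR/OpenSSL connector expects in its SSLCertificateFile and SSLCertificateKeyFile attributes. Only the keystore file name and the store password "apache" come from the server.xml quoted above; the alias "server", the key password "apache", the output file names and Java 8 or later (java.util.Base64, try-with-resources) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Base64;

/**
 * Added example, not Rampart or Tomcat code. Reads a JKS keystore through the
 * JSSE KeyStore API (the "JSSE eyes" of the thread) and exports the entry as
 * PEM, the only format the APR/OpenSSL connector accepts (the "APR eyes").
 *
 * Assumptions not taken from the thread: alias "server", key password "apache",
 * output file names. Use "keytool -list -v -keystore <file>" to see the aliases.
 */
public class JksToPem {

    /** Loads the keystore exactly as Tomcat's JSSE connector would. */
    static KeyStore loadJks(String path, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            // A file that is not JKS fails here with IOException("Invalid keystore format").
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Wraps DER bytes in a PEM envelope with the 64-column Base64 lines OpenSSL expects. */
    static String toPem(String type, byte[] der) {
        Base64.Encoder enc = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN " + type + "-----\n" + enc.encodeToString(der)
                + "\n-----END " + type + "-----\n";
    }

    static void writeFile(String name, String pem) throws IOException {
        try (OutputStream out = new FileOutputStream(name)) {
            out.write(pem.getBytes(StandardCharsets.US_ASCII));
        }
    }

    public static void main(String[] args) throws Exception {
        String jks = args.length > 0 ? args[0] : "rampart-sample-keys.jks"; // file name from the thread
        String alias = args.length > 1 ? args[1] : "server";               // assumption
        char[] storePass = "apache".toCharArray();                           // keystorePass from server.xml
        char[] keyPass = "apache".toCharArray();                             // assumption

        KeyStore ks = loadJks(jks, storePass);
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no private-key entry with alias '" + alias + "'");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        Key key = ks.getKey(alias, keyPass);
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("expected a PKCS#8 private key, got " + key.getFormat());
        }

        // chain[0] is the server certificate; any issuers go to a separate file
        // for the APR connector's SSLCertificateChainFile attribute.
        writeFile("server-cert.pem", toPem("CERTIFICATE", chain[0].getEncoded()));
        StringBuilder issuers = new StringBuilder();
        for (int i = 1; i < chain.length; i++) {
            issuers.append(toPem("CERTIFICATE", chain[i].getEncoded()));
        }
        if (issuers.length() > 0) {
            writeFile("server-chain.pem", issuers.toString());
        }
        // The exported key is unencrypted PKCS#8: restrict the file's permissions
        // to the Tomcat service account and delete it if you go back to JSSE.
        writeFile("server-key.pem", toPem("PRIVATE KEY", key.getEncoded()));

        System.out.println("JKS loaded fine via JSSE; wrote server-cert.pem and server-key.pem"
                + (issuers.length() > 0 ? " and server-chain.pem" : "") + " for the APR connector");
    }
}
```

Run it as java JksToPem rampart-sample-keys.jks <alias>. There are then two consistent ways to configure the connector, and mixing them is what the log above shows: with tcnative-1.dll present, Tomcat 6 auto-selects Http11AprProtocol for protocol="HTTP/1.1", and that connector does not know the keystoreFile/keystorePass/truststore* attributes (hence the "did not find a matching property" warnings), so it looks for a PEM certificate and reports "No Certificate file specified or invalid file format". Either give the APR connector what it expects, SSLCertificateFile="${catalina.home}/server-cert.pem" SSLCertificateKeyFile="${catalina.home}/server-key.pem" in place of the keystore attributes, or keep the JKS attributes and pin the Java implementation with protocol="org.apache.coyote.http11.Http11Protocol" on the connector so the native library no longer changes which SSL stack is used. Both are documented Tomcat 6 connector attributes; renaming the DLL works but is the least maintainable of the three.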
From: Afkham Azeez [mailto:afkham@gmail.com]
Sent: Wednesday, 30 November 2011 16:30
To: java-user@axis.apache.org
Subject: Re: AW: [Axis2/Rampart] 1.6.1 interop issues
So one of your primary problems is setting UP HTTPS on Tomcat? If so,
please read the Tomcat docs. It is a very simple thing.
On Nov 30, 2011 8:47 PM, "Stadelmann Josef"
<jo...@axa-winterthur.ch> wrote:

You might be correct.
But is just delivering the service.jks file via
$ ant copy.keys
sufficient for an installation of Apache Tomcat which is to run on a
Windows Vista system AND was never set up for HTTPS?

Setup for HTTPS by server.xml is definitely done. But the approach
to make it HTTPS-aware, as given in the README,
is absolutely insufficient and does not make Tomcat listen on port 8443.
I guess not!

Without having Tomcat set up to use a certificate (even a wrong one) you
will be unable to use its HTTPS connector at port 8443,
and that is an issue the axis2/rampart/sample-tomcat/README file does
not address.

I am just about to learn about web service security!
For me it is unclear:
do I need a certificate for Tomcat; I would guess yes
what type of certificate does Tomcat running on Windows Vista use?
Question for the Tomcat Windows Vista community, I know.

In short: I am a bit unhappy that Tomcat (or any other AS)
prerequisites on setup,
or in case there are NONE, are not clearly stated by the Rampart
installation.

Josef - lost at the moment
From: Afkham Azeez [mailto:afkham@gmail.com]
Sent: Wednesday, 30 November 2011 14:05
To: java-user@axis.apache.org
Subject: Re: [Axis2/Rampart] 1.6.1 interop issues
As per the stacktrace below, it looks like the System properties needed
for talking to the server via HTTPS have not been properly set.
$ ant create.and.run.client
produces
check.tomcat:
clean:
Deleting directory E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build
create.and.run.client:
Created dir: E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build
Created dir: E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build\temp_client
Created dir: E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build\client_repository
Created dir: E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build\client_repository\conf
Created dir: E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build\client_repository\modules
Copying 1 file to E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build\client_repository\modules
Copying 1 file to E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build\client_repository\modules
Compiling 2 source files to E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build\temp_client
Note: E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\src\org\apache\rampart\tomcat\sample\PWCBHandler.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Copying 1 file to E:\Users\C770817\SW-PROJEKTE\RampartSamples\policy\sample-tomcat\build
log4j:WARN No appenders could be found for logger (org.apache.axis2.deployment.FileSystemConfigurator).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
        at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:78)
        at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:621)
        at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:193)
        at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
        at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:404)
        at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:231)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:443)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:555)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:531)
        at org.apache.rampart.tomcat.sample.Client.main(Unknown Source)
Caused by: com.ctc.wstx.exc.WstxIOException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1692)
        at com.ctc.wstx.sw.BaseStreamWriter.close(BaseStreamWriter.java:288)
        at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.close(XMLStreamWriterWrapper.java:46)
        at org.apache.axiom.om.impl.MTOMXMLStreamWriter.close(MTOMXMLStreamWriter.java:188)
        at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:844)
        at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:74)
        ... 19 more
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1293)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1305)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:43)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
        at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
        at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:99)
        at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
        at com.ctc.wstx.sw.BufferingXmlWriter.close(BufferingXmlWriter.java:194)
        at com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1690)
        ... 24 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
        at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
        at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:99)
        at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
        at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.flush(XMLStreamWriterWrapper.java:50)
        at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:198)
        at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:842)
        ... 20 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
        ... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
        ... 43 more
Java Result: 1
BUILD SUCCESSFUL (total time: 3 seconds)
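Added example, not the Rampart sample client and not code from anyone in this thread: the client-side counterpart to the "PKIX path building failed" handshake in the stack trace above. The JVM's default X509TrustManager only trusts the CA certificates in the JRE's cacerts (or the store named by javax.net.ssl.trustStore), and the Tomcat connector configured earlier in the thread presents a self-signed sample certificate that no CA vouches for, so the handshake is rejected before any SOAP is sent. The program below reproduces that with the default trust store and then succeeds by trusting rampart-sample-keys.jks explicitly. Host localhost, port 8443 and the password "apache" come from the server.xml earlier in the thread; that the client should trust that same keystore, and Java 7 or later, are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not part of the Rampart sample. Shows why the sample client
 * fails with "unable to find valid certification path to requested target" and
 * what a trust configuration that fixes it looks like, without weakening
 * validation (no trust-all TrustManager).
 *
 * Assumptions: the server presents the certificate stored in
 * rampart-sample-keys.jks (store password "apache" from the thread), and it
 * listens on localhost:8443 as configured in the quoted server.xml.
 */
public class TrustCheck {

    /** Builds an SSLContext whose trust anchors are the certificates in the given JKS. */
    static SSLContext contextTrusting(String trustStorePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, storePass);
        }
        // The default (PKIX) factory takes both trusted-certificate entries and the
        // leaf certificate of key entries as anchors, so the sample keystore works as-is.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Performs a TLS handshake and returns the subject DN of the server certificate. */
    static String handshake(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Fails with SSLHandshakeException / PKIX path building failed when the
            // server certificate does not chain to one of the context's trust anchors.
            // Note: hostname verification is not performed by startHandshake() itself.
            s.startHandshake();
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            return peer.getSubjectX500Principal().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        String store = args.length > 0 ? args[0] : "rampart-sample-keys.jks";
        String host = "localhost";
        int port = 8443;

        // 1. JVM defaults (cacerts): reproduces the failure from the thread.
        try {
            System.out.println("default trust store already trusts: " + handshake(SSLContext.getDefault(), host, port));
        } catch (SSLException e) {
            System.out.println("as in the thread: " + e.getMessage());
        }

        // 2. Explicit trust in the sample keystore: the same handshake succeeds.
        SSLContext ctx = contextTrusting(store, "apache".toCharArray());
        System.out.println("trusted peer: " + handshake(ctx, host, port));
    }
}
```

The Axis2 sample client does not build its own SSLContext; it goes through commons-httpclient and the JVM's default SSLSocketFactory, which is why the equivalent fix for it is the pair of system properties javax.net.ssl.trustStore (pointing at the keystore that holds the server certificate) and javax.net.ssl.trustStorePassword, set on the command line before the first HTTPS call, since the default SSLContext is created once and cached. The check worth keeping in mind: the error is not "wrong certificate", it is "no trust anchor for this certificate", so the remedy is to add the anchor, never to install a TrustManager that accepts everything or to turn off hostname verification, which would silently remove the only protection HTTPS gives the UsernameToken sent over it.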