Posted to users@cxf.apache.org by Steve Cohen <sc...@javactivity.org> on 2009/09/22 17:48:21 UTC

CXF using SSL certificate where it isn't wanted

I have a backend application that makes several types of connections. 
One is to a Web Service whose client was built with Apache CXF.  The 
other is to a MySQL database. Because of the unusual security situation 
in which the servers are forced to live (DMZ) we need to encrypt the 
transmissions to the DB server, so we are going to use MySQL's "REQUIRE 
SSL" functionality which requires a certificate from a CA to achieve 
logon as the database user. This cert is placed in a truststore which 
becomes known to the application at startup via command-line defines:

-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.trustStorePassword=secret

Since we are not using MySQL's "REQUIRE X509", we do not need client 
certificates and keys.

This all works fine.

However ...

I have now discovered that making these command-line defines breaks the 
CXF-based Web Service client.  This connection is over https to a Web 
Server that does not require or accept certificates.  When this 
connection is attempted with the application in this mode (i.e. with the 
two defines in the System properties), it fails with:


2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR address.AddressValidator  - [SOAP-ENV:Fault: null]
javax.xml.ws.soap.SOAPFaultException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
    at $Proxy32.validateLocation(Unknown Source)
...
Caused by: org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
    at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
    ... 8 more
Caused by: com.ctc.wstx.exc.WstxIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
    at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
    ... 14 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
    ... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 38 more

If I turn off the SSL requirement and remove the command line defines, 
this connection works as designed.

So the question is: where is the hook, either in Java or CXF, by which I 
can configure this to use the SSL cert for the connections to the MySQL 
server but not for other types of connection?
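The per-client hook the question asks about does exist on the CXF side: every JAX-WS proxy sits on an HTTPConduit, and the conduit's TLSClientParameters can carry its own TrustManagers. That lets the JVM-wide -Djavax.net.ssl.trustStore defines stay pointed at the MySQL truststore while the web-service client keeps validating against the JRE's default cacerts. The following is an added example written for this thread, not code from the original post or from CXF itself; `port` is assumed to be an already-created JAX-WS proxy, and the cacerts path and its default password "changeit" are the stock JRE values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Per-client trust configuration for a CXF JAX-WS proxy (added example, not CXF's own code). */
public final class PerClientTrust {

    /** Load TrustManagers from one explicit truststore, independent of javax.net.ssl.trustStore. */
    static TrustManager[] trustManagersFrom(String storePath, char[] storePassword) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            store.load(in, storePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    /**
     * Attach those TrustManagers to the HTTPConduit behind one JAX-WS proxy only.
     * Every other HTTPS or JDBC connection in the JVM is unaffected and keeps
     * using whatever the -Djavax.net.ssl.* defines point at.
     */
    static void trustOnlyFor(Object jaxwsProxy, String storePath, char[] storePassword) throws Exception {
        Client client = ClientProxy.getClient(jaxwsProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();   // hostname (CN) verification stays enabled by default
        }
        tls.setTrustManagers(trustManagersFrom(storePath, storePassword));
        conduit.setTlsClientParameters(tls);
    }

    /** Usage: make the web-service proxy trust the JRE's own CA bundle, nothing else. */
    static void configure(Object port) throws Exception {
        // Assumption: the JRE's cacerts file with its stock password "changeit".
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        trustOnlyFor(port, cacerts, "changeit".toCharArray());
    }
}
```

Call `PerClientTrust.configure(port)` once after the proxy is created and before the first invocation. On the database side, MySQL Connector/J offers the same kind of per-connection setting through its trustCertificateKeyStoreUrl and trustCertificateKeyStorePassword connection properties, which is the "non-JVM-level method" Dan suggests looking for; with both hooks in place the two -D defines can be dropped altogether and each connection validates against exactly the CAs it should.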

RE: CXF using SSL certificate where it isn't wanted

Posted by "Purohit, Manoj R " <ma...@citi.com>.
A quick solution would be adding your web server cert into /path/to/truststore....
Open your truststore.jks/p12 with keytool and add your web server cert into it.

When you are specifying a truststore at JVM arg level it will be used..
even if you are using one-way SSL with the web server call [which looks like your call, as it works when you don't specify a truststore, which is typical one-way https call behaviour] ..
The server is sending you a cert which does not exist in your truststore.

Even if you find some way to tweak this behavior it does not make sense..
The truststore should be respected.

-----Original Message-----
From: Steve Cohen [mailto:scohen@javactivity.org]
Sent: Tuesday, September 22, 2009 11:48 AM
To: users@cxf.apache.org
Subject: CXF using SSL certificate where it isn't wanted


Re: CXF using SSL certificate where it isn't wanted

Posted by Steve Cohen <sc...@javactivity.org>.
Thanks Daniel for your logical explanations.  And I should add workable -
it's all good now after importing the cacerts.


Daniel Kulp wrote:
> On Tue September 22 2009 2:28:13 pm Steve Cohen wrote:
>   
>>> ONE option could be to grab the certs in:
>>> $JRE_HOME/lib/security/cacerts
>>> and create a new truststore with those certs and your MySQL cert and
>>> point the system property at that.
>>>       
>> Would another option be to put the MySQL cert into
>> $JRE_HOME/lib/security/cacerts or is there some good reason you did not
>> suggest that?
>>     
>
> That's probably valid, I'm just always scared of touching stuff in the default 
> JRE installs.   On a shared unix box, you never know what else is using those 
> JRE's that could be affected by that.    :-)
>
> Plus, if you upgrade your jre, you have to remember to re-add the key and 
> such.   In general, I like have everything I need to run things kind of self 
> contained in my version control system if at all possible.
>
> Dan
>
>  
>   
>> Daniel Kulp wrote:
>>     
>>> The best option is to check the MySQL stuff to see if they have some
>>> non-jvm level methods for controlling the SSL stuff that they use.
>>>
>>> For the webservice connection, if it's using SSL, there is definitely
>>> some cert being used.    Most likely, it's signed by some authority that
>>> is available in the default JVM truststore which is why it works fine
>>> without those system properties set.
>>>
>>> ONE option could be to grab the certs in:
>>> $JRE_HOME/lib/security/cacerts
>>> and create a new truststore with those certs and your MySQL cert and
>>> point the system property at that.
>>>
>>> Dan
>>>


Re: CXF using SSL certificate where it isn't wanted

Posted by Daniel Kulp <dk...@apache.org>.
On Tue September 22 2009 2:28:13 pm Steve Cohen wrote:
> > ONE option could be to grab the certs in:
> > $JRE_HOME/lib/security/cacerts
> > and create a new truststore with those certs and your MySQL cert and
> > point the system property at that.
> 
> Would another option be to put the MySQL cert into
> $JRE_HOME/lib/security/cacerts or is there some good reason you did not
> suggest that?

That's probably valid, I'm just always scared of touching stuff in the default 
JRE installs.   On a shared unix box, you never know what else is using those 
JREs that could be affected by that.    :-)

Plus, if you upgrade your JRE, you have to remember to re-add the key and 
such.   In general, I like to have everything I need to run things kind of self 
contained in my version control system if at all possible.

Dan

 
> Daniel Kulp wrote:
> > The best option is to check the MySQL stuff to see if they have some
> > non-jvm level methods for controlling the SSL stuff that they use.
> >
> > For the webservice connection, if it's using SSL, there is definitely
> > some cert being used.    Most likely, it's signed by some authority that
> > is available in the default JVM truststore which is why it works fine
> > without those system properties set.
> >
> > ONE option could be to grab the certs in:
> > $JRE_HOME/lib/security/cacerts
> > and create a new truststore with those certs and your MySQL cert and
> > point the system property at that.
> >
> > Dan
> >

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

Re: CXF using SSL certificate where it isn't wanted

Posted by Steve Cohen <sc...@javactivity.org>.
>
> ONE option could be to grab the certs in:
> $JRE_HOME/lib/security/cacerts 
> and create a new truststore with those certs and your MySQL cert and point the 
> system property at that.
Would another option be to put the MySQL cert into 
$JRE_HOME/lib/security/cacerts or is there some good reason you did not 
suggest that?

Daniel Kulp wrote:
> The best option is to check the MySQL stuff to see if they have some non-jvm 
> level methods for controlling the SSL stuff that they use.   
>
> For the webservice connection, if it's using SSL, there is definitely some 
> cert being used.    Most likely, it's signed by some authority that is 
> available in the default JVM truststore which is why it works fine without 
> those system properties set.
>
> ONE option could be to grab the certs in:
> $JRE_HOME/lib/security/cacerts 
> and create a new truststore with those certs and your MySQL cert and point the 
> system property at that.
>
> Dan
>
>
> On Tue September 22 2009 11:48:21 am Steve Cohen wrote:
>   
>> I have a backend application that makes several types of connections.
>> One is to a Web Service whose client was built with Apache CXF.  The
>> other is to a MySQL database. Because of the unusual security situation
>> in which the servers are forced to live (DMZ) we need to encrypt the
>> transmissions to the DB server, so we are going to use MySQL's "REQUIRE
>> SSL" functionality which requires a certificate from a CA to achieve
>> logon as the database user. This cert is placed in a truststore which
>> becomes known to the application at startup via command-line defines:
>>
>> -Djavax.net.ssl.trustStore=/path/to/truststore
>> -Djavax.net.ssl.trustStorePassword=secret
>>
>> Since we are not using MySQL's "REQUIRE X509", we do not need client
>> certificates and keys.
>>
>> This all works fine.
>>
>> However ...
>>
>> I have now discovered that making these command-line defines breaks the
>> CXF-based Web Service client.  This connection is over https to a Web
>> Server that does not require or accept certificates.  When this
>> connection is attempted with the application in this mode (i.e. with the
>> two defines in the System properties), it fails with:
>>
>>
>> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
>> address.AddressValidator  - [SOAP-ENV:Fault: null]
>> javax.xml.ws.soap.SOAPFaultException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>     at
>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>>     at $Proxy32.validateLocation(Unknown Source)
>> ...
>> Caused by: org.apache.cxf.interceptor.Fault:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>> at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
>> at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
>> ... 8 more
>> Caused by: com.ctc.wstx.exc.WstxIOException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
>> at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
>> ... 14 more
>> Caused by: javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
>> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
>> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
>> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
>> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>> at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
>> at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>> at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
>> at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
>> ... 15 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
>> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
>> at sun.security.validator.Validator.validate(Validator.java:218)
>> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
>> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
>> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
>> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
>> ... 32 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
>> ... 38 more
>>
>> If I turn off the SSL requirement and remove the command line defines,
>> this connection works as designed.
>>
>> So the question is
>>
>> where is the hook, either in Java or CXF by which I can configure this
>> to use the SSL cert for the connections to the MySQL server but not for
>> other types of connection?
>>
>>     
>
>   


Re: CXF using SSL certificate where it isn't wanted

Posted by Daniel Kulp <dk...@apache.org>.
The best option is to check the MySQL stuff to see if they have some non-jvm 
level methods for controlling the SSL stuff that they use.   

For the webservice connection, if it's using SSL, there is definitely some 
cert being used.    Most likely, it's signed by some authority that is 
available in the default JVM truststore which is why it works fine without 
those system properties set.

ONE option could be to grab the certs in:
$JRE_HOME/lib/security/cacerts 
and create a new truststore with those certs and your MySQL cert and point the 
system property at that.

Dan


On Tue September 22 2009 11:48:21 am Steve Cohen wrote:
> I have a backend application that makes several types of connections.
> One is to a Web Service whose client was built with Apache CXF.  The
> other is to a MySQL database. Because of the unusual security situation
> in which the servers are forced to live (DMZ) we need to encrypt the
> transmissions to the DB server, so we are going to use MySQL's "REQUIRE
> SSL" functionality which requires a certificate from a CA to achieve
> logon as the database user. This cert is placed in a truststore which
> becomes known to the application at startup via command-line defines:
> 
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=secret
> 
> Since we are not using MySQL's "REQUIRE X509", we do not need client
> certificates and keys.
> 
> This all works fine.
> 
> However ...
> 
> I have now discovered that making these command-line defines breaks the
> CXF-based Web Service client.  This connection is over https to a Web
> Server that does not require or accept certificates.  When this
> connection is attempted with the application in this mode (i.e. with the
> two defines in the System properties), it fails with:
> 
> 
> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
> address.AddressValidator  - [SOAP-ENV:Fault: null]
> javax.xml.ws.soap.SOAPFaultException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>     at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>     at $Proxy32.validateLocation(Unknown Source)
> ...
> Caused by: org.apache.cxf.interceptor.Fault:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
> at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
> ... 8 more
> Caused by: com.ctc.wstx.exc.WstxIOException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
> at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
> ... 14 more
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
> at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
> at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
> at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
> at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
> ... 15 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
> ... 32 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
> ... 38 more
> 
> If I turn off the SSL requirement and remove the command line defines,
> this connection works as designed.
> 
> So the question is
> 
> where is the hook, either in Java or CXF by which I can configure this
> to use the SSL cert for the connections to the MySQL server but not for
> other types of connection?
> 

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
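Dan's second option, a new truststore holding everything from the JRE's cacerts plus the MySQL CA, carried out in Java as an added example (not code from this thread, from CXF or from MySQL). The cacerts password "changeit" is the JRE default; the file paths and the "mysql-ca-N" aliases are placeholders chosen here.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Collections;

/**
 * Builds one truststore that satisfies both connections in the thread:
 * every public CA the JRE ships in cacerts (so the https web service still
 * validates) plus the CA that signed the MySQL server certificate (so
 * "REQUIRE SSL" still works). The result is what
 * -Djavax.net.ssl.trustStore should point at.
 *
 * Assumed inputs (placeholders, not from the thread):
 *   cacerts      - $JRE_HOME/lib/security/cacerts, password "changeit"
 *   mysql-ca.pem - PEM file with the MySQL CA certificate (or chain)
 */
public class MergedTruststoreBuilder {

    /** Loads a JKS keystore from disk. Newer JDKs ship cacerts as PKCS12,
     *  which the JKS loader also reads in compatibility mode. */
    static KeyStore loadJks(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Copies all trusted-certificate entries from cacerts into a fresh store,
     * adds every certificate in the PEM file under its own alias, writes the
     * store to {@code out} and returns the number of entries it holds.
     */
    static int buildMergedTruststore(Path cacerts, char[] cacertsPassword,
                                     Path mysqlCaPem, Path out, char[] outPassword)
            throws Exception {
        KeyStore jre = loadJks(cacerts, cacertsPassword);

        KeyStore merged = KeyStore.getInstance("JKS");
        merged.load(null, null);   // start with an empty store

        // 1. Carry over the JRE's trusted CAs. Only certificate entries are
        //    copied; cacerts holds no private keys, but be explicit about it.
        for (String alias : Collections.list(jre.aliases())) {
            if (jre.isCertificateEntry(alias)) {
                merged.setCertificateEntry(alias, jre.getCertificate(alias));
            }
        }

        // 2. Add the MySQL CA. A PEM file may contain a chain, so import all
        //    certificates it holds, each under a distinct alias.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = new FileInputStream(mysqlCaPem.toFile())) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            for (Certificate c : certs) {
                merged.setCertificateEntry("mysql-ca-" + added, c);
                added++;
            }
        }
        if (added == 0) {
            throw new IllegalArgumentException("no certificates found in " + mysqlCaPem);
        }

        try (OutputStream os = new FileOutputStream(out.toFile())) {
            merged.store(os, outPassword);
        }
        return merged.size();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: MergedTruststoreBuilder <cacerts> <mysql-ca.pem> <out> <outPassword>");
            System.exit(2);
        }
        int n = buildMergedTruststore(Paths.get(args[0]), "changeit".toCharArray(),
                                      Paths.get(args[1]), Paths.get(args[2]),
                                      args[3].toCharArray());
        System.out.println("wrote " + n + " trusted certificates to " + args[2]);
    }
}
```

Point -Djavax.net.ssl.trustStore at the output file, as Dan describes. cacerts itself stays untouched, so a JRE update cannot silently drop the MySQL CA the way editing cacerts in place would.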

Re: CXF using SSL certificate where it isn't wanted

Posted by Steve Cohen <sc...@javactivity.org>.
>
> You've told Java on the client, 'here is a truststore to use with all SSL
> connections.' Once you do that, it will check all SERVER certificates
> against that truststore. 
Yes, I agree, that is what defining these properties on the command line 
is doing.

> I think that you need to add your web service's
> server certificate to the truststore.
I don't think this Web Service provides such a certificate, or, if it 
does, at any rate, it does not require it and works perfectly well 
without it when these properties are undefined.  Therefore I need some 
way of using certificates with one connection, and not the other.  Is 
there some other way to configure the application which provides the 
level of flexibility I require?

Benson Margulies wrote:
> You've told Java on the client, 'here is a truststore to use with all SSL
> connections.' Once you do that, it will check all SERVER certificates
> against that truststore. I think that you need to add your web service's
> server certificate to the truststore.
>
> The real experts may yet emerge with a recipe for setting the truststore
> more selectively so that it applies to MySQL and not to CXF.
>
>
> On Tue, Sep 22, 2009 at 12:42 PM, Steve Cohen <sc...@javactivity.org> wrote:
>
>   
>> Thanks, but I don't think that's it.  As I indicated originally
>>
>>     
>>> This connection is over https to a Web Server
>>> that does not require or accept certificates.
>>>
>>>       
>> There IS no certificate to add.  I don't want this connection to check
>> certificates.
>>
>>
>> Stan Lewis wrote:
>>
>>     
>>> It looks like the client is complaining that it doesn't trust the
>>> server's certificate.  You probably just need to add the CA for the
>>> server's certificate to the truststore that you're passing on the
>>> command line, so you'd have the CA and certificate for your MySQL
>>> server + the CA for the web service server that your client is
>>> connecting to.
>>>
>>> On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <sc...@javactivity.org>
>>> wrote:
>>>
>>>
>>>       
>>>> I have a backend application that makes several types of connections. One
>>>> is
>>>> to a Web Service whose client was built with Apache CXF.  The other is to
>>>> a
>>>> MySQL database. Because of the unusual security situation in which the
>>>> servers are forced to live (DMZ) we need to encrypt the transmissions to
>>>> the
>>>> DB server, so we are going to use MySQL's "REQUIRE SSL" functionality
>>>> which
>>>> requires a certificate from a CA to achieve logon as the database user.
>>>> This
>>>> cert is placed in a truststore which becomes known to the application at
>>>> startup via command-line defines:
>>>>
>>>> -Djavax.net.ssl.trustStore=/path/to/truststore
>>>> -Djavax.net.ssl.trustStorePassword=secret
>>>>
>>>> Since we are not using MySQL's "REQUIRE X509", we do not need client
>>>> certificates and keys.
>>>>
>>>> This all works fine.
>>>>
>>>> However ...
>>>>
>>>> I have now discovered that making these command-line defines breaks the
>>>> CXF-based Web Service client.  This connection is over https to a Web
>>>> Server
>>>> that does not require or accept certificates.  When this connection is
>>>> attempted with the application in this mode (i.e. with the two defines in
>>>> the System properties), it fails with:
>>>>
>>>>
>>>> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
>>>> address.AddressValidator  - [SOAP-ENV:Fault: null]
>>>> javax.xml.ws.soap.SOAPFaultException:
>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>> find
>>>> valid certification path to requested target
>>>>  at
>>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>>>>  at $Proxy32.validateLocation(Unknown Source)
>>>> ...
>>>> Caused by: org.apache.cxf.interceptor.Fault:
>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>> find
>>>> valid certification path to requested target
>>>> at
>>>>
>>>> org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
>>>> at
>>>>
>>>> org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>>>> at
>>>>
>>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>>> at
>>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
>>>> ... 8 more
>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>> find
>>>> valid certification path to requested target
>>>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
>>>> at
>>>>
>>>> org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
>>>> ... 14 more
>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>> find
>>>> valid certification path to requested target
>>>> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>>>> at
>>>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
>>>> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>>>> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
>>>> at
>>>> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>>>> at
>>>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>>>> at
>>>>
>>>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>>>> at
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
>>>> at
>>>>
>>>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1807)
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1765)
>>>> at
>>>>
>>>> org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>>>> at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
>>>> at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
>>>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
>>>> ... 15 more
>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>>>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>>>> unable
>>>> to find valid certification path to requested target
>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
>>>> at
>>>>
>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
>>>> at sun.security.validator.Validator.validate(Validator.java:218)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
>>>> at
>>>>
>>>> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
>>>> ... 32 more
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>>> unable to find valid certification path to requested target
>>>> at
>>>>
>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
>>>> ... 38 more
>>>>
>>>> If I turn off the SSL requirement and remove the command line defines,
>>>> this
>>>> connection works as designed.
>>>>
>>>> So the question is
>>>>
>>>> where is the hook, either in Java or CXF by which I can configure this to
>>>> use the SSL cert for the connections to the MySQL server but not for
>>>> other
>>>> types of connection?
>>>>
>>>>
>>>>
>>>>         
>>>
>>>
>>>       
>>     
>
>   


Re: CXF using SSL certificate where it isn't wanted

Posted by Benson Margulies <bi...@gmail.com>.
You've told Java on the client, 'here is a truststore to use with all SSL
connections.' Once you do that, it will check all SERVER certificates
against that truststore. I think that you need to add your web service's
server certificate to the truststore.

The real experts may yet emerge with a recipe for setting the truststore
more selectively so that it applies to MySQL and not to CXF.


On Tue, Sep 22, 2009 at 12:42 PM, Steve Cohen <sc...@javactivity.org> wrote:

> Thanks, but I don't think that's it.  As I indicated originally
>
>> This connection is over https to a Web Server
>> that does not require or accept certificates.
>>
> There IS no certificate to add.  I don't want this connection to check
> certificates.
>
>
> Stan Lewis wrote:
>
>> It looks like the client is complaining that it doesn't trust the
>> server's certificate.  You probably just need to add the CA for the
>> server's certificate to the truststore that you're passing on the
>> command line, so you'd have the CA and certificate for your MySQL
>> server + the CA for the web service server that your client is
>> connecting to.
>>
>> On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <sc...@javactivity.org>
>> wrote:
>>
>>
>>> I have a backend application that makes several types of connections. One
>>> is
>>> to a Web Service whose client was built with Apache CXF.  The other is to
>>> a
>>> MySQL database. Because of the unusual security situation in which the
>>> servers are forced to live (DMZ) we need to encrypt the transmissions to
>>> the
>>> DB server, so we are going to use MySQL's "REQUIRE SSL" functionality
>>> which
>>> requires a certificate from a CA to achieve logon as the database user.
>>> This
>>> cert is placed in a truststore which becomes known to the application at
>>> startup via command-line defines:
>>>
>>> -Djavax.net.ssl.trustStore=/path/to/truststore
>>> -Djavax.net.ssl.trustStorePassword=secret
>>>
>>> Since we are not using MySQL's "REQUIRE X509", we do not need client
>>> certificates and keys.
>>>
>>> This all works fine.
>>>
>>> However ...
>>>
>>> I have now discovered that making these command-line defines breaks the
>>> CXF-based Web Service client.  This connection is over https to a Web
>>> Server
>>> that does not require or accept certificates.  When this connection is
>>> attempted with the application in this mode (i.e. with the two defines in
>>> the System properties), it fails with:
>>>
>>>
>>> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
>>> address.AddressValidator  - [SOAP-ENV:Fault: null]
>>> javax.xml.ws.soap.SOAPFaultException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find
>>> valid certification path to requested target
>>>  at
>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>>>  at $Proxy32.validateLocation(Unknown Source)
>>> ...
>>> Caused by: org.apache.cxf.interceptor.Fault:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find
>>> valid certification path to requested target
>>> at
>>>
>>> org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:93)
>>> at
>>>
>>> org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>>> at
>>>
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>> at
>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:171)
>>> ... 8 more
>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find
>>> valid certification path to requested target
>>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
>>> at
>>>
>>> org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:91)
>>> ... 14 more
>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find
>>> valid certification path to requested target
>>> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>>> at
>>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
>>> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>>> [rest of stack trace snipped]
>>>
>>> If I turn off the SSL requirement and remove the command line defines, this
>>> connection works as designed.
>>>
>>> So the question is
>>>
>>> where is the hook, either in Java or CXF by which I can configure this to
>>> use the SSL cert for the connections to the MySQL server but not for other
>>> types of connection?

Re: CXF using SSL certificate where it isn't wanted

Posted by Steve Cohen <sc...@javactivity.org>.
Thanks, but I don't think that's it.  As I indicated originally:
> This connection is over https to a Web Server
> that does not require or accept certificates. 
There IS no certificate to add.  I don't want this connection to check 
certificates.


Stan Lewis wrote:
> It looks like the client is complaining that it doesn't trust the
> server's certificate.  You probably just need to add the CA for the
> server's certificate to the truststore that you're passing on the
> command line, so you'd have the CA and certificate for your MySQL
> server + the CA for the web service server that your client is
> connecting to.
>
> On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <sc...@javactivity.org> wrote:
>> I have a backend application that makes several types of connections. One is
>> to a Web Service whose client was built with Apache CXF.  The other is to a
>> MySQL database. Because of the unusual security situation in which the
>> servers are forced to live (DMZ) we need to encrypt the transmissions to the
>> DB server, so we are going to use MySQL's "REQUIRE SSL" functionality which
>> requires a certificate from a CA to achieve logon as the database user. This
>> cert is placed in a truststore which becomes known to the application at
>> startup via command-line defines:
>>
>> -Djavax.net.ssl.trustStore=/path/to/truststore
>> -Djavax.net.ssl.trustStorePassword=secret
>>
>> Since we are not using MySQL's "REQUIRE X509", we do not need client
>> certificates and keys.
>>
>> This all works fine.
>>
>> However ...
>>
>> I have now discovered that making these command-line defines breaks the
>> CXF-based Web Service client.  This connection is over https to a Web Server
>> that does not require or accept certificates.  When this connection is
>> attempted with the application in this mode (i.e. with the two defines in
>> the System properties), it fails with:
>>
>>
>> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
>> address.AddressValidator  - [SOAP-ENV:Fault: null]
>> javax.xml.ws.soap.SOAPFaultException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>>   at $Proxy32.validateLocation(Unknown Source)
>> ...
>> [rest of stack trace snipped]
>>
>> If I turn off the SSL requirement and remove the command line defines, this
>> connection works as designed.
>>
>> So the question is
>>
>> where is the hook, either in Java or CXF by which I can configure this to
>> use the SSL cert for the connections to the MySQL server but not for other
>> types of connection?
>>


Re: CXF using SSL certificate where it isn't wanted

Posted by Stan Lewis <ga...@gmail.com>.
It looks like the client is complaining that it doesn't trust the
server's certificate.  You probably just need to add the CA for the
server's certificate to the truststore that you're passing on the
command line, so you'd have the CA and certificate for your MySQL
server + the CA for the web service server that your client is
connecting to.

On Tue, Sep 22, 2009 at 11:48 AM, Steve Cohen <sc...@javactivity.org> wrote:
> I have a backend application that makes several types of connections. One is
> to a Web Service whose client was built with Apache CXF.  The other is to a
> MySQL database. Because of the unusual security situation in which the
> servers are forced to live (DMZ) we need to encrypt the transmissions to the
> DB server, so we are going to use MySQL's "REQUIRE SSL" functionality which
> requires a certificate from a CA to achieve logon as the database user. This
> cert is placed in a truststore which becomes known to the application at
> startup via command-line defines:
>
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=secret
>
> Since we are not using MySQL's "REQUIRE X509", we do not need client
> certificates and keys.
>
> This all works fine.
>
> However ...
>
> I have now discovered that making these command-line defines breaks the
> CXF-based Web Service client.  This connection is over https to a Web Server
> that does not require or accept certificates.  When this connection is
> attempted with the application in this mode (i.e. with the two defines in
> the System properties), it fails with:
>
>
> 2009-09-22 09:16:02,122 [robo/AIM:stevecoh43/38] ERROR
> address.AddressValidator  - [SOAP-ENV:Fault: null]
> javax.xml.ws.soap.SOAPFaultException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:192)
>   at $Proxy32.validateLocation(Unknown Source)
> ...
> [rest of stack trace snipped]
>
> If I turn off the SSL requirement and remove the command line defines, this
> connection works as designed.
>
> So the question is
>
> where is the hook, either in Java or CXF by which I can configure this to
> use the SSL cert for the connections to the MySQL server but not for other
> types of connection?
>
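The per-client hook the question asks about, as an added example that is not code from this thread or from the CXF project itself: CXF's HTTPConduit accepts its own TLSClientParameters, so the web-service client can validate the server against a dedicated truststore (holding the web server's CA, as Stan suggests) while the JVM-wide -Djavax.net.ssl.trustStore keeps serving the MySQL driver. Assumed names: `port` (the generated JAX-WS proxy) and the truststore path, both hypothetical.

```java
// Added example, not from the thread: give the CXF client its own trust
// configuration so the JVM-wide -Djavax.net.ssl.trustStore (used for MySQL)
// does not govern the web-service HTTPS connection.
// Assumed: a generated JAX-WS proxy `port`, and a separate truststore at
// /path/to/webservice-truststore.jks (hypothetical path) containing the CA
// that issued the web server's certificate.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class ConduitTrust {

    /** Loads a JKS truststore and returns trust managers that validate against it only. */
    static TrustManager[] trustManagersFor(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ts.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // An explicit KeyStore is used here; the javax.net.ssl.trustStore property
        // is only consulted when init() is given null.
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /** Attaches per-conduit TLS parameters to the proxy; other TLS users in the JVM are unaffected. */
    static void configure(Object port, String trustStorePath, char[] password) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(trustManagersFor(trustStorePath, password));
        // Hostname (CN) verification stays enabled; certificate checking is
        // scoped to this conduit rather than switched off.
        conduit.setTlsClientParameters(tls);
    }

    public static void main(String[] args) throws Exception {
        Object port = null; // replace with the generated JAX-WS proxy
        configure(port, "/path/to/webservice-truststore.jks", "changeit".toCharArray());
    }
}
```

The same TLSClientParameters can be declared in CXF's Spring configuration on the http:conduit element instead of in code, which keeps the truststore choice out of the JVM system properties entirely.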