Calling WebService and having SSL / cert issue
<p>I'll begin with the fact that I do not have much knowledge about setting up a keystore, etc. in Java.</p>
<p>I am trying to call a SOAP web service. I got the WSDL, generated the code, etc. Everything seemed okay until I deployed it and tried to trigger the WS call.</p>
<p>Here's my setup:</p>
<ul>
<li>Tomcat 7.0.35</li>
<li>Java, jdk 1.6.0_39</li>
<li>pfx file and the password</li>
<li>project deployed as standard web app (war) to Tomcat</li>
</ul>
<p>When I run the code, I get the following exception:</p>
<pre><code>Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://tallyservices-qa.olson.com/tallyDemo2WebServices/tallyDemo2/sms: Received fatal alert: certificate_unknown
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1336)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1320)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    ... 27 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1837)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1019)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:170)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1280)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1231)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:183)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1293)
    ... 30 more
</code></pre>
<p>I followed the suggestion here: <a href="https://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key">How to convert .pfx file to keystore with private key?</a> to install the cert to my keystore:</p>
<pre><code>keytool -importkeystore -srckeystore C:\somefolder\mypfxfile.pxf -srcstoretype pkcs12 -destkeystore C:\somefolder\clientcert.jks -deststoretype JKS
</code></pre>
<p>and I got:</p>
<pre><code>Enter destination keystore password: &lt;mypassword&gt;
Re-enter new password: &lt;mypassword&gt;
Enter source keystore password: &lt;pxf_password&gt;
Entry for alias 67eb31f6 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
</code></pre>
<p>So everything looked good so far. I bounced my Tomcat and hit the servlet again, and I still get the same error.</p>
<p>What else am I missing here? Do I need to tell Tomcat about the certificate or something?</p>
<p>Thanks in advance for the help, and apologies for my noob-ness in the keystore and certificate area.</p>
<p><strong>EDIT:</strong> So I figured from Carlo Pellegrini's help that I need to add the keystore to Tomcat, so now my Tomcat is started with an additional JAVA_OPTS parameter:</p>
<pre><code>"-Djavax.net.ssl.trustStore=C:\somefolder\clientcert.jks -Djavax.net.ssl.trustStorePassword=somepassword"
</code></pre>
<p>and now I get:</p>
<pre><code>Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
</code></pre>
<p>From here: <a href="https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty">Error - trustAnchors parameter must be non-empty</a> and <a href="https://stackoverflow.com/questions/6633164/got-java-security-invalidalgorithmparameterexception-the-trustanchors-parameter">got java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty when using cas</a> - it seems like my truststore is not found?</p>
<p>I figured my earlier command:</p>
<pre><code>keytool -importkeystore -srckeystore C:\somefolder\mypfxfile.pxf -srcstoretype pkcs12 -destkeystore C:\somefolder\clientcert.jks -deststoretype JKS
</code></pre>
<p>actually put the pfx into the <strong>keystore</strong>, not the truststore?</p>
<p>When I check the keystore list:</p>
<pre><code>C:\somefolder&gt;keytool -list -keystore "C:\somefolder\clientcert.jks"
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

67eb31f6, 13-Feb-2013, PrivateKeyEntry,
Certificate fingerprint (MD5): ... some fingerprint ...
</code></pre>
<p>So I am not sure what I am missing here.</p>
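<p>Added example, not part of the original post: a Java check of why a store like the one listed above (one PrivateKeyEntry, no trustedCertEntry) produces "the trustAnchors parameter must be non-empty" when passed as -Djavax.net.ssl.trustStore, since PKIX takes trust anchors only from trusted certificate entries. The class name TrustStoreCheck and the single path argument are assumptions; run without arguments it uses a constructed empty in-memory store, which fails the same way.</p>

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

/** Added example (hypothetical class name): can this JKS act as a truststore? */
public class TrustStoreCheck {

    /** Returns {keyEntries, trustedCertEntries} for the given store. */
    static int[] countEntries(KeyStore ks) throws Exception {
        int keys = 0, trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keys++;                  // PrivateKeyEntry: client identity
            else if (ks.isCertificateEntry(alias)) trusted++;  // trustedCertEntry: a trust anchor
        }
        return new int[] {keys, trusted};
    }

    /** True if PKIX validation can build at least one trust anchor from the store. */
    static boolean usableAsTrustStore(KeyStore ks) throws Exception {
        try {
            new PKIXParameters(ks);  // only trustedCertEntry aliases become anchors
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIX: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (args.length == 1) {
            // Assumed usage: java TrustStoreCheck <path-to-jks>
            InputStream in = new FileInputStream(args[0]);
            try {
                ks.load(in, null);   // null password: skip the integrity check, entries still list
            } finally {
                in.close();
            }
        } else {
            ks.load(null, null);     // constructed sample: empty in-memory store
        }
        int[] n = countEntries(ks);
        System.out.println("key entries: " + n[0] + ", trusted cert entries: " + n[1]);
        System.out.println(usableAsTrustStore(ks)
            ? "usable as -Djavax.net.ssl.trustStore"
            : "not a truststore: no trusted certificate entries");
    }
}
```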