jaxws client get https wsdl errors - web-services

I am testing a web service hosted on https. I use jaxws for the connection.
This retrieves the wsdl first but that's where the error occurs. I saved the certificate in IE on my local machine and created a keystore from it, as described in JAX-WS-https-client and changed JVM arguments so that the keystore loads.
This did achieve that the url used to retrieve the wsdl contained protocol https instead of http, so things started to look better. But now I get the following error:
SystemException: PropagatedException: WSDLException: faultCode=OTHER_ERROR: Unable to resolve imported document at 'https://www.eway.com.au/gateway/rebill/test/manageRebill_test.asmx?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Does this mean that the certificate was copied to filesystem incorrectly?
Is something else wrong? What to do?
I should note that when exporting a certificate from IE, the option is given to export the private key or not. When not exporting the private key, then it can be saved as .cer file which is necessary for creating the keystore. On the other hand, when I try to export the private key, the file extension is .pfx and this cannot be converted to a keystore.

My bad - I had Fiddler running and thus used a certificate issued by Fiddler.
When I added the real certificate to the keystore, the webservice call was OK.
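The failure resolved above comes down to which certificate ended up in the keystore. As an added example (not part of the original post), this script generates throwaway certificates with openssl and shows that a certificate saved while a debugging proxy re-signs traffic has the same subject as the one a direct connection receives, but a different issuer and fingerprint, so an anchor taken from the proxy builds no path to it. All CA names, the host name and the file names are constructed.

```sh
#!/bin/sh
# Added example: every name, subject and file below is constructed.

# mk_ca <name> <cn>: throwaway self-signed CA -> <name>.key, <name>.crt
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# mk_leaf <ca> <name> <cn>: certificate for <cn> issued by <ca> -> <name>.crt
mk_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.crt" 2>/dev/null
}

subject_of()     { openssl x509 -noout -subject -in "$1"; }
issuer_of()      { openssl x509 -noout -issuer -in "$1"; }
fingerprint_of() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# chains_to <anchor.crt> <cert.crt>: succeeds only if <cert> validates up to
# <anchor>; a failure here corresponds to the JVM's "PKIX path building failed".
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# make_fixtures: two certificates for the same host name, one issued by the
# site's CA (what a direct connection receives) and one re-issued by a
# debugging proxy (what the browser showed while the proxy was running).
make_fixtures() {
    cd "$(mktemp -d)" || return 1
    mk_ca site-ca  "Constructed Site CA" &&
    mk_ca proxy-ca "Constructed Debugging Proxy Root" &&
    mk_leaf site-ca  direct "service.example.test" &&
    mk_leaf proxy-ca saved  "service.example.test"
}

make_fixtures || exit 1
for f in direct.crt saved.crt; do
    echo "== $f"; subject_of "$f"; issuer_of "$f"; fingerprint_of "$f"
done
chains_to proxy-ca.crt direct.crt || echo "anchor from proxy: no path to direct.crt"
chains_to site-ca.crt  direct.crt && echo "anchor from site CA: path builds"
```

Run the same three inspection commands on a saved .cer file before importing it; an issuer you do not recognise as the site's CA means the file came from something sitting between the browser and the server.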

Related

Issues when setting up Kafka mTLS with certs from GCP's Certificate Authority Service

I am trying to set up a Kafka cluster with mTLS authentication using certificates signed by GCP's CAS (Certificate Authority Service). I have three Kafka nodes: a master and two workers. Each node has a PEM truststore containing the CA Root certificate from the authority on CAS and a PEM keystore containing a signed certificate from CAS and the private key. I followed this webpage for the setup.
This is the server.properties file for the master node. Other nodes have a similar config except the ssl.keystore.location property.
listeners=INTERNAL://:port,EXTERNAL://:port
advertised.listeners=INTERNAL://:port,EXTERNAL://:port
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=
producer.ssl.endpoint.identification.algorithm=
consumer.ssl.endpoint.identification.algorithm=
ssl.client.auth=required
ssl.truststore.type=PEM
ssl.truststore.location=/path/ca.crt
ssl.keystore.type=PEM
ssl.key.password=<password>
ssl.keystore.location=/path/master.pem
The truststore is the ca.crt (Root CA certificate) file and the keystore has the private key and the signed certificate. There are no intermediate certificates, the certificates in the keystore are directly signed by the root certificate.
When I try to start the server on any node, I get the following error. I am not sure why.
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
P.S. I have already tried using the truststore and keystore in JKS and PKCS12 format. I keep getting the same error.
From what you shared, it doesn't seem that you've created valid keystores for the cert and CA.
ssl.truststore.location=/path/ca.crt
...
ssl.keystore.location=/path/master.pem
You're merely pointing to the original files. You need to create two valid java keystores with a JDK's keytool tool and import the files into each one. Depending on your certificate format you might need to convert them with openssl.
See https://stackoverflow.com/a/11954816/50114 for an example.
You mentioned earlier that you got the same error with JKS keystore and truststore. From the error message, it sounds like the keystore may not contain the whole chain. Can you first try with a JKS truststore containing the root cert and a JKS keystore containing the private key and the whole certificate chain (i.e. including root cert)?
If that run gives the same error, you could enable "javax.net.debug=ssl". If using Kafka scripts to start the broker, you can first export KAFKA_OPTS=-Djavax.net.debug=ssl. The broker performs extra validation by attempting a handshake using the provided keystore and truststore for the inter-broker listener. It looks like that validation is failing in your case. The extra debug may help to understand why.
Once you have the broker running with JKS, you can switch to PEM if required.
What does your keystore PEM file look like?
Does it have clear separate sections (with BEGIN and END)? See https://docs.progress.com/en-US/bundle/datadirect-hybrid-data-pipeline-installation-46/page/PEM-file-format.html
Can you try adding the Root CA in the PEM file too, after the signed certificate?
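One way to answer the questions above about the PEM key store's layout, as an added example that is not from the original thread: list the BEGIN/END sections in file order and check for exactly one private key plus at least one certificate. It also flags non-PKCS#8 key labels, because Kafka's documentation states that the default SSL engine factory supports only PKCS#8 keys in PEM format. The sample files are constructed and their bodies are placeholders, not key material.

```sh
#!/bin/sh
# Added example; sample files are constructed and their bodies are placeholders.

# pem_sections <file>: print "<n>: <label>" for each PEM block in file order;
# exits non-zero if a BEGIN/END pair is missing or mismatched.
pem_sections() {
    awk '
        { sub(/\r$/, "") }    # tolerate CRLF line endings
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") { print "unterminated: " cur; bad = 1 }
            cur = substr($0, 12, length($0) - 16); next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            label = substr($0, 10, length($0) - 14)
            if (label == cur) print ++n ": " label
            else { print "unexpected END: " label; bad = 1 }
            cur = ""; next
        }
        END {
            if (cur != "") { print "unterminated: " cur; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# check_keystore_pem <file>: layout checks for a PEM key store holding a
# private key and its certificate chain; prints findings, non-zero if any.
check_keystore_pem() {
    s=$(pem_sections "$1") || { echo "$s"; return 1; }
    rc=0
    keys=$(echo "$s" | grep -c 'PRIVATE KEY$' || true)
    certs=$(echo "$s" | grep -c ': CERTIFICATE$' || true)
    [ "$keys" -eq 1 ]  || { echo "expected 1 private key, found $keys"; rc=1; }
    [ "$certs" -ge 1 ] || { echo "no CERTIFICATE block"; rc=1; }
    if echo "$s" | grep -Eq ': (RSA|EC|DSA) PRIVATE KEY$'; then
        echo "key is not PKCS#8 ('PRIVATE KEY' / 'ENCRYPTED PRIVATE KEY')"; rc=1
    fi
    return $rc
}

# mk_sample <file> <label>...: write a constructed PEM file with those blocks
mk_sample() {
    f=$1; shift; : > "$f"
    for label in "$@"; do
        printf '%s\n' "-----BEGIN $label-----" "AAAA" "-----END $label-----" >> "$f"
    done
}

dir=$(mktemp -d)
mk_sample "$dir/good.pem"  "PRIVATE KEY" "CERTIFICATE" "CERTIFICATE"
mk_sample "$dir/pkcs1.pem" "RSA PRIVATE KEY" "CERTIFICATE"
for f in good pkcs1; do
    echo "== $f.pem"; pem_sections "$dir/$f.pem"; check_keystore_pem "$dir/$f.pem" || true
done
```

The check looks only at section labels and order; it does not decode the bodies or validate the chain.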

Using installed SSL/TLS certificate with SoapUI?

I need to be able to hit a web service using SoapUI to inspect the request and response. I was previously provided with a certificate in the form of a .PFX file, along with the keystore password, which I could import into SoapUI and successfully hit the service.
The certificate I was provided recently expired, and my company has now deployed a new certificate via SCCM to my machine. I have the certificate installed in both Local Machine and Current User.
My question is:
Is there a way to use an installed certificate (meaning I can't export it first) to complete the SSL/TLS handshake when making a request via SoapUI?
Everything I've been able to find on the web has referenced exporting the certificate and setting the SSL settings in SoapUI (like I did before). Unfortunately, I do not have required authority to export the certificate to a .PFX file with a keystore password...
I assume there has to be a configuration setting of some sort in SoapUI that will let me hit the service with my installed certificate, but I can't find it for the life of me. Any help is greatly appreciated!
Even confirmation that it's impossible is appreciated; just not as much as I would appreciate a solution ;)
Thanks in advance!

How to use a self-signed public certificate in Mule ESB WSC?

I have one .cer file which is a self-signed public certificate. I have added it in a truststore, configured it in a https connector, and referenced it in the WSC component. But while trying to run the code, I am getting a "no trusted certificate found error". Do I need to configure keystore or anything else?
Self-signed certs can be used by the <tls:context> component. After configuration you're able to use it for HTTP or other supported components.
<tls:context name="customContext">
<tls:trust-store path="/etc/mule/tls/.." password="yourPass"/>
<tls:key-store path="/etc/mule/tls/.." keyPassword="yourKeyPass" password="yourPass"/>
</tls:context>
More can be found at https://docs.mulesoft.com/mule-runtime/4.2/tls-configuration

WSO2 Dashboard SAML auth: PKIX path building failed

Using the WSO2 Identity Server on my production site, I try to access the "dashboard jaggery apps" to manage my own user account (change password, etc.). But when I try to log in there (using SAML2 on the https production domain), it shows the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We write the keystore path in the auth_config.json inside repository/deployment/server/jaggeryapps/dashboard/authentication, but it does not work.
We have other application using the same fingerprint and/or x.509 hash correctly (with SAML2), but this app we can't configure.
Here is the complete error: http://pastebin.com/tgJenydM
Any suggestions? Thanks.
update:
When I use the backend IP the error is not raised, but when I change to the domain name it is. (This error is really making me crazy.)
Did you change the default keystore of the WSO2IS server? If so, could you please let us know whether you imported your new certificate into the trust store file (client-truststore.jks) of the WSO2IS server? If not, this can be the issue. Please export the certificate from the keystore and import it into the trust store of the server. You can use the Java keytool command to do it.
When you are working on the dashboard (not on localhost), there are a few configurations you need to do. You can find them from here

How to call web service with unknown certificate

I have generated client stub using wsdl2java.
I am able to call webservices of HTTP server.
But I have HTTPS server with self signed certificate.
When I called the same service for the HTTPS server, it threw an exception:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How to modify client stub to accept all certificates?
You have one of two options:
Trust the cert. One possible approach is this: http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/
Alternatively, choose to ignore the error and keep going. See this stackoverflow q: How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?
Google is your friend...