Centaur Tech

Dips

Friday, May 22

1-way ssl setup and cert issues

1-way SSL overview:
 
1-way SSL requires the client to verify the server's identity, while the server accepts any client without authenticating it.
When the client connects, the server presents its certificate; the client verifies the server's identity against that certificate and proceeds only if the verification succeeds.
For this to work, the server needs its certificate and private key installed, while the client only needs the corresponding CA certificate (usually kept in a truststore).
The client truststore location can be specified using a system property:
System.setProperty("javax.net.ssl.trustStore", "C:/CIBTAPPS/MyTrust.jks");
 
You might need to download the certificate (download it in the browser and 'export' it as a file) and import it into a truststore. Importing the server's own certificate instead of its issuing CA works, but the import has to be repeated whenever that certificate is renewed.
Use the keytool utility from the JDK as follows:
keytool -import -alias csw.dev.wachovia.net -file C:\CIBTAPPS\SSL.crt -keystore C:\CIBTAPPS\MyTrust.jks
 
List the truststore contents as follows:
keytool -list -keystore c:\CIBTAPPS\WachoviaTrust.jks
Enter keystore password:  ****
The result will look something like:
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 2 entries
 
wachovia test ca, Aug 20, 2007, trustedCertEntry,
Certificate fingerprint (MD5): AE:72:8D:E0:55:FA:F4:77:C2:8F:5D:B1:D3:A5:A0:51
enterpriseca, Aug 31, 2007, trustedCertEntry,
Certificate fingerprint (MD5): A3:AC:32:B3:8B:75:96:D9:48:16:46:39:21:C7:3E:0C
myprivateroot, May 19, 2009, trustedCertEntry
 
Troubleshooting:
 
Problem:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
 at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
 at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
 at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:861)
 at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
 at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:82)
 at org.springframework.ws.transport.AbstractSenderConnection$RequestTransportOutputStream.createOutputStream(AbstractSenderConnection.java:101)
 at org.springframework.ws.transport.TransportOutputStream.getOutputStream(TransportOutputStream.java:41)
 at org.springframework.ws.transport.TransportOutputStream.write(TransportOutputStream.java:60)
 at com.sun.xml.messaging.saaj.soap.MessageImpl.writeTo(MessageImpl.java:1221)
 at org.springframework.ws.soap.saaj.Saaj13Implementation.writeTo(Saaj13Implementation.java:288)
 at org.springframework.ws.soap.saaj.SaajSoapMessage.writeTo(SaajSoapMessage.java:119)
 at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:42)
 at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:549)
 at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:512)
 at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:465)
 ... 23 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
 at sun.security.validator.Validator.validate(Validator.java:203)
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
 at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
 ... 45 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
 ... 50 more

Possible solutions:
Set the system property to the appropriate truststore: System.setProperty("javax.net.ssl.trustStore", "C:/CIBTAPPS/MyTrust.jks");
If this is already set, the certificate (or its issuing CA) might not be in that store; use keytool -list to check. The exception means the JVM could not build a chain from the server's certificate to any trusted entry in the store it is using.
 
Problem:
Caused by: java.io.IOException: HTTPS hostname wrong: should be <nc-sils-f5c-ict01-1wlg-weblogic-sit.test.wachovia.net>
at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:490)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:861)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:82)
at org.springframework.ws.transport.AbstractSenderConnection$RequestTransportOutputStream.createOutputStream(AbstractSenderConnection.java:101)
at org.springframework.ws.transport.TransportOutputStream.getOutputStream(TransportOutputStream.java:41)
at org.springframework.ws.transport.TransportOutputStream.write(TransportOutputStream.java:60)
at com.sun.xml.messaging.saaj.soap.MessageImpl.writeTo(MessageImpl.java:1221)
at org.springframework.ws.soap.saaj.Saaj13Implementation.writeTo(Saaj13Implementation.java:288)
at org.springframework.ws.soap.saaj.SaajSoapMessage.writeTo(SaajSoapMessage.java:119)
at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:42)
at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:549)
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:512)
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:465)... 25 more
 
Possible solutions:
The client also verifies the hostname, i.e. whether the certificate's Subject Distinguished Name (DN) contains a Common Name (CN) that exactly matches the hostname in the Web Service URL.
For example, a Web Service hosted at https://www.mycompany.com/services should be protected by an SSL certificate with a CN of www.mycompany.com.
On a mismatch the above exception is seen. You need the right certificate, with a CN that matches the hostname in the URL.
There is no easy way to turn off hostname verification at the web service client level. Programmatically it can be done as described here: http://www.theserverside.com/discussions/thread.tss?thread_id=34538 . Note that turning it off lets any certificate in the truststore pass for any hostname, so fixing the certificate is the better option.
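The two failures above (PKIX path building and hostname mismatch) can be reproduced offline, before running the web service client, by applying the same checks JSSE applies during the handshake to the exported certificate and the truststore. This is an added diagnostic, not code from the original post; the paths and hostname are the ones used above, and the truststore password is an assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;
import javax.net.ssl.*;

// Added diagnostic: validates an exported server cert against a JKS truststore.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        String trustStorePath = "C:/CIBTAPPS/MyTrust.jks";
        char[] password = "changeit".toCharArray();      // assumed, use your own
        String certFile = "C:/CIBTAPPS/SSL.crt";          // exported server cert
        String expectedHost = "csw.dev.wachovia.net";     // host in the service URL
        // Load the truststore the same way JSSE does for javax.net.ssl.trustStore.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        // Read the server certificate (a chain, if the file holds several certs).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (FileInputStream in = new FileInputStream(certFile)) {
            certs = cf.generateCertificates(in);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        // Same path validation that fails with "PKIX path building failed".
        try {
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("chain validates against " + trustStorePath);
        } catch (CertificateException e) {
            System.out.println("chain does NOT validate: " + e.getMessage());
        }
        // Same name comparison that fails with "HTTPS hostname wrong": CN or DNS SAN.
        X509Certificate leaf = chain[0];
        boolean nameOk = false;
        Matcher m = Pattern.compile("CN=([^,]+)").matcher(leaf.getSubjectX500Principal().getName());
        if (m.find() && m.group(1).equalsIgnoreCase(expectedHost)) nameOk = true;
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) for (List<?> san : sans)   // type 2 is a dNSName entry
            if (Integer.valueOf(2).equals(san.get(0)) && expectedHost.equalsIgnoreCase((String) san.get(1))) nameOk = true;
        System.out.println("hostname " + expectedHost + (nameOk ? " matches" : " does NOT match") + " the certificate");
    }
}
```

If the chain check fails here, keytool -import into the listed truststore is the fix; if only the hostname check fails, the certificate was issued for a different name than the one in the URL.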

Dips at 5:52 AM

1 Comments

At 2:22 PM, Anonymous said...

Thanks a lot! Helped me to resolve a problem I'd been struggling with for like a day.
