Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Aug 09, 2012 6:59 am    Post subject: SOAP request over https
DISCLAIMER: this error has the word "java" in it. I accept that I've reacted to this in much the same way my wife reacts to a mouse in the living room. Those who know me personally are at liberty to imagine the running round, screaming and blind panic.
WMB 7.0.0.3. Flow reads a file, builds a web service request using a deployable WSDL that's deployed. When it calls the web service with https the user trace says:
Code:
2012-08-09 10:37:39.651187 6396 SocketException BIP3165S: An error occurred whilst performing an SSL socket operation. Operation: 'connect'. Error Text: 'javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error'.
The broker's got a keystore, a truststore and all seems to be configured as you'd expect for an HTTPS request. The broker (a test one) has a self-signed certificate that lists out when I use gsk7cmd.
What am I missing? Clearly something's hosed up in the SSL configuration & it's broken the certificate chain but how & what do I do about it?
_________________
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Thu Aug 09, 2012 7:03 am
Use IE, browse to the IP address you are trying to access, save the SSL cert on your file system, then import the SSL cert into your truststore.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Thu Aug 09, 2012 7:32 am
Certificate Chaining error usually indicates that you have imported the cert of the endpoint you're talking to, and their CA, but you have not imported any intermediate certs between the endpoint and CA certs.
As lancelotlinc suggests, using a browser to pull down the cert may give you an easy way to get the full signer chain.
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Thu Aug 09, 2012 7:37 am
Also, if the error persists and if the cert is already in the truststore, this becomes kind of sticky as the only way around the chaining error for me was to have only one root authority, and root authority cert imported first into a pristine truststore file.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
AndreasMartens (Acolyte; Joined: 30 Jan 2006; Posts: 65; Location: Hursley, UK)
Posted: Fri Aug 10, 2012 5:40 am    Post subject: Which provider?
Some of the Java security providers don't like self-signed certificates or certificates without a parent cert in the trust store.
Have you tried with a "proper" certificate (you can generate a test one using openssl and if you need a gui: tinyca)? Since self-signed certificates aren't worth the paper they could have been printed on, I wouldn't even try using them...
cheers,
Andreas
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Fri Aug 10, 2012 8:28 pm    Post subject: Re: Which provider?
AndreasMartens wrote:
> Some of the Java security providers don't like self-signed certificates or certificates without a parent cert in the trust store.
> Have you tried with a "proper" certificate (you can generate a test one using openssl and if you need a gui: tinyca)? Since self-signed certificates aren't worth the paper they could have been printed on, I wouldn't even try using them...
> cheers,
> Andreas

Well self signed certs have their place and worth. Don't forget that the root cert of any Certificate Authority is a self signed certificate...
_________________
MQ & Broker admin
AndreasMartens (Acolyte; Joined: 30 Jan 2006; Posts: 65; Location: Hursley, UK)
Posted: Mon Aug 13, 2012 3:18 am    Post subject: Re: Which provider?
fjb_saper wrote:
> Well self signed certs have their place and worth. Don't forget that the root cert of any Certificate Authority is a self signed certificate...

True, proper root certs have the flags set up right so they're "allowed" to be self-signed. Normal self-signed certs generated by keytool don't have these flags and are often rejected.
cheers,
Andreas
rrydziu (Newbie; Joined: 21 Dec 2011; Posts: 8)
Posted: Wed Aug 22, 2012 12:27 am
Maybe a restart of the execution group may help you.
For me this solved the problem.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Aug 22, 2012 2:42 am
rrydziu wrote:
> Maybe a restart of the execution group may help you.
> For me this solved the problem.

I'm not running on Windows....
I offer thanks to all who responded. 2 problems have been identified:
- insufficient certs in the truststore
- the target service being configured to allow only certs signed by the correct authority
I've filled out the relevant forms, beaten the money out of my boss and we'll see what happens when I get a signed cert.
_________________
Honesty is the best policy.
Insanity is the best defence.
integration (Apprentice; Joined: 26 Jun 2007; Posts: 32)
Posted: Tue Jun 25, 2013 12:53 am
Hi Vitor,
Could you please let me know how the issue was solved later?
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Tue Jun 25, 2013 4:22 am
integration wrote:
> Hi Vitor,
> Could you please let me know how the issue was solved later?

Apologies for not updating this thread as promised. So many problems, so little attention span....
The problem was that self signed certificates (as indicated in this thread) are about as much use as an empty can of dinosaur repellent. We got the broker a proper certificate, rebuilt the truststore, discovered it still didn't work and then added all the intermediate certificates.
(Our certificate was signed by CA 1 which is in a chain with CA X, the service was signed by CA 2 which is in a chain with CA X. Both CA 1 & CA 2 need to be in the truststore).
All done with much huffing, puffing and comments of "none of the other Java apps need all these certificates". Sarcastic comments about WMB being more rigorously secure than Java were made with no confidence about how I stood in terms of fact, but it made me feel better and it all worked when all the certs were added.
_________________
Honesty is the best policy.
Insanity is the best defence.
integration (Apprentice; Joined: 26 Jun 2007; Posts: 32)
Posted: Tue Jun 25, 2013 10:12 pm
Thanks a lot for the information.