using certificate to access wsdl file
Srikrishna Kalavacharla
2004-05-18 16:08:03 UTC
Hi,
I'm trying to access the web services hosted by our client. We were
provided a certificate to use while establishing the connection and
I can use the same to actually look at their wsdl file through the
internet explorer.

I've created a new keystore and imported the certificate provided to
us using the following command.

"keytool -import -v -trustcacerts -alias client -file client.cer
-keystore company.keystore"

This actually creates a file called company.keystore, which can be
used, while generating the java stub files using wsdl2java, by
accessing their url. And my wsdl2java command looks like this.

java -Djavax.net.ssl.trustStore=company.keystore
org.apache.axis.wsdl.WSDL2Java
https://www.client.com/services/hostedWebServices?wsdl

At this point it throws me the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at java.net.URL.openStream(Unknown Source)
        at org.apache.crimson.parser.InputEntity.init(Unknown Source)
        at org.apache.crimson.parser.Parser2.parseInternal(Unknown Source)
        at org.apache.crimson.parser.Parser2.parse(Unknown Source)
        at org.apache.crimson.parser.XMLReaderImpl.parse(Unknown Source)
        at org.apache.crimson.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at org.apache.axis.utils.XMLUtils.newDocument(XMLUtils.java:322)
        at org.apache.axis.utils.XMLUtils.newDocument(XMLUtils.java:367)
        at org.apache.axis.wsdl.symbolTable.SymbolTable.populate(SymbolTable.java:384)
        at org.apache.axis.wsdl.gen.Parser$WSDLRunnable.run(Parser.java:245)
        at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
        at sun.security.validator.SimpleValidator.buildTrustedChain(Unknown Source)
        at sun.security.validator.SimpleValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
        ... 21 more

Here I'm trying to see if I can make a secure connection or not.
I've downloaded their wsdl file and created a small java client
which also bumps into the same error

Please let me know where I'm doing wrong.

Thanks in advance
Srikrishna

Tom Oinn
2004-05-18 19:42:24 UTC
Hi,

I believe your problem is that the certificate is a client one. The only
time I've seen that error was when we were missing a server certificate
- the one that is used to authenticate the server rather than the one
used to authenticate the client. The certificate that, say, IE asks you
whether you want to install when you visit a https URL is a server
certificate.

I'm guessing this based on the command line 'client.cer' reference. Try
with the server certificate in your keystore and see if the error is
still there, if it is then double check the certificate (certificate CN
should be equal to the hostname IIRC but you can get around that
sometimes by munging the hosts file on your client... hack hack hack)

HTH,

Tom
Srikrishna Kalavacharla
2004-05-18 20:38:47 UTC
Thanks Tom,
I'm assuming the certificate I'm using is the server certificate. And
the reason is as follows:

We have received a myCertificate.p12 file to be installed on our side. I've
installed the same and when I hit the URL through IE it brings up the list
of certificates which can be used to authenticate us as a valid entity
allowed to access the web services. Here when I selected the installed
"myCertificate" it allows me to go in and see the web services.

I've used this installed "myCertificate" in the internet explorer to export
it into "myCertificate.cer" and import this ".cer" into
"myCertificate.keystore" and use this keystore file for all further secure
communication.

When I try to hit their web services using this "myCertificate.keystore"
file, I can see the CN name is *different* for "myCertificate.cer" which is
imported into "myCertificate.keystore" and does not match with any of the CN
names that come from the server in the certificate chain.

My question is, if this might cause a problem, how come internet explorer is
able to resolve and able to present me as a valid host to the server,
whereas my java client program is not able to do the same?

Thanks in advance
Srikrishna
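The distinction Tom draws between the two certificates can be checked directly in the keystore files. The following added example (not code from the thread or from Axis; the class name KeyStoreAudit and the passwords are assumptions, the file names are the ones used in this thread) lists every entry in a keystore and says whether it carries a private key. A .p12 that a browser can select for client authentication contains a private key, so it loads as a PrivateKeyEntry and can serve as javax.net.ssl.keyStore; a .cer exported from the browser contains only the public certificate, so keytool -import turns it into a TrustedCertificateEntry, which can only be used to trust a peer, never to authenticate as one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Reports what a keystore can actually be used for (added example, not code
 * from the thread). Entry kinds:
 *   PrivateKeyEntry         - certificate chain + private key: usable as our
 *                             TLS client identity (javax.net.ssl.keyStore)
 *   TrustedCertificateEntry - certificate only: usable to trust a peer
 *                             (javax.net.ssl.trustStore), never as an identity
 *
 * Usage (file names from the thread, passwords assumed):
 *   java KeyStoreAudit myCertificate.p12 changeit PKCS12
 *   java KeyStoreAudit company.keystore changeit
 */
public class KeyStoreAudit {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreAudit <file> <password> [type]");
            System.exit(2);
        }
        // Type is PKCS12 for .p12/.pfx files; otherwise fall back to the JRE default (JKS on older JDKs).
        String type = args.length > 2 ? args[2]
                : (args[0].toLowerCase().endsWith(".p12") || args[0].toLowerCase().endsWith(".pfx"))
                        ? "PKCS12" : KeyStore.getDefaultType();
        char[] password = args[1].toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        int identities = 0, trustAnchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                identities++;
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("[identity] " + alias + "  (private key present, chain length "
                        + chain.length + ")");
                for (Certificate c : chain) describe((X509Certificate) c);
            } else if (ks.isCertificateEntry(alias)) {
                trustAnchors++;
                System.out.println("[trust]    " + alias + "  (certificate only, no private key)");
                describe((X509Certificate) ks.getCertificate(alias));
            }
        }

        System.out.println();
        System.out.println("entries with a private key (client identity): " + identities);
        System.out.println("certificate-only entries (peer trust):        " + trustAnchors);
        if (identities == 0) {
            System.out.println("This file cannot present a client certificate; use the .p12 as the key store.");
        }
    }

    /** Prints the fields that matter for trust and hostname decisions. */
    static void describe(X509Certificate c) throws Exception {
        System.out.println("    subject : " + c.getSubjectX500Principal());
        System.out.println("    issuer  : " + c.getIssuerX500Principal());
        // getBasicConstraints() is -1 for an end-entity certificate, >= 0 for a CA certificate.
        System.out.println("    CA cert : " + (c.getBasicConstraints() != -1));
        System.out.println("    valid   : " + c.getNotBefore() + " -> " + c.getNotAfter());
        if (c.getSubjectAlternativeNames() != null) {
            // The URL host must match one of these (or the CN on old certificates without SANs).
            System.out.println("    SANs    : " + c.getSubjectAlternativeNames());
        }
    }
}
```

Two caveats worth keeping in mind while reading the output. The -trustcacerts flag on the keytool -import in the first post only tells keytool to validate the certificate being imported against the JDK's cacerts file; it does not change the kind of entry that results. And Internet Explorer validates the server's chain against the Windows certificate store, which already trusts the common CAs, whereas Java validates against the file named by javax.net.ssl.trustStore (by default the JRE's cacerts); setting that property to company.keystore replaces cacerts rather than supplementing it, so the server's CA (or the server certificate itself) has to be in that file.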
r***@comcast.net
2004-05-18 21:05:11 UTC
Silly suggestion. If you can download the WSDL file from Internet Explorer, why not just save it as a file and then use the tools to generate stubs, etc?

Rick
Srikrishna Kalavacharla
2004-05-18 21:21:50 UTC
Rick,
Actually what Tom said makes sense. I'm able to download the wsdl file from
the internet explorer because I'm presenting the "client certificate" when
asked by the "server certificate" and thereby letting the server know I'm
the same host as specified by the client certificate.

To work over ssl, it is just not enough to generate the stub files and write
a java client program to access the web services. I've to use a keystore
which has the "server certificate" imported instead of the "client
certificate" which I was doing earlier.(Thanks Tom!, I've corrected this and
now it is working partially :)) And I've to present this keystore everytime
I've to make a call to the web services.

After importing the "server certificate" into my keystore and using it along
with my java client, it looks like the connection is being done to the web
services.(by looking at the debug statements). However after some point it
is throwing me the following error.

AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
 faultActor:
 faultNode:
 faultDetail:
        {http://xml.apache.org/axis/}stackTrace: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at org.apache.axis.transport.http.HTTPSender.readHeadersFromSocket(HTTPSender.java:506)
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:127)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
        at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
        at org.apache.axis.client.Call.invoke(Call.java:2553)
        at org.apache.axis.client.Call.invoke(Call.java:2248)
        at org.apache.axis.client.Call.invoke(Call.java:2171)
        at org.apache.axis.client.Call.invoke(Call.java:1691)

Any ideas?

Thanks in advance,
Srikrishna
Tom Oinn
2004-05-18 22:34:20 UTC
Srikrishna,

I guess you've already done this, but have you created a client side
certificate / private key pair using keytool -genkey? As I understood it
we needed to generate an arbitrary public/private key pair for the
client as well as importing the server certificate to get this to work.
Because the communication is secured in both directions the ssl layer
needs a public key from each end, if you haven't created a client side
cert it won't be able to establish a communication at all with ssl.

It would seem a bit strange for the service provider to be issuing
client side certificates, mostly because these are identities to be used
by a particular client and as such should be maintained and held by the
client rather than being centrally issued. The server then imports your
client certificate (I think?) as a trusted cert, or, more usually, uses
the information in the certificate chain on the client certificate to
implicitly trust it. *NOTE* I am not a java security expert, so this may
be completely wrong, it's just my understanding as gleaned from some
experience and a lot of web browsing.

It looks like the CN is fine, we were hitting the error earlier than the
stage you reached when we had problems. In our case the problem was
caused by the CN being set to 'bioplanet' (or similar) but the hostname
being bioplanet.ac.jp or somesuch, IE throws up a warning and java
raises an exception under this case. I don't actually think this is your
problem, this is more to put this on the list archive in case anyone
else runs into it :)

HTH,

Tom
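Tom's point that the SSL layer needs an identity from each end, and the handshake_failure alert Srikrishna hit once the server certificate was trusted, both come down to configuring two separate stores: a key store holding our private key and certificate (the supplied .p12 already holds the private key, so it can be loaded as the key store as-is) and a trust store holding the server certificate or, better, the CA that issued it. A server that requires a client certificate and receives none is one common reason for exactly that alert. The following added example (not code from the thread or from Axis; the class name MutualTlsWsdlFetch, the passwords and the argument order are assumptions, the file names are the ones used in this thread) builds an SSLContext from both stores, fetches the WSDL over HTTPS, and prints which certificate each side presented, which is the quickest way to see whether a client certificate was actually sent.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS fetch of a WSDL (added example, not code from the thread).
 *
 *   key store   : myCertificate.p12  - our identity (private key + certificate),
 *                 presented when the server sends a CertificateRequest
 *   trust store : company.keystore   - the server certificate or its issuing CA,
 *                 used to validate the server's chain
 *
 * The equivalent for tools such as WSDL2Java that use the default SSLContext is
 * to set the standard JSSE system properties (passwords assumed):
 *   java -Djavax.net.ssl.keyStore=myCertificate.p12 -Djavax.net.ssl.keyStoreType=PKCS12
 *        -Djavax.net.ssl.keyStorePassword=changeit
 *        -Djavax.net.ssl.trustStore=company.keystore -Djavax.net.ssl.trustStorePassword=changeit
 *        org.apache.axis.wsdl.WSDL2Java https://www.client.com/services/hostedWebServices?wsdl
 *
 * Usage: java MutualTlsWsdlFetch <url> <client.p12> <p12-password> <truststore> <truststore-password>
 */
public class MutualTlsWsdlFetch {

    /** Builds an SSLContext that both presents our identity and validates the server. */
    static SSLContext buildContext(String p12Path, char[] p12Password,
                                   String trustPath, char[] trustPassword) throws Exception {
        // Identity: must contain a PrivateKeyEntry, which a .p12 provides and an exported .cer does not.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            identity.load(in, p12Password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, p12Password);

        // Trust: the server certificate or its CA. This replaces the JRE's cacerts for this context.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustPath)) {
            trust.load(in, trustPassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: MutualTlsWsdlFetch <url> <client.p12> <p12-pw> <truststore> <ts-pw>");
            System.exit(2);
        }
        SSLContext ctx = buildContext(args[1], args[2].toCharArray(), args[3], args[4].toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: the server certificate's SAN/CN must match
        // the URL host. Do not replace it with an accept-all verifier to "fix" a CN mismatch.
        conn.connect();   // performs the TLS handshake

        // Diagnostics: what did each side present during the handshake?
        Certificate[] ours = conn.getLocalCertificates();
        System.out.println("client certificate sent: " + (ours == null
                ? "NONE (a server that requires one will reject the handshake)"
                : ((X509Certificate) ours[0]).getSubjectX500Principal()));
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("server chain          : " + ((X509Certificate) c).getSubjectX500Principal());
        }
        System.out.println("HTTP status           : " + conn.getResponseCode());

        // Stream the WSDL to stdout so it can be saved and fed to WSDL2Java offline.
        try (InputStream in = conn.getInputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) System.out.write(buf, 0, n);
        }
        System.out.flush();
    }
}
```

If "client certificate sent" prints NONE, the key manager found no private-key entry in the .p12 (wrong password, wrong store type, or a certificate-only store), and the handshake_failure seen above is the expected server reaction. The javax.net.ssl.debug=ssl:handshake system property shows the same information, including the CertificateRequest the server sends and the CA names it will accept, without any code changes.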
