3

I am new to Java and am consuming a web service (.wsdl) in a Web Service Client project. I imported the client certificate into the Java cacerts store in jrd. My code is as follows:

    System.setProperty("javax.net.ssl.trustStore", "[PATH]/cacerts.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    ServicesProxy service = new ServicesProxy();
    ServiceRequest request = new ServiceRequest(1498);
    ServiceResponse response = service.getDetails(request);

The handshake fails and I am getting the following exception:

 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

I have no clue why there is an exception. Any help will be appreciated.

3
  • Is that using Apache CXF as the web services client? This uses its own SSL settings in the cxf.xml file - more details here Commented Feb 3, 2019 at 17:50
  • Are you sure the name of your truststore is cacerts.jks and not just cacerts? Commented Feb 8, 2019 at 14:58
  • I tried with cacerts too. Commented Feb 8, 2019 at 15:51

6 Answers

3
+25

You probably have to add the key chain in the certificate (PEM format).

CA Root -> Intermediate Cert -> Cert.

Or the certificate cannot be found in the keystore. Do you use the correct alias, etc.?

And I do not recognize the SOAP JAX-WS implementation you use.


2

Not a solution to your problem, but maybe it helps to find it: You can start your client with the VM parameter -Djavax.net.debug=all which will give you a lot of information about the SSL connection.

Check here for details about the output:

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html


2

Use -Djavax.net.ssl.trustStore property directly instead.

One more thing: on the server you use, you also need to place the JKS for the handshake.

For example server is JBoss then bin


2

I guess your cacert is not correct or the path is inaccessible. I followed the instructions given here

Use SSL Poke to verify connectivity

  1. Download SSLPoke.class
  2. Execute the class as follows, changing the URL and port:

    $JAVA_HOME/bin/java SSLPoke yoururl 443

  3. A successful connection would look like this:

    $JAVA_HOME/bin/java SSLPoke yoururl 443

    Successfully connected

  4. Try to use a different truststore to connect

    $JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=[PATH]/cacerts.jks SSLPoke yoururl 443

If it fails the truststore does not contain the proper certificates.

How to solve it

The solution is extracted from here

  1. Fetch the certificate again from the server:

    openssl s_client -connect yoururl:443

You need openssl. Save the output to a file called public.crt. This is what your file should look like:

    -----BEGIN CERTIFICATE-----
    < Bunch of lines of your certificate >
    -----END CERTIFICATE-----

  2. Import the certificate:

    $JAVA_HOME/bin/keytool -import -alias [ALIAS] -keystore $JAVA_HOME/jre/lib/security/cacerts -file public.crt

Enter the password if prompted (the default is changeit)

Recommendation

In the same post it is not recommended to use a configured trustStore different than the JVM cacert because then java could not access other root certificates.

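An added example (not part of the answer above or of the post it links to): `openssl s_client` prints session details around the certificate, so this keeps only the PEM blocks and, with `-showcerts`, writes each certificate of the chain to its own file so it can be inspected and imported under its own alias. The function names, the `chain` directory and the sample text are assumptions; the sample output is constructed and its certificate bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# split_chain DIR: read `openssl s_client -showcerts` output on stdin and write
# each PEM certificate to DIR/cert-N.pem. cert-1.pem is the server's own
# certificate; later files are the intermediates the server sent.
# Prints the number of certificates written; returns 1 when none were found
# (for example when the connection failed and the output is only an error).
split_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    count=$(awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep                           { print > out }
        /^-----END CERTIFICATE-----/   { if (keep) close(out); keep = 0 }
        END                            { print n + 0 }
    ')
    echo "$count"
    [ "$count" -gt 0 ]
}

# Constructed sample of s_client -showcerts output (hypothetical names; the
# base64 bodies are placeholders, not real certificates).
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = yoururl
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5URVJNRURJQVRF
-----END CERTIFICATE-----
---
Server certificate
subject=CN = yoururl
EOF
}

# Typical use (needs network access; [ALIAS] is a name you choose):
#   openssl s_client -connect yoururl:443 -showcerts </dev/null | split_chain chain
#   keytool -printcert -file chain/cert-1.pem    # check subject and issuer first
#   keytool -import -alias [ALIAS] -keystore [PATH]/cacerts.jks -file chain/cert-N.pem
```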

0

This is a quite common error while dealing with soap services over SSL, I've had it a few times.

Your certificate may not be correctly installed in your truststore.

You can use openssl to check and install the correct certificate in the truststore, as explained here


0

Hi, it looks like the certificates are not imported correctly, or the path used in the code is not pointing to the correct keystore.

I hope the steps in the article below will help you.

http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
