PKIX path building failed - cert trust store problem


Eps

Jun 28, 2010, 11:51:08 AM
to Hermes 2.0 Discussion List
Hi,

I am trying to set up hermes2 to talk to a business partner.

I have installed their cert on a Windows machine and, following the
instructions given by our business partner, have extracted a pfx file
(public and private key) from Internet Explorer. I have moved this
file to an Ubuntu box where I have hermes2 and Tomcat running; loopback
tests have been successful on this box. I am now trying to send an
ebXML message to our partner as a test.

I have set up the pfx in the corvus.properties.xml file as below in
the environment/properties section (I have removed the name of the
store and the password from this message).

<javax.net.ssl.trustStore></javax.net.ssl.trustStore>
<javax.net.ssl.trustStorePassword></javax.net.ssl.trustStorePassword>
<javax.net.ssl.trustStoreType>PKCS12</javax.net.ssl.trustStoreType>

I am getting the following error in the ebms.log.

hk.hku.cecid.ebms.spa.task.DeliveryException: Cannot send the message
by hk.hku.cecid.piazza.commons.net.ConnectionException: Unable to send HTTP SOAP request
by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
by sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at hk.hku.cecid.ebms.spa.task.OutboxTask.sendMsgByHttp(OutboxTask.java:577)
        at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:444)
        at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
        at java.lang.Thread.run(Thread.java:619)

I have spent a couple of days trying to figure this one out; it's
apparently a common Java error when the certificate cannot be
validated properly. I have made sure that the pfx I exported from IE
included all certificates in the path, at the suggestion of our
business partner.

At this point I am not actually too bothered about whether we
trust their cert or not; I know that their end is locked down pretty
tightly by a firewall and we can conceivably do the same at ours. We
are not planning on messages involving financial transactions, so if
it's possible to just disable this check that would suit me.

Alternatively if anyone has any ideas or suggestions as to how I can
get this working or how to debug the issue I would be very grateful.
Let me know if you need more information from the config or the logs.

Regards.

--
Andy Burchill

Nugroho

Jun 28, 2010, 1:06:47 PM
to cecid-...@googlegroups.com
Hi,

I think Java does not support using PKCS12 as a trust store. You need to use a JKS keystore for it.

Regards,
Nugroho
Sent from my mobile phone
--
You received this message because you are subscribed to the Google Groups "Hermes 2.0 Discussion List" group.
To post to this group, send email to cecid-...@googlegroups.com.
To unsubscribe from this group, send email to cecid-hermes...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/cecid-hermes2?hl=en.

Torsten Kirschner

Jun 28, 2010, 1:30:40 PM
to cecid-...@googlegroups.com, cecid-...@googlegroups.com
Hi Andy, a PKIX path leads to a root/an issuer certificate, i.e. a CA
certificate. Did you include that as well? Unless you're using
self-signed certs.

Regards, T

Sent from my iPhone

Andy Burchill

Jun 29, 2010, 6:55:27 AM
to cecid-...@googlegroups.com
Hi Guys,

Thanks for your replies, I have contacted our business partner about
this problem as well and they have provided me with a cer file
containing a cert for the CA.

I am going to have a go at getting this to work, but my initial attempt
at importing it into a JKS keystore I had created from the PKCS12
keystore I already had has failed.

I am now getting the following error message.

hk.hku.cecid.piazza.commons.net.ConnectionException: Unable to send HTTP SOAP request
by javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at hk.hku.cecid.piazza.commons.soap.SOAPHttpConnector.send(SOAPHttpConnector.java:112)
        at hk.hku.cecid.ebms.spa.task.OutboxTask.sendMsgByHttp(OutboxTask.java:574)
        at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:444)
        at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
        at java.lang.Thread.run(Thread.java:619)

Any suggestions as to how I should be combining the PKCS12 I exported from
Internet Explorer and the CER file our partner has provided would be
much appreciated.

Regards.

--
Andy Burchill

Nugroho Saputro

Jun 30, 2010, 1:05:10 AM
to cecid-...@googlegroups.com
Hi Andy,

You can use Portecle (http://portecle.sourceforge.net/). By using this, it is easy to export, import or convert between one type to another.

The easiest way to convert to JKS is by opening the PKCS12 file from IE and then saving as JKS format. Then you can also import the CER from the provider into the JKS keystore.

Regards,
Nugroho

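The same split Nugroho describes with Portecle, done with the JDK's own KeyStore API instead, as an added example that is not code from this thread or from Hermes 2. It copies the private-key entry out of the Internet Explorer PKCS12 into a JKS key store (our own identity), puts the partner's CA .cer into a separate JKS trust store (the anchor the PKIX validator is looking for), and then asks the default TrustManagerFactory which issuers it actually accepts from each store, which is the quickest way to see why a store produces "unable to find valid certification path". File names, passwords and aliases are placeholders; the syntax assumes a current JDK.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Build the two stores a Java TLS client needs from what the partner supplied:
 *   key store   - our private key and certificate chain (from the IE .pfx)
 *   trust store - the partner's CA certificate (from the .cer)
 * Then list which issuers the JSSE trust manager would accept from each store.
 * Example code written for this thread; file names and passwords are placeholders.
 */
public class BuildStores {

    /** Copy every entry of a PKCS12 file into a new, in-memory JKS store. */
    static KeyStore pkcs12ToJks(String pfxPath, char[] pfxPassword, char[] jksPassword) throws Exception {
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfxPath)) {
            pfx.load(in, pfxPassword);
        }
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null); // load(null, ...) creates an empty store
        Enumeration<String> aliases = pfx.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (pfx.isKeyEntry(alias)) {
                // IE exports protect the key with the same password as the file
                Key key = pfx.getKey(alias, pfxPassword);
                Certificate[] chain = pfx.getCertificateChain(alias);
                jks.setKeyEntry(alias, key, jksPassword, chain);
            } else if (pfx.isCertificateEntry(alias)) {
                jks.setCertificateEntry(alias, pfx.getCertificate(alias));
            }
        }
        return jks;
    }

    /** Create a JKS trust store holding one CA certificate read from a DER or PEM .cer file. */
    static KeyStore trustStoreFromCer(String cerPath, String alias) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(cerPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        ts.setCertificateEntry(alias, ca); // a trusted-certificate entry: no private key
        return ts;
    }

    /** The certificates the default (PKIX) trust manager treats as trust anchors for a store. */
    static X509Certificate[] acceptedIssuers(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    static void save(KeyStore ks, String path, char[] password) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pfxPw = "pfx-password".toCharArray(); // placeholder
        char[] storePw = "changeit".toCharArray();   // placeholder

        KeyStore keyStore = pkcs12ToJks("partner-export.pfx", pfxPw, storePw);
        save(keyStore, "hermes-keystore.jks", storePw);

        KeyStore trustStore = trustStoreFromCer("partner-ca.cer", "partner-ca");
        save(trustStore, "hermes-truststore.jks", storePw);

        // Whatever the .pfx store yields here is at most our own certificate; it is the
        // partner's CA in the second store that lets PKIX build a path to their server cert.
        System.out.println("Anchors from the converted .pfx:");
        for (X509Certificate c : acceptedIssuers(keyStore)) {
            System.out.println("  " + c.getSubjectX500Principal());
        }
        System.out.println("Anchors from the CA trust store:");
        for (X509Certificate c : acceptedIssuers(trustStore)) {
            System.out.println("  " + c.getSubjectX500Principal());
        }
    }
}
```

With the two files written, the standard JSSE properties the thread is already using point at them: javax.net.ssl.keyStore / javax.net.ssl.keyStoreType=JKS for hermes-keystore.jks and javax.net.ssl.trustStore / javax.net.ssl.trustStoreType=JKS for hermes-truststore.jks; the trustStoreType must match the file format or the store will not load at all. If the CA cert is a root, the anchor list for the trust store prints its subject once; if the partner's server chain is signed by an intermediate, import the intermediate alongside the root or the PKIX error returns. Disabling the check instead, as Andy considered, leaves the TLS connection with no server authentication, so anyone who can reach the wire can impersonate the partner.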

Eps

Jul 5, 2010, 7:51:24 AM
to Hermes 2.0 Discussion List
Thanks to all who replied. I managed to get this working, not entirely
sure how; I ended up setting up the trust and key stores (both pfx) in
the corvus.module.xml file instead of corvus.properties.xml.
