0
votes

I am developing a webservice client to access an HTTPS webservice that sits behind an HTTPS load balancer, but I am getting an exception.

    com.sun.xml.internal.ws.wsdl.parser.InaccessibleWSDLException: 2 counts of InaccessibleWSDLException.
    java.io.IOException: Got java.security.cert.CertificateException: No subject alternative names present while opening stream from https://HOST:PORT/itim/services/WSSessionService/WEB-INF/wsdl/WSSessionService.wsdl
    java.io.IOException: Got java.security.cert.CertificateException: No subject alternative names present while opening stream from https://HOST:PORT/itim/services/WSSessionService/WEB-INF/wsdl/WSSessionService.wsdl?wsdl

HOST and PORT are the IP address and port of the load balancer.

I am able to access this URL from browser - https://HOST:PORT/itim/services/WSSessionService/WEB-INF/wsdl/WSSessionService.wsdl

But not this - https://HOST:PORT/itim/services/WSSessionService/WEB-INF/wsdl/WSSessionService.wsdl?wsdl

I am ignoring the certificates using this code -

    TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager(){
        public X509Certificate[] getAcceptedIssuers(){return null;}
        public void checkClientTrusted(X509Certificate[] certs, String authType){}
        public void checkServerTrusted(X509Certificate[] certs, String authType){}
    }};

    // Install the all-trusting trust manager
    try {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (Exception e) {
        ;
    }

This is full stack trace:

    [ERROR   ] SRVE0777E: Exception thrown by application class 'com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex:196'
    com.sun.xml.internal.ws.wsdl.parser.InaccessibleWSDLException: 2 counts of InaccessibleWSDLException.

    java.io.IOException: Got java.security.cert.CertificateException: No subject alternative names present while opening stream from https://HOST:PORT/itim/services/WSSessionService/WEB-INF/wsdl/WSSessionService.wsdl
    java.io.IOException: Got java.security.cert.CertificateException: No subject alternative names present while opening stream from https://HOST:PORT/itim/services/WSSessionService/WEB-INF/wsdl/WSSessionService.wsdl?wsdl

        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:196)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:168)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:133)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:272)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:235)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:183)
        at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:101)
        at javax.xml.ws.Service.<init>(Service.java:89)
        at com.ibm.itim.ws.services.WSSessionService_Service.<init>(WSSessionService_Service.java:50)
        at examples.ws.GenericWSClient.getSessionService(GenericWSClient.java:150)
        at examples.ws.MyServlet.doGet(MyServlet.java:59)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1240)
        at [internal classes]

3 Answers

1
votes

  • Create a self-signed certificate, like this:
    keytool -genkey -alias YOUR_ALIAS -keyalg RSA -keystore YOUR_PATH_KS
  • When it asks you for "first and last name", put your HOST_NAME.
  • Export the certificate from your freshly created key store:
    keytool -exportcert -alias YOUR_ALIAS -file YOUR_PATH_CERTIFICATE -keystore YOUR_PATH_KS
  • Import your certificate into the "Trusted CA Certs":
    cd %JAVA_HOME%\jre\lib\security
    keytool -import -trustcacerts -keystore cacerts -alias YOUR_HOSTNAME -file YOUR_PATH_CERTIFICATE
    

0
votes

Shouldn't your SSLContext be initialized with "SSL" instead of "TLS"?

    SSLContext sc = SSLContext.getInstance("SSL");

Also, please try adding a hostname verifier:

    // Accept the connection only when the requested host is the expected one
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession arg1) {
            if (hostname.equals("your host ip")) return true;
            return false;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hv);

Note that this is a workaround. What needs to happen is that the certificate has to be generated with the CN and DNS name of the network, with a Subject Alternative Name entry, i.e. san=ip:your host, which could be the actual solution.

0
votes

Thanks for your answers, but I was able to fix this issue by simply adding an entry in the hosts file.

    ip_address     example.com

where example.com is the CN of the certificate.
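
Why the exception appears for an IP address but not for a host name, as an added example (not code from any of the posts, and not the JDK's own source): a simplified model of the name check Java's default HTTPS hostname verification performs, which requires an iPAddress SAN for IP literals and falls back to the subject CN only for DNS names. The class name, the address 192.0.2.10 and the returned messages are constructed for illustration; matching is exact only (no wildcards, no IPv6 normalisation).

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class SanDiagnosis {
    // GeneralName type tags used by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    // Assumption: dotted IPv4 or anything containing ':' is treated as an IP literal.
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // sans has the shape returned by getSubjectAlternativeNames(): null when the
    // certificate has no SAN extension, otherwise entries of [Integer type, value].
    static String diagnose(String host, Collection<List<?>> sans, String cn) {
        int wanted = isIpLiteral(host) ? IP_ADDRESS : DNS_NAME;
        boolean sawWantedType = false;
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) != wanted) continue;
                sawWantedType = true;
                if (host.equalsIgnoreCase((String) san.get(1))) return "OK: matched SAN " + san.get(1);
            }
        }
        if (wanted == IP_ADDRESS) {
            // There is no CN fallback for IP literals: this is the case in the question.
            return sans == null ? "FAIL: no subject alternative names present"
                                : "FAIL: no iPAddress SAN matches " + host;
        }
        // DNS names fall back to the subject CN only when no dNSName SAN exists.
        if (!sawWantedType && host.equalsIgnoreCase(cn)) return "OK: matched CN " + cn;
        return "FAIL: no name matching " + host;
    }

    public static void main(String[] args) {
        // Constructed certificate data: CN=example.com, first without and then with an IP SAN.
        List<?> entry = Arrays.asList(IP_ADDRESS, "192.0.2.10");
        Collection<List<?>> ipSan = Arrays.<List<?>>asList(entry);
        System.out.println(diagnose("192.0.2.10", null, "example.com"));  // URL uses the IP
        System.out.println(diagnose("example.com", null, "example.com")); // hosts-file entry
        System.out.println(diagnose("192.0.2.10", ipSan, "example.com")); // cert reissued with IP SAN
    }
}
```

To run it against a real certificate, pass `cert.getSubjectAlternativeNames()` and the CN taken from `cert.getSubjectX500Principal()`.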