My web application and web services are running in the same Tomcat container. If I am not using HTTPS, everything is working fine.
When I am running the web application and the web services both on HTTPS, I am getting an SSLHandshakeException when the web application tries to call the web services.

CASE 1

I have created a local self-signed certificate file using the command below

%JAVA_HOME%\bin\keytool -genkeypair -alias test1 -keyalg RSA -keystore c:/apps/test1.crt

A certificate file named test1.crt has been created in folder C:\apps.

Now, I want to import this certificate into the Java keystore, with the command below

%JAVA_HOME%\bin\keytool -import -alias test1 -file c:/apps/test1.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

I am getting the error below:

Key tool error: java.lang.Exception: The entry is not an X.509 certificate

When I am using this certificate file in Tomcat, with the setting below

<Connector port="8443"
    maxHttpHeaderSize="8192"
    maxThreads="150"
    minSpareThreads="25"
    maxSpareThreads="75"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    SSLEnabled="true"
    URIEncoding="UTF-8" 
    keystorePass="changeit" 
    keystoreFile="C:/apps/test2.crt" />

I am not getting any error at server startup. When I call the web services from the application, I am getting an SSLHandshakeException.

CASE 2

I have added a local self-signed certificate to the Java keystore, with the command below

%JAVA_HOME%/bin/keytool -genkeypair -alias test2 -keyalg RSA -validity 1000 -keysize 2048 -keystore %JAVA_HOME%/jre/lib/security/cacerts

A certificate has been added, which I have verified with the command below

%JAVA_HOME%\bin\keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

Now, I have exported a certificate file from the Java keystore, with the command below

%JAVA_HOME%/bin/keytool -export -alias test2 -keystore %JAVA_HOME%/jre/lib/security/cacerts -rfc -file C:/apps/test2.crt

A certificate file named test2.crt has been created in folder C:\apps.

When I am using this certificate file in Tomcat, with the setting below

<Connector port="8443"
    maxHttpHeaderSize="8192"
    maxThreads="150"
    minSpareThreads="25"
    maxSpareThreads="75"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    SSLEnabled="true"
    URIEncoding="UTF-8" 
    keystorePass="changeit" 
    keystoreFile="C:/apps/test2.crt" />

I am getting the error below

at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Invalid keystore format
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1044)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 13 more

Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:160)

Although the server started and I am able to use my application, when I try to call the web services I am getting an SSLHandshakeException.

Here is the log of the SSLHandshakeException

nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Error: (org.apache.axis.AxisFault) --> [; nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

1 Answer


I think for Tomcat the keystoreFile is "%JAVA_HOME%/jre/lib/security/cacerts", or rather you don't have to indicate any keystore because you added a keypair to the JRE common keystore, but it's exactly incorrect to use "C:/apps/test2.crt".

Also try to add the server certificate to the truststore file:

%JAVA_HOME%\bin\keytool -import -v -trustcacerts -alias test2 -file C:/apps/test2.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -keypass changeit -storepass changeit
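The two cases above both hinge on what a file actually contains rather than what its extension says: `keytool -genkeypair -keystore c:/apps/test1.crt` writes a keystore (private key plus certificate), so `keytool -import` rejects it as "not an X.509 certificate", while `keytool -export -rfc -file C:/apps/test2.crt` writes a PEM certificate, which is why Tomcat's `keystoreFile` loader reports "Invalid keystore format". The following is an added diagnostic example, not code from the question, the answer, or Tomcat itself. The class name `KeyMaterialCheck`, the command-line arguments and the alias `"server"` are assumptions; it uses only standard JDK APIs. It opens a file first as a JKS/PKCS12 keystore, then as an X.509 certificate, reports which it is and what entries it holds, and, for a certificate, builds an in-memory truststore and an `SSLContext` that trusts it, which is exactly what the calling side needs to stop the "unable to find valid certification path" failure.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class (not part of Tomcat or the original post).
public class KeyMaterialCheck {

    // Try to open the file as a keystore of the given type; null if it is not one
    // (this is where Tomcat fails with "Invalid keystore format" on a .crt file).
    static KeyStore tryLoadKeyStore(Path file, String type, char[] password) {
        try (InputStream in = Files.newInputStream(file)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return ks;
        } catch (Exception e) {
            return null; // not that format, or wrong store password
        }
    }

    // Try to parse the file as a single X.509 certificate (DER or PEM); null if it is not one
    // (this is where keytool -import fails with "not an X.509 certificate" on a keystore).
    static X509Certificate tryLoadCertificate(Path file) {
        try (InputStream in = Files.newInputStream(file)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        } catch (Exception e) {
            return null;
        }
    }

    // Report what the file really is, whatever its extension says.
    static String describe(Path file, char[] password) throws Exception {
        for (String type : new String[] {"JKS", "PKCS12"}) {
            KeyStore ks = tryLoadKeyStore(file, type, password);
            if (ks != null) {
                StringBuilder sb = new StringBuilder(type + " keystore with entries:");
                for (String alias : Collections.list(ks.aliases())) {
                    sb.append(' ').append(alias)
                      .append(ks.isKeyEntry(alias) ? " (private key)" : " (trusted cert)");
                }
                return sb.toString();
            }
        }
        X509Certificate cert = tryLoadCertificate(file);
        if (cert != null) {
            return "X.509 certificate, subject " + cert.getSubjectX500Principal();
        }
        return "neither a keystore nor an X.509 certificate";
    }

    // Build an in-memory truststore holding one server certificate and an SSLContext
    // that trusts it; a client using this context can complete the handshake with a
    // server presenting that self-signed certificate.
    static SSLContext trustContextFor(X509Certificate serverCert) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // empty store, no password
        trust.setCertificateEntry("server", serverCert); // alias is an assumption
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java KeyMaterialCheck <file> [storepass]   (store password defaults to "changeit")
    public static void main(String[] args) throws Exception {
        Path file = Paths.get(args[0]);
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        System.out.println(file + " is: " + describe(file, pw));
        X509Certificate cert = tryLoadCertificate(file);
        if (cert != null) {
            SSLContext ctx = trustContextFor(cert);
            System.out.println("Built " + ctx.getProtocol()
                + " context trusting " + cert.getSubjectX500Principal());
        }
    }
}
```

Run it against `c:/apps/test1.crt` and `C:/apps/test2.crt` to see the two files classified differently. The same separation applies to the Tomcat configuration: `keystoreFile` must point at a keystore holding the private key (the file `-genkeypair -keystore` wrote to), while the exported `.crt` belongs in the truststore of the client that calls the web services, which is what the `-import -trustcacerts` command in the answer does for the JRE's default `cacerts`.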