secure web service, The mysterious and never solved case of the SSL exception

Hello,

I'm trying to use the SOAP web service connector (6.2.4) to consume a secure service (user and password required). I put all the needed configurations in the connector, but I'm receiving this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It seems to be the SSL certificate, so I included the server (where the service is running) certificate in the cacert of my JDK and JRE, but it still doesn't work. Is there another truststore specific to Bonita? Is there a way to tell Bonita where to find the right keystore? What should I do?

Comments

Submitted by rlg on Mon, 04/07/2014 - 09:59

Hi,

could you complete your question by giving us the methods you used to configure the certificate in your JVM?

You may also test in a groovy script the output of:

    System.out.println(System.getProperty("javax.net.ssl.trustStore"));
    System.out.println(System.getProperty("javax.net.ssl.keyStore"));

Submitted by Ray14 on Mon, 04/07/2014 - 21:36

Hello rlg, and thanks for your interest. I'm trying to consume a service that is hosted on my own PC in a web server, so I followed these steps:

1. Browse the console of the web server
2. Download the provided .crt
3. Import the .crt into the cacerts file stored in C:\Program Files\Java\jdk1.6.0_25\jre\lib\security using the import command of the keytool
4. Say yes at the question of trust

When I asked for those properties you told me about, I got null as the answer. Nevertheless, I removed the username and password from the configurations and included some XML headers in the envelope with username, password and timespan, and it worked. Thanks again

Submitted by fipries on Wed, 04/09/2014 - 11:01

Hi,

I have exactly the same problem. I am invoking a secured web service. I have added the cert to the Java secure truststore (cacert) and I succeeded in discovering the WS, but invoking it I get the same PKIX error.

Any help?

Submitted by rlg on Fri, 04/11/2014 - 15:35

Hi mordor,

could you create an answer with your solution (with the full example of config and headers)? it seems that other people share your issue ;)

Thx for your support.

2 answers

Hello, here I go with a quick guide based on my case. I'm not a Bonita guru, just a starter, so maybe this approach could be enhanced.

In my case I have to consume a secure web service with a security policy that requires user, password and timestamp. Also, the communication between client (Bonita) and server (service host) will be encrypted using SSL, so the client needs the server's certificate.

First you should import the server certificate into the client truststore (as I understand it, Bonita uses the one provided for the JVM, a file named cacerts located in JAVA_HOME\jre\lib\security).

Although the SOAP web service connector comes with some features to configure username, password and headers, I tried it only once and it didn't work for me (maybe because I really couldn't find a lot of info on how to use those features; perhaps someone with more knowledge about this matter could make a better explanation here, so we can use them in a better way). So I didn't use those features and worked directly on the message structure using the envelope field of the wizard.

To construct the message I used SOAPUI (a tool that allows testing services); using it I came up with this message structure for my case:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://www.wso2.org/types">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsu:Timestamp wsu:Id="TS-2">
            <wsu:Created>2014-04-07T15:23:34.750Z</wsu:Created>
            <wsu:Expires>2020-04-07T15:40:14.750Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:UsernameToken wsu:Id="UsernameToken-1">
            <wsse:Username>${username}</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">${pass}</wsse:Password>
            <wsu:Created>2014-04-07T15:23:34.750Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <typ:greet>
          <!--Optional:-->
          <name>${greet}</name>
        </typ:greet>
      </soapenv:Body>
    </soapenv:Envelope>

As you can see, I added some headers containing username, password and timestamp. Adding a Groovy connector to specify the properties that rlg told me about before could be useful to be sure that Bonita is using the right truststore.

    System.setProperty("javax.net.ssl.trustStore", "path to your truststore");
    System.setProperty("javax.net.ssl.trustStorePassword", "password of your truststore");

Hope this could help you
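
The envelope in the answer above carries fixed Created/Expires values and a PasswordText password. The Groovy function below is an added example, not code from the poster or from Bonita: it builds the same wsse:Security header with timestamps computed at call time and a short validity window, and goes one step further by optionally using the PasswordDigest form defined by the same UsernameToken profile. The function name, the sample credentials and the assumption that the service's policy accepts PasswordDigest are not from the page.

```groovy
import groovy.xml.MarkupBuilder
import java.security.MessageDigest
import java.security.SecureRandom
import java.text.SimpleDateFormat

// Builds a wsse:Security header like the one in the envelope above, but with
// Created/Expires computed at call time and a validity of ttlSeconds.
// digest=true sends PasswordDigest = Base64(SHA-1(nonce + created + password))
// instead of PasswordText; the service's policy must accept it (assumption).
String buildSecurityHeader(String username, String password, int ttlSeconds, boolean digest) {
    String wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    String wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    String profile = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
    String b64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

    def fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
    fmt.timeZone = TimeZone.getTimeZone("UTC")
    Date now = new Date()
    String created = fmt.format(now)
    String expires = fmt.format(new Date(now.time + ttlSeconds * 1000L))

    byte[] nonce = new byte[16]
    new SecureRandom().nextBytes(nonce)
    def sha1 = MessageDigest.getInstance("SHA-1")
    sha1.update(nonce)
    sha1.update((created + password).getBytes("UTF-8"))
    String secret = digest ? sha1.digest().encodeBase64().toString() : password

    def out = new StringWriter()
    def xml = new MarkupBuilder(out)   // escapes XML special characters in values
    xml.'wsse:Security'('xmlns:wsse': wsse, 'xmlns:wsu': wsu) {
        'wsu:Timestamp'('wsu:Id': 'TS-1') {
            'wsu:Created'(created)
            'wsu:Expires'(expires)
        }
        'wsse:UsernameToken'('wsu:Id': 'UsernameToken-1') {
            'wsse:Username'(username)
            'wsse:Password'(Type: profile + (digest ? '#PasswordDigest' : '#PasswordText'), secret)
            if (digest) {
                'wsse:Nonce'(EncodingType: b64, nonce.encodeBase64().toString())
            }
            'wsu:Created'(created)
        }
    }
    return out.toString()
}

// Constructed sample credentials, five-minute validity
println buildSecurityHeader("alice", "constructed-password", 300, true)
```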

To import a certificate, we need to use:

keytool -importcert -file <certificate file> -keystore <keystore path> -alias "<alias>"

It will ask for a password. Type the password as changeit.

Type Password : changeit

Finally, it will ask whether to add it {yes/no}:

type yes.

Note: Don't put blank spaces in the location path.

https://stackoverflow.com/questions/684081/importing-ssl-certificate-int...
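
The cacerts import and the truststore properties discussed in this thread only help if the certificate ends up in the truststore that the JVM running the connector actually loads; when javax.net.ssl.trustStore is null, JSSE falls back to jssecacerts and then cacerts under that JVM's java.home. The Groovy script below is an added example, not code from any poster or from Bonita: it prints the truststore in effect, attempts a handshake with the JVM's own trust manager, and reports for each certificate the server presents whether that truststore contains it. host, port and the RecordingTrustManager class are assumptions made for this example.

```groovy
import javax.net.ssl.*
import java.security.KeyStore
import java.security.MessageDigest
import java.security.cert.X509Certificate

// Records the chain the server presents, then delegates to the JVM's own
// trust manager, so an untrusted server is still rejected.
class RecordingTrustManager implements X509TrustManager {
    X509TrustManager inner
    X509Certificate[] seen
    void checkClientTrusted(X509Certificate[] chain, String authType) { inner.checkClientTrusted(chain, authType) }
    void checkServerTrusted(X509Certificate[] chain, String authType) { seen = chain; inner.checkServerTrusted(chain, authType) }
    X509Certificate[] getAcceptedIssuers() { inner.acceptedIssuers }
}

String host = "localhost"  // assumption: host of the secured service
int port = 8443            // assumption: its HTTPS port

// Truststore file JSSE loads: the system property if set, else jssecacerts, else cacerts.
String explicit = System.getProperty("javax.net.ssl.trustStore")
File secDir = new File(System.getProperty("java.home"), "lib/security")
File jsse = new File(secDir, "jssecacerts")
File store = explicit ? new File(explicit) : (jsse.exists() ? jsse : new File(secDir, "cacerts"))
println "java.home  = " + System.getProperty("java.home")
println "truststore = " + store.absolutePath

// Passing null makes the factory load that same default truststore.
def tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init((KeyStore) null)
def defaultTm = (X509TrustManager) tmf.trustManagers.find { it instanceof X509TrustManager }
def rec = new RecordingTrustManager(inner: defaultTm)
SSLContext ctx = SSLContext.getInstance("TLS")
ctx.init(null, [rec] as TrustManager[], null)
SSLSocket sock = (SSLSocket) ctx.socketFactory.createSocket(host, port)
try {
    sock.startHandshake()
    println "handshake OK: this JVM trusts the server chain"
} catch (SSLException e) {
    println "handshake FAILED: " + e.message
} finally {
    sock.close()
}

// Print each presented certificate and whether this JVM's truststore holds it.
rec.seen?.each { X509Certificate c ->
    String sha1 = MessageDigest.getInstance("SHA-1").digest(c.encoded).encodeHex().toString()
    boolean present = defaultTm.acceptedIssuers.any { it == c }
    println "${present ? 'IN STORE ' : 'NOT FOUND'} sha1=${sha1} subject=${c.subjectDN}"
}
```

Run it inside the same JVM as the connector (for example from a Groovy script connector) so that java.home is the runtime that makes the SOAP call. The SHA-1 values can be compared with the fingerprints that keytool -list -v prints for the certificate that was imported.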
