
Certificate not trusted by WebSphere

I have a web application that calls a SOAP Web service secured via SSL (https://zzzzzzzzzzzz/xxxxx).

The server sends two certificates (Root and Leaf), so I import the two certificates using the property: com.ibm.websphere.ssl.retrieveLeafCert

To enable SSL validation on WebSphere I just add the certificates into WebSphere:

SSL certificate and key management -> Key stores and certificates -> NodeDefaultTrustStore -> Signer certificates -> Retrieve from port:

  • host : hostname
  • port : 443
  • alias : alias

The problem is that WebSphere does not trust the certificate and gives me this stacktrace,

used by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://------------------------------ : com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------------------------------- is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.6.0]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:56) ~[na:1.6.0]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:39) ~[na:1.6.0]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:527) ~[na:1.6.0]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:354) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:385) ~[cxf-rt-frontend-jaxws-2.7.4.jar:2.7.4]
    ... 100 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=--------------------------------------------------------- is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.jsse2.o.a(o.java:8) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.a(kb.java:355) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.a(kb.java:130) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.lb.a(lb.java:135) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.lb.a(lb.java:368) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.s(kb.java:442) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.kb.a(kb.java:136) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81) ~[na:6.0 build_20130515]
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8) ~[na:6.0 build_20130515]
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20) ~[na:6.0 build_20130515]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1043) ~[na:1.6.0]
    at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:85) ~[na:6.0 build_20130515]
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) ~[cxf-api-2.7.4.jar:2.7.4]
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
    ... 110 common frames omitted
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------- is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.jsse2.util.h.b(h.java:39) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.util.h.b(h.java:21) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.util.g.a(g.java:1) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.pc.a(pc.java:36) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.pc.checkServerTrusted(pc.java:19) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.pc.b(pc.java:51) ~[na:6.0 build_20130515]
    at com.ibm.jsse2.lb.a(lb.java:65) ~[na:6.0 build_20130515]
    ... 128 common frames omitted
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411) ~[na:na]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258) ~[na:na]
    at com.ibm.jsse2.util.h.b(h.java:107) ~[na:6.0 build_20130515]
    ... 134 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------------------
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595) ~[na:na]
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357) ~[na:na]
    ... 136 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298) ~[na:na]
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108) ~[na:na]
    ... 141 common frames omitted

The same code is tested in my local environment with the simple use of InstallCert.java and running my tests with -Djavax.net.ssl.trustStore=jssecacerts (jssecacerts is the file generated by InstallCert.java).

Thanks for all the above responses. I was able to resolve the issue java.security.cert.CertPathValidatorException: Certificate chaining error with the following configuration.

  1. Found that the following javax properties returned a null value in WebSphere.
    • javax.net.ssl.trustStore
    • javax.net.ssl.trustStorePassword
    • javax.net.ssl.trustStoreType

For more details, please see this link,

java - path to trustStore - set property doesn't work?

  2. Configured the properties as below in WebSphere

    Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.

a) javax.net.ssl.trustStore = jre_install_dir\lib\security\cacerts

Example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts

b) javax.net.ssl.trustStorePassword = changeit (default)

c) javax.net.ssl.trustStoreType = jks

For more details, please see this link,

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.isim.doc_6.0%2Finstalling%2Ftsk%2Ftsk_ic_ins_first_security_truststore.htm

After the configuration I was able to see in the logs that the certificates were being added to the trust store.

Thanks, Uday Nilajkar

I tested a million WebSphere configurations.

The only procedure that works is the procedure described in this link:

http://blog.xebia.com/2012/10/01/mutual-ssl-authentication-using-websphere-application-server-and-cxf/

By defining the CXF interceptor:

<cxf:bus>
  <cxf:outInterceptors>
    <bean class="---------------------.WebsphereSslOutInterceptor" />
  </cxf:outInterceptors>
</cxf:bus>

For more details, please see:

https://github.com/vlussenburg/websphere-cxf-extensions#websphere-cxf-extensions

Thanks a lot for your help guys.

You should add the whole certificate chain in your configuration. Usually a certificate has at least the root certificate of the Authorization Center or a chain of similar certificates.

WAS requires a signed certificate by default.

The problem here is that the certificate path builder (a part of the Java CertPath API) cannot build the certificate chain during the SSL handshake. During the handshake the SSL peer host sends its certificate (identity) to the client; for the client to trust that particular certificate, a chain of trust must be built on the client side, and that is what is happening when you get the fault. The problem here is that the chain of trust cannot be created since you are missing either the signer certificate and/or the root certificate in your truststore (trust anchor).

Note that the PKIX trustmanager performs a "scope of trust" validation, which means that you do not need a complete certificate chain on the client side to fulfill the trust relationship with the SSL peer; you will only need the signer/intermediate certificates in your truststore. In fact, if you put the leaf certificate in the truststore, that should also make things work, since that states that you have explicit trust of that particular certificate and a certificate chain validation is not needed.

Maybe you should look at the following technote.

If you are at a certain fix pack level you can set the value com.ibm.websphere.ssl.retrieveLeafCert to true and get the leaf certificate when retrieving from port.

Here are the steps to import a certificate into the JVM for an HTTPS WS call:

A) Obtain the Certificate to be Imported

  1. Each browser displays certificates in different ways, but they are usually quite similar. On the browser's URL bar, there is usually a zone that you can click on to display SSL certificate information. For example, you may see a padlock in the status bar, and clicking on the padlock opens the certificate information. Once the certificate information is open, click on the "Certification Path" information. There normally will be a way to export each of the signing certificates (trusted roots). Export the certifiers in the "Base-64 encoded X.509 (.CER)" format. The exported file in this format will be an ASCII text file that has "BEGIN CERTIFICATE" and "END CERTIFICATE" lines at the top and bottom. Once you have exported the certificates that signed the remote server's SSL certificate you can then import them into the JVM.

B) Import the certificate

  1. Start the ikeyman utility. The utility (ikeyman.bat or ikeyman.sh) is in WAS_HOME\bin.
  2. From the Key Database File menu, select Open.
  3. In the key database type, select JKS.
  4. In the File Name field, type cacerts.
  5. In the Location field, type WAS_HOME\java\jre\lib\security.
  6. In the Password Prompt window, type the password for the keystore in the Password and Confirm Password fields. The default password is changeit. Click OK.
  7. Add the certificate you created for the LDAP server into this certificate store.
  8. In the main window, in the Key database content area, select Signer Certificates from the list. Click Add.
  9. In the Certificate file name field, browse and locate the server certificate file that was created for the LDAP server, which is in binary DER data. Verify that the appropriate directory is displayed in the Location field. Click OK.
  10. In the prompt, type a label for this certificate. For example, type LDAPCA. Click OK.
