org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
Are you trying to use your webapp as a client to a service based on HTTPS? If so, your webapp should be able to trust that service. If the service is created with a self-signed certificate you need to add that cert's CA root certificate to your cacerts as trusted. That can be done with keytool, which comes with the JRE/JDK.
keytool.exe -import -alias AliasForYourTrustedCert -file File.cer -trustcacerts -keystore %JAVA_HOME%\lib\security\cacerts
I am trying to set up 2-way SSL authentication. My requirement is that the broker should authenticate only specific clients.
My organization has a CA which issues all certificates in PKCS12 format. The steps I followed are as follows.
Get a certificate for the broker and configure it in the broker keystore:
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
ssl.client.auth=required
Get a certificate for the client and configure it in the client keystore:
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
Extract the public certificate from the client certificate using the keytool command:
keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
Import the certificate into the broker truststore. The broker truststore contains only the client 12345 certificate:
keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
Configure the truststore in the broker:
ssl.truststore.location=/home/kafka/truststore.p12
ssl.truststore.password=xxxxx
Configure the truststore in the client. The client truststore contains the CA certificates:
ssl.truststore.location=/etc/pki/java/cacerts
ssl.truststore.password=xxxxx
When I run the broker and client I expect the broker to authenticate the client and establish an SSL connection, but instead the following error is thrown.
[2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake message: server_hello
I tried various things but nothing seems to work. When I replace the broker truststore with the /etc/pki/java/cacerts truststore file, which contains only the CA certificate, then it works fine. But it will authenticate any client which has a certificate issued by the CA.
What could be the issue?
The default format is JKS. Use keytool to create a Java KeyStore (JKS) with the certificate and key for use by Kafka. You'll be prompted to create a new password for the resulting file as well as to enter the password for the PKCS12 file from the previous step. Hang onto the new JKS password for use in the configuration below.
$ keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12 -alias myserver.internal.net
Note: It's safe to ignore the following warning from keytool.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12"
We had a requirement to integrate with an external partner from SOA over HTTPS. For this the partner had provided us their key pair (in the form of a pfx file).
When we imported the pfx file in SOAP UI and tried to connect to the partner URL, it worked absolutely fine.
But when we import the partner's key and certificate in WebLogic (we are using identity and trust JKS), we get the below error:
Error:
summary=oracle.fabric.common.FabricInvocationException: Unable to invoke endpoint URI "https://www7.aeat.es/wlpl/SSII-FACT/ws/fe/SiiFactFEV1SOAP" successfully due to: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
,detail=Unable to invoke endpoint URI "https://www7.aeat.es/wlpl/SSII-FACT/ws/fe/SiiFactFEV1SOAP" successfully due to: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
,code=null}
We've followed the steps below to import the partner's key and certificate in WebLogic:
Partner has provided us a pfx file which contains the private key and certificate.
Export key from PFX provided by Partner:
openssl pkcs12 -in LuisEmail.pfx -nocerts -out LuisEmail.key -nodes
Export certificate from PFX provided by LUIS: openssl pkcs12 -in LuisEmail.pfx -nokeys -out LuisEmail.cer -nodes
Copy LuisEmail.cer to windows and create root.cer and inter.cer by manually exporting.
Create chain by combining all 3 certs in order: intermediate-root-server and save it as .pem file.
Bring the pem file to linux machine.
Set environment to execute the java utils.ImportPrivateKey utility: . /apps/oracle/product/fmw/wlserver_10.3/server/bin/setWLSEnv.sh
Convert private key file into RSA private key file: openssl rsa -in LuisEmail.key -out LuisEmail_RSA.key
Import pem/key in identity store: java utils.ImportPrivateKey -keystore netappidentity_STA.jks -storepass -storetype JKS -keypass -alias staPrivateKey -certfile LuisEmailChain.pem -keyfile LuisEmail_RSA.key -keyfilepass
Import Root CER file in trust store: keytool -import -v -noprompt -trustcacerts -alias starootcert -file LuisEmailRoot.cer -keystore netapptrust_STA.jks -storepass
Restarted Servers
Any pointer on what we are missing here would be appreciated! Please note that when we examine the pfx file using keytool explorer, we see only the private key and the server (domain) certificate. There are no intermediate and root certs.
Also, does anyone know why a partner would give us a key pair, and whether it will be 1-way SSL or 2-way SSL? We were under the impression that only public certificates are exchanged for SSL communication.
Thanks.
We were able to figure out the issue here. Since our partner was a government tax agency (I suppose they did not want to trust our CA), they provided us a key pair (including the private key). We were supposed to use it as our own key.
We imported the private key into our identity store and the certificate exported from their URL into the trust store, and connectivity worked fine.
Thanks
I created a custom SSL certificate with the Java keytool command, in order to test the connection between my Codename One app and my HTTPS REST web service.
This is the complete command:
keytool -genkey -alias my_alias -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
When the app (running on the simulator) tries to interact with the web service, it returns the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I read here
and I understood that on a real mobile device it is possible to add the custom certificate.
My question is: using the simulator, how can I do it? How can I use my "home-made" certificate?
There is really no reason to do this anymore. You can, but if you just don't want to pay for a certificate you can just use Let's Encrypt and it will work: http://letsencrypt.org/
Notice that it requires a recent version of JDK 8 (I think 128 or newer).
SSL will only work with proper domains and not with IP addresses, etc.
I use Spring Security to manage login. I've configured Spring Security to connect to an LDAP server which is secured with SSL (LDAPS).
This server is a test server and has no valid certificate. When I try to test the login, Spring Security complains that the certificate cannot be verified (of course!):
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
My question is simple: I don't want to manage any kind of certificate; I would like to deactivate the certificate check and keep using SSL LDAP. How can I do that?
It sounds like the certificate of the LDAP server is just self-cert rather than invalid.
To me the simplest solution would be to get that certificate and add it to the cacerts trust store in Java. Once that's done the code will run without any modifications.
To get the certificate from the server:
$ openssl s_client -showcerts -connect ldapserver:636
The output will contain a number of entries delimited with
-----BEGIN CERTIFICATE-----
aklfhskfadljasdl1340234234ASDSDFSDFSDFSDFSD
....
-----END CERTIFICATE-----
Copy the last certificate entry into a file (ldapca.crt).
Then, add it to the Java keystore in $JRE_HOME/lib/security:
$ cd $JRE_HOME/lib/security
$ keytool -import -alias ldapca_self_sign -keystore cacerts -storepass changeit -file ldapca.crt
That means you'll trust the certificate on the LDAP server and are using SSL correctly in your test environment (rather than having some custom code to switch off part of the SSL checking).
Once you've done that (once) your code should run without any modifications.
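An added example (not part of the answer above) that scripts the steps just described: keep the last certificate block from the s_client output, check that it really is a CA certificate before trusting it, and import it under a fresh alias. It assumes openssl and keytool on PATH and the default cacerts password "changeit".

```shell
#!/bin/sh
# Added example (not part of the answer above): keep the last certificate
# block of `openssl s_client -showcerts` output, check that it is a CA
# certificate, and import it into a trust store. Assumes openssl and
# keytool on PATH and the default cacerts password "changeit".

# Print only the last -----BEGIN/END CERTIFICATE----- block read on stdin.
# s_client lists the chain leaf first, so the last block is the topmost
# certificate the server sent (with a self-signed server cert, the only one).
last_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
         inblk { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { inblk = 0; last = buf }
         END { printf "%s", last }'
}

# Constructed sample of s_client output for a two-certificate chain;
# the base64 bodies are placeholders, not real certificates.
SAMPLE_OUTPUT='Certificate chain
 0 s:CN = ldapserver
   i:CN = Test LDAP CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODY
-----END CERTIFICATE-----
 1 s:CN = Test LDAP CA
   i:CN = Test LDAP CA
-----BEGIN CERTIFICATE-----
CACERTBODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldapserver'

# PKIX rejects an issuer certificate without CA:TRUE (the "basic constraints
# check failed: this is not a CA certificate" error at the top of the page),
# so confirm the block you are about to trust really is the CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Import under a new alias; refuses to silently replace an existing entry.
import_trusted() {  # $1 = PEM file, $2 = alias, $3 = keystore path
    if keytool -list -keystore "$3" -storepass changeit -alias "$2" >/dev/null 2>&1; then
        echo "alias '$2' already exists in $3" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$3" -storepass changeit
}
```

Against a live server: `openssl s_client -showcerts -connect ldapserver:636 </dev/null | last_pem_cert > ldapca.crt`, then `is_ca_cert ldapca.crt && import_trusted ldapca.crt ldapca_self_sign "$JRE_HOME/lib/security/cacerts"`.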
After I got the certificate, I tried to import it as specified here: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
But I got this error:
C:\Program Files (x86)\Java\jre6\bin>keytool -import -alias tomcat -keystore C:\SSL\.keystore -file C:\SSL\SSL_Internal_Certificate_for_isdc-planning.cer
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply
I need to import the chain certificate first, per the Apache document:
Import the Chain Certificate into your keystore
keytool -import -alias root -keystore <your_keystore_filename> \
-trustcacerts -file <filename_of_the_chain_certificate>
When I printed the certificate, its issuer is:
Issuer: CN=Intranet Basic Issuing CA 2B
I downloaded the chain certificates:
Intranet Basic Issuing CA 1A(1).crt
Intranet Basic Issuing CA 1A(2).crt
Intranet Basic Issuing CA 1A.crt
Intranet Basic Issuing CA 1B(1).crt
Intranet Basic Issuing CA 1B(2).crt
Intranet Basic Issuing CA 1B.crt
Intranet Basic Issuing CA 2A(1).crt
Intranet Basic Issuing CA 2A.crt
Intranet Basic Issuing CA 2B(1).crt
Intranet Basic Issuing CA 2B.crt
Intranet Basic Policy CA(1).crt
Intranet Basic Policy CA.crt
Root CA.crt
The issuer of Intranet Basic Issuing CA 2B.crt is Intranet Basic Policy CA, and its issuer is the Root CA certificate.
But I can't import 3 certificates into the root alias.
I imported "Intranet Basic Issuing CA 2B.crt" into root and then reran the import of the tomcat alias,
but got the same error:
keytool error: java.lang.Exception: Failed to establish chain from reply
What is the correct way to import the chain certificate?
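An added example (not from the question above, which has no answer on this page) of how a three-level chain is normally loaded before the reply: each CA certificate is imported under its own alias, root first, so keytool can establish the chain from the reply. It assumes keytool on PATH, the keystore password in $STOREPASS, and a PEM bundle ordered Root CA, Intranet Basic Policy CA, Intranet Basic Issuing CA 2B; the alias names are my choice.

```shell
#!/bin/sh
# Added example (not from the question above): split a PEM bundle into one
# file per certificate and import the chain top-down, each CA under its own
# alias, before importing the CA's reply into the "tomcat" key entry.
# Assumes keytool on PATH and the keystore password in $STOREPASS.

# Write every certificate in bundle $1 to $2/cert-N.pem (N from 1) and
# print the count. keytool -importcert into a new trusted alias reads only
# the first certificate of a file, which is why three CA certs cannot be
# stacked into a single "root" alias.
split_pem_bundle() {  # $1 = bundle file, $2 = output directory
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# Constructed chain bundle, ordered from the root down as the question's
# issuer trail implies: Root CA -> Intranet Basic Policy CA -> Intranet
# Basic Issuing CA 2B. Bodies are placeholders, not real certificates.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
ROOTCABODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
POLICYCABODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUINGCA2BBODY
-----END CERTIFICATE-----'

# Import cert-1.pem (the root) first so each following CA can be verified
# against an entry already trusted, then import the signed reply into the
# alias that holds the private key; keytool builds the chain from those.
import_chain_then_reply() {  # $1 = keystore, $2 = split dir, $3 = reply .cer
    i=1
    while [ -f "$2/cert-$i.pem" ]; do
        keytool -importcert -noprompt -trustcacerts -alias "chain-ca-$i" \
            -file "$2/cert-$i.pem" -keystore "$1" -storepass "$STOREPASS" || return 1
        i=$((i + 1))
    done
    keytool -importcert -trustcacerts -alias tomcat -file "$3" \
        -keystore "$1" -storepass "$STOREPASS"
}
```

Typical run: `split_pem_bundle chain.pem split && import_chain_then_reply .keystore split SSL_Internal_Certificate_for_isdc-planning.cer`.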