I am unable to connect to my Compose MongoDB service from my deployed bluemix app. It seems that it cannot find the necessary certificate. I had expected that it would pick that up directly from environment variable VCAP_SERVICES.
I can run this fine from my local test environment because I imported the key into the appropriate keystore in Java.
If I look at their node.js sample on bluemix they are actually passing the certificate during the connect. However, I cannot find this anywhere on the Java API.
I believe that I either need to add this cert to the VM on bluemix (seems unlikely) or I need to pass it via the Java driver when I cannot (can't see how).
Thoughts?
For the record, this is the exception I get:
com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting for a server that matches
ReadPreferenceServerSelector{readPreference=primary}. Client view of
cluster state is {type=UNKNOWN, servers=[{address=bluemix-sandbox-dal-9-portal.7.dblayer.com:26123, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}, {address=bluemix-sandbox-dal-9-portal.6.dblayer.com:26123, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}]
com.mongodb.connection.BaseCluster.createTimeoutException(BaseCluster.java:377)
com.mongodb.connection.BaseCluster.selectServer(BaseCluster.java:104)
com.mongodb.binding.ClusterBinding$ClusterBindingConnectionSource.<init>(ClusterBinding.java:75)
com.mongodb.binding.ClusterBinding$ClusterBindingConnectionSource.<init>(ClusterBinding.java:71)
com.mongodb.binding.ClusterBinding.getReadConnectionSource(ClusterBinding.java:63)
com.mongodb.operation.OperationHelper.withConnection(OperationHelper.java:402)
com.mongodb.operation.FindOperation.execute(FindOperation.java:510)
com.mongodb.operation.FindOperation.execute(FindOperation.java:81)
com.mongodb.Mongo.execute(Mongo.java:836)
com.mongodb.Mongo$2.execute(Mongo.java:823)
com.mongodb.FindIterableImpl$FindOperationIterable.first(FindIterableImpl.java:216)
com.mongodb.FindIterableImpl.first(FindIterableImpl.java:156)
com.ibm.smarts.experiment.UserMgr.getUserDetails(UserMgr.java:146)
com.ibm.smarts.experiment.UserMgr.authenticateUser(UserMgr.java:123)
com.ibm.smarts.experiment.servlet.LoginServlet.doPost(LoginServlet.java:31)
javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
There are a few options documented here. For example:
Import the cert to Java truststore file, pack the file into Java application and specify its path via JAVA_OPTS environment variable; the truststore file can be placed under resource directory. This can be used for single applications:
By using the 'cf set-env' command:
cf set-env <app> JAVA_OPTS '-Djavax.net.ssl.TrustStore=classpath:resources/config/truststore'
By using manifest.yml:
---
applications:
- name: java-app
...
env:
JAVA_OPTS: '-Djavax.net.ssl.TrustStore=classpath:resources/config/truststore'
Related
While connecting vault(hosted on https) with spring boot I am getting the below error.
org.springframework.vault.authentication.VaultLoginException: Cannot log in using
org.springframework.web.client.ResourceAccessException: I/O error on POST request
for "https://10.166.181.83:31975/v1/auth/cert/login":
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target; nested exception is
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
My pom.xml is
org.springframework.cloud
spring-cloud-starter-vault-config
While connectiong to localhost vault server which is on http , everything works fine.
Could anyone please help me on this?
**bootstrap.properties is :**
spring.cloud.vault.scheme=https
spring.cloud.vault.kv.enabled=true
spring.cloud.vault.generic.enabled=true
spring.cloud.vault.generic.backend=configuration-server
spring.cloud.vault.generic.default-context=credentials
spring.cloud.vault.connection-timeout=5000
spring.cloud.vault.read-timeout=15000
spring.cloud.vault.config.order=-10
spring.cloud.vault.authentication=CERT
spring.cloud.vault.ssl.cert-auth-path=cert
spring.cloud.vault.ssl.trust-store-location=classpath:vault.jks
spring.cloud.vault.ssl.trust-store-password=ril#12345
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
spring.cloud.vault.uri=https://../../../
spring.cloud.vault.token=hvs.XXXXXXXX
It looks like you are connecting to https using IP address in the URI. This results in an SSL error (since certificates are based on name and not IPs) so. you can either add the certificate to the trusted list using keytool or add code to ignore certificate validation (depending on how you connect, this will vary https://howtodoinjava.com/java/java-security/bypass-ssl-certificate-checking-java/ has some examples where one probably will fit).
I am developing a Java application that provides a REST API over HTTP.
For security reasons this communication should be switched to HTTPS.
I generate a trusted certificate from Let's Encrypt using certbot tool, this certificate seems to be working when I call my API from Chrome browser, but I get this exception when I use a Java 1.8.0_191 client based on Spring RestTemplate:
Exception in thread "main"
org.springframework.web.client.ResourceAccessException: I/O error on GET
request for "https://hostname/api/v1/event":
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target; nested exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at
org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:743)
at
org.springframework.web.client.RestTemplate.execute(RestTemplate.java:669)
at
org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:578)
at
com.swingws.wiser.tasks.GetFrimwareVersionTask.main(GetFrimwareVersionTask.
java:80)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:
1639)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:
1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(
AbstractD
elegateHttpsURLConnection.java:185)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.connect
(HttpsURLConnectionImpl.java:162)
at
org.springframework.http.client.SimpleBufferingClientHttpRequest.
executeInternal(SimpleBufferingClientHttpRequest.java:76)
at
org.springframework.http.client.AbstractBufferingClientHttpRequest
.executeIntern
al(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.
execute(AbstractClient HttpRequest.java:53)
at
org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:734)
... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:
324)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java
:229)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(
ClientHandshaker.java:1621)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(
SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 23 more
Is there any way to make this working without adding this certificate to Java clients keystore ?
We had the same issue and in our case the server that we contacted was misconfigured. It did not provide the full certificate chain. You can check that using this tool.
When the server is under your control, you should be able to configure this. When using Apache, you can configure this using SSLCertificateChainFile. See also this answer
I have generated java classes using cxf wsdl2java. But not sure how to authenticate the request with client certificate. I was able to generate client classes from wsdl with out any issue by using the below command:
wsdl2java -ant - client -d D:\cxf-client D:\HelperActions.wsdl
I am getting the blogs or forums with userid and password authentication in google search. But not able to find how to authenticate the request with the jks or .crt certificate.
I tried what it was mentioned in the below link
https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2014-07-java-soap-client-certificate-authentication
and also I tried implementing the certification mentioned in the below link
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/ClientNonSpring.java?revision=1406329&view=markup
But I am getting the following exception
javax.xml.ws.webserviceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'wsdl path'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failes: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.HandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I placed the certificate in the class path, I tried both the ways mentioned in the above links, but all the effort didnt work well. I am not sure where I am going wrong.
Can anyone help me in sending the request with client certificate?
I am getting below error while I am connecting to LDAP server,I have imported the SSL certificate to //jre/lib/security. I am able to connect to server when running the program from JDK/bin file but outside that I am not able to execute it. I ahd set both JAVA_HOME and path variable to the same jdk where I have imported the certificate.
server on which I am trying to this program is windows server, 32 bit , sevice pack 2.
Unknown LDAP Error javax.naming.CommunicationException: simple bind
failed: saata
01.corp.oncor.com:1636 [Root exception is javax.net.ssl.SSLHandshakeException : sun.security.validator.ValidatorException : PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException : unable
to find valid certification path to requested target]
I am connecting to a webservice SSL client auth, I set up the keystore by:
System.getProperties().setProperty("javax.net.ssl.keyStore",
"d:/banking/BankClient/classes/xxcompany/bank/certificate/keystore.jks");
System.getProperties().setProperty("javax.net.ssl.keyStorePassword","password");
When calling the webservice:
GetAccountBalanceResponse resp = services.getAccountBalance(request);
I get a following error
WARNING:Cannot connecti with url: https://[redacted] ; reason: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Exception in thread "main" java.rmi.RemoteException: ; nested exception is:
HTTP transport error: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at xxcompany.bank.proxy.runtime.ServicesBinding_Stub.getAccountBalance(ServicesBinding_Stub.java:146)
at xxcompany.bank.proxy.ServicesPortClient.getAccountBalance(ServicesPortClient.java:48)
at xx.bank.client.main(client.java:111)
Caused by: HTTP transport error: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at oracle.j2ee.ws.client.http.HttpClientTransport.invokeImpl(HttpClientTransport.java:174)
at oracle.j2ee.ws.client.http.HttpClientTransport.invoke(HttpClientTransport.java:150)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:176)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:113)
at xxcompany.bank.proxy.runtime.ServicesBinding_Stub.getAccountBalance(ServicesBinding_Stub.java:130)
... 2 more
The keystore containes the private certificate for the client, the certificate is valid and works fine when used in the browser. How should I fix it?
Many thanks.
This error occurs when the CA which signed the server cert is either not one of the well know CAs or the public certificate of the CA is not in the trust store of the client. To get around this you will have to add the public certificate of the CA to the trust store of the client.
See unable to find valid certification path to requested target and No more 'unable to find valid certification path to requested target' for detailed instructions.