Thank you, Rajesh. I do need some more help since I don't know how to determine whether I have root certs in my keystore. I'll tell you how I created my serverstore and clientstore (following the example in "AXIS next Generation Java SOAP".) Hopefully, that will clue you in to what my problem is. I'm using j2sdk1.4.0_01, jakarta-tomcat-4.0.4, and the July 8 axis build on Win2K.
To create the serverstore:

    keytool -v -genkey -keyalg RSA -keystore serverkeystore -alias tomcat

I enabled the SSL configuration on Tomcat and pointed it to this keystore file. From the server.xml:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="c:\bis-axis\gov\doc\bis\snap\serverkeystore"
               keypass="changeit"/>
    </Connector>

To export the cert:

    keytool -v -export -rfc -file ServerCertificate.cer -keystore serverkeystore -alias tomcat

To import the cert:

    keytool -v -import -file ServerCertificate.cer -keystore clienttruststore -storetype JCEKS -alias tomcat

And added SSL specs to my client code as specified in the second email in this thread.

I hope that helps pinpoint what I'm missing or doing wrong. Thanks again.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: Can't find Trusted Cert.

Hey Sean,

Do you have root certificates in your key store which makes a specific certificate trusted..... whenever you access a secure web server or ssl stuph, you get a complete chain of certificates. the lowest certificate in that chain belongs to the web server or the domain name such as www.hotmail.com but the other certs in the chain are the root certificates which makes this www.hotmail.com cert a trusted one.

if you import all the cert chain hierarchy in your keystore file, then you should be fine. you will get rid of famous "untrusted cert chain exception".

if you need any help in understanding it more, let me know...

Rajesh

"Cohan, Sean" <[EMAIL PROTECTED]> on 12 Jul 2002 10:02
Please respond to [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: Can't find Trusted Cert.

I tried that. I'm really a fish out of water here, but it looks like my clienttruststore is not recognized (based on the 'keyStore is : ' line below.) Any help sorting this out is greatly appreciated since I'm stumbling around in the dark (but learning which is good.) Here's the top portion of the output. Thanks.

    C:\bis-axis\gov\doc\bis\snap>java -Djavax.net.debug=ssl gov.doc.bis.snap.SSLMain

    Testing getting SnapworkItem with key parameter.
    >> Querying SnapWorkItemApi for '1'
    keyStore is :
    keyStore type is : jks
    init keystore
    init keymanager of type SunX509
    trustStore is: c:\j2sdk1.4.0_01\jre\lib\security\cacerts
    trustStore type is : jks
    init truststore
    adding as trusted cert: [
    [
      Version: V3
      Subject: [EMAIL PROTECTED], CN=Thawte Personal Freemail CA, OU=Certification Services Division , O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@6dadf9
      Validity: [From: Sun Dec 31 19:00:00 EST 1995,
                 To: Thu Dec 31 18:59:59 EST 2020]
      Issuer: [EMAIL PROTECTED], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      SerialNumber: [ 0 ]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 3:37 AM
To: [EMAIL PROTECTED]
Subject: RE: Can't find Trusted Cert.

Hi,

Try running your client and server with SSL debug ON. (java -Djavax.net.debug=ssl ...) This way you can see what's really happening.
You can find out whether the system finds your truststore file. Or maybe the problem is exactly what the exception says: there is no proper certificate in your truststore. In this case you should import one into your truststore. Or the other side is sending the wrong certificate?

Good luck,
Geza

> -----Original Message-----
> From: ext Cohan, Sean [mailto:[EMAIL PROTECTED]]
> Sent: 11. July 2002 23:21
> To: '[EMAIL PROTECTED]'
> Subject: RE: Can't find Trusted Cert.
>
> Perhaps a little more info should have been provided on my part. Here is my
> relevant client code:
>
>     // Set the protocol for handling SSL based connecting
>     System.setProperty("java.protocol.handler.pkgs",
>         "com.sun.net.ssl.internal.www.protocol");
>     // Add the provider implementation class for handling SSL connections
>     java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
>     // Set the truststore for authentication
>     System.setProperty("javax.net.ssl.truststore",
>         "gov.doc.bis.snap.clienttruststore");
>     System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>
> And here is a little more of the error:
>
>     C:\bis-axis\gov\doc\bis\snap>java gov.doc.bis.snap.SSLMain
>
>     Testing getting SnapworkItem with key parameter.
>     >> Querying SnapWorkItemApi for '1'
>     - Mapping Exception to AxisFault
>     AxisFault
>      faultCode: {http://xml.apache.org/axis/}Server.userException
>      faultString: javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
>      faultActor: null
>      faultDetail:
>         stackTrace: javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
>     .
>     .
>     .
>
> What should I do? Thanks.
>
> -----Original Message-----
> From: Cohan, Sean [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 11, 2002 4:25 PM
> To: [EMAIL PROTECTED]
> Subject: Can't find Trusted Cert.
>
> What's happening if I get this message when running my client and more
> importantly, how do I go about correcting it?
>
> SSLHandshakeException: Couldn't find trusted certificate
>
> I've checked that the clienttrustedstore is in my classpath and restarted
> tomcat.
>
> I'm almost there, I can feel it.
>
> Thanks.
>
> Sean Cohan
> Software Performance Systems
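
The trust store settings discussed in this thread can be checked with a small diagnostic, given here as an added example that is not part of the original messages. The class name TrustStoreCheck is hypothetical; javax.net.ssl.trustStore, javax.net.ssl.trustStoreType and javax.net.ssl.trustStorePassword are the standard JSSE property names, and the fallback to the JRE's cacerts file is a simplifying assumption.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical diagnostic class (added example; not part of Axis, Tomcat or JSSE).
public class TrustStoreCheck {
    // Standard JSSE property names. System property keys are case-sensitive.
    static final String[] KNOWN = { "javax.net.ssl.trustStore",
        "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStorePassword" };

    public static void main(String[] args) throws Exception {
        // 1. Flag keys that differ from a JSSE name only by case: JSSE never reads them.
        for (String key : System.getProperties().stringPropertyNames())
            for (String known : KNOWN)
                if (key.equalsIgnoreCase(known) && !key.equals(known))
                    System.out.println("IGNORED: '" + key + "' should be '" + known + "'");

        // 2. Resolve the store JSSE would use (assumed fallback: the JRE's cacerts).
        String path = System.getProperty("javax.net.ssl.trustStore",
            System.getProperty("java.home") + "/lib/security/cacerts");
        String type = System.getProperty("javax.net.ssl.trustStoreType",
            KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        File file = new File(path);
        System.out.println("trustStore=" + file.getAbsolutePath() + " type=" + type);
        if (!file.isFile()) {
            System.out.println("NOT A FILE: the value must be a filesystem path");
            return;
        }

        // 3. Load with the declared type; a JCEKS store opened as JKS is rejected here.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        // 4. List entries so a missing server or root certificate is visible.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(non-X.509)";
            System.out.println((ks.isCertificateEntry(alias) ? "trusted  " : "key      ")
                + alias + " -> " + subject);
        }
    }
}
```

Run it with the same -D options (or the same System.setProperty calls placed before it) as the failing client; an "IGNORED" line, a "NOT A FILE" line or a load failure in step 3 each points at a different misconfiguration.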