Greetings all.

Here is the problem... When I try to run any sort of secure OGSA-DAI client from within tomcat, it fails with security path issues.

By "Secure OGSA-DAI client", I mean a JSP that invokes a derivative of the GTSecureClient example provided with the OGSA-DAI code, which uses globus libraries to make a secure connection to a given URL that is using globus certificates and the like.

By security path issue, the full error is listed below, but the pith of it is this:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

As best as I can tell, this is the result of Tomcat not loading the globus security credentials... thus resulting in a "I don't trust the location you are trying to connect to, and am failing" error.

I have been looking at how to configure tomcat (or what libraries/configuration files to include in the web-app directory) to assume the globus credentials for running secure clients... but I have not been able to find any descriptive examples of what I am trying to do, mainly because a majority of the help content seems to focus on enabling tomcat as a secure globus container/server (not how to facilitate clients).

Thus, I was wondering if anyone would know what to try to get this working.

Here is some extra information about the client. What would be most helpful are examples of JSPs that call globus services and work in tomcat. I am working with some code that has already been developed independently of any portal so I am reluctant to have GridSphere or P-Grade do all the certification management because they don't seem to allow any sort of simple JSP connection (we may end up using a portal or at least their authentication schemes later... but this is more of a proof of concept).

- It can run from the command line... all the jars required to run it outside the "ogsadai directory" are bundled with the client, and all those jars are also in the WEB-INF/lib directory of the webapp version. So it is finding all the credentials it needs when it is outside tomcat.
- The jar that was not bundled with it that looked like it would help (cog-tomcat.jar) was not included with the client... I imported it just as an ancillary test and it didn't do anything.
- I enabled secure access to tomcat and referenced the cacertdir and proxy attributes in the Connector element created as described in the Globus Admin guide (http://www.globus.org/toolkit/docs/4.0/common/javawscore/admin-index.html) and while that made a globus-enabled secure port, it got the same error with my client.

The one thing I am reluctant to try is importing all of the keys and the like into generic java keystores. One of the problems we are looking at are solutions to easily add new nodes to the grid as automatically and securely as possible, and the methods we have found focus on using/updating all of the certificates that globus uses... thus having to copy all the globus keys in the globus keystore into the java keystore seems like it would be a huge hassle and probably a security risk.

The ideal solution would be if there was some code snippet or war-file configuration that can be added so that tomcat or the client would be forced to use the appropriate keystore... I just haven't seen any example code to handle such things.

Has anyone ever gotten secure clients accessing globus?

Any help or ideas on this matter would be greatly appreciated.

Cheers,
Peter White

The error in full:

uk.org.ogsadai.client.toolkit.exception.ServerURLInvalidException: A problem occured initialising the server.
    at uk.org.ogsadai.client.toolkit.ServerFactory.getWSDL(Unknown Source)
    at uk.org.ogsadai.client.toolkit.ServerFactory.getServer(Unknown Source)
    at uk.org.ogsadai.client.toolkit.ServerProxy.getServer(Unknown Source)
    at uk.org.ogsadai.client.toolkit.ServerProxy.getDataRequestExecutionResource(Unknown Source)
    at gov.cdc.ncphi.rodsadai.RODSQLClient.execute(RODSQLClient.java:86)
    at gov.cdc.ncphi.rodsadai.RODSAdaiProp.querySpatialOD(RODSAdaiProp.java:65)
    at org.apache.jsp.spatialTest_jsp.testApp(spatialTest_jsp.java:27)
    at org.apache.jsp.spatialTest_jsp._jspService(spatialTest_jsp.java:77)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at java.net.URL.openStream(URL.java:1007)
    ... 28 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
    at sun.security.validator.Validator.validate(Validator.java:203)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
    ... 40 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
    ... 45 more
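
An added example, not part of the original post and not OGSA-DAI or Globus code: one way to give a client inside Tomcat the grid CAs as trust anchors without copying them into the JVM's default keystore is to build the trust store in memory from the CA certificate directory at startup. It assumes the directory holds PEM CA certificates in files ending in `.0`; the class name `GridTrust` and the directory argument are hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class GridTrust {
    /** Load every CA certificate in caDir into an in-memory trust store. */
    static KeyStore loadAnchors(File caDir) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                 // empty store, nothing is written to disk
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Assumption: CA certificates are the files whose names end in ".0".
        File[] files = caDir.listFiles((dir, name) -> name.endsWith(".0"));
        if (files == null || files.length == 0)
            throw new IllegalStateException("no CA certificates in " + caDir);
        for (File f : files) {
            try (InputStream in = new FileInputStream(f)) {
                X509Certificate ca = (X509Certificate) cf.generateCertificate(in);
                ca.checkValidity();          // reject expired or not-yet-valid anchors
                ks.setCertificateEntry(f.getName(), ca);
            }
        }
        return ks;
    }

    /** Build a TLS context that trusts only the anchors found in caDir. */
    static SSLContext contextFor(File caDir) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadAnchors(caDir));
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key managers: this covers server trust only, not a client credential.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(new File(args[0]));
        // JVM-wide: every HttpsURLConnection in this JVM will use these anchors.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("default HTTPS trust now limited to " + args[0]);
    }
}
```

The trace shows the failing handshake going through `HttpsURLConnection` via `URL.openStream`, which is why the default socket factory is the hook used here; in Tomcat that setting is shared by every webapp in the same JVM, so new CA files added to the directory take effect only after the context is rebuilt.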
