Now I am stuck with the following error:

javax.xml.ws.soap.SOAPFaultException: Problem writing SAAJ model to stream: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
    at com.sun.proxy.$Proxy53.service(Unknown Source)
    at com.mycompany.Service.service(Service.java:47)
    at com.mycompany.TestService.testClient(TestService.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:618)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
    at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:74)
    at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:83)
    at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:72)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:231)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:88)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
    at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
    at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:71)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:292)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:174)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: javax.xml.stream.XMLStreamException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.ibm.xml.xlxp2.api.stax.msg.StAXMessageProvider.throwXMLStreamException(StAXMessageProvider.java:67)
    at com.ibm.xml.xlxp2.api.stax.XMLStreamWriterImpl.flush(XMLStreamWriterImpl.java:766)
    at com.ibm.xml.xlxp2.api.stax.XMLOutputFactoryImpl$XMLStreamWriterProxy.flush(XMLOutputFactoryImpl.java:155)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:213)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:172)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)

For the client, the truststore and keystore are the same in my case:

    <http:conduit name="{http://com.mycompany/serviceOne}ServiceOnePort.http-conduit">
        <http:tlsClientParameters secureSocketProtocol="SSL">
            <sec:keyManagers keyPassword="cstorepass">
                <sec:keyStore file="src/test/resources/com/mycompany/ClientKeyNew.jks"
                              password="cstorepass" type="JKS" />
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore file="src/test/resources/com/mycompany/ClientKeyNew.jks"
                              password="cstorepass" type="JKS" />
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with export-suitable or
                     null encryption is used, but exclude anonymous Diffie-Hellman key change
                     as this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
    </http:conduit>

I have also imported the Tomcat certificate (default alias 'tomcat') into the keystore/truststore identified by ClientKeyNew.jks.

Here is the Tomcat entry from server.xml:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/conf/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" algorithm="IbmX509" />

Could anyone please help me out with this? I can't figure out why the SSL handshake fails.

Thanks,
Giriraj.

On Thu, Jul 10, 2014 at 9:39 AM, Giriraj Bhojak <girira...@gmail.com> wrote:

> Hi Xilai,
>
> Thank you for the reply. I did check the passwords and they were correct.
> It turns out that the keystore and key passwords need to be the same. Once I
> used a new keystore with identical passwords for the key and the store
> itself, the error went away.
>
> Is this a limitation of Merlin or of Java keystores in general?
>
> Now I have moved on to different errors.
>
> Thanks,
> Giriraj.
>
> On Jul 9, 2014 10:09 PM, "XiLai Dai" <xl...@talend.com> wrote:
>
>> Hi,
>>
>> This exception may be because you had provided a wrong key password
>> (the password for the alias). Please check again.
>>
>> Regards.
>> Xilai Dai
>>
>> -----Original Message-----
>> From: Giriraj Bhojak [mailto:girira...@gmail.com]
>> Sent: Thursday, July 10, 2014 5:36 AM
>> To: users@cxf.apache.org
>> Subject: Using SSL with CXF web service
>>
>> Hello,
>>
>> I have set up a CXF endpoint on Tomcat. I have enabled SSL on Tomcat.
>> I am able to access the deployed web service using
>> http://localhost:8080/webapp/services/one.
>> When I use the SSL port (https://localhost:8443/webapp/services/one) and
>> try accessing the same web service through my Java program, I get the following:
>>
>> Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j:
>> PKIX path building failed: java.security.cert.CertPathBuilderException:
>> unable to find valid certification path to requested target
>>     at com.ibm.jsse2.j.a(j.java:36)
>>     at com.ibm.jsse2.qc.a(qc.java:199)
>>     at com.ibm.jsse2.ab.a(ab.java:171)
>>     at com.ibm.jsse2.ab.a(ab.java:180)
>>     at com.ibm.jsse2.bb.a(bb.java:346)
>>     at com.ibm.jsse2.bb.a(bb.java:559)
>>     at com.ibm.jsse2.ab.r(ab.java:554)
>>     at com.ibm.jsse2.ab.a(ab.java:325)
>>     at com.ibm.jsse2.qc.a(qc.java:617)
>>     at com.ibm.jsse2.qc.h(qc.java:103)
>>     at com.ibm.jsse2.qc.a(qc.java:166)
>>     at com.ibm.jsse2.qc.startHandshake(qc.java:649)
>>     at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:62)
>>     at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:22)
>>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1103)
>>     at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:16)
>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1290)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1246)
>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
>>
>> Then I added http-conduit as per this link
>> <http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html>
>> to the Spring beans definition as follows:
>>
>>     <http:conduit name="{http://com.mycompany/services}ONEPort.http-conduit">
>>         <http:tlsClientParameters>
>>             <sec:keyManagers keyPassword="keyPassword">
>>                 <sec:keyStore file="src/test/resources/keystore.jks"
>>                               password="keyStorepassword" type="JKS" />
>>             </sec:keyManagers>
>>             <sec:trustManagers>
>>                 <sec:keyStore file="src/test/resources/keystore.jks"
>>                               password="keyStorepassword" type="JKS" />
>>             </sec:trustManagers>
>>             <sec:cipherSuitesFilter>
>>                 <!-- these filters ensure that a ciphersuite with export-suitable or
>>                      null encryption is used, but exclude anonymous Diffie-Hellman key change
>>                      as this is vulnerable to man-in-the-middle attacks -->
>>                 <sec:include>.*_EXPORT_.*</sec:include>
>>                 <sec:include>.*_EXPORT1024_.*</sec:include>
>>                 <sec:include>.*_WITH_DES_.*</sec:include>
>>                 <sec:include>.*_WITH_AES_.*</sec:include>
>>                 <sec:include>.*_WITH_NULL_.*</sec:include>
>>                 <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>             </sec:cipherSuitesFilter>
>>         </http:tlsClientParameters>
>>     </http:conduit>
>>
>> Now I get:
>>
>> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>>     at com.ibm.crypto.provider.s.recover(s.java:90)
>>     at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
>>     at java.security.KeyStore.getKey(KeyStore.java:803)
>>     at com.ibm.jsse2.uc.<init>(uc.java:113)
>>     at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
>>     at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
>>     at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)
>>     at org.apache.cxf.configuration.jsse.TLSClientParametersConfig.createTLSClientParametersFromType(TLSClientParametersConfig.java:110)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>>     at java.lang.reflect.Method.invoke(Method.java:618)
>>     at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160)
>>
>> Could anyone please point out what I am doing wrong here?
>>
>> Is there anything I need to do in the web service endpoint Spring
>> configuration (apart from setting up Tomcat for SSL) to ensure I can access
>> the web service using https?
>> I know I need to add the http-conduit element on the client side. But I seem to
>> be doing something wrong.
>>
>> Thanks,
>> Giriraj.
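An added illustration of the two mechanics this thread runs into, written for this page rather than taken from the thread or from CXF. Part one evaluates what a CXF-style cipherSuitesFilter selects on the local JVM, approximating CXF's semantics (assumption: a suite is selected when it matches at least one include pattern and no exclude pattern); it runs the include/exclude patterns from the http:conduit above, whose include list admits export, DES and NULL-encryption suites, and then a stricter pattern set that is this example's own suggestion, not something from the thread. Part two reproduces the "cannot recover key" condition with an in-memory JCEKS store and a constructed AES secret key: a JKS or JCEKS entry is protected by its own password, which may differ from the store password, and KeyManagerFactory.init fails with UnrecoverableKeyException whenever the password handed to it does not open the entry. The keystore type, alias and passwords used here are constructed for the demonstration.

```java
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLContext;

/** Added example (editor's code, not CXF's): cipher-filter evaluation and key-password check. */
public class TlsConfigCheck {

    /**
     * Approximation of CXF's cipherSuitesFilter (assumption): a suite is selected when it
     * matches any include pattern and no exclude pattern. Patterns are full-match regexes,
     * as in the <sec:include>/<sec:exclude> elements.
     */
    static List<String> applyFilter(String[] supported, List<String> includes, List<String> excludes) {
        List<Pattern> inc = compile(includes);
        List<Pattern> exc = compile(excludes);
        List<String> selected = new ArrayList<>();
        for (String suite : supported) {
            if (matchesAny(suite, inc) && !matchesAny(suite, exc)) {
                selected.add(suite);
            }
        }
        return selected;
    }

    private static List<Pattern> compile(List<String> regexes) {
        List<Pattern> out = new ArrayList<>();
        for (String r : regexes) {
            out.add(Pattern.compile(r));
        }
        return out;
    }

    private static boolean matchesAny(String s, List<Pattern> patterns) {
        for (Pattern p : patterns) {
            if (p.matcher(s).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Same check KeyManagerFactory.init performs per entry: does this password open the key?
     * A wrong password surfaces as UnrecoverableKeyException ("Cannot recover key" on the IBM JDK).
     */
    static boolean keyPasswordMatches(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        try {
            return ks.getKey(alias, keyPassword) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Part one: what the thread's filter selects on this JVM (output depends on the JDK in use).
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();

        List<String> threadIncludes = Arrays.asList(
                ".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*", ".*_WITH_AES_.*", ".*_WITH_NULL_.*");
        List<String> threadExcludes = Arrays.asList(".*_DH_anon_.*");
        System.out.println("Thread's filter selects: " + applyFilter(supported, threadIncludes, threadExcludes));

        // Stricter pattern set (this example's assumption): ECDHE key exchange with AES-GCM only,
        // and explicit excludes for NULL, export, DES, RC4 and anonymous suites.
        List<String> strictIncludes = Arrays.asList("TLS_ECDHE_.*_WITH_AES_.*_GCM_.*");
        List<String> strictExcludes = Arrays.asList(".*_NULL_.*", ".*_EXPORT.*", ".*_DES_.*", ".*_RC4_.*", ".*_anon_.*");
        System.out.println("Strict filter selects:   " + applyFilter(supported, strictIncludes, strictExcludes));

        // Part two: per-entry key password vs. store password in an in-memory JCEKS store.
        char[] storePass = "store-pass".toCharArray();       // constructed
        char[] entryPass = "entry-pass".toCharArray();       // constructed, deliberately different
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePass);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(entryPass));

        // This is the mismatch behind "Cannot recover key": the store password does not open the entry.
        System.out.println("store password opens entry: " + keyPasswordMatches(ks, "demo", storePass)); // false
        System.out.println("entry password opens entry: " + keyPasswordMatches(ks, "demo", entryPass)); // true
    }
}
```

In CXF terms, the second part corresponds to sec:keyManagers keyPassword: CXF passes that value (or, when it is absent, the keystore password) to KeyManagerFactory.init, so the attribute has to be the password of the private-key entry, which is allowed to differ from the store password; making both passwords identical, as in the thread, is one way to satisfy that, not a requirement of JKS.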