Now I am stuck with the following error:

javax.xml.ws.soap.SOAPFaultException: Problem writing SAAJ model to stream: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
    at com.sun.proxy.$Proxy53.service(Unknown Source)
    at com.mycompany.Service.service(Service.java:47)
    at com.mycompany.TestService.testClient(TestService.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:618)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
    at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:74)
    at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:83)
    at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:72)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:231)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:88)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
    at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
    at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:71)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:292)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:174)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: javax.xml.stream.XMLStreamException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.ibm.xml.xlxp2.api.stax.msg.StAXMessageProvider.throwXMLStreamException(StAXMessageProvider.java:67)
    at com.ibm.xml.xlxp2.api.stax.XMLStreamWriterImpl.flush(XMLStreamWriterImpl.java:766)
    at com.ibm.xml.xlxp2.api.stax.XMLOutputFactoryImpl$XMLStreamWriterProxy.flush(XMLOutputFactoryImpl.java:155)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:213)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:172)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)

For the client, the truststore and keystore are the same in my case:

    <http:conduit name="{http://com.mycompany/serviceOne}ServiceOnePort.http-conduit">
        <http:tlsClientParameters secureSocketProtocol="SSL">
            <sec:keyManagers keyPassword="cstorepass">
                <sec:keyStore file="src/test/resources/com/mycompany/ClientKeyNew.jks"
                    password="cstorepass" type="JKS" />
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore file="src/test/resources/com/mycompany/ClientKeyNew.jks"
                    password="cstorepass" type="JKS" />
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with export-suitable or
                    null encryption is used, but exclude anonymous Diffie-Hellman key change
                    as this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
    </http:conduit>


I have also imported the Tomcat certificate (default alias 'tomcat') into the
keystore/truststore identified by ClientKeyNew.jks.

Here is the tomcat entry from server.xml:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/conf/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" algorithm="IbmX509" />

Could anyone please help me out with this?
I can't figure out why the SSL handshake fails.

Thanks,
Giriraj.
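
The cipherSuitesFilter in the conduit above decides which suites the client offers, and a server that accepts none of them answers with exactly the handshake_failure alert quoted at the top. The script below is an added example, not code from this thread or from CXF: it models the include/exclude semantics as the CXF documentation describes them (assumed here: a suite is kept when it matches at least one include pattern and no exclude pattern, with Java's anchored String.matches() behaviour), runs the posted patterns over a constructed list of JSSE-style suite names, flags the NULL, EXPORT and DES suites they admit, and contrasts a hardened filter of my own. The suite lists, the HARDENED_* patterns and WEAK_MARKERS are assumptions, not values from the page.

```python
import re

# Constructed sample of JSSE-style cipher-suite names; a real JVM reports its
# own list via SSLContext.getSupportedSSLParameters().getCipherSuites().
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The include/exclude patterns exactly as posted in the conduit above.
POSTED_INCLUDES = [r".*_EXPORT_.*", r".*_EXPORT1024_.*", r".*_WITH_DES_.*",
                   r".*_WITH_AES_.*", r".*_WITH_NULL_.*"]
POSTED_EXCLUDES = [r".*_DH_anon_.*"]

# A hardened replacement (assumed, not from the thread): forward-secret
# AES-GCM only, plus belt-and-braces excludes for anonymous, NULL and export.
HARDENED_INCLUDES = [r"TLS_ECDHE_.*_WITH_AES_.*_GCM_.*"]
HARDENED_EXCLUDES = [r".*_anon_.*", r".*NULL.*", r".*EXPORT.*"]

# Suite-name fragments that mark a suite as unfit for production use (assumed).
WEAK_MARKERS = re.compile(r".*(NULL|EXPORT|_DES_|RC4|anon|MD5).*")


def filter_suites(supported, includes, excludes):
    """Select suites the way a cipherSuitesFilter is documented to work: a
    suite is kept if it matches at least one include pattern and no exclude
    pattern. re.fullmatch mirrors Java's String.matches(), which anchors."""
    inc = [re.compile(p) for p in includes]
    exc = [re.compile(p) for p in excludes]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def weak_suites(suites):
    """Return the subset of suites carrying a known-weak marker."""
    return [s for s in suites if WEAK_MARKERS.fullmatch(s)]


def common_suites(client_suites, server_suites):
    """Suites both sides can negotiate, in client preference order. An empty
    result is one reason a server replies with a handshake_failure alert."""
    server = set(server_suites)
    return [s for s in client_suites if s in server]


if __name__ == "__main__":
    posted = filter_suites(SUPPORTED_SUITES, POSTED_INCLUDES, POSTED_EXCLUDES)
    print("posted filter selects  :", posted)
    print("  of which weak        :", weak_suites(posted))
    hardened = filter_suites(SUPPORTED_SUITES, HARDENED_INCLUDES, HARDENED_EXCLUDES)
    print("hardened filter selects:", hardened)
    # Constructed server list: a server enabling only a suite the client
    # filter never admits leaves nothing in common, hence handshake_failure.
    server_only = ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"]
    print("common with such server:", common_suites(posted, server_only))
```

Run it against the suite list your own JVM reports (and the list the Tomcat connector enables) to see whether the two sides share any suite at all before digging into keystores; the protocol names (`secureSocketProtocol="SSL"` on the client against `sslProtocol="TLS"` on the server) are the other thing worth comparing the same way.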


On Thu, Jul 10, 2014 at 9:39 AM, Giriraj Bhojak <girira...@gmail.com> wrote:

> Hi Xilai,
>
> Thank you for the reply. I did check the passwords and they were correct.
> It turns out that the keystore and key passwords need to be the same. Once I
> used a new keystore with identical passwords for the key and the store
> itself, the error went away.
>
> Is this a limitation of Merlin or java keystore in general?
>
> Now I have moved onto different errors.
>
> Thanks,
> Giriraj.
> On Jul 9, 2014 10:09 PM, "XiLai Dai" <xl...@talend.com> wrote:
>
>> Hi,
>>
>> This exception may be because you provided a wrong key password
>> (the password for the alias). Please check again.
>>
>> Regards.
>> Xilai Dai
>> -----Original Message-----
>> From: Giriraj Bhojak [mailto:girira...@gmail.com]
>> Sent: Thursday, July 10, 2014 5:36 AM
>> To: users@cxf.apache.org
>> Subject: Using SSL with CXF web service
>>
>> Hello,
>>
>> I have set up a CXF endpoint on Tomcat. I have enabled SSL on Tomcat.
>> I am able to access the deployed web service using
>> http://localhost:8080/webapp/services/one.
>> When I use the SSL port (https://localhost:8443/webapp/services/one) and
>> try accessing the same web service through my Java program, I get the following:
>>
>> Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
>>     at com.ibm.jsse2.j.a(j.java:36)
>>     at com.ibm.jsse2.qc.a(qc.java:199)
>>     at com.ibm.jsse2.ab.a(ab.java:171)
>>     at com.ibm.jsse2.ab.a(ab.java:180)
>>     at com.ibm.jsse2.bb.a(bb.java:346)
>>     at com.ibm.jsse2.bb.a(bb.java:559)
>>     at com.ibm.jsse2.ab.r(ab.java:554)
>>     at com.ibm.jsse2.ab.a(ab.java:325)
>>     at com.ibm.jsse2.qc.a(qc.java:617)
>>     at com.ibm.jsse2.qc.h(qc.java:103)
>>     at com.ibm.jsse2.qc.a(qc.java:166)
>>     at com.ibm.jsse2.qc.startHandshake(qc.java:649)
>>     at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:62)
>>     at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:22)
>>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1103)
>>     at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:16)
>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1290)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1246)
>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
>>
>>
>> Then I added an http-conduit as per this link
>> <http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html>
>> to the Spring beans definition as follows:
>>
>>     <http:conduit name="{http://com.mycompany/services}ONEPort.http-conduit">
>>         <http:tlsClientParameters>
>>             <sec:keyManagers keyPassword="keyPassword">
>>                 <sec:keyStore file="src/test/resources/keystore.jks"
>>                     password="keyStorepassword" type="JKS" />
>>             </sec:keyManagers>
>>             <sec:trustManagers>
>>                 <sec:keyStore file="src/test/resources/keystore.jks"
>>                     password="keyStorepassword" type="JKS" />
>>             </sec:trustManagers>
>>             <sec:cipherSuitesFilter>
>>                 <!-- these filters ensure that a ciphersuite with export-suitable or
>>                     null encryption is used, but exclude anonymous Diffie-Hellman key change
>>                     as this is vulnerable to man-in-the-middle attacks -->
>>                 <sec:include>.*_EXPORT_.*</sec:include>
>>                 <sec:include>.*_EXPORT1024_.*</sec:include>
>>                 <sec:include>.*_WITH_DES_.*</sec:include>
>>                 <sec:include>.*_WITH_AES_.*</sec:include>
>>                 <sec:include>.*_WITH_NULL_.*</sec:include>
>>                 <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>             </sec:cipherSuitesFilter>
>>         </http:tlsClientParameters>
>>     </http:conduit>
>>
>> Now I get:
>>
>> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>>     at com.ibm.crypto.provider.s.recover(s.java:90)
>>     at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
>>     at java.security.KeyStore.getKey(KeyStore.java:803)
>>     at com.ibm.jsse2.uc.<init>(uc.java:113)
>>     at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
>>     at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
>>     at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)
>>     at org.apache.cxf.configuration.jsse.TLSClientParametersConfig.createTLSClientParametersFromType(TLSClientParametersConfig.java:110)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>>     at java.lang.reflect.Method.invoke(Method.java:618)
>>     at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160)
>>
>> Could anyone please point out what I am doing wrong here?
>>
>> Is there anything I need to do in the web service endpoint's Spring
>> configuration (apart from setting up Tomcat for SSL) to ensure I can access
>> the web service using https?
>> I know I need to add an http-conduit element on the client side. But I seem to
>> be doing something wrong.
>>
>> Thanks,
>> Giriraj.
>>
>
