web service security issue

Hi.
I am learning from the book "Java web services: Up and Running".
It is quite good one, but I have a problem in undertanding use of keytool in purpose of kreating kyestore.
Here is problem.
Generated .keystore using :keytool -genkey -alias tomcat -keyalg RSA, is stored, just as a book says inside "account's home directory", in will be in my case : "E:\Documents and Settings\Boban", and the file .keystore, is there. But I have a problem to compile my client class. In book it stays :
java -Djavax.net.ssl.trustStore=/home/mkalin/.keystore \ -Djavax.net.ssl.trustStorePassword=changeit \ -Djavax.net.ssl.keyStore=/home/mkalin/.keystore \ -Djavax.net.ssl.keyStorePassword=changeit ClientTC
I just replace "/home/mkalin/.keystore" with "E:/Documents and Settings/Boban/.keystore", bit I get an error (cannot find a class).
I tried to create such a Properties in my client code, and to store the value above, but it won't work neither.
So how can I accomplish this?
Thanks

Please post the exact and complete error message. Make sure the ClientTC.class file is in the directory from where you execute this command.

Well it is ordinary exception which tells that class not found :
Exception in thread "main" java.lang.NoClassDefFoundError: and Caused by: java.lang.ClassNotFoundException: and at java.net.URLClassLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClassInternal(Unknown Source) Could not find the main class: and. Program will exit.

It is when I run from command prompt, and simply place client class on C partition.
However I have placed my own keystore into TOMECAT_HOME dir (named sler.keystore). When browser lunch secured service https://localhost:8443/slersec/sler, the keystore on I have placed have been activated and the browser is prompt to accept this key (because it perform validation on its own key/trust store repository. right?).
So my keystore on server side has been successfully deployed.
But when I lunch a java application (from Eclipse) I have been not validated against sler.keystore (I placed in the work dir of Eclipse). The following error has been got :
com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source) at com.sun.xml.internal.ws.client.Stub.process(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source) at $Proxy29.secretInfo(Unknown Source) at SecurityClient.main(SecurityClient.java:36) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) ... 15 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 27 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 33 more

So,it's not validated.
Can I however programmatic specified keystore and truststore in my client class, and then certificates received from server, to be validated against it??? That would be solution , and the good one. So, how can I perform such a task?
Thanks

It can't find a class called "and"? Are you sure there isn't a typo or something when you enter the command? Or maybe in some config file?

No. I typed what I said. But I am quite sure, that that is wrong. I don't think I should type :
java -Djavax.net.ssl.trustStore=E:/Documents and Settings/Boban/.keystore -D . . . . .
It really doesn't sound correct.
But why I can perform programmatic something like this :
[code]

import java.util.logging.Logger;
import javax.xml.ws.BindingProvider;
import java.util.*;
import securityC.*;
import javax.xml.ws.handler.MessageContext;

public class SecurityClient {
private static Logger logger =Logger.getLogger("SecurityClient");
private static final String endpoint = "https://localhost:8443/slersec/sler";

public static void main(String[] args) {
try{
SlerSecurityService service = new SlerSecurityService();
SlerSecurity port = service.getSlerSecurityPort();
/*
Properties props = new Properties();
props.put("javax.net.ssl.trustStore", System.getProperty ("user.home"));
props.put("javax.net.ssl.trustStorePassword", "changeot");
props.put("javax.net.ssl.keyStore", System.getProperty ("user.home"));
props.put("javax.net.ssl.keyStorePassword", "changeit");
Map<String, Object> req_ctx = ((BindingProvider) port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);


// Place the username/password in the HTTP request headers,
// which a non-Java client can do as well.
Map<String, List><String>> hdr = new HashMap<String, List><String>>();
hdr.put("username", Collections.singletonList("afrodom"));
hdr.put("password", Collections.singletonList("slobodan"));
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, hdr);

logger.info("Invoking secret key . . . ");
logger.info("The answer is : \n "+ port.secretInfo("love"));
logger.info("check user validation . . . : ");
}catch (Exception e){
e.printStackTrace();
}
}
}

Should I also pay attention on self-created .keystore file in user home dir. on client side, or sler.keystore on server side? How would you solve this problem?

No. I typed what I said. But I am quite sure, that that is wrong. I don't think I should type :
java -Djavax.net.ssl.trustStore=E:/Documents and Settings/Boban/.keystore -D . . . . .

That's where the "and" is coming from. If the path has spaces, then you need to enclose it in double quotes.

Well, you have a right. But now, the second exception has been raised :
C:\>java -Djavax.net.ssl.trustStore="E:/Documents and Settings/Boban/.keystore" -Djavax.net.ssl.trustStorePassword=changeit -Djava x.net.ssl.keyStore="E:/Documents and Settings/Boban/.keystore" -Djavax.net.ssl.keyStorePassword=changeit SecurityClient Jul 27, 2009 5:50:31 PM SecurityClient main INFO: Invoking secret key . . . com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security. cert.CertificateException: No name matching localhost found at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source) at com.sun.xml.internal.ws.client.Stub.process(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source) at $Proxy29.secretInfo(Unknown Source) at SecurityClient.main(SecurityClient.java:19) Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) ... 15 more Caused by: java.security.cert.CertificateException: No name matching localhost found at sun.security.util.HostnameChecker.matchDNS(Unknown Source) at sun.security.util.HostnameChecker.match(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 27 more
What would go wrong now???

Hi
I made a plenty of googling, but I couldn't find an answer.
This is my Client class. When I use an ordinary protocol, it works fine but when I change to secured, it says throws prevoous exception. Can I somehow, set system property which will pointing at 'localhost' as my ip?
import java.util.logging.Logger; import javax.xml.ws.BindingProvider; import java.util.*; import securityC.*; import javax.xml.ws.handler.MessageContext; public class SecurityClient { private static Logger logger =Logger.getLogger("SecurityClient"); private static final String endpoint = "https://localhost:8443/slersec/sler"; //private static final String endpoint = "http://localhost:8080/slersec/sler"; public static void main(String[] args) { try{ SlerSecurityService service = new SlerSecurityService(); SlerSecurity port = service.getSlerSecurityPort(); System.setProperty("javax.net.ssl.trustStore", "E:/Documents and Settings/Boban/.keystore"); System.setProperty("javax.net.ssl.trustStorePassword","changeit"); System.setProperty("javax.net.ssl.keyStore", "E:/Documents and Settings/Boban/.keystore"); System.setProperty("javax.net.ssl.keyStorePassword","changeit"); Map<String, Object> req_ctx = ((BindingProvider) port).getRequestContext(); req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint); req_ctx.put(BindingProvider.USERNAME_PROPERTY, "afrodom"); req_ctx.put(BindingProvider.PASSWORD_PROPERTY, "slobodan"); logger.info("Invoking secret key . . . "); logger.info("The answer is : \n "+ port.secretInfo("someKey")); logger.info("check user validation . . . : "); logger.info(port.checkUser()); }catch (Exception e){ e.printStackTrace(); } } }

I just cannot figure out...

Help, Help, Help
Does anyone know what is the wrong? I just cannot resolve the problem. I configure the clinet but the same exception had raised again, and again. I have just simply follow the example from "java Web Service:Up and Running", but I cannot find out what is problem.
The exception :
Aug 1, 2009 5:57:07 PM SecurityClient main INFO: Invoking secret key . . . com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source) at com.sun.xml.internal.ws.client.Stub.process(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source) at $Proxy29.secretInfo(Unknown Source) at SecurityClient.main(SecurityClient.java:40) Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) ... 15 more Caused by: java.security.cert.CertificateException: No name matching localhost found at sun.security.util.HostnameChecker.matchDNS(Unknown Source) at sun.security.util.HostnameChecker.match(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 27 more

raise, continuously. I have read Mikalai Zaikin's Study Guide, and add some properties more, as suggested :
import java.util.logging.Logger; import javax.xml.ws.BindingProvider; import java.util.*; import securityC.*; import javax.xml.ws.handler.MessageContext; import java.security.*; public class SecurityClient { private static Logger logger =Logger.getLogger("SecurityClient"); private static final String endpoint = "https://localhost:8443/slersec/sler"; public static void main(String[] args) { try{ SlerSecurityService service = new SlerSecurityService(); SlerSecurity port = service.getSlerSecurityPort(); //AUTHENTICATION/AUTHORISATION, AGAINST DATABASE System.setProperty("javax.net.ssl.keyStore", "E:/Documents and Settings/Boban/.keystore"); System.setProperty("javax.net.ssl.keyStorePassword","changeit"); System.setProperty("javax.net.ssl.keyStoreType", "JKS"); System.setProperty("javax.net.ssl.trustStore", "E:/Documents and Settings/Boban/.keystore"); System.setProperty("javax.net.ssl.trustStorePassword","changeit"); System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); Map<String, Object> req_ctx = ((BindingProvider) port).getRequestContext(); req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint); req_ctx.put(BindingProvider.USERNAME_PROPERTY, "afrodom"); req_ctx.put(BindingProvider.PASSWORD_PROPERTY, "slobodan"); // Place the username/password in the HTTP request headers, // which a non-Java client can do as well. Map<String, List><String>> hdr = new HashMap<String, List><String>>(); hdr.put("username", Collections.singletonList("afrodom")); hdr.put("password", Collections.singletonList("slobodan")); req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, hdr); logger.info("Invoking secret key . . . "); logger.info("The answer is : \n "+ port.secretInfo("love")); logger.info("check user validation . . . : "); logger.info(port.checkUser()); }catch (Exception e){ e.printStackTrace(); } } }
but then, the second (contradictory) exception has been thrown :

Aug 1, 2009 6:01:09 PM SecurityClient main INFO: Invoking secret key . . . com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: java.io.IOException: HTTPS hostname wrong: should be <localhost> at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source) at com.sun.xml.internal.ws.client.Stub.process(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source) at $Proxy29.secretInfo(Unknown Source) at SecurityClient.main(SecurityClient.java:39) Caused by: java.io.IOException: HTTPS hostname wrong: should be <localhost> at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getOutputStream(Unknown Source) ... 15 more

Now, it says the host name SHOULD be localhost (and IT is) ?!
So what should I do??? Thanks... A LoT

Hi!
Include this code snippet on the client side. See the comment in the code below for explanation!
static { /* * Java by default verifies that the certificate CN (Common Name) is * the same as host name in the URL. If the CN in the certificate is * not the same as the host name, your web service client fails. * This piece of code allows for using localhost as host name * with a certificate in which the CN does not match. * This is meant to be a workaround while developing the web * service and clients and SHOULD be removed in the production * version. */ HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { if (hostname.equals("localhost")) { return true; } return false; } }); }
Best wishes!

Hi Ivan.Thanks for your efforts, but the issue isn't resolved .
When i add the static code you have suggested, I get the following exception on client side :
Aug 3, 2009 11:00:02 AM SecurityClient main INFO: Invoking secret key . . . javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source) at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source) at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source) at com.sun.xml.internal.ws.client.Stub.process(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source) at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source) at $Proxy29.secretInfo(Unknown Source) at SecurityClient.main(SecurityClient.java:68) Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source) at java.io.BufferedInputStream.fill(Unknown Source) at java.io.BufferedInputStream.read1(Unknown Source) at java.io.BufferedInputStream.read(Unknown Source) at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source) at sun.net.www.http.HttpClient.parseHTTP(Unknown Source) at sun.net.www.http.HttpClient.parseHTTP(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at java.net.HttpURLConnection.getResponseCode(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source) ... 15 more

AND it is probably caused by exception thrown from Tomcat :
INFO: SSL Error getting client Certs javax.net.ssl.SSLHandshakeException: null cert chain at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177) at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206) at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746) at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75) at java.io.InputStream.read(InputStream.java:85) at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88) at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67) at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121) at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1132) at org.apache.coyote.Request.action(Request.java:349) at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:619) Aug 3, 2009 11:00:04 AM org.apache.coyote.http11.Http11Processor action WARNING: Exception getting SSL attributes javax.net.ssl.SSLHandshakeException: null cert chain at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177) at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206) at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746) at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75) at java.io.InputStream.read(InputStream.java:85) at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88) at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67) at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121) at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1132) at org.apache.coyote.Request.action(Request.java:349) at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:619) Aug 3, 2009 11:00:04 AM org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake INFO: SSL Error getting client Certs javax.net.ssl.SSLHandshakeException: null cert chain at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177) at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206) at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746) at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75) at java.io.InputStream.read(InputStream.java:85) at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88) at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67) at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121) at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1132) at org.apache.coyote.Request.action(Request.java:349) at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:619) Aug 3, 2009 11:00:04 AM org.apache.coyote.http11.Http11Processor action WARNING: Exception getting SSL attributes javax.net.ssl.SSLHandshakeException: null cert chain at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177) at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206) at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746) at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75) at java.io.InputStream.read(InputStream.java:85) at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88) at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67) at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121) at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1132) at org.apache.coyote.Request.action(Request.java:349) at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:619)
I am little confused, because I do not directly use HttpsURLConnection object, but Service (proxy) in my client code, and as much as I see, it points to bad certificate, but there is no problem when I try to access the resource using browser. What could be problem?

Hi!
It looks like your truststore and/or keystore is not set up properly.
Check my SCDJWS study notes for a step-by-step guide on how to set up keystores and truststores for SSL and SSL with mututal authentication.
Best wishes!