Maven SSL build issues

 
Greenhorn
Help please ... I've tried a number of things with no success.

The backstory ...

I'm writing a SOAP-based web service app. Its sole purpose is to take requests from users and reformat each request for an internal system, which is also SOAP-based and runs on an SSL-encrypted server. I get a response back from the SSL server, repackage it as a response to the original user request and send it back.

The problem I'm having is for integration tests. In Eclipse, if I Run or Debug, my integration tests run fine ... but I do have to set up JVM parameters in a run configuration, I've got ...

-Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks
-Djavax.net.ssl.trustStorePassword=Pass1word

The jks file contains all the info needed to talk to the SSL server.

The problem ...

When running Maven from inside Eclipse or externally, I get the following exception

WARNING: Interceptor for {http://xc.protegrity.com/ApplicationProtectorWS}ApplicationProtectorWSPortTypeService#{http://xc.protegrity.com/ApplicationProtectorWS}xcCreateSession has thrown exception, unwinding now

org.apache.cxf.interceptor.Fault: Could not send Message.

with the following ...

Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://tokenserver.protegrity.com/ws/services/ApplicationProtectorWS.2.0: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've tried defining MAVEN_OPTS with those lines pointing to the trust store in a maven_pre.bat file (Windows 7) and in a .mavenrc file (when running Cygwin). I even defined MAVEN_OPTS explicitly in the Windows environment variables ... but no luck. I still get the exception.

How do I define the trust store that Eclipse accepts but maven does not?

Thanks
 
author
You are going to have to configure Maven to also use the truststore. What we did was place a jssecacerts file containing the certificates into the java_home/jre/lib/security directory so that Maven will pick it up automatically. Or you could set up a run configuration in Eclipse, or add the -Djavax.net.ssl.trustStore* setting to mvn.bat (or better yet, create a ~/mavenrc-pre.bat file and place the options in there).
 
mort sahl
Greenhorn
Thanks ... but I've pretty much tried it all, I think.

My maven_pre.bat file located in my Windows7 home directory contains ...

set TRUST_STORE=-Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks
set TRUST_STORE_PASSWORD=-Djavax.net.ssl.trustStorePassword=Pass1word
set MAVEN_OPTS=%TRUST_STORE% %TRUST_STORE_PASSWORD%
echo Done: MAVEN_OPTS=%MAVEN_OPTS%

When I tried .mavenrc in my Cygwin home directory it contained ...

TRUST_STORE=-Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks
TRUST_STORE_PASSWORD=-Djavax.net.ssl.trustStorePassword=Pass1word
MAVEN_OPTS="$TRUST_STORE $TRUST_STORE_PASSWORD"
echo Done: MAVEN_OPTS=$MAVEN_OPTS

I tried setting MAVEN_OPTS as a user variable in Environment Variables with the value of -Djavax.net.ssl.trustStore=C:\apache\apache-tomcat-6.0.20\conf\tokenserver-keystore.jks -Djavax.net.ssl.trustStorePassword=Pass1word

I still get the SSLHandshakeException.

All works fine when I run the program, as the truststore is set up in tomcat/conf, and I can run the tests from inside Eclipse since I set up the truststore in the run configuration. It's just Maven that's not cooperating.
If it makes any difference, I'm using Maven v 2.2.1

Thanks


 
Peter Johnson
author
An obvious question: you are seeing the "Done:" line being echoed when you run Maven and it contains the correct values? Also, double-check the java.exe command line in Task Manager to make sure that the options were passed properly.

The version of Maven shouldn't matter, it doesn't even get involved in this - the JVM networking classes do all of the credential handling.

One more thought - make sure that the alias and the DN for the certificate exactly match the hostname of the remote server (check it with "keytool -list"). That is, both alias and DN must be "tokenserver.protegrity.com". I had an issue recently with someone who provided a certificate which had a generic function name for their .Net web service, and we had to generate a second certificate with the hostname to get Java to talk to that service.
 
mort sahl
Greenhorn
Here's the result of -list ...


c:\Apache\apache-tomcat-6.0.20\conf>keytool -list -v -keystore tokenserver-keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: elavon
Creation date: May 8, 2012
Entry type: trustedCertEntry

Owner: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Issuer: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Serial number: d5e8ecedadcb9bd0
Valid from: Mon Apr 23 16:24:49 MDT 2012 until: Thu Apr 21 16:24:49 MDT 2022
Certificate fingerprints:
MD5: 45:A1:DC:C2:89:30:11:9B:AF:CF:C0:3E:7D:39:E2:80
SHA1: F9:6C:BA:6A:E0:62:5F:DC::03:EF:13:04:17:6D:A2:FF:E4:45:AE
Signature algorithm name: SHA1withRSA
Version: 1


*******************************************
*******************************************

So, are you saying that the alias name elavon should be tokenserver.protegrity.com instead?
 
Peter Johnson
author
Yes.

Oh, and in my prior post, replace DN with CN...
 
mort sahl
Greenhorn
Thanks ... I'll give that a try when I'm back at work on Monday.
 
mort sahl
Greenhorn
Well ... still no go ... my jks now looks like ...


$ keytool -list -v -keystore keystore.jks
Enter keystore password: Pass1word

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tokenserver.protegrity.com
Creation date: Jun 4, 2012
Entry type: trustedCertEntry

Owner: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Issuer: CN=tokenserver.protegrity.com, O=Protegrity, C=US
Serial number: d5e8ecedadcb9bd0
Valid from: Mon Apr 23 16:24:49 MDT 2012 until: Thu Apr 21 16:24:49 MDT 2022
Certificate fingerprints:
MD5: 45:A1:DC:C2:89:30:11:9B:AF:CF:C0:3E:7D:39:E2:80
SHA1: F9:6C:BA:6A:E0:62:5F:DC:03:EF:13:04:17:6D:A2:FF:E4:45:AE
Signature algorithm name: SHA1withRSA
Version: 1


*******************************************
*******************************************



But the same issue ...

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 
mort sahl
Greenhorn
I got it working ... I found the answer at https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification

Downloaded and ran the InstallCert program and put the resulting jssecacerts in my ../jre.lib.security directory, re-enabled the maven-failsafe-plugin and my integration tests now run.

Thanks for your help.
 