0

I am calling a web service which has a self-signed certificate.

I have added the certificate to my JAVA_HOME using the following command:

```
"%JAVA_HOME%/bin/keytool" -import -alias emoney -file C:\Users\l.young\certificates\srv03.wpay.co.crt -keystore "C:\Program Files\Java\jdk1.8.0_45\jre\lib\security\cacerts"
```

Following this I added the following 2 lines to my myeclipse.ini file:

```
-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.8.0_45\jre\lib\security\cacerts
-Djavax.net.ssl.trustStorePassword=changeit
```

And set the Tomcat configuration which I have in MyEclipse to run java found under %JAVA_HOME% and not in AppData.

After completing all this I still get the following exception:

```
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

What have I missed in my config? Why is this still failing?

EDIT - QUESTION Does the alias make a difference?

EDIT 2 Testing using SOAPUI and it works - no certificate issues. Any suggestion how to make it work in MyEclipse?

L. Young

2 Answers

1

One of the reasons might be that Eclipse is using a different JRE. Try this:

```
"%JAVA_HOME%/bin/keytool" -import -alias emoney -file C:\Users\l.young\certificates\srv03.wpay.co.crt -keystore "%JAVA_HOME%\jdk1.8.0_45\jre\lib\security\cacerts"
```

Edit: based on the discussion in the comments, there is a final resort, which is to ignore certificate validation. Note that this will make you vulnerable to man-in-the-middle attacks. Add these two lines to your code to ignore certificate validation:

```
SSLUtilities.trustAllHostnames();
SSLUtilities.trustAllHttpsCertificates();
```

Source

Zaid Malhis
  • The path of `%JAVA_HOME%` is `C:\Program Files\Java\jdk1.8.0_45` and tomcat on MyEclipse uses `C:\Program Files\Java\jdk1.8.0_45` – L. Young Aug 10 '15 at 13:01
  • Another reason might be that you are using the wrong certificate. If the webservice is a REST webservice and publicly available, you can download the certificate via web browser. – Zaid Malhis Aug 10 '15 at 13:06
  • No, it is a SOAP service. The certificate was provided directly by the third party from whom we are requesting the web services, so it is 100% correct. – L. Young Aug 10 '15 at 13:10
  • The parameters that you set in myeclipse.ini are added only when using a custom keystore, while you are using the default one, remove those parameters and try again. – Zaid Malhis Aug 10 '15 at 13:14
  • Still not working - tried with, without, using trustStore and keyStore. Nothing :( – L. Young Aug 10 '15 at 13:17
  • My last suggestion is to try using [SOAPUI](http://www.soapui.org) for consuming the Webservice to make sure that the error is in your configuration. Refer to [this](http://www.soapui.org/soapui-projects/ws-security.html) for applying WS-Security in SOAPUI. – Zaid Malhis Aug 10 '15 at 13:20
  • It works from SOAPUI but nothing in MyEclipse. I cannot test any code without it. – L. Young Aug 10 '15 at 15:14
  • See the update in the answer, it might be your final resort. – Zaid Malhis Aug 11 '15 at 09:24
1

Why do you think the properties set in myeclipse.ini will be used when running Tomcat? Try setting them in the run configuration for Tomcat. Tomcat is run in a separate JVM. You can also specify the JRE to be used for Tomcat in the run configuration.

Tony Weddle