
Trying to connect to an external SOAP service from AWS Lambda, but getting the exception below.

com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was getting the same exception when I tried to call the service from my local environment. It got resolved after importing the security cert into the jre/lib/security folder using the keytool command.

How do I import the external security cert in AWS to resolve the exception?

I've gone through the below link.

Note: I have the certificate from the browser but I don't have the private key.

Vaibs
  • You are definitely on the wrong track looking at Amazon Certificate Manager. This service is for importing certificates you want to use on *your* services that others are accessing. This is not what you need. Your problem, by contrast, appears to be related to your trust store not being able to validate a certificate of a site you are connecting to. – Michael - sqlbot Nov 08 '17 at 19:38
  • I am withholding my closure vote for the moment, as this is not my area of expertise, but this seems like a possible duplicate of [Using a custom truststore in java as well as the default one](https://stackoverflow.com/q/24555890/1695906). – Michael - sqlbot Nov 08 '17 at 19:40

1 Answer


This is how I solved this:

    import java.io.ByteArrayInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.nio.charset.StandardCharsets;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;

    // PEM text of the certificate exported from the browser (placeholder)
    static final String CA_CERT = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n";

    // Call this once, before the first TLS connection is opened: the trustStore
    // properties are read when the default SSLContext is initialised and ignored afterwards.
    static void installTrustStore() throws Exception {
        // locate the default truststore (parenthesised so replace() applies to the whole
        // path and not only to the string literal)
        String filename = (System.getProperty("java.home") + "/lib/security/cacerts")
                .replace('/', File.separatorChar);

        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream fis = new FileInputStream(filename)) {
            keystore.load(fis, "changeit".toCharArray()); // default password of the JRE cacerts
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // input stream over the PEM text (plain java.io; the original used commons-io IOUtils)
        Certificate caCert = cf.generateCertificate(
                new ByteArrayInputStream(CA_CERT.getBytes(StandardCharsets.US_ASCII)));
        keystore.setCertificateEntry("ca-cert", caCert);

        // can only save to /tmp from a lambda
        String certPath = "/tmp/CustomTruststore";
        try (FileOutputStream out = new FileOutputStream(certPath)) {
            keystore.store(out, "MyPass".toCharArray());
        }

        System.setProperty("javax.net.ssl.trustStore", certPath);
        System.setProperty("javax.net.ssl.trustStorePassword", "MyPass");
    }
Kevin Sadler
Brad Keck
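A variant of the answer's approach, added here as an example (it is not code from the answer or from any project): the merged trust store (JRE cacerts plus the exported certificate) is built the same way but kept in memory and wrapped in an SSLContext, so nothing has to be written to /tmp, no truststore password exists, and the result does not depend on the order in which system properties are read. The class and method names, the CA_CERT_PEM placeholder and the hostname are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not code from the answer above. Builds the merged trust store
// (JRE cacerts + one extra certificate) in memory and hands it to an SSLContext.
public final class LambdaTrust {

    // Placeholder for the PEM text exported from the browser (assumed to be the issuing CA)
    static final String CA_CERT_PEM =
            "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n";

    // Load the JRE's default cacerts and add one extra trusted certificate.
    // The returned KeyStore still trusts the public roots, so other HTTPS calls keep working.
    static KeyStore mergedTrustStore(String pem) throws Exception {
        // java.home is the jre directory on Java 8 and the JDK root on 9+; both hold lib/security/cacerts
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, "changeit".toCharArray()); // stock password of the JRE cacerts file
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate extra = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));

        // Fail early with a readable reason instead of a PKIX error at call time.
        extra.checkValidity();
        // basicConstraints < 0 means an end-entity (leaf) certificate: trusting it pins that
        // single cert and the Lambda breaks when the server rotates it. Prefer the issuing CA.
        if (extra.getBasicConstraints() < 0) {
            System.err.println("warning: " + extra.getSubjectX500Principal()
                    + " is not a CA certificate; this pins one server certificate");
        }
        ks.setCertificateEntry("extra-trusted-cert", extra);
        return ks;
    }

    // Wrap the merged trust store in an SSLContext for server authentication only (no client key,
    // which is why the missing private key from the question does not matter here).
    static SSLContext sslContextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFor(mergedTrustStore(CA_CERT_PEM));

        // Option A: make it the process-wide default. The JDK's JAX-WS client (the
        // com.sun.xml.internal.ws stack in the question) sends over HttpsURLConnection and
        // falls back to the default SSLSocketFactory when none is set on the request context.
        SSLContext.setDefault(ctx);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // Option B: scope it to a single connection and leave every other HTTPS client untouched.
        // (the hostname is a placeholder)
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://soap.example.invalid/service?wsdl").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Option A avoids the ordering pitfall of the system-property approach: `javax.net.ssl.trustStore` is consulted only when the default SSLContext is first initialised, so any earlier HTTPS call in the same Lambda container (for example an AWS SDK call during static initialisation) silently makes the property a no-op, whereas `SSLContext.setDefault` and `setDefaultSSLSocketFactory` take effect for every connection created afterwards. Option B is the safer choice when the function also talks to other endpoints and you want the extra trust to apply to the SOAP endpoint only.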