0

I am using spring-ws to call a secure SOAP web service. I have a client certificate to sign my outgoing requests, and I also have a server certificate to validate the server's response.

Here is the console output:

01:12:24.373 [main] INFO org.springframework.ws.soap.saaj.SaajSoapMessageFactory - Creating SAAJ 1.3 MessageFactory with SOAP 1.1 Protocol
01:12:24.418 [main] DEBUG org.springframework.ws.soap.saaj.SaajSoapMessageFactory - Using MessageFactory class [com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl]
01:12:25.378 [main] INFO com.myapp.WsConfig - Loaded keystore: file:/C:/dev/git/myapp/target/classes/cert/client-keystore.p12
01:12:25.455 [main] INFO com.myapp.WsConfig - Loaded trustStore: file:/C:/dev/git/myapp/target/classes/cert/client-truststore.jks
01:12:26.469 [main] DEBUG org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender - Initialized SSL Context with key managers [sun.security.ssl.SunX509KeyManagerImpl@2133814f] trust managers [sun.security.ssl.X509TrustManagerImpl@4c15e7fd] secure random [null]
01:12:26.475 [main] DEBUG org.springframework.ws.client.core.WebServiceTemplate - Opening [org.springframework.ws.transport.http.HttpUrlConnection@38c5cc4c] to [https://integration-env.com/service-gateway.v1]
01:12:26.544 [main] INFO org.springframework.oxm.jaxb.Jaxb2Marshaller - Creating JAXBContext with context path [com.myapp.generated]
01:12:27.530 [main] DEBUG org.springframework.ws.client.MessageTracing.sent - Sent request [SaajSoapMessage {urn:services-types:v1}Request]
01:12:27.973 [main] DEBUG org.springframework.ws.transport.support.TransportUtils - Could not close WebServiceConnection
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
    at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:89)
    at org.springframework.ws.transport.AbstractSenderConnection$RequestTransportOutputStream.createOutputStream(AbstractSenderConnection.java:87)
    at org.springframework.ws.transport.TransportOutputStream.getOutputStream(TransportOutputStream.java:41)
    at org.springframework.ws.transport.TransportOutputStream.close(TransportOutputStream.java:49)
    at org.springframework.ws.transport.AbstractWebServiceConnection.close(AbstractWebServiceConnection.java:141)
    at org.springframework.ws.transport.support.TransportUtils.closeConnection(TransportUtils.java:45)
    at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:564)
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390)
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:383)
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:373)
    at com.myapp.SprinClient.getScoring(SprinClient.java:31)
    at com.myapp.ClientTest.runService.java:26)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
    at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 46 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 52 common frames omitted

And here is my config:

```java
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;
import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender;

@Configuration
public class WsConfig {

    private static final Logger log = LoggerFactory.getLogger(WsConfig.class);

    @Value("${default-uri}")
    private String defaultUri;

    @Value("${ssl.trust-store}")
    private Resource trustStore;

    @Value("${ssl.trust-store-password}")
    private String trustStorePassword;

    @Value("${ssl.key-store}")
    private Resource keyStore;

    @Value("${ssl.key-store-password}")
    private String keyStorePassword;

    @Bean
    public Jaxb2Marshaller jaxb2Marshaller() {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        marshaller.setContextPath("com.myapp.generated");
        return marshaller;
    }

    @Bean
    public WebServiceTemplate webServiceTemplate() throws Exception {
        WebServiceTemplate webServiceTemplate = new WebServiceTemplate();
        webServiceTemplate.setMarshaller(jaxb2Marshaller());
        webServiceTemplate.setUnmarshaller(jaxb2Marshaller());
        webServiceTemplate.setDefaultUri(defaultUri);
        webServiceTemplate.setMessageSender(httpsUrlConnectionMessageSender());

        return webServiceTemplate;
    }

    @Bean
    public HttpsUrlConnectionMessageSender httpsUrlConnectionMessageSender() throws Exception {
        // Client certificate and private key presented to the server.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        // try-with-resources closes the stream that was actually read
        // (calling getInputStream().close() afterwards opens and closes a second stream).
        try (InputStream in = this.keyStore.getInputStream()) {
            keyStore.load(in, keyStorePassword.toCharArray());
        }
        log.info("Loaded keystore: {}", this.keyStore.getURI().toString());
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());

        // Certificates trusted when validating the server during the TLS handshake.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = this.trustStore.getInputStream()) {
            trustStore.load(in, trustStorePassword.toCharArray());
        }
        log.info("Loaded trustStore: {}", this.trustStore.getURI().toString());
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);

        // Trust managers set here are the only ones this sender uses for its SSL context.
        HttpsUrlConnectionMessageSender messageSender = new HttpsUrlConnectionMessageSender();
        messageSender.setKeyManagers(keyManagerFactory.getKeyManagers());
        messageSender.setTrustManagers(trustManagerFactory.getTrustManagers());
        return messageSender;
    }
}
```

And in my client class I am using that webServiceTemplate like this:

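```java
import javax.xml.bind.JAXBElement;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.ws.client.core.WebServiceTemplate;

@Component
public class WsClient {

    private static final Logger log = LoggerFactory.getLogger(WsClient.class);
    private WebServiceTemplate webServiceTemplate;

    // The constructor name must match the class name.
    @Autowired
    public WsClient(WebServiceTemplate webServiceTemplate) {
        this.webServiceTemplate = webServiceTemplate;
    }

    public void callService(DataObject data) {

        // createRequestType(...) and the generated request/response types are not shown in the post.
        JAXBElement<RequestType> request = createRequestType(data);

        ResponseType response = (ResponseType) webServiceTemplate
                .marshalSendAndReceive(request);

    }
}
```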

In soapUI I am able to run the request and receive a response correctly. I think it might fail because I have not set up the security for spring-ws correctly. I added the keystore and truststore and both *store-passwords. Furthermore, in soapUI I was able to set up the concrete signature algorithm, digest algorithm and signature canonicalization, but I don't know how to set it up with spring-ws.

Here is my soapUI security config:

[Image: soapUI security config]


UPDATE (ssl logs):

See my other response, because Stack Overflow limits this body to 30000 chars.

tonyskulk
  • IMHO, it doesn't look like you have all the certificates you need to trust installed - it's not that it can't find the file, it can't create a trust path for the certificates in the chain. This might help you out with some troubleshooting [unable to find valid certification path to requested target error even after c](https://stackoverflow.com/questions/9210514/unable-to-find-valid-certification-path-to-requested-target-error-even-after-c) – JGlass Oct 19 '18 at 13:52
  • If you add those debug SSL commands and then update your question with the FULL log trace we might be able to see what you're missing. It will also show if the files are being found as well as the cert entries they contain – JGlass Oct 19 '18 at 13:52
  • @JGlass Thanks so much for your effort! I have added another answer where I put the complete ssl log output. It's strange because it seems that keystore AND truststore could be found, but then it states that there is no truststore... – tonyskulk Oct 20 '18 at 13:48
  • Try this simple test [SSLPoke](https://stackoverflow.com/a/52895518/7221628) to reduce the confusion/complexity by adding Spring to the situation. If you get that working after figuring out the issue with the keystores then you should be able to apply it to your current situation. – JGlass Oct 22 '18 at 20:28
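
The trust-path failure described in the comments above can be read off the names in the SSL debug log posted further down this page: the truststore contributes a single entry (CN=big-response), while the server's chain runs up to DigiCert Global Root G2. The following is an added example, not code from the thread; the class `TrustPathCheck` and its methods are hypothetical, the names in `main` are copied from that log as constructed input, and the check compares subject and issuer names only (no signature or validity checks).

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Added example (hypothetical class): name-level check of whether a presented
// TLS chain can end at an entry of a truststore. Signatures are not verified.
public class TrustPathCheck {

    // One certificate reduced to the two names that chaining depends on.
    static final class Link {
        final X500Principal subject;
        final X500Principal issuer;

        Link(String subject, String issuer) {
            this.subject = new X500Principal(subject);
            this.issuer = new X500Principal(issuer);
        }

        Link(X509Certificate cert) {
            this.subject = cert.getSubjectX500Principal();
            this.issuer = cert.getIssuerX500Principal();
        }
    }

    // Subjects of all X.509 entries in a loaded truststore.
    static Set<X500Principal> anchorSubjects(KeyStore trustStore) throws KeyStoreException {
        Set<X500Principal> subjects = new LinkedHashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate cert = trustStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                subjects.add(((X509Certificate) cert).getSubjectX500Principal());
            }
        }
        return subjects;
    }

    // Links for a real chain, such as the array a trust manager receives.
    static List<Link> links(X509Certificate[] chain) {
        List<Link> out = new ArrayList<>();
        for (X509Certificate cert : chain) {
            out.add(new Link(cert));
        }
        return out;
    }

    // Walks the chain leaf-first and reports where, if anywhere, it meets the truststore.
    static String explain(Set<X500Principal> anchors, List<Link> chain) {
        if (chain.isEmpty()) {
            return "NO PATH: empty chain";
        }
        for (int i = 0; i < chain.size(); i++) {
            Link link = chain.get(i);
            if (anchors.contains(link.subject)) {
                return "chain[" + i + "] is itself a truststore entry: " + link.subject.getName();
            }
            if (anchors.contains(link.issuer)) {
                return "chain[" + i + "] is issued by truststore entry: " + link.issuer.getName();
            }
            if (i + 1 < chain.size() && !link.issuer.equals(chain.get(i + 1).subject)) {
                return "NO PATH: chain[" + (i + 1) + "] is not the issuer of chain[" + i + "]";
            }
        }
        return "NO PATH: no truststore entry matches; topmost issuer is "
                + chain.get(chain.size() - 1).issuer.getName();
    }

    public static void main(String[] args) {
        // Constructed sample: names copied from the SSL debug log on this page.
        String geoTrust = "CN=GeoTrust TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US";
        String digiCertRoot = "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US";
        List<Link> serverChain = Arrays.asList(
                new Link("CN=big.finance.provider.com, O=provider sys GmbH, L=Neustadt, "
                        + "ST=Nordrhein-Westfalen, C=DE", geoTrust),
                new Link(geoTrust, digiCertRoot));

        // The only entry the log shows being added from client-truststore.jks.
        Set<X500Principal> custom = new LinkedHashSet<>();
        custom.add(new X500Principal("CN=big-response, OU=IT, O=company GmbH, "
                + "L=Baden-Baden, ST=Baden-Wuerttemberg, C=DE"));
        System.out.println("custom truststore only: " + explain(custom, serverChain));

        // Assumption: a truststore that also holds the root named as issuer of chain[1].
        Set<X500Principal> withRoot = new LinkedHashSet<>(custom);
        withRoot.add(new X500Principal(digiCertRoot));
        System.out.println("root added:             " + explain(withRoot, serverChain));
    }
}
```

With a real store and chain, call `explain(anchorSubjects(trustStore), links(chain))`, for example from a wrapper around the `X509TrustManager` while debugging.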

2 Answers

0

It is pretty clear from the error line below that while checking for the keystore file at the mentioned location, it is unable to find it. The path is not properly set.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The reason it is working in SoapUI is that it asks you for a file to load in the SoapUI configuration.

Check the physical locations for the resources below; also, if you have a properties file, please check if you have the right path in it.

```java
@Value("${default-uri}")
private String defaultUri;

@Value("${ssl.trust-store}")
private Resource trustStore;

@Value("${ssl.trust-store-password}")
private String trustStorePassword;

@Value("${ssl.key-store}")
private Resource keyStore;

@Value("${ssl.key-store-password}")
private String keyStorePassword;
```
amar19
  • Thanks for your response. Unfortunately it has not solved my problem. The resources can be found and loaded successfully. If I change the name of the keystore I am getting a *java.io.FileNotFoundException: class path resource [somepaththatdoesnotexist.p12] cannot be opened because it does not exist* – tonyskulk Oct 19 '18 at 11:41
  • @tonyskulk From your logs and your comments, this looks more like a problem with the keystore and truststore. Are they self-generated files on your system using server details, or were they provided by some external client? A JKS file as keystore is generally sufficient for the SOAP SSL request; try using only the keystore and not the truststore. If there are some conflicts between the keystore and truststore, it may get resolved. At this point trial and error is your best option. Hope you get it resolved. – amar19 Oct 22 '18 at 00:24
0

UPDATE (ssl logs):

15:06:34.060 [main] INFO org.springframework.ws.soap.saaj.SaajSoapMessageFactory - Creating SAAJ 1.3 MessageFactory with SOAP 1.1 Protocol
15:06:34.097 [main] DEBUG org.springframework.ws.soap.saaj.SaajSoapMessageFactory - Using MessageFactory class [com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl]
15:06:35.049 [main] INFO com.myapp.base.service.WsConfig - Loaded keystore: file:/C:/dev/git/myapp/base-be/base-service-provider/target/classes/cert/client-keystore.p12
***
found key for : integration
chain [0] = [
[
  Version: V3
  Subject: CN=INTEGRATION, OU=Inte, O=INTEGRATION, L=Baden-Baden, ST=Baden-Wuerttemberg, C=DE
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 4096 bits
  modulus: 785762...
  public exponent: 65537
  Validity: [From: Wed Oct 14 08:59:04 CEST 2015,
               To: Sat Oct 14 08:59:04 CEST 2023]
  Issuer: EMAILADDRESS=certificate@csservice.provider-sys.de, CN=ASY Server CA, OU=Application Hosting, O=provider sys GmbH, L=Neustadt, ST=NRW, C=DE
  SerialNumber: [    c0]

Certificate Extensions: 7
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1E 16 1C 41 53 59 20   43 41 20 47 65 6E 65 72  ....ASY CA Gener
0010: 61 74 65 64 20 43 65 72   74 69 66 69 63 61 74 65  ated Certificate


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 78 BF C1 12 7C 6A 88 23   CD E2 2D 2B 03 56 DA 80  x....j.#..-+.V..
0010: E0 FA 15 ED                                        ....
]
[EMAILADDRESS=certificate@csservice.provider-sys.de, CN=provider sys - CA0 Primary Certification Authority, OU=Security, O=provider sys GmbH, L=Neustadt, ST=NRW, C=DE]
SerialNumber: [    0b]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: certificate@csservice.provider-sys.de
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   S/MIME
   Object Signing
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2E A8 60 57 8F 1B 4D DE   F7 A7 6A 0A B3 B0 1D 3D  ..`W..M...j....=
0010: C5 85 62 1C                                        ..b.
]
]

Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.17 Criticality=false
Unparseable SubjectAlternativeName extension due to
java.io.IOException: No data available in passed DER encoded value.

0000: 30 00                                              0.

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 54 28 38 06 2F 95 72 40   F9 FB CC 7C AB FA 5F B5  T(8./.r@......_.
0010: 7E CF 70 E4 59 6B 96 4C   ED 94 EA 35 74 E9 4C 6B  ..p.Yk.L...5t.Lk
...
00F0: B2 77 82 13 D4 F1 10 96   1C C8 19 9E 05 D8 9C 1B  .w..............

]
***
15:06:35.118 [main] INFO com.myapp.base.service.WsConfig - Loaded trustStore: file:/C:/dev/git/myapp/base-be/base-service-provider/target/classes/cert/client-truststore.jks
adding as trusted cert:
  Subject: CN=big-response, OU=IT, O=company GmbH, L=Baden-Baden, ST=Baden-Wuerttemberg, C=DE
  Issuer:  EMAILADDRESS=certificate@csservice.provider-sys.de, CN=ASY Server CA, OU=Application Hosting, O=provider sys GmbH, L=Neustadt, ST=NRW, C=DE
  Algorithm: RSA; Serial number: 0x86
  Valid from Mon Apr 20 22:45:43 CEST 2015 until Sat Aug 10 22:45:43 CEST 2024

15:06:35.140 [main] INFO com.myapp.base.service.SpringproviderClient - Requesting person score for: Peter Müller...
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
trustStore is: No File Available, using empty keystore.
trustStore type is : jks
trustStore provider is : 
init truststore
keyStore is : cert/client-keystore.p12
keyStore type is : jks
keyStore provider is : 
trigger seeding of SecureRandom
done seeding SecureRandom
15:06:35.998 [main] DEBUG org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender - Initialized SSL Context with key managers [sun.security.ssl.SunX509KeyManagerImpl@23529fee] trust managers [sun.security.ssl.X509TrustManagerImpl@4fe767f3] secure random [null]
15:06:36.004 [main] DEBUG org.springframework.ws.client.core.WebServiceTemplate - Opening [org.springframework.ws.transport.http.HttpUrlConnection@14d3bc22] to [https://integration-big.finance.provider.com/product/big/business-information-gateway.v1.2]
15:06:36.086 [main] INFO org.springframework.oxm.jaxb.Jaxb2Marshaller - Creating JAXBContext with context path [com.myapp.base.service.provider.generated]
15:06:37.333 [main] DEBUG org.springframework.ws.client.MessageTracing.sent - Sent request [SaajSoapMessage {urn:big-services-types:v1.2}Request]
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=integration-big.finance.provider.com) was replaced with (type=host_name (0), value=integration-big.finance.provider.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1523263581 bytes = { 157, 84, 247, 157, 102, 185, 160, 253, 225, 94, 207, 129, 26, 5, 32, 166, 246, 45, 135, 19, 99, 14, 52, 150, 110, 73, 254, 116 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=integration-big.finance.provider.com]
***
main, WRITE: TLSv1.2 Handshake, length = 236
main, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 640777025 bytes = { 33, 3, 88, 115, 39, 70, 25, 86, 20, 156, 190, 200, 89, 97, 247, 220, 222, 129, 188, 142, 172, 117, 181, 226, 255, 198, 177, 176 }
Session ID:  {102, 101, 195, 164, 70, 236, 103, 43, 201, 13, 226, 55, 40, 70, 151, 80, 232, 28, 4, 240, 43, 202, 54, 126, 231, 1, 13, 24, 236, 240, 176, 177}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension server_name, server_name: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 2940
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=big.finance.provider.com, O=provider sys GmbH, L=Neustadt, ST=Nordrhein-Westfalen, C=DE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 265764493...
  public exponent: 65537
  Validity: [From: Fri Aug 10 02:00:00 CEST 2018,
               To: Sun Oct 25 13:00:00 CET 2020]
  Issuer: CN=GeoTrust TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    0fe6a4fc c5d93b55 f85fdaba 1d765c2f]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6C 04 82 01 68   01 66 00 76 00 A4 B9 09  ...l...h.f.v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
...
0160: 54 EA 7E 31 14 6E EA 21   19 44 0E C0 97 B0 4A 34  T..1.n.!.D....J4


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://status.geotrust.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 4F D4 5D 8B E4 A4 E2   A6 80 FE FD D8 F9 00 EF  .O.]............
0010: A3 BE 02 57                                        ...W
]
]

[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: big.finance.provider.com
  DNSName: acceptance-big.finance.provider.com
  DNSName: integration-big.finance.provider.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B7 CD F4 D3 84 2E D2 B5   0D 6F BE 18 C4 75 BD E3  .........o...u..
0010: A2 51 7A 4A                                        .QzJ
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 5F B7 0D DC 75 3F EE 4F   D3 15 12 6C 56 47 C5 D8  _...u?.O...lVG..
0010: 83 04 01 F9 23 40 E9 72   0E 19 7A 69 A4 F7 1F FD  ....#@.r..zi....
...
00F0: 3F 33 BF 95 7D D8 C9 B2   3F 88 5E 46 FA B1 D8 46  ?3......?.^F...F

]
chain [1] = [
[
  Version: V3
  Subject: CN=GeoTrust TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 2399706833...
  public exponent: 65537
  Validity: [From: Thu Nov 02 13:23:37 CET 2017,
               To: Tue Nov 02 13:23:37 CET 2027]
  Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    0d07782a 133fc6f9 a57296e1 31ffd179]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4E 22 54 20 18 95 E6 E3   6E E6 0F FA FA B9 12 ED  N"T ....n.......
0010: 06 17 8F 39                                        ...9
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/DigiCertGlobalRootG2.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 94 4F D4 5D 8B E4 A4 E2   A6 80 FE FD D8 F9 00 EF  .O.]............
0010: A3 BE 02 57                                        ...W
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 82 1C 04 3A 82 E9 C5 A9   C8 65 12 5C 08 E3 01 C6  ...:.....e.\....
0010: 30 B0 AE 22 88 61 7B 2B   07 86 F7 B8 B5 44 9C F5  0..".a.+.....D..
...
00F0: 1E 12 78 CE 98 F2 5F FB   30 14 69 3C 2C FA 97 C6  ..x..._.0.i<,...

]
***
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=integration-big.finance.provider.com) was replaced with (type=host_name (0), value=integration-big.finance.provider.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
...
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1523263582 bytes = { 233, 137, 188, 176, 188, 141, 243, 246, 241, 46, 216, 176, 148, 127, 13, 141, 61, 15, 229, 181, 114, 136, 25, 152, 186, 210, 74, 84 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, ...TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=integration-big.finance.provider.com]
***
main, WRITE: TLSv1.2 Handshake, length = 236
main, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -1281780602 bytes = { 25, 40, 240, 160, 112, 50, 173, 202, 228, 58, 25, 10, 96, 229, 146, 183, 117, 29, 144, 139, 251, 115, 129, 238, 237, 148, 64, 78 }
Session ID:  {15, 37, 184, 159, 154, 113, 92, 50, 245, 234, 44, 169, 89, 215, 100, 45, 5, 95, 39, 194, 120, 37, 117, 0, 40, 67, 177, 253, 233, 19, 35, 57}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension server_name, server_name: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized:  [Session-2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 2940
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=big.finance.provider.com, O=provider sys GmbH, L=Neustadt, ST=Nordrhein-Westfalen, C=DE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 26538155...
  public exponent: 65537
  Validity: [From: Fri Aug 10 02:00:00 CEST 2018,
               To: Sun Oct 25 13:00:00 CET 2020]
  Issuer: CN=GeoTrust TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    0fe6a4fc c5d93b55 f85fdaba 1d765c2f]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6C 04 82 01 68   01 66 00 76 00 A4 B9 09  ...l...h.f.v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
...
0160: 54 EA 7E 31 14 6E EA 21   19 44 0E C0 97 B0 4A 34  T..1.n.!.D....J4


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://status.geotrust.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 4F D4 5D 8B E4 A4 E2   A6 80 FE FD D8 F9 00 EF  .O.]............
0010: A3 BE 02 57                                        ...W
]
]

[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: big.finance.provider.com
  DNSName: acceptance-big.finance.provider.com
  DNSName: integration-big.finance.provider.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B7 CD F4 D3 84 2E D2 B5   0D 6F BE 18 C4 75 BD E3  .........o...u..
0010: A2 51 7A 4A                                        .QzJ
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 5F B7 0D DC 75 3F EE 4F   D3 15 12 6C 56 47 C5 D8  _...u?.O...lVG..
0010: 83 04 01 F9 23 40 E9 72   0E 19 7A 69 A4 F7 1F FD  ....#@.r..zi....
...
00F0: 3F 33 BF 95 7D D8 C9 B2   3F 88 5E 46 FA B1 D8 46  ?3......?.^F...F

]
chain [1] = [
[
  Version: V3
  Subject: CN=GeoTrust TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 239970683...
  public exponent: 65537
  Validity: [From: Thu Nov 02 13:23:37 CET 2017,
               To: Tue Nov 02 13:23:37 CET 2027]
  Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    0d07782a 133fc6f9 a57296e1 31ffd179]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4E 22 54 20 18 95 E6 E3   6E E6 0F FA FA B9 12 ED  N"T ....n.......
0010: 06 17 8F 39                                        ...9
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/DigiCertGlobalRootG2.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 94 4F D4 5D 8B E4 A4 E2   A6 80 FE FD D8 F9 00 EF  .O.]............
0010: A3 BE 02 57                                        ...W
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 82 1C 04 3A 82 E9 C5 A9   C8 65 12 5C 08 E3 01 C6  ...:.....e.\....
0010: 30 B0 AE 22 88 61 7B 2B   07 86 F7 B8 B5 44 9C F5  0..".a.+.....D..
...
00F0: 1E 12 78 CE 98 F2 5F FB   30 14 69 3C 2C FA 97 C6  ..x..._.0.i<,...

]
***
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
15:06:38.804 [main] DEBUG org.springframework.ws.transport.support.TransportUtils - Could not close WebServiceConnection
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    ... (see original post above)
tonyskulk
  • It looks to be saying that the critical TrustStore `file:/C:/dev/git/myapp/base-be/base-service-provider/target/classes/cert/client-truststore.jks` is empty. Have you tried running `keytool -list -v -keystore client-truststore.jks` against it to see if it contains your trusted certificate/cert chain from the server you're trying to connect to? – JGlass Oct 20 '18 at 19:12
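The check suggested in the comment above, done in code instead of with `keytool`, as an added example that is not part of the original thread: it loads a truststore and reports which certificate names from the debug log's chain it holds. The class name `TrustStoreCheck` and the command-line arguments are assumptions; the three distinguished names are copied from the log.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class TrustStoreCheck {
    // Subject and issuer names copied from the certificate chain in the debug log above.
    static final String[] CHAIN_NAMES = {
        "CN=big.finance.provider.com, O=provider sys GmbH, L=Neustadt, ST=Nordrhein-Westfalen, C=DE",
        "CN=GeoTrust TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US",
        "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US"
    };

    // Subjects of every X.509 certificate the store holds. getCertificate returns the
    // trusted certificate, or the first chain element when the alias is a key entry.
    static Set<X500Principal> storedSubjects(KeyStore ks) throws Exception {
        Set<X500Principal> subjects = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                subjects.add(((X509Certificate) cert).getSubjectX500Principal());
            }
        }
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustStoreCheck <truststore> <password> [type]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Set<X500Principal> stored = storedSubjects(ks);
        System.out.println("entries in store: " + ks.size());
        boolean anyMatch = false;
        for (String name : CHAIN_NAMES) {
            boolean present = stored.contains(new X500Principal(name));
            anyMatch |= present;
            System.out.println((present ? "[present] " : "[missing] ") + name);
        }
        // A name match is necessary, not sufficient: the stored certificate's key must also match.
        System.out.println(anyMatch ? "name match found" : "no certificate from this chain is in the store");
    }
}
```

Run it against the file the application actually loads at runtime (the copy under `target/classes/cert/`), since that copy, not the one in the source tree, is what the TLS handshake sees.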