Tuesday, September 18, 2012

Access Web Services over an SSL Layer

I have a Java application that accesses web services hosted behind HTTPS. The client-side Java application gave me an error message like:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I did the following to resolve the issue:
1. Access the web services endpoint from a browser and export its certificate in the 'X.509 certificate format' to a sample.cer file.
2. Locate the JVM's keystore. For example, \dev\Java\jdk1.6.0_34\jre\lib\security
3. Back up its original keystore and run the following command under the above directory:
\dev\Java\jdk1.6.0_34\jre\bin\keytool -import -keystore cacerts -file sample.cer -alias sampleXYZ
The default password is 'changeit'. It's fine if the certificate is a self-signed one. If so, be sure to answer 'Yes' for the question to trust the certificate.
4. After restarting the Java application, another error may show up:
CertificateException: No subject alternative names present
I tried editing C:\Windows\System32\drivers\etc\hosts as Administrator and mapping the IP address to the CN host name defined in the certificate.
To review the CN name, run the following command:
keytool -list -v -keystore .\cacerts -alias sampleXYZ
The DNS cache needs to be flushed from a command-line console to pick up the new definition:
ipconfig /flushdns
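
An added example, not part of the original post: instead of importing into the JVM-wide cacerts (which makes every application on that JVM trust the certificate), the client can trust sample.cer for its own connections only, and print the subject and subject alternative names to diagnose the second error. The class name ScopedTrust is hypothetical; sample.cer and the alias sampleXYZ are reused from the steps above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ScopedTrust {  // hypothetical name, not from the original post

    // Read one X.509 certificate (DER or PEM), e.g. the sample.cer exported in step 1.
    static X509Certificate load(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    // Build an SSLContext that trusts only this certificate; cacerts is left untouched.
    static SSLContext contextTrusting(X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);  // start from an empty in-memory keystore
        ks.setCertificateEntry("sampleXYZ", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = load(args.length > 0 ? args[0] : "sample.cer");
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("Expires: " + cert.getNotAfter());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            // No SAN extension: a DNS host name is matched against the CN; an IP-address URL fails.
            System.out.println("SANs: none");
        } else {
            for (List<?> san : sans) {  // each entry is [type, value]; 2 = dNSName, 7 = iPAddress
                System.out.println("SAN type " + san.get(0) + ": " + san.get(1));
            }
        }
        SSLContext ctx = contextTrusting(cert);
        // Per connection: ((HttpsURLConnection) url.openConnection()).setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Run it as `java ScopedTrust sample.cer`; compare the printed subject with the certificate the browser showed before relying on the resulting context.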