https directinvoke fails with certificate error

nzblue_fish

Hi mashers,

I am experimenting with access to a webservice that uses a secure connection. I get the following error when debugging my emml code:

<Error invoking external service : https://......../devl/connect/herd_request : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>

I believe the issue is that the target site certificate is not available in a keystore ... an assumption that may be wrong. I've created a personal java keystore file and imported the website certificate, however I'm not certain where to place or nominate the keystore in order to make the cert available when executing the emml.

Can anyone point me in the right direction to make this cert available.

Cheers, Innes (NZ)

raj

Hi Innes,

Is the webservice cert a test-cert (generated by keytool) rather than a trusted CA? If so, you will find this info written up by this kind man helpful:

http://blogs.sun.com/andreas/entry/no_more_unable_to_find

Let us know how it goes.

raj.  chief masher @ jackbe

nzblue_fish

Hi Raj,

thanks for the reply. The website is using a CA (Verisign Class 3) issued certificate rather than just a test one.

I have solved the problem and got the secure connection working for a <directinvoke> to an HTTPS endpoint without a nasty runtime exception being thrown.

Here's what I needed to do:

1) Add the website certificate to the truststore used by Java Secure Socket Extension (JSSE) when it attempts to establish the connection. Finding the right place for that file turned out to be a bit tricky. When using Debug in the Mashup Studio it didn't actually use the \lib files specified in my JAVA_HOME path (which was JAVA_HOME=C:\Program Files\Java\jdk1.6.0). It turns out that the call in Debug used the \lib in this path (C:\Program Files\Java\jre6). So step one was to figure out where it was that the truststore needed to go.

2) By default JSSE expects either a truststore of "jssecacerts" or "cacerts". There's a good reference here if you need to dig any deeper. The JDKs come with a cacerts keystore, so you can just drop one in the \lib\security directory to get you started if it's not there already.

3) Next you need to add the website certificate to the truststore so that it can be used during the SSL handshake process. I like cmdline stuff from way back, but I couldn't be bothered with using the keytool command; if you want to, you can. Here's a good reference to using it when you are setting up Tomcat to use SSL, and also see John Crupi's post on changing the server.xml to enable HTTPS as well.

If you don't feel energetic enough for the cmdline way, try using Portecle, which is an open-source and very cool tool for managing your Java keystores. I used this to import the website cert into my "cacerts" keystore that I had dropped in the \lib\security directory.

The truststore/keystore is password protected, but when called through JSSE it is expected to be "changeit", so don't forget to set it correctly when saving your keystore. It's the default password for the JDK-shipped cacerts file anyway.

And if you are lucky enough ... as I was .. hey presto :) ... you can now connect to a website using TLS/SSL to execute your <directinvoke>.

Hope this helps anyone coming along later. If you get stuck I would recommend checking out some of the sites referenced above as I've got limited technical knowledge in this area and probably can't help further.

Cheers, Innes (NZ)
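Added example, not code from this thread or from JackBe/Presto: a small Java utility that prints which truststore the running JVM's JSSE will actually read (the java.home\lib\security lookup from steps 1 and 2, honouring -Djavax.net.ssl.trustStore), runs the same X509TrustManager check the HTTPS handshake performs against a PEM certificate or chain given on the command line (so a failure prints the same "PKIX path building failed ... unable to find valid certification path to requested target" text as the original error), and optionally writes a separate truststore with the certificate imported under an alias, so the fix can be tested without editing the JDK's own cacerts. The class name, argument layout and output paths are assumptions; "changeit" is the password the thread names for the shipped cacerts; Java 7 or later is assumed.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (assumed names, not Presto code).
 *   java TrustStoreCheck <server.pem> [<alias> <out-truststore>]
 * Run it with the same JRE the debugger uses so java.home points at the right lib\security.
 */
public class TrustStoreCheck {

    // Password the JDK ships cacerts with; -Djavax.net.ssl.trustStorePassword overrides it
    static final char[] PASSWORD =
            System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();

    /* JSSE lookup order: -Djavax.net.ssl.trustStore, then <java.home>/lib/security/jssecacerts,
       then <java.home>/lib/security/cacerts. java.home is the JRE running this process,
       which need not be the JDK named by JAVA_HOME. */
    static Path defaultTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    static KeyStore loadTrustStore(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, PASSWORD); // a wrong password fails here with an integrity-check IOException
        }
        return ks;
    }

    /* Reads one or more PEM certificates; the first one must be the server's own (leaf) certificate. */
    static X509Certificate[] readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /* The check JSSE runs on a server certificate: returns null when trusted, otherwise the
       reason text. The authType only selects which KeyUsage bit a CA-issued leaf must carry
       (digitalSignature for ECDHE_*, which RSA and EC server certs both have); it is not
       consulted when the leaf itself is an entry in the truststore. */
    static String checkServerTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "ECDHE_RSA");
                    return null;
                } catch (CertificateException e) {
                    return e.getMessage();
                }
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 && args.length != 3) {
            System.err.println("usage: java TrustStoreCheck <server.pem> [<alias> <out-truststore>]");
            System.exit(2);
        }
        Path trustPath = defaultTrustStorePath();
        System.out.println("java.home  : " + System.getProperty("java.home"));
        System.out.println("truststore : " + trustPath);
        KeyStore trust = loadTrustStore(trustPath);

        X509Certificate[] chain = readPemChain(Paths.get(args[0]));
        System.out.println("leaf       : " + chain[0].getSubjectX500Principal());
        String reason = checkServerTrusted(trust, chain);
        System.out.println(reason == null ? "result     : trusted" : "result     : NOT trusted: " + reason);

        if (args.length == 3) {
            // Import the leaf into a copy of the truststore; the JRE's own cacerts stays untouched
            trust.setCertificateEntry(args[1], chain[0]);
            try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) {
                trust.store(out, PASSWORD);
            }
            System.out.println("wrote " + args[2] + "; re-run with -Djavax.net.ssl.trustStore="
                    + args[2] + " (or copy it to <java.home>/lib/security/jssecacerts)");
        }
    }
}
```

Two things worth checking with it: run it under the JRE the debugger really launches (the jre6 path in step 1, not JAVA_HOME), and pass the server's full chain if the PEM file has it, because in a real handshake the intermediates arrive from the server and the check only needs the root to be present. Importing the leaf itself works, as the thread shows, but it pins that one certificate, so the entry has to be refreshed when the site renews; if the issuer is a public CA that is already in cacerts, the "NOT trusted" result usually means the wrong JRE's truststore is being read rather than a missing certificate.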

rajeshk21

Hi Innes,

If you are adding a website certificate to the trust store, you need to add it to the JRE (runtime environment) only. And the default JRE location depends on the JRE path you set in the system variable. You can override this by selecting a different JRE option in the Eclipse preferences. So the right place for the certificate depends on the JRE which you are using in your runtime environment.

Rajesh. Studio Dev