Thursday, August 20, 2015

AXIS client exception SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


While working on one of the integrations that uses an Axis client to call SOAP web services, I came across a few errors/exceptions, and I did not find good help for fixing them.

This post is my attempt to document the solution.



Exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    .
    .
    .
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 24 more



Cause:

To validate an SSL certificate, the client must verify each certificate against its immediate parent certificate first, and then work upward until it reaches the root certificate.

The above exception is thrown because your client is unable to resolve the SSL certificate chain path from the server certificate to the root certificate.

Resolution:

On the Axis client's JVM/JRE, import the SSL certificates in the following sequence:
            1. Import the root certificate.
            2. Import the child certificate of the root.
                     This step must be repeated for every intermediate
                     certificate down to the server certificate.
            3. Import the server certificate.

Example:

Take the Gmail certificate as an example. For the Gmail certificate, the correct sequence is:
           1. GeoTrust Global CA
           2. Google Internet Authority G2
           3. mail.google.com

Command to import a certificate into the keystore:

keytool -importcert -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias mail.google.com -file c:\mail.google.com.cer




 
