Thursday, August 20, 2015

AXIS Client Exception:org.apache.axis2.AxisFault: Received fatal alert: handshake_failure

 Exception :



org.apache.axis2.AxisFault: Received fatal alert: handshake_failure

    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)

    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)

    .

    .

    .

    at java.lang.Thread.run(Thread.java:744)

Caused by: com.ctc.wstx.exc.WstxIOException: Received fatal alert: handshake_failure

    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)

    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:168)

    .

    .

    .

    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:79)

    ... 120 more

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)

    .

    .

    .

    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)

    ... 131 more





Cause:


This exception occurs when there is a mismatch between the strength of the cryptographic algorithms supported by the server and by the client JRE.

Resolution:

The stronger ciphers are not supported by Java by default. The Oracle site gives the following reason:

“Due to import regulations in some countries, the Oracle implementation provides a default cryptographic jurisdiction policy file that limits the strength of cryptographic algorithms. If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.”


Reference :

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#importlimits



We need to download the JCE Unlimited Strength Jurisdiction Policy Files and install them on the client JRE.
Download location:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
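
To confirm this diagnosis on the JRE that actually runs the Axis client, the following added example (not code from the original post) reports whether the unlimited-strength policy is active and whether the JRE shares any cipher suite with the server. The class name JcePolicyCheck and the SERVER_SUITES list are assumptions: the list is constructed sample data and should be replaced with the suites your server is configured to accept.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example (not from the original post). JcePolicyCheck and SERVER_SUITES are
// hypothetical names; the suite list is constructed sample data.
public class JcePolicyCheck {

    // Constructed: suites the server is configured to accept (take these from the server side).
    static final List<String> SERVER_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");

    // The default (limited) policy caps AES at 128 bits; unlimited reports Integer.MAX_VALUE.
    static boolean unlimitedPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Suites both sides support, in client order. An empty result means no suite can be
    // negotiated, which the server answers with a fatal handshake_failure alert.
    static List<String> common(String[] clientSuites, List<String> serverSuites) {
        List<String> shared = new ArrayList<String>();
        for (String suite : clientSuites) {
            if (serverSuites.contains(suite)) {
                shared.add(suite);
            }
        }
        return shared;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home          = " + System.getProperty("java.home"));
        System.out.println("max AES key bits   = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("unlimited policy   = " + unlimitedPolicy());

        // Suites this JRE enables by default for a client that sets none explicitly.
        String[] client = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        List<String> shared = common(client, SERVER_SUITES);
        System.out.println("client suites      = " + client.length);
        System.out.println("shared with server = " + shared);
        if (shared.isEmpty()) {
            System.out.println("No common cipher suite: expect handshake_failure on this JRE.");
        }
    }
}
```

Run it with the same java binary the client uses, before and after installing the policy files; java.home shows which JRE directory the files have to go into.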





 P.S. To debug the SSL communication of a Java application, you can set the following system property:



 javax.net.debug=all


http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html


AXIS client exception SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


While working on one of the integrations that uses the Axis client to call SOAP web services, I came across a few errors/exceptions, and I did not find good help to fix them.

This post is my attempt to document the solution.



Exception :


javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

    .

    .

    .

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)

  

    ... 18 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)

    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)

    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)

    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

    ... 24 more



Cause:

To validate an SSL certificate, the client must verify each certificate against its immediate parent first, and then upward until it reaches the root certificate.

The above exception is thrown because your client is unable to resolve the SSL certificate chain path from the server certificate to the root certificate.

Resolution:


On the Axis client JVM/JRE, import the SSL certificates in the following sequence:
            1. Import the root certificate
            2. Import the child certificate of the root
               (this step must be repeated for every intermediate certificate, down to the server certificate)
            3. Import the server certificate

Example:

Take the Gmail certificate as an example.

For the Gmail certificate, the correct sequence is:
           1. GeoTrust Global CA
           2. Google Internet Authority G2
           3. mail.google.com

Command to import a certificate into the keystore:

$ keytool -importcert -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias mail.google.com -file c:\mail.google.com.cer