Hi,
I have tried to use the Web Service interface to integrate EJBCA from my java application.
Attempting to access the ejbca wsdl file I got the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
even if I have used the superadmin certificate, imported in the Glassfish keystore.
I could access the wsdl through the browser after installing the superadmin certificate.
Can you please provide more information about what kind of certificate / keystore I have to use to be able to access the ejbca wsdl from a Java application, using https and the Glassfish app server?
Thanks in advance,
Cristina Prohaska
Hi Cristina,
The default superadmin should work since you can use it for accessing the WSDL through your browser. Did you try the supplied EJBCA WS CLI and get that working? You might find hints for writing your own app in the source code there.
Best Regards,
Johan
Your error message is due to missing certificates in the trust store.
/Tomas
Hi Tomas,
yes, this is my problem: "missing certificates in the trust store"
These are the steps I have done:
- install the superadmin certificate in the web browser >> access the wsdl successfully. This is issued by AdminCA.
- export the superadmin certificate from the browser and import it in:
  - Java's truststore
  - then in Glassfish's truststore.
Still stuck with the same error, on both cases.
Did I import something wrong?
I could extract from the superadmin.p12 file a trusted part for AdminCA and a certificateChain.pem.
Can you give me more advice regarding what part of the certificate I have to import in the trustStore?
Is there any part that I need to import in Glassfish's keystore also? Are certificateChains supported in Glassfish?
Many thanks,
Cristina
Hi Cristina,
The truststores should contain the certificate of the issuing CA for superadmin.p12 (AdminCA1 in this case). This certificate is available for download from EJBCA public webpages.
Best Regards,
Johan Eklund
Since you are using Glassfish I assume that perhaps you have not replaced the default Glassfish SSL server certificate?
In this case the Glassfish server uses a server SSL certificate not issued from EJBCA, but self issued during installation of Glassfish. In order for the WS-API client to trust this SSL server you need to add the CA certificate of this "demo" SSL server certificate as trusted in superadmin.jks.
You can do this using keytool.
This is not described in the installation instructions so it's understandable if you got caught on this. If you get it running (I have, so it works ok) we would appreciate a few lines describing the process.
Cheers,
Tomas
Hi,
thanks for the help, I could go further... without success yet.
I have imported the AdminCA1 certificate in the truststore
... and tried a simple connection to the wsdl to see if it's accessible.
I have run the test with ssl debug and got the following error message:
... no IV for cipher
main, WRITE: SSLv3 Change Cipher Spec, length = 1
main, handling exception: java.net.SocketException: Software caused connection abort: socket write error
java.net.SocketException: Software caused connection abort: socket write error
main, SEND SSLv3 ALERT: fatal, description = unexpected_message
main, WRITE: SSLv3 Alert, length = 2
at java.net.SocketOutputStream.socketWrite0(Native Method)
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
main, called closeSocket()
at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:663)
at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:584)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:697)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:623)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
Can you give me more advice, to go further in the wild fields of SSL?
Cristina
The issue here is probably that the glassfish ssl server certificate is not signed by AdminCA1. So you need to find the CA certificate that signed the SSL server certificate, in the $APPSRV_HOME/domains/domain1/config/ config directory. It's for certain in the keystore.jks. This CA certificate was created like a "demo" CA by Sun and is shipped by Glassfish.
Once you have that CA certificate you can import that into superadmin.jks with 'keytool -import ...'.
I agree that fixing the SSL connections is not always very straightforward :-)
Regards,
Tomas
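A way to check this trust setup from Java, added here as an example (it is not code from the thread or from EJBCA): it loads superadmin.jks as both key store and trust store, opens the WSDL URL, and when the handshake fails it reports the subject and issuer of every certificate the Glassfish server sent, which tells you which CA certificate still has to be imported with keytool. The keystore path, the password "ejbca" and the WSDL URL are assumed defaults.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class WsTrustCheck {
    // Wraps the JRE trust manager: when the server chain is rejected, the exception names
    // the subject and issuer of every certificate the server sent, so it is clear which
    // CA certificate still has to be imported into the trust store.
    static X509TrustManager reporting(final X509TrustManager delegate) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
            public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
                try {
                    delegate.checkServerTrusted(chain, auth);
                } catch (CertificateException e) {
                    StringBuilder sb = new StringBuilder("server chain not trusted:");
                    for (X509Certificate c : chain) {
                        sb.append("\n  subject=").append(c.getSubjectX500Principal())
                          .append("  issuer=").append(c.getIssuerX500Principal());
                    }
                    throw new CertificateException(sb.toString(), e);
                }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; pass your own keystore path, password and WSDL URL as arguments.
        String jks = args.length > 0 ? args[0] : "superadmin.jks";
        char[] pw = (args.length > 1 ? args[1] : "ejbca").toCharArray();
        String wsdl = args.length > 2 ? args[2] : "https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl";
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jks)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);   // superadmin private key + certificate: client authentication
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);       // CA entries in the same file: server authentication
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { reporting(tm) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(wsdl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + wsdl);
    }
}
```

If the reported issuer is not AdminCA1 but the Glassfish demo CA, that is the certificate to export from keystore.jks and import into superadmin.jks.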
Hi,
many thanks for your help so far.
I got a different keystore from the server and managed to connect to the wsdl url!
I have called the web service method getCertificate() for the existing wstest end entity:
    // Needs ejbca-util.jar, the EJBCA WS client stubs and BouncyCastle on the classpath
    X509Certificate cert = null;
    try {
        KeyPair keys = KeyTools.genKeys("1024", CATokenConstants.KEYALGORITHM_RSA);
        // The DN in the request is not used (CN=NOUSED); EJBCA takes the DN from the end entity
        PKCS10CertificationRequest pkcs10 = new PKCS10CertificationRequest("SHA1WithRSA",
            CertTools.stringToBcX509Name("CN=NOUSED"), keys.getPublic(), null, keys.getPrivate());
        CertificateResponse certenv = ejbcaraws.pkcs10Request("wstest", "",
            new String(Base64.encode(pkcs10.getEncoded())), null, CertificateHelper.RESPONSETYPE_CERTIFICATE);
        cert = (X509Certificate) CertificateHelper.getCertificate(certenv.getData());
    } catch (Exception e) {
        e.printStackTrace();
    }
and got the following error:
Your certificate does not belong to an administrator. Issuer CN=AdminCA1,O=EJBCA Sample,C=SE, serialNo 97ce04cc0950875.
org.ejbca.core.model.authorization.AuthorizationDeniedException: Your certificate does not belong to an administrator. Issuer CN=AdminCA1,O=EJBCA Sample,C=SE, serialNo 97ce04cc0950875.
Regards,
Cristina
Did you check the "Administrator" checkbox for your admin-certificate's user?
Best Regards,
Johan
Yes, the "Administrator" checkbox is checked.
The last error message obtained is:
Administrator not authorized to resource : /administrator
org.ejbca.core.model.authorization.AuthorizationDeniedException: Administrator not authorized to resource : /administrator
Every step forward makes me reach another problem... :(
Cristina
If you edit the Admingroup for this user, the group should have an Administrator role or "/administrator" if you edit the advanced rules.
If "/administrator" is present, I would doublecheck if the user is present in any other admingroup.
At least you are going forward, right..? or maybe at least not straight backwards.. =)
Best Regards,
Johan
Hi,
many thanks, I have managed to edit the advanced rules and to edit a user!
The ejbca webservice works fine!
... Now the problem is on my client side:
java.security.NoSuchAlgorithmException: class configured for KeyPairGenerator(provider: BC)cannot be found.
at java.security.Provider$Service.getImplClass(Provider.java:1268)
at java.security.Provider$Service.newInstance(Provider.java:1220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:237)
at org.ejbca.util.keystore.KeyTools.genKeys(KeyTools.java:112)
at com.visma.ejbca.ejb.EjbcaIntegrationBean.generateCertificateFormPKCS10Request(EjbcaIntegrationBean.java:128)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
I do have a special 'taste' to find problems :)
Many thanks again,
Cristina
Have you tried running org.ejbca.util.CertTools.installBCProviderIfNotAvailable() before executing the code that fails? It should be included in the "ejbca-util.jar".
I hope this helps,
Johan