Wednesday, April 29, 2009

How to encrypt Hibernate Database Password in hibernate_cfg.xml file

Configure Hibernate.cfg.xml with Encrypted password by Java Software Engineer Mar 26, 2008; 07:33pm

I am getting an exception when I configured Hibernate.cfg.xml with an encrypted password, saying:
Initial SessionFactory creation failed.org.jasypt.exceptions.EncryptionInitializationException: No string encryptor registered for hibernate with name "configurationHibernateEncryptor"
Exception in thread "main" java.lang.ExceptionInInitializerError
at com.example.hibernate.util.HibernateUtil.(HibernateUtil.java:17)
at com.example.hibernate.util.EventManager.main(EventManager.java:17)
Caused by: org.jasypt.exceptions.EncryptionInitializationException: No string encryptor registered for hibernate with name "configurationHibernateEncryptor"
at org.jasypt.hibernate.connectionprovider.EncryptedPasswordDriverManagerConnectionProvider.configure(EncryptedPasswordDriverManagerConnectionProvider.java:106)
at org.hibernate.connection.ConnectionProviderFactory.newConnectionProvider(ConnectionProviderFactory.java:124)
at org.hibernate.connection.ConnectionProviderFactory.newConnectionProvider(ConnectionProviderFactory.java:56)
at org.hibernate.cfg.SettingsFactory.createConnectionProvider(SettingsFactory.java:414)
at org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:62)
at org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2009)
at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1292)
at com.example.hibernate.util.HibernateUtil.(HibernateUtil.java:13)
... 1 more


My Hibernate.cfg.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hibernate-configuration PUBLIC
    "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
    "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
  <session-factory>
    <property name="connection.provider_class">org.jasypt.hibernate.connectionprovider.EncryptedPasswordDriverManagerConnectionProvider</property>
    <property name="connection.encryptor_registered_name">configurationHibernateEncryptor</property>
    <property name="connection.driver_class">oracle.jdbc.driver.OracleDriver</property>
    <property name="connection.url">jdbc:oracle:thin:@localhost:1521:XE</property>
    <property name="connection.username">system</property>
    <property name="connection.password">ENC(bZHq6yRq4h2vSb2fRkP8HRQ3iTNQovU17I0AzgWDQ4Vq45SFrS2O3Y8UoAKszcH4)</property>
    <property name="connection.pool_size">1</property>
    <property name="dialect">org.hibernate.dialect.OracleDialect</property>
    <property name="current_session_context_class">thread</property>
    <property name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>
    <property name="show_sql">true</property>
    <property name="hbm2ddl.auto">create</property>
  </session-factory>
</hibernate-configuration>


To generate the encrypted password I used the command-line tool (encrypt):

encrypt input="This is my message to be encrypted" password=MYPAS_WORD verbose=false


Re: Configure Hibernate.cfg.xml with Encrypted password by dfernandez Mar 26, 2008; 09:18pm

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

Hello,

You need to register an encryptor that will take care of the encryption
and decryption of your data. In your XML:

<property name="connection.encryptor_registered_name">configurationHibernateEncryptor</property>

This means that Jasypt will expect an encryptor to be registered
with the name "configurationHibernateEncryptor". This is explained in
http://www.jasypt.org/hibernate3.html, in "Providing the encryptor to
Hibernate" -> "Without Spring".

Regards,
Daniel.





http://www.nabble.com/Configure-Hibernate.cfg.xml-with-Encrypted-password-td16319026s21332.html
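Registering the encryptor Daniel refers to, as an added example that is not code from the thread or from the jasypt project. The registration has to run before buildSessionFactory(), because EncryptedPasswordDriverManagerConnectionProvider looks the name up in its configure() step, which is exactly the frame where the stack trace above fails. The HibernateUtil class shape and the environment variable name APP_ENCRYPTION_PASSWORD are assumptions; the algorithm is jasypt's command-line default and must be the same one the encrypt tool was run with.

```java
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.hibernate.encryptor.HibernateEncryptorRegistry;

/**
 * Added example (not the thread's or jasypt's own code). Registers the
 * encryptor named in hibernate.cfg.xml before the SessionFactory is built,
 * so the jasypt connection provider can find it and decrypt ENC(...).
 */
public class HibernateUtil {

    /** Must equal connection.encryptor_registered_name in hibernate.cfg.xml. */
    static final String ENCRYPTOR_NAME = "configurationHibernateEncryptor";

    private static final SessionFactory sessionFactory;

    static {
        // Same algorithm the command-line encrypt tool used (PBEWithMD5AndDES is
        // jasypt's CLI default); a different algorithm or password will not decrypt.
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");
        // The encryption password is read from an environment variable (name
        // assumed here) rather than hard-coded or stored next to the cfg file.
        config.setPasswordEnvName("APP_ENCRYPTION_PASSWORD");

        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);

        // Registration must precede buildSessionFactory(): the connection provider
        // resolves ENCRYPTOR_NAME while it is configured, which is where the
        // "No string encryptor registered" exception in the thread is thrown.
        HibernateEncryptorRegistry.getInstance()
                .registerPBEStringEncryptor(ENCRYPTOR_NAME, encryptor);

        sessionFactory = new Configuration().configure().buildSessionFactory();
    }

    public static SessionFactory getSessionFactory() {
        return sessionFactory;
    }
}
```

When producing the ENC() value, pass algorithm=PBEWithMD5AndDES (or whichever algorithm you configure on both sides) explicitly to the encrypt tool so the CLI and the registry agree. Note that ENC() only relocates the secret: whoever can read both hibernate.cfg.xml and the JVM's environment can recover the database password, so the environment variable should be injected at deployment time and never committed next to the configuration.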

Monday, April 6, 2009

Health IT links

https://www.google.com/health by Google
http://www.healthvault.com/ by Microsoft
http://dossia.org/ by Dossia

Sunday, February 22, 2009

How to solve WSS1816: Error occurred while resolving Direct Reference

Solution:
In the sp:X509Token assertions of the policy:
for the "InitiatorToken", use the "IncludeToken" value "AlwaysToRecipient"
for the "RecipientToken", use the "IncludeToken" value "Never"
inside each "sp:X509Token" "wsp:Policy", use "sp:RequireIssuerSerialReference"
for the "sp:Wss10" "wsp:Policy", use "sp:MustSupportRefIssuerSerial"

Error message this fixes:
WSS1816: Error occurred while resolving Direct Reference

Tuesday, February 17, 2009

How to solve the CertPathValidatorException: Path does not chain with any of the trust anchors

Solution:
From the browser:
1. Export the server certificate (the public key of the cert) as a base64 .cer file
2. Export the intermediate CA's certificate, e.g. as SDN base64.cer
3. Export the root CA certificate as a base64 .cer file

4. Import all of the above .cer files into the trust store (on both the server and the client if mutual authentication is used).




Feb 17, 2009 4:47:06 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP1049: Loaded WSIT configuration from file: file:/C:/PHIN-SRM/container/webapps/WSRM_Client/WEB-INF/classes/META-INF/wsit-client.xml
Feb 17, 2009 4:47:16 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler$X509CertificateValidatorImpl validate
SEVERE: WSS1518: Failed to validate certificate
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler$X509CertificateValidatorImpl.validate(DefaultCallbackHandler.java:1572)
at com.sun.xml.wss.impl.callback.CertificateValidationCallback.getResult(CertificateValidationCallback.java:80)
at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateCertificate(DefaultSecurityEnvironmentImpl.java:700)
at com.sun.xml.ws.security.opt.impl.incoming.X509BinarySecurityToken.validate(X509BinarySecurityToken.java:186)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:400)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:280)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:222)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:438)
at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:206)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:129)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:160)
at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:75)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Feb 17, 2009 4:47:17 PM [com.sun.xml.ws.rm.runtime.ClientSession] processOutgoingPacket
WARNING: WSRM1106: Attempt to initiate RM session failed with an exception
javax.xml.ws.soap.SOAPFaultException: Path does not chain with any of the trust anchors
at com.sun.xml.ws.security.secconv.WSSCPlugin.sendRequest(WSSCPlugin.java:431)
at com.sun.xml.ws.security.secconv.WSSCPlugin.process(WSSCPlugin.java:260)
at com.sun.xml.ws.security.secconv.impl.client.SCTokenProviderImpl.issue(SCTokenProviderImpl.java:129)
at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.startSecureConversation(SecurityClientTube.java:460)
at com.sun.xml.ws.rm.runtime.ProtocolCommunicator.tryStartSecureConversation(ProtocolCommunicator.java:103)
at com.sun.xml.ws.rm.runtime.ClientSession.initializeIfNecessary(ClientSession.java:255)
at com.sun.xml.ws.rm.runtime.ClientSession.processOutgoingPacket(ClientSession.java:157)
at com.sun.xml.ws.rm.runtime.RmClientTube.processRequest(RmClientTube.java:123)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.client.Stub.process(Stub.java:222)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy74.receiveMessage(Unknown Source)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.processRequest(WsrmClientServlet.java:215)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.doPost(WsrmClientServlet.java:277)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Feb 17, 2009 4:47:17 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler$X509CertificateValidatorImpl validate
SEVERE: WSS1518: Failed to validate certificate
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at com.sun.xml.wss.impl

Wednesday, January 7, 2009

How to solve SEVERE: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier

Solution:
-------------------------------------------------------------------
The "SubjectKeyIdentifier can not be empty" problem is solved by changing the IncludeToken to "Always" in the server's
wsit-*.*.*.WsrmServer.xml file:
sp:IncludeToken=http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
With that change the SubjectKeyIdentifier problem is solved.
-------------------------------------------
However, a new problem then occurred. This is due to the fact that the certificate trust chain is missing:
we need to put the intermediate cert as well as the root cert in the trust store.
-----------------------------------------------
WSP1049: Loaded WSIT configuration from file: file:/C:/PHIN-SRM/container/webapps/WSRM_Client/WEB-INF/classes/META-INF/wsit-client.xml
Feb 17, 2009 4:47:16 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler$X509CertificateValidatorImpl validate
SEVERE: WSS1518: Failed to validate certificate
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
-----------------------------------------------------------



-------------------------------------------------
1. One possible cause: the cert version mismatch.
The solution for this is:
Download the following:
https://xwss.dev.java.net/files/documents/4864/54020/copyv3.zip

Unzip and cd to copyv3

Set the AS_HOME environment variable to the GlassFish home and run "ant"

Restart GF

Now configure the alias as "xws-security-server" in the client truststore.

Then you should see it running.
-------------------------------------
2. The SubjectKeyIdentifier is missing from the cert.
The solution is:
From the error it appears you have a cert which does not contain the SubjectKeyIdentifier extension.

If you run

keytool -printcert -file <your-cert.cer>

you should see something like:

Extensions:
-------------------------------
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 75 51 36 F7 2B 32 15 6F E2 0F 59 5A DD D7 5E 3F uQ6.+2.o..YZ..^?
0010: 33 3A 21 6A 3:!j
]
]
----------------------

Do you see such a thing? If not, you have two options:

1. Regenerate the cert using a tool such as openssl so that it creates the SKI extension correctly

OR

2. Otherwise you can change the policy of the STS so that it can use a cert that does not have this extension:
change any occurrence of <sp:RequireKeyIdentifierReference/> to <sp:RequireIssuerSerialReference/> if your cert does not have an SKI extension.

So it is clear that your cert does not have an SKI extension.

So please make sure the X509Token in your WSDL Policy looks as below:


<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireIssuerSerialReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>


You can also use <sp:RequireThumbprintReference/> but for that to work the WSS version in the policy should be WSS 2.0
-----------------------------------------------------------------



see also:
http://forums.java.net/jive/thread.jspa?threadID=35273
--------------------------------------------

---------------------------------
Jan 7, 2009 8:58:11 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP1049: Loaded WSIT configuration from file: file:/home/srm/wsrm_grid/container/webapps/WSRM_Client/WEB-INF/classes/META-INF/wsit-client.xml
Jan 7, 2009 8:58:12 PM com.sun.xml.ws.security.opt.impl.keyinfo.TokenBuilder buildKeyInfoWithKI
SEVERE: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier.
Jan 7, 2009 8:58:12 PM com.sun.xml.wss.jaxws.impl.SecurityTubeBase secureOutboundMessage SEVERE: WSSTUBE0024: Error in Securing Outbound Message.
com.sun.xml.wss.XWSSecurityException: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier.
at com.sun.xml.ws.security.opt.impl.keyinfo.TokenBuilder.buildKeyInfoWithKI(TokenBuilder.java:205)
at com.sun.xml.ws.security.opt.impl.keyinfo.X509TokenBuilder.process(X509TokenBuilder.java:93)
at com.sun.xml.ws.security.opt.impl.enc.TokenProcessor.process(TokenProcessor.java:160)
at com.sun.xml.ws.security.opt.impl.enc.EncryptionProcessor.process(EncryptionProcessor.java:143)
at com.sun.xml.wss.impl.filter.EncryptionFilter.encrypt(EncryptionFilter.java:442)
at com.sun.xml.wss.impl.filter.EncryptionFilter.process(EncryptionFilter.java:403)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:95)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:268)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:186)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:147)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:378)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:239)
at com.sun.xml.ws.security.secconv.WSSCPlugin.sendRequest(WSSCPlugin.java:397)
at com.sun.xml.ws.security.secconv.WSSCPlugin.process(WSSCPlugin.java:260)
at com.sun.xml.ws.security.secconv.impl.client.SCTokenProviderImpl.issue(SCTokenProviderImpl.java:129)
at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.startSecureConversation(SecurityClientTube.java:460)
at com.sun.xml.ws.rm.runtime.ProtocolCommunicator.tryStartSecureConversation(ProtocolCommunicator.java:103)
at com.sun.xml.ws.rm.runtime.ClientSession.initializeIfNecessary(ClientSession.java:255)
at com.sun.xml.ws.rm.runtime.ClientSession.processOutgoingPacket(ClientSession.java:157)
at com.sun.xml.ws.rm.runtime.RmClientTube.processRequest(RmClientTube.java:123)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.client.Stub.process(Stub.java:222)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy73.receiveMessage(Unknown Source)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.processRequest(WsrmClientServlet.java:219)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.doPost(WsrmClientServlet.java:281)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Jan 7, 2009 8:58:12 PM com.sun.xml.wss.jaxws.impl.SecurityClientTube processClientRequestPacket
SEVERE: WSSTUBE0024: Error in Securing Outbound Message.


http://www.jroller.com/gmazza/date/20080805

Monday, December 22, 2008

How to solve the certification path error

Exception trace:

javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://localhost:7443/WSRM/WsrmServerService?wsdl. It failed with:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:162)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:144)
at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:264)
at com.sun.xml.ws.client.WSServiceDelegate.(WSServiceDelegate.java:227)
at com.sun.xml.ws.client.WSServiceDelegate.(WSServiceDelegate.java:175)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
at javax.xml.ws.Service.(Service.java:56)
at gov.cdc.wsigrid.wsrm.WsrmServerService.(WsrmServerService.java:46)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.processRequest(WsrmClientServlet.java:205)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.doPost(WsrmClientServlet.java:279)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)

Solution:
This is caused by the SSL handshake: the client needs to import the server's public key certificate into its trust store.
To solve the problem, refer to the post "How to establish client SSL connection", e.g.:
openssl s_client -connect localhost:7443
$JAVA_HOME/bin/keytool -import -alias tomcat_client -keystore $JAVA_HOME/jre/lib/security/cacerts -file pubcert.pem

Friday, December 12, 2008

How to setup tomcat SSL client

1. Retrieve public key from the server certificate

openssl s_client -connect server_host_name:8443

The output looks like this:
--------------------------------------------------------------
CONNECTED(00000003)
depth=0 /C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
verify return:1
---
Certificate chain
0 s:/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
i:/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICKzCCAZSgAwIBAgIESUKsLDANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCR0ExEDAOBgNVBAcTB0F0bGFudGExDDAKBgNVBAoTA2NkYzEM
MAoGA1UECxMDY2RjMRAwDgYDVQQDEwdDaGFybGllMB4XDTA4MTIxMjE4MjM0MFoX
DTA5MDMxMjE4MjM0MFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkdBMRAwDgYD
VQQHEwdBdGxhbnRhMQwwCgYDVQQKEwNjZGMxDDAKBgNVBAsTA2NkYzEQMA4GA1UE
AxMHQ2hhcmxpZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnee+j8Fj5TTC
BQMVRLRWnv9zTPhJYaMYFDkZqu3PmqIdv3Nc6aNsSKwqcJG5TaM9dFhiZdhF5Glk
XaEx9ERU4fNh7NLxBHBl0g7CsjssDnLJBB/CzrDkqYUKy3+yE+cSyiOznpkYsOmH
SZYRaDNVJ7MsLQM7Tyyvks911E8ULwUCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBb
7txpYmEzQxYUX9RrckDcbcznMjao2ND89P+Ifs/3g4mWxvQz6bTBFngjihfaayzK
Zr6kYQDzgHWYa4TaRLGWL17FTrgk8obZuY84+TMCsQPOi4bim26sGDk6Kzkj1pmG
F7NBC/FSKiJDsH7M5uJLYeFNYDulP5GvfHBS//OpAg==
-----END CERTIFICATE-----
subject=/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
issuer=/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
---
----------------------------------------------------
Save the text including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a file, e.g. named pubcert.pem (the file name the keytool command in step 2 expects).

2. Import the server SSL certificate (pubcert.pem) into the JDK default cacerts file.
In JDK 1.6 the cacerts file is $JAVA_HOME/jre/lib/security/cacerts:
----------------------------------------------------------------------------------
$JAVA_HOME/bin/keytool -import -alias tomcat -keystore $JAVA_HOME/jre/lib/security/cacerts -file pubcert.pem
--------------------------------------------------------------
3. In development only, add the following code to your main Java client program to overcome the error
javax.xml.ws.WebServiceException: java.io.IOException: HTTPS hostname wrong: should be

static {
    // WORKAROUND. TO BE REMOVED. Replaces the default hostname verifier for
    // one hard-coded development host. The proper fix is a server certificate
    // whose CN or subjectAltName matches the host name the client connects to.
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
        new javax.net.ssl.HostnameVerifier() {
            public boolean verify(String hostname,
                                  javax.net.ssl.SSLSession sslSession) {
                // Accept only the expected host, never every host.
                if (hostname.equals("mytargethostname")) {
                    return true;
                }
                return false;
            }
        });
}

4. Restart the app server
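The certificate-import steps of this post and of the two posts above it (the Dec 22 "certification path error" and the Feb 17 "Path does not chain with any of the trust anchors" post) can be done from one small program. This is an added example, not code from the blog: it reads the PEM block(s) you saved from openssl s_client (the file must contain only the BEGIN/END CERTIFICATE blocks, as step 1 says), prints subject, issuer and SHA-256 fingerprint so you can see what you are about to trust, checks that every certificate in the bundle is signed by another one in it (the condition the "does not chain" error is about), and writes the self-signed and CA certificates into an application truststore instead of modifying the JDK's cacerts. It goes beyond the page's self-signed case by also handling a CA-issued chain, where only the CA certificates are stored. The class name, the command-line arguments and the TRUSTSTORE_PASS variable are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not the blog's code): import the chain saved from
 * "openssl s_client" into an application-specific truststore, after showing
 * what is being trusted and checking that the chain links.
 *
 * usage: java TrustStoreImporter chain.pem truststore alias-prefix
 *        (TRUSTSTORE_PASS must be set in the environment)
 */
public class TrustStoreImporter {

    /** Parses a file holding one or more PEM "-----BEGIN CERTIFICATE-----" blocks. */
    public static List<X509Certificate> loadPem(InputStream in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        for (Certificate c : cf.generateCertificates(in)) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding, as browsers show it. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /**
     * True when every certificate that is not self-signed is verifiably signed by
     * another certificate in the bundle. False means an intermediate or root is
     * missing, which the JDK reports as "Path does not chain with any of the trust anchors".
     */
    public static boolean chainLinks(List<X509Certificate> certs) {
        for (X509Certificate c : certs) {
            if (isSelfSigned(c)) continue;
            boolean signed = false;
            for (X509Certificate issuer : certs) {
                if (!issuer.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
                try {
                    c.verify(issuer.getPublicKey());
                    signed = true;
                    break;
                } catch (Exception e) {
                    // name matches but the key does not; keep looking
                }
            }
            if (!signed) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 || System.getenv("TRUSTSTORE_PASS") == null) {
            System.err.println("usage: TrustStoreImporter chain.pem truststore alias-prefix (TRUSTSTORE_PASS must be set)");
            System.exit(2);
        }
        List<X509Certificate> certs;
        InputStream in = new FileInputStream(args[0]);
        try { certs = loadPem(in); } finally { in.close(); }

        for (X509Certificate c : certs) {
            c.checkValidity();   // refuse expired or not-yet-valid certificates outright
            System.out.println("subject: " + c.getSubjectX500Principal().getName());
            System.out.println("issuer:  " + c.getIssuerX500Principal().getName());
            System.out.println("CA: " + (c.getBasicConstraints() >= 0) + "  self-signed: " + isSelfSigned(c));
            System.out.println("SHA-256: " + sha256Fingerprint(c));
        }
        if (!chainLinks(certs)) {
            System.err.println("chain does not link: export the intermediate and root CA certificates too");
            System.exit(1);
        }

        // Only trust anchors go into the store: CA certificates and self-signed ones
        // (for the self-signed server cert in this post that is the leaf itself).
        // A CA-issued leaf is deliberately not stored; it is validated via its issuers.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int stored = 0;
        for (X509Certificate c : certs) {
            if (isSelfSigned(c) || c.getBasicConstraints() >= 0) {
                ks.setCertificateEntry(args[2] + "-" + stored++, c);
            }
        }
        // Password from the environment so it does not appear in the process list.
        char[] pass = System.getenv("TRUSTSTORE_PASS").toCharArray();
        OutputStream out = new FileOutputStream(args[1]);
        try { ks.store(out, pass); } finally { out.close(); }
        System.out.println("stored " + stored + " trust anchor(s) in " + args[1]
                + "; start the client with -Djavax.net.ssl.trustStore=" + args[1]);
    }
}
```

Pointing the client at its own truststore with -Djavax.net.ssl.trustStore keeps the JDK's cacerts untouched, so an upgrade of the JDK does not silently drop the imported anchor and the set of trusted certificates for this application stays reviewable in one file. KeyStore.getDefaultType() gives JKS on the JDK 1.6 this post targets and PKCS12 on current JDKs; both are loaded by the trustStore property without further flags.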