payara / Payara-Examples

Repository for Example Code to demonstrate Payara specific features

Accessing an HTTPS web service from Payara based standalone application #70

Closed marchenar closed 6 years ago

marchenar commented 6 years ago

I'm trying to access an HTTPS based web service URL from a standalone JavaEE application deployed on a Payara application server domain.

We have obtained the certificate from the vendor that exposes the HTTPS URL. What are the steps required for installing SSL certificates in order to access the web service?

I can access it perfectly from a standard Java application, but when I try to run the same code from the JavaEE application it throws the following error:

http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1899)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1420)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at FEV1.dif.afip.gov.ar.ServiceSoapStub.FEDummy(ServiceSoapStub.java:1023)
    at ar.com.bywind.fe.service.WebServiceTest.testWs(WebServiceTest.java:62)
    at afip_ws_eecli.Main.main(Main.java:30)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.glassfish.appclient.client.acc.AppClientContainer.launch(AppClientContainer.java:446)
    at org.glassfish.appclient.client.AppClientFacade.launch(AppClientFacade.java:184)
    at org.glassfish.appclient.client.AppClientGroupFacade.main(AppClientGroupFacade.java:65)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:91)
    at sun.security.validator.Validator.getInstance(Validator.java:179)
    at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
    at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    ... 24 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
    ... 36 more

Thanks

OndroMih commented 6 years ago

I'll try to answer here, but these kinds of questions are better discussed on the forum here: http://www.payara.org/forum

I think you need to add the public key of the remote certificate to the trust store. According to the stack trace, you're not using the Payara (JAX-WS) API to access the remote service but you're using AXIS instead. Therefore you need to add the certificate into the default JVM keystore with the system property javax.net.ssl.trustStore. See here for more information: https://stackoverflow.com/questions/6340918/trust-store-vs-key-store-creating-with-keytool#6341566

If you want to raise more questions, please ask them in the forum, I'll be happy to answer them there.

I'm closing this issue now.

marchenar commented 6 years ago

Thanks for your response, I write the issue in the forum with the following notes ....

I had set the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword pointing to my P12 file but it throws the same error.

    System.setProperty("javax.net.ssl.keyStore", ....);
    System.setProperty("javax.net.ssl.keyStorePassword", ...);

Any ideas? Should I add my P12 key to the cacerts.jks or keystore.jks files in the domain config?

bander-saeed94 commented 5 years ago

Thanks for your response, I write the issue in the forum with the following notes ....

  • I had generated a P12 certificate from the digital certificate (.CER) that I downloaded from the vendor, and I use it to access the web service from a standard Java application successfully.
  • This vendor has an authentication web service to access all their web services, but the error is thrown before authenticating with the P12 key; it is thrown when I call a simple dummy web service to check if the vendor site works correctly, and that web service does not require any authentication.

I had set the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword pointing to my P12 file but it throws the same error.

    System.setProperty("javax.net.ssl.keyStore", ....);
    System.setProperty("javax.net.ssl.keyStorePassword", ...);

Any ideas? Should I add my P12 key to the cacerts.jks or keystore.jks files in the domain config?

Were you able to solve it? If yes, please share your solution.
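
Added example, not part of the original thread: the javax.net.ssl.keyStore properties supply the client's own identity, while the server certificate is validated against the trust store, and "the trustAnchors parameter must be non-empty" means that trust store yielded no certificates. The diagnostic below counts the trust anchors JSSE actually sees; the class name `TrustStoreCheck`, its helper methods and the `TRUSTSTORE_PASSWORD` environment variable are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import javax.net.ssl.*;

// Hypothetical diagnostic class; run it with the same JVM options as the failing client.
public class TrustStoreCheck {
    // Number of certificates JSSE would use as trust anchors for this store.
    // Passing null makes JSSE resolve its default store (javax.net.ssl.trustStore,
    // otherwise jssecacerts/cacerts under the JRE's lib/security directory).
    static int countTrustAnchors(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        int anchors = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return anchors;
    }

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty in-memory store reproduces the zero-anchor state.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        System.out.println("empty store anchors: " + countTrustAnchors(empty));

        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("javax.net.ssl.keyStore   = " + System.getProperty("javax.net.ssl.keyStore"));
        System.out.println("JVM default anchors: " + countTrustAnchors(null));

        // Optional: <path> <type, e.g. JKS or PKCS12>; password read from the
        // TRUSTSTORE_PASSWORD environment variable (assumed name) to keep it off the command line.
        if (args.length == 2) {
            String pw = System.getenv("TRUSTSTORE_PASSWORD");
            KeyStore ks = load(args[0], args[1], pw == null ? null : pw.toCharArray());
            System.out.println(args[0] + " anchors: " + countTrustAnchors(ks));
        }
    }
}
```

A "JVM default anchors" count of 0 when run in the failing environment indicates that the trust store the JVM resolves is missing, unreadable or empty.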