Tuesday, January 4, 2011

"No trusted certificate found" and "SSLHandshakeException" when referencing an HTTPS composite

Problem:

In our composite, we tried to reference an external WSDL that is served over HTTPS.

When we try to reference the WSDL, we receive the following error:
Error while reading wsdl file https://server/HelloWorld?wsdl. Exception: WSDLException: faultCode=PARSER_ERROR: Failed to read wsdl file at: "https://server/HelloWorld?wsdl", caused by: javax.net.ssl.SSLHandshakeException.    : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

Solution:

The error occurs because the SSL certificate on the target web server is signed by the customer's own CA (Certificate Authority), which the JDK does not trust by default. The fix is to configure JDeveloper 11g to trust this Certificate Authority.

1. Paste the URL of the external web service in Firefox

2. Click on the lock icon at the bottom of the browser

3. Click on View Certificate

4. Click on the Details tab

5. Under "Certificate Hierarchy", click on the issuing CA (beside the arrow)

6. Click on Export...

7. Save the file to JDeveloper's Java Home location, under ~/lib/security. If the ~/security subfolder doesn't exist, then create it. For example, this is my location:
C:\dev\jdev11g\jdk160_18\lib\security

8. Open a command prompt window and perform the following:
echo ----------------------------------------
echo Set the environment
echo ----------------------------------------
cd C:\dev\jdev11g\jdk160_18\lib\security
set JAVA_HOME=C:\dev\jdev11g\jdk160_18
set PATH=%JAVA_HOME%\bin;%PATH%

echo ----------------------------------------
echo Import the CA cert to a Java keystore (setting password to 'welcome1')
echo ----------------------------------------
keytool -import -trustcacerts -file IPNWeb-Issuing-CA.crt -keystore IPNWeb-Issuing-CA.jks -storepass welcome1

echo ----------------------------------------
echo List the CA certs in the Java keystore
echo ----------------------------------------
keytool -list -v -keystore IPNWeb-Issuing-CA.jks -storepass welcome1

9. Open up JDeveloper 11g

10. Navigate to Tools -> Preferences -> Http Analyzer -> HTTPS Setup

11. Browse to the location of the Client Trusted Certificate Keystore as shown, and enter the password of 'welcome1' (which is what we used in step 8)

12. Click on OK then OK

13. Try again, and it should work now
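
To confirm outside JDeveloper that the keystore from step 8 contains only the CA you meant to trust, and that this CA is enough to validate the server's chain, the Java program below lists the keystore's certificates with their SHA1 fingerprints and then attempts a handshake using only that keystore. It is an added example, not code from the original post; the class name TrustStoreCheck and the host and port arguments are assumptions. Compare the printed fingerprint with the value given by the CA's administrator before relying on the keystore.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not from the original post. Host and port are supplied by the reader.
// Usage: java TrustStoreCheck IPNWeb-Issuing-CA.jks <host> <port>
public class TrustStoreCheck {
    // Colon-separated hex digest, the layout keytool uses for fingerprints.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] d = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i == 0 ? "" : ":").append(String.format("%02X", d[i] & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) throw new IllegalStateException("Run from a command prompt");
        // Prompt for the password so it does not appear in the process command line.
        char[] password = console.readPassword("Keystore password: ");
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try { trustStore.load(in, password); } finally { in.close(); }
        // 1. List every certificate this keystore would make the JVM trust.
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate ca = (X509Certificate) trustStore.getCertificate(alias);
            System.out.println(alias + ": " + ca.getSubjectX500Principal().getName());
            System.out.println("  SHA1: " + fingerprint(ca, "SHA-1"));
            System.out.println("  is CA: " + (ca.getBasicConstraints() >= 0)
                    + ", expires: " + ca.getNotAfter());
        }
        // 2. Handshake with ONLY this keystore as trust anchors (chain trust, not hostname).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[1], Integer.parseInt(args[2]));
        // startHandshake() throws SSLHandshakeException if the chain is not trusted.
        try { s.startHandshake(); System.out.println("Chain trusted"); } finally { s.close(); }
    }
}
```

If the handshake succeeds here but JDeveloper still fails, the problem is in the HTTPS Setup preference rather than in the keystore.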


Follow Up:

One of our developers ran into the following error when trying to copy the schemas locally (after performing the steps above). The error appears as:
Artifact Localizer encountered exception: WSDLException: faultCode=parsing xml error: javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from ipnweb.com - 192.168.20.2 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
To avoid this error, perform the following:

1. Open a command prompt window and run the following commands:
cd C:\dev\jdev11g\jdk160_18\lib\security
set JAVA_HOME=C:\dev\jdev11g\jdk160_18
set PATH=%JAVA_HOME%\bin;%PATH%
keytool -import -keystore cacerts -file IPNWeb-Issuing-CA.crt -storepass welcome1

2. Open the C:\dev\jdev11g\jdk160_18\lib\security folder and double-click on the "IPNWeb-Issuing-CA.crt" file, and accept all defaults.

3. Try again, and the error above should be resolved.


Applicable Versions:
  • Oracle SOA Suite 11g (11.1.1.3)
  • Oracle JDeveloper 11g (11.1.1.3)

References:
  • http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10226/soacompapp_secure.htm#CHDHIBJF
  • http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Comments:

Sten Vesterli said...

Thanks, this info was just what I was looking for.

Anonymous said...

This is what has been looked for online by many, many people.