REG:java.security.cert.CertPathBuilderException: unable to find valid certi
This question is not answered.
Replies: 3 - Pages: 1 - Last Post: Oct 12, 2009 4:52 PM - Last Post By: Barbara_Jensen
REG:java.security.cert.CertPathBuilderException: unable to find valid certi
Posted: Feb 29, 2008 08:27:37 AM
Hi,
I am configuring my web services security with Confidentiality, and the Confidentiality part is a username token. I am configuring all of the Confidentiality part by using trustanchor, Certificate store, keyLocators, KeyInformation and TokenConsumer as X509TokenConsumer, but I am getting the following error:
exception: com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC6521E: Login failed. The exception is : javax.security.auth.login.LoginException: WSEC6662E: Failed to check the cert path of a X509 certificate: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
Can you please help with this?
Re: REG:java.security.cert.CertPathBuilderException: unable to find valid certi
Posted: Apr 30, 2008 10:56:55 AM
in response to: vvreddy's post
Hello Reddy,
Are you able to fix this issue?
I am also getting the same exception.
Can you let me know the solution?
Thanks,
Vali
Re: REG:java.security.cert.CertPathBuilderException: unable to find valid certi
Posted: Jun 12, 2008 07:55:14 AM
in response to: Aadil's post
Hi Reddy,
I too am having the same issue.
Have you found the solution?
Can you help me with this?
Re: REG:java.security.cert.CertPathBuilderException: unable to find valid certi
Posted: Oct 12, 2009 04:52:12 PM
in response to: vvreddy's post
You will only get the "java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target" if you are NOT using 'trust any' on the X509 token consumer.
A CertPathBuilderException is an exception that originates from the java security CertPathBuilder.build method. In this instance, the WS-Security runtime is just bubbling up the exception that occurred in CertPathBuilder.build.
What you need to do is verify that your inbound certificate, trust store contents, and configured intermediate certs conform to the standard for certificate paths. I've attached a diagram of a sample keystore that maps the hierarchy. I displayed the keystore and certificate with the following:
keytool -list -v -keystore dsig-receiver.ks -storepass server
keytool -printcert -v -file intca2.cer
Here is some more valuable information on CertPaths and their sources:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzas.doc/sy10600_.htm
When you receive the certificate for another entity, you might need to use a certificate chain to obtain the root CA certificate. The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. The chain, or path, begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified until the root CA certificate is reached. Figure 1 illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.
http://book.javanb.com/j2ee-security-for-Servlets-ejbs-and-web-services-applying-theory-and-standards/ch04lev1sec5.html
Class CertPath encapsulates a collection of certificates. It represents a certification path, the first element of the path being the target certificate followed by the certificate of its issuer and so on, terminating at the certificate of the root CA. Quite like a Certificate object, a CertPath object can be instantiated by reading a suitably encoded stream of bytes using CertificateFactory engine class. A certification path follows the structure defined by PKCS#7 standard or is an ASN.1 sequence of X.509 certificates. The former is identified by type "PKCS7" and the latter by type "PkiPath".
http://www.cs.duke.edu/csed/java/jdk1.6/api/java/security/cert/CertPath.html
By convention, X.509 CertPaths (consisting of X509Certificates), are ordered starting with the target certificate and ending with a certificate issued by the trust anchor. That is, the issuer of one certificate is the subject of the following one. The certificate representing the TrustAnchor should not be included in the certification path. Unvalidated X.509 CertPaths may not follow these conventions. PKIX CertPathValidators will detect any departure from these conventions that cause the certification path to be invalid and throw a CertPathValidatorException.
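The path check described in the answer above can be reproduced outside the WS-Security runtime. The following is an added example, not part of the original post or of the WebSphere code: it calls CertPathBuilder.build directly with the trust store as the source of trust anchors and the supplied certificate files as the only candidates for the path. The class name CertPathCheck and the command-line layout are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic example (hypothetical class name), not the WS-Security runtime's code.
public class CertPathCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CertPathCheck <truststore> <storepass> <target.cer> [intermediate.cer ...]");
            System.exit(2);
        }
        // Trust store: its trusted certificate entries become the trust anchors.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        // args[2] is the target certificate; any further files are intermediate CA certs.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                certs.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(certs.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, selector);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(certs)));
        params.setRevocationEnabled(false); // diagnostic run only: no CRL or OCSP source is configured
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            for (Certificate c : r.getCertPath().getCertificates()) {
                System.out.println("path: " + ((X509Certificate) c).getSubjectX500Principal());
            }
            System.out.println("anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("no path: " + e.getMessage());
            for (X509Certificate c : certs) { // compare each issuer with the trust store listing
                System.out.println("  " + c.getSubjectX500Principal() + " <- issued by " + c.getIssuerX500Principal());
            }
        }
    }
}
```

Run it with the same files as the keytool commands above, for example `java CertPathCheck dsig-receiver.ks server <target.cer> intca2.cer`, where the target certificate file is whatever certificate the sender presents. If the keystore holds no trusted certificate entries, the PKIXBuilderParameters constructor throws InvalidAlgorithmParameterException before any path building starts.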