Topic
  • 14 replies
  • Latest Post - ‏2010-10-06T17:46:20Z by Vjoshi
SystemAdmin
SystemAdmin
659 Posts

Pinned topic javax.net.ssl.SSLHandshakeException: unknown certificate

‏2005-04-07T09:54:19Z |
Hi,

I am trying to call Web Service which deployed over SSL (using https). But I am getting an error.


SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: unknown certificate; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: unknown certificate
at org.apache.soap.transport.http.SOAPHTTPConnection.send(Unknown Source)
at org.apache.soap.messaging.Message.send(Unknown Source)
at proxy.soap.message.MessageServiceProxy.send(MessageServiceProxy.java:43)
at TestWebService.main(TestWebService.java:13)


First I tried calling the URL using the two lines below, but it didn't work.

theURL = new URL(url);
HttpsURLConnection urlc = (HttpsURLConnection) theURL.openConnection();


Then I wrote the function below and tried that, but I am still getting the same error.

import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// theURL is a field of the enclosing class
private URL theURL;

protected void createSocketConnection(String url) {
    SSLSocketFactory factory = null;
    try {
        Security.addProvider(new com.ibm.jsse.IBMJSSEProvider());
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

        SSLContext ctx;
        KeyManagerFactory kmf;
        KeyStore ks;
        char[] passphrase = "password".toCharArray();
        System.out.println("1");
        ctx = SSLContext.getInstance("SSL");
        System.out.println("1a");
        kmf = KeyManagerFactory.getInstance("IbmX509");
        System.out.println("1b");
        ks = KeyStore.getInstance("JKS");
        System.out.println("2");
        // This key store only supplies the client's own key pair
        ks.load(new FileInputStream("D:\\Program Files\\IBM\\WebSphere\\AppServer\\myWASKeys\\WASWebContainer.jks"), passphrase);
        System.out.println("3");
        kmf.init(ks, passphrase);
        // Second argument null: no trust managers are supplied, so the server
        // certificate is still validated against the JRE's default trust store (cacerts)
        ctx.init(kmf.getKeyManagers(), null, null);

        factory = ctx.getSocketFactory();

        theURL = new URL(url);

        HttpsURLConnection urlc = (HttpsURLConnection) theURL.openConnection();
        urlc.setSSLSocketFactory(factory);
    } catch (Exception e) {
        e.printStackTrace();
    }
}


I am using WAS 5.0 on WAS. Please let me know if you have clue where am I wrong.

Warm Regards,
Samir
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-04-08T05:27:38Z  
    Hi,

    I could resolve the problem.

    I added the client certificates to the cacerts file under the JRE of my WebSphere Studio (WSAD HOME\\Application Developer IE\v5.1.1\eclipse\jre\lib\security).

    Warm Regards,
    Samir
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-05-23T22:03:20Z  
    Hi,

    I could resolve the problem.

    I added the client certificates to the cacerts file under the JRE of my WebSphere Studio (WSAD HOME\\Application Developer IE\v5.1.1\eclipse\jre\lib\security).

    Warm Regards,
    Samir
    Samir, how did you add the client certificate to the cacerts file under the JRE?
    Is there a default password for the cacerts keystore database?
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-05-24T03:40:44Z  
    Samir, how did you add the client certificate to the cacerts file under the JRE?
    Is there a default password for the cacerts keystore database?
    Yes. The default password is 'changeit'.

    You can use the IBM JKS-capable Key Management Tool to open the cacerts file.
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-05-28T08:51:23Z  
    Yes. The default password is 'changeit'.

    You can use the IBM JKS-capable Key Management Tool to open the cacerts file.
    Hi, I have keytool in my folder, and I also have the cacerts file. But can you please explain how to add a cert to the cacerts file, and how to view the cert?

    thanks a lot.
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-05-30T06:11:57Z  
    Hi, I have keytool in my folder, and I also have the cacerts file. But can you please explain how to add a cert to the cacerts file, and how to view the cert?

    thanks a lot.
    Hi,

    Please refer below IBM Redbook for information
    IBM WebSphere V5.0 Security: WebSphere Handbook Series
    http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg246573.pdf
    Topic 10.11
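The question above asks how to add a certificate to the cacerts file and how to view what is in it. As an added example (not from this thread or from the Redbook), the following Java program does through the KeyStore API what `keytool -importcert` and `keytool -list -v` do on the command line; the trust store path, its password (the default 'changeit' mentioned earlier in the thread), the alias and the certificate file are taken from the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Imports an X.509 certificate into a JKS trust store (such as the JRE's cacerts) and lists its entries. */
public class TrustStoreImport {
    /** Load an existing JKS store, or start an empty one if the file does not exist yet. */
    static KeyStore loadTrustStore(Path path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(path)) {
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, password);           // wrong password -> IOException (integrity check fails)
            }
        } else {
            ks.load(null, null);                 // new, empty store
        }
        return ks;
    }

    /** Add a DER- or PEM-encoded certificate as a trusted entry under the alias (like keytool -importcert). */
    static X509Certificate importTrustedCert(KeyStore ks, String alias, Path certFile)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        cert.checkValidity();                    // refuse to trust an expired or not-yet-valid certificate
        ks.setCertificateEntry(alias, cert);     // trusted-certificate entry; no private key involved
        return cert;
    }

    /** Print alias, subject, issuer and validity of every trusted certificate (like keytool -list -v). */
    static void listTrustedCerts(KeyStore ks) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;   // skip private-key entries
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s%n  subject: %s%n  issuer:  %s%n  valid:   %s to %s%n",
                    alias, c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                    c.getNotBefore(), c.getNotAfter());
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java TrustStoreImport <truststore.jks> <storepass> <alias> <cert.cer>
        Path store = Paths.get(args[0]);
        char[] pass = args[1].toCharArray();
        KeyStore ks = loadTrustStore(store, pass);
        X509Certificate cert = importTrustedCert(ks, args[2], Paths.get(args[3]));
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, pass);                 // write the updated store back to disk
        }
        System.out.println("Imported " + cert.getSubjectX500Principal());
        listTrustedCerts(ks);
    }
}
```

Importing into a copy of cacerts and pointing javax.net.ssl.trustStore at that copy keeps the change from being lost when the JRE is replaced.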
  • Marreddy
    Marreddy
    1 Post

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-07-09T02:29:25Z  
    Hi,

    I could resolve the problem.

    I added client certificates in cacerts file under jre of my WebSphere Studio(WSAD HOME\\Application Developer IE\v5.1.1\eclipse\jre\lib\security).

    Warm Regards,
    Samir
    Hi,

    I am using WSAD 5.1.2; when I tried to access the web services using https I am getting the following exception:
    javax.net.ssl.SSLHandshakeException: unknown certificate
    at com.ibm.ws.webservices.engine.WebServicesFault.makeFault(WebServicesFault.java:150)
    at com.ibm.ws.webservices.engine.transport.http.HTTPSender.invoke(HTTPSender.java:200)
    at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:212)
    at com.ibm.ws.webservices.engine.WebServicesEngine.invoke(WebServicesEngine.java:255)
    at com.ibm.ws.webservices.engine.client.Connection.invokeEngine(Connection.java:685)
    at com.ibm.ws.webservices.engine.client.Connection.invoke(Connection.java:611)
    at com.ibm.ws.webservices.engine.client.Connection.invoke(Connection.java:441)
    at com.ibm.ws.webservices.engine.client.Stub$Invoke.invoke(Stub.java:662)
    at test.HelloImplSoapBindingStub.sayHello(HelloImplSoapBindingStub.java:88)

    Could any of you please let me know how to generate and add the certificates.

    Thanks
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-07-11T06:07:16Z  
    • Marreddy
    • ‏2005-07-09T02:29:25Z
    Hi,

    I am using WSAD 5.1.2; when I tried to access the web services using https I am getting the following exception:
    javax.net.ssl.SSLHandshakeException: unknown certificate
    at com.ibm.ws.webservices.engine.WebServicesFault.makeFault(WebServicesFault.java:150)
    at com.ibm.ws.webservices.engine.transport.http.HTTPSender.invoke(HTTPSender.java:200)
    at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:212)
    at com.ibm.ws.webservices.engine.WebServicesEngine.invoke(WebServicesEngine.java:255)
    at com.ibm.ws.webservices.engine.client.Connection.invokeEngine(Connection.java:685)
    at com.ibm.ws.webservices.engine.client.Connection.invoke(Connection.java:611)
    at com.ibm.ws.webservices.engine.client.Connection.invoke(Connection.java:441)
    at com.ibm.ws.webservices.engine.client.Stub$Invoke.invoke(Stub.java:662)
    at test.HelloImplSoapBindingStub.sayHello(HelloImplSoapBindingStub.java:88)

    Could any of you please let me know how to generate and add the certificates.

    Thanks
    Hi,

    To create certificates, please follow the steps defined in below redbook.

    IBM WebSphere V5.0 Security: WebSphere Handbook Series
    http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg246573.pdf
    Topic 10.11

    Once you are done with the creation of certs and configuration of WAS, add the client certificates to the cacerts file under the JRE that you are using. Generally in WSAD it is under WSAD HOME\\Application Developer IE\v5.1.1\eclipse\jre\lib\security.

    Basically, at runtime your JVM looks for the certificates in the cacerts file. If it cannot find them there, it gives the 'unknown certificate' error.

    Regards,
    Samir
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-07-12T19:01:32Z  
    Hi,

    To create certificates, please follow the steps defined in below redbook.

    IBM WebSphere V5.0 Security: WebSphere Handbook Series
    http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg246573.pdf
    Topic 10.11

    Once you are done with the creation of certs and configuration of WAS, add the client certificates to the cacerts file under the JRE that you are using. Generally in WSAD it is under WSAD HOME\\Application Developer IE\v5.1.1\eclipse\jre\lib\security.

    Basically, at runtime your JVM looks for the certificates in the cacerts file. If it cannot find them there, it gives the 'unknown certificate' error.

    Regards,
    Samir
    In the documentation, there is mention of implementing a SocketFactory for adding certs at runtime. How do you do this? Our team is not able to add the certs we need to the default client certs library and would like to know how to use an alternate one. Thank you.

    steve
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-07-12T20:15:53Z  
    Here is what needs to be done. It works for WAS 4.0.7 so I know it works for WAD5.X

    -Basically you need to fool WAS to not use IBMJSSE and USE SUNJSSE

    Jakarta Commons HttpClient 3.0-rc3 is needed and can be downloaded from (http://jakarta.apache.org/commons/httpclient/)

    EMail me if you need more help: (vilakshan@gmail.com)

    Here are the three Magic files:
    ********************************
    package com.test;

    import java.io.IOException;
    import java.net.InetAddress;
    import java.net.Socket;
    import java.net.UnknownHostException;
    import java.security.Security;

    import org.apache.commons.httpclient.ConnectTimeoutException;
    import org.apache.commons.httpclient.HttpClientError;
    import org.apache.commons.httpclient.params.HttpConnectionParams;
    import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

    import com.sun.net.ssl.KeyManager;
    import com.sun.net.ssl.SSLContext;
    import com.sun.net.ssl.TrustManager;
    import com.sun.net.ssl.X509TrustManager;

    /**
     * HttpClient socket factory that builds its SSLContext from SunJSSE
     * (instead of IBMJSSE) and delegates all trust decisions to CustomX509TrustManager.
     * @author vjakhu
     * Created Jun 27, 2005
     */
    public class CustomSSLProtocolSocketFactory implements ProtocolSocketFactory {

        private SSLContext sslcontext = null;

        public CustomSSLProtocolSocketFactory() {
            super();
        }

        private static SSLContext createEasySSLContext() {
            System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            X509TrustManager tm = new CustomX509TrustManager();
            KeyManager[] km = null;            // no client certificate is presented
            SSLContext sslContext = null;
            TrustManager[] tma = { tm };
            try {
                sslContext = SSLContext.getInstance("SSLv3", "SunJSSE");
                sslContext.init(km, tma, new java.security.SecureRandom());
            } catch (Exception e) {
                System.out.println(e.toString());
                throw new HttpClientError(e.toString());
            }
            return sslContext;
        }

        private SSLContext getSSLContext() {
            if (this.sslcontext == null) {
                this.sslcontext = createEasySSLContext();
            }
            return this.sslcontext;
        }

        public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
                throws IOException, UnknownHostException {
            return getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
        }

        public Socket createSocket(final String host, final int port, final InetAddress localAddress,
                final int localPort, final HttpConnectionParams params)
                throws IOException, UnknownHostException, ConnectTimeoutException {
            if (params == null) {
                throw new IllegalArgumentException("Parameters may not be null");
            }
            int timeout = params.getConnectionTimeout();
            if (timeout == 0) {
                return createSocket(host, port, localAddress, localPort);
            } else {
                // To be eventually deprecated when migrated to Java 1.4 or above
                return org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory.createSocket(
                        this, host, port, localAddress, localPort, timeout);
            }
        }

        public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
            return getSSLContext().getSocketFactory().createSocket(host, port);
        }

        public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
                throws IOException, UnknownHostException {
            return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
        }

        public boolean equals(Object obj) {
            return ((obj != null) && obj.getClass().equals(CustomSSLProtocolSocketFactory.class));
        }

        public int hashCode() {
            return CustomSSLProtocolSocketFactory.class.hashCode();
        }
    }
    ***************************
    package com.test;

    import java.security.cert.X509Certificate;

    import com.sun.net.ssl.X509TrustManager;

    /**
     * Trust manager that accepts every certificate chain without checking it.
     * With this in place the client does not authenticate the server at all:
     * any certificate, from any host, passes.
     * @author vjakhu
     * Created Jun 27, 2005
     */
    public class CustomX509TrustManager implements X509TrustManager {

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public boolean isClientTrusted(X509Certificate[] chain) {
            return true;
        }

        public boolean isServerTrusted(X509Certificate[] chain) {
            return true;
        }
    }
    ***************************
    package com.test;

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;

    import javax.net.ssl.SSLException;
    import javax.xml.bind.JAXBException;

    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.HttpMethod;
    import org.apache.commons.httpclient.HttpMethodRetryHandler;
    import org.apache.commons.httpclient.NoHttpResponseException;
    import org.apache.commons.httpclient.methods.PostMethod;
    import org.apache.commons.httpclient.methods.StringRequestEntity;
    import org.apache.commons.httpclient.params.HttpMethodParams;
    import org.apache.commons.httpclient.protocol.Protocol;

    public class temp {

        /**
         * @param args
         */
        public static void main(String[] args) {
        }

        public String placeCall() throws SSLException, JAXBException, IOException, Exception {
            // Route every https URL in this JVM through the custom socket factory
            Protocol.registerProtocol("https", new Protocol("https", new CustomSSLProtocolSocketFactory(), 443));
            PostMethod post = new PostMethod("****URL GOES HERE****");
            post.setRequestHeader("Content-type", "text/xml; charset=ISO-8859-1");
            post.setRequestHeader("User-Agent", "******User-Agent Goes here**************");
            HttpClient httpclient = new HttpClient();
            StringBuffer sb = new StringBuffer(24576);
            HttpMethodRetryHandler myretryhandler = new HttpMethodRetryHandler() {
                public boolean retryMethod(final HttpMethod method, final IOException exception, int executionCount) {
                    if (executionCount >= 5) {
                        // Do not retry if over max retry count
                        return false;
                    }
                    if (exception instanceof NoHttpResponseException) {
                        // Retry if the server dropped connection on us
                        return true;
                    }
                    if (!method.isRequestSent()) {
                        // Retry if the request has not been sent fully or
                        // if it's OK to retry methods that have been sent
                        return true;
                    }
                    // otherwise do not retry
                    return false;
                }
            };
            post.getParams().setParameter(HttpMethodParams.RETRY_HANDLER, myretryhandler);
            try {
                post.setRequestEntity(new StringRequestEntity("REQUEST MESSAGE"));
                int result = httpclient.executeMethod(post);
                System.out.println("Response=" + result);
                // Read the whole response body into the buffer
                BufferedReader br = new BufferedReader(new InputStreamReader(post.getResponseBodyAsStream()));
                String line = null;
                for (; (line = br.readLine()) != null;) {
                    sb.append(line);
                }
                return (sb.toString());
            } finally {
                post.releaseConnection();
            }
        }
    }
    *****************************************
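The CustomX509TrustManager above returns true for every chain, so the client never authenticates the server: the error goes away because the check is removed, not because the right certificate is trusted. As an added example (not code from this post, from HttpClient or from IBM), here is the alternate trust store Steve asked about, written against the javax.net.ssl API of Java 1.4 and later: the factory validates the server chain against one chosen JKS file and is set on a single HttpsURLConnection, so neither cacerts nor the JVM-wide default has to change; the URL, trust store path and password are command-line arguments.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** HTTPS client whose server-certificate validation is bound to one chosen JKS trust store. */
public class TrustStoreBoundClient {

    /** Build a socket factory that trusts only the CA/server certificates in trustStorePath. */
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] trustStorePass)
            throws GeneralSecurityException, IOException {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trust.load(in, trustStorePass);
        }
        // A PKIX trust manager over exactly this store. Passing null to ctx.init() instead
        // (as the first post does) falls back to the JRE's cacerts, hence "unknown certificate".
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key pair: server authentication only
        return ctx.getSocketFactory();
    }

    /** POST a SOAP envelope over HTTPS with the given factory; the default hostname verifier stays in place. */
    static String post(String url, String soapBody, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(factory);              // per connection; the JVM-wide default is untouched
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=ISO-8859-1");
        try (OutputStream out = conn.getOutputStream()) {   // connect + TLS handshake happen here
            out.write(soapBody.getBytes(StandardCharsets.ISO_8859_1));
        }
        int status = conn.getResponseCode();
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (body == null) {
            return "HTTP " + status;                    // error response without a body
        }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        try (InputStream in = body) {
            for (int n; (n = in.read(chunk)) > 0; ) {
                buf.write(chunk, 0, n);
            }
        }
        return "HTTP " + status + "\n" + new String(buf.toByteArray(), StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java TrustStoreBoundClient <https-url> <truststore.jks> <storepass>
        SSLSocketFactory factory = socketFactoryFor(args[1], args[2].toCharArray());
        System.out.println(post(args[0], "<!-- SOAP request envelope goes here -->", factory));
    }
}
```

A server whose certificate is not in the chosen store still fails the handshake, which is the behaviour you want; only the certificate (or its issuing CA) you have deliberately imported is accepted.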
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2005-08-18T18:45:58Z  
    Hi,

    To create certificates, please follow the steps defined in below redbook.

    IBM WebSphere V5.0 Security: WebSphere Handbook Series
    http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg246573.pdf
    Topic 10.11

    Once you are done with the creation of certs and configuration of WAS, add the client certificates to the cacerts file under the JRE that you are using. Generally in WSAD it is under WSAD HOME\\Application Developer IE\v5.1.1\eclipse\jre\lib\security.

    Basically, at runtime your JVM looks for the certificates in the cacerts file. If it cannot find them there, it gives the 'unknown certificate' error.

    Regards,
    Samir
    Samir, what does the WAS configuration entail? Is there documentation somewhere that shows me how to configure WAS 5.0? The reason I am asking is that I have done everything that you recommended and I am still getting the error.
    Thanks.
    Jeff
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2006-08-09T06:56:36Z  
    Hi, I have keytool in my folder, and I also have the cacerts file. But can you please explain how to add a cert to the cacerts file, and how to view the cert?

    thanks a lot.
    Hi All,

    Here is yet another way of solving the problem.
    If you want to create your own certificate and JKS then you just have to configure the server and client accordingly.

    Explained below is the procedure for the default configuration.

    Steps to be done to solve the problem:

    1) Check the server Configuration -> Security -> SSL Config.
    The default setting in WSAD v5.1 is localhost/DefaultSSLSettings.
    This uses DummyServerKeyFile.jks and DummyServerTrustFile.jks.
    So what we want is DummyClientTrustFile.jks.
    Search and you can find it in some WSAD directories.

    So now you have DummyClientTrustFile.jks; you can open it using the iKeyman tool to find what certificates are registered in this file.
    You can find the WebSphere dummy client and dummy server.

    The password for this file is WebAS.

    Now you have all the info.
    Time to do some coding.

    Client for calling HTTPS web services:

    String strKeyStorePath = "D:\\Program Files\\IBM\\WebSphere Studio\\Application Developer\\v5.1.1\\runtimes\\base_v51_stub\\etc\\DummyClientTrustFile.jks";

    // Path where your jks file is
    System.setProperty("javax.net.ssl.trustStore", strKeyStorePath);

    // Password of the trust store (the property JSSE reads is javax.net.ssl.trustStorePassword)
    System.setProperty("javax.net.ssl.trustStorePassword", "WebAS");

    java.security.Security.addProvider(new com.ibm.jsse.IBMJSSEProvider());

    System.setProperty("java.protocol.handler.pkgs", "com.ibm.net.ssl.internal.www.protocol");

    Now you can call any https web service; it should work.

    Include the ibmjsse.jar file (this should be present in your WSAD directory).

    Have a nice time.
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2007-09-17T23:57:31Z  
    Hi All,

    Here is yet another way of solving the problem.
    If you want to create your own certificate and JKS then you just have to configure the server and client accordingly.

    Explained below is the procedure for the default configuration.

    Steps to be done to solve the problem:

    1) Check the server Configuration -> Security -> SSL Config.
    The default setting in WSAD v5.1 is localhost/DefaultSSLSettings.
    This uses DummyServerKeyFile.jks and DummyServerTrustFile.jks.
    So what we want is DummyClientTrustFile.jks.
    Search and you can find it in some WSAD directories.

    So now you have DummyClientTrustFile.jks; you can open it using the iKeyman tool to find what certificates are registered in this file.
    You can find the WebSphere dummy client and dummy server.

    The password for this file is WebAS.

    Now you have all the info.
    Time to do some coding.

    Client for calling HTTPS web services:

    String strKeyStorePath = "D:\\Program Files\\IBM\\WebSphere Studio\\Application Developer\\v5.1.1\\runtimes\\base_v51_stub\\etc\\DummyClientTrustFile.jks";

    // Path where your jks file is
    System.setProperty("javax.net.ssl.trustStore", strKeyStorePath);

    // Password of the trust store (the property JSSE reads is javax.net.ssl.trustStorePassword)
    System.setProperty("javax.net.ssl.trustStorePassword", "WebAS");

    java.security.Security.addProvider(new com.ibm.jsse.IBMJSSEProvider());

    System.setProperty("java.protocol.handler.pkgs", "com.ibm.net.ssl.internal.www.protocol");

    Now you can call any https web service; it should work.

    Include the ibmjsse.jar file (this should be present in your WSAD directory).

    Have a nice time.
    I was able to resolve this with the steps above. It works fine on my local PC.
    But when I moved to a Unix box it still throws the same error: javax.net.ssl.SSLHandshakeException: unknown certificate

    I have added the certificate to the jks file by importing the jks from the UNIX server to my local machine and editing it using the ikeyman utility.

    Should I update the jks on the server itself, or am I missing something here?
  • SystemAdmin
    SystemAdmin
    659 Posts

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2008-04-22T01:31:14Z  
    I was able to resolve this with the steps above. It works fine on my local PC.
    But when I moved to a Unix box it still throws the same error: javax.net.ssl.SSLHandshakeException: unknown certificate

    I have added the certificate to the jks file by importing the jks from the UNIX server to my local machine and editing it using the ikeyman utility.

    Should I update the jks on the server itself, or am I missing something here?
    Did you get the issue resolved on your Unix box??
  • Vjoshi
    Vjoshi
    1 Post

    Re: javax.net.ssl.SSLHandshakeException: unknown certificate

    ‏2010-10-06T17:46:20Z  
    Did you get the issue resolved on your Unix box??
    On the Unix box the cacerts file would be under the following path: /app/WebSphere/AppServer/java/jre/lib/security

    Import the certificate into cacerts under this path and the issue should be resolved.