3 replies Latest Post - ‏2009-10-12T20:52:12Z by Barbara_Jensen
SystemAdmin

Pinned topic REG:java.security.cert.CertPathBuilderException: unable to find valid certi

‏2008-02-29T13:27:37Z |
Hi,
I am configuring my web services security with Confidentiality, and the Confidentiality part is username token. I am configuring all of the Confidentiality part by using trust anchor, certificate store, key locators, key information and TokenConsumer as X509TokenConsumer, but I am getting the following error:
exception: com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC6521E: Login failed. The exception is : javax.security.auth.login.LoginException: WSEC6662E: Failed to check the cert path of a X509 certificate: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target

Can you please help on this?
  • SystemAdmin

    Re: REG:java.security.cert.CertPathBuilderException: unable to find valid certi

    ‏2008-04-30T14:56:55Z  in response to SystemAdmin
    Hello Reddy,

    Are you able to fix this issue?
    I am also getting the same exception.
    Can you let me know the solution?

    Thanks,
    Vali
    • SystemAdmin

      Re: REG:java.security.cert.CertPathBuilderException: unable to find valid certi

      ‏2008-06-12T11:55:14Z  in response to SystemAdmin
      Hi Reddy,

      I too am having the same issue.

      Have you found the solution?
      Can you help me on this?
  • Barbara_Jensen

    Re: REG:java.security.cert.CertPathBuilderException: unable to find valid certi

    ‏2009-10-12T20:52:12Z  in response to SystemAdmin
    You will only get the "java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target" if you are NOT using 'trust any' on the X509 token consumer.

    A CertPathBuilderException is an exception that originates from the Java security CertPathBuilder.build method. In this instance, the WS-Security runtime is just bubbling up the exception that occurred in CertPathBuilder.build.

    What you need to do is verify that your inbound certificate, trust store contents, and configured intermediate certs conform to the standard for certificate paths. I've attached a diagram of a sample keystore that maps the hierarchy. I displayed the keystore and certificate with the following:

    keytool -list -v -keystore dsig-receiver.ks -storepass server
    keytool -printcert -v -file intca2.cer

    Here is some more valuable information on CertPaths and their sources:

    http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzas.doc/sy10600_.htm

    When you receive the certificate for another entity, you might need to use a certificate chain to obtain the root CA certificate. The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. The chain, or path, begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified until the root CA certificate is reached. Figure 1 illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.

    http://book.javanb.com/j2ee-security-for-Servlets-ejbs-and-web-services-applying-theory-and-standards/ch04lev1sec5.html

    Class CertPath encapsulates a collection of certificates. It represents a certification path, the first element of the path being the target certificate followed by the certificate of its issuer and so on, terminating at the certificate of the root CA. Quite like a Certificate object, a CertPath object can be instantiated by reading a suitably encoded stream of bytes using CertificateFactory engine class. A certification path follows the structure defined by PKCS#7 standard or is an ASN.1 sequence of X.509 certificates. The former is identified by type "PKCS7" and the latter by type "PkiPath".

    http://www.cs.duke.edu/csed/java/jdk1.6/api/java/security/cert/CertPath.html

    By convention, X.509 CertPaths (consisting of X509Certificates), are ordered starting with the target certificate and ending with a certificate issued by the trust anchor. That is, the issuer of one certificate is the subject of the following one. The certificate representing the TrustAnchor should not be included in the certification path. Unvalidated X.509 CertPaths may not follow these conventions. PKIX CertPathValidators will detect any departure from these conventions that cause the certification path to be invalid and throw a CertPathValidatorException.
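
As an added example (not part of the original post and not WebSphere's own code), this stand-alone Java program repeats the CertPathBuilder.build call against a trust store and an inbound certificate and, when no path is found, prints the target's issuer beside the trusted subjects so the missing link is visible. The class name CertPathCheck and its argument order are assumptions, and revocation checking is switched off for the diagnosis.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, hypothetical class name. Usage:
//   java CertPathCheck <truststore> <storepass> <target.cer> [intermediate.cer ...]
public class CertPathCheck {
    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Assumption: the store is in the JVM's default keystore format
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        X509Certificate target = load(cf, args[2]);
        // Pool the builder searches for the target and any intermediate issuers
        List<Certificate> pool = new ArrayList<>();
        pool.add(target);
        for (int i = 3; i < args.length; i++) pool.add(load(cf, args[i]));
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        // Trust anchors are the trusted-certificate entries of the keystore
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, selector);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured
        try {
            PKIXCertPathBuilderResult r =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            for (Certificate c : r.getCertPath().getCertificates())
                System.out.println("path:   " + ((X509Certificate) c).getSubjectX500Principal());
            System.out.println("anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("no path: " + e.getMessage());
            System.out.println("target issuer:   " + target.getIssuerX500Principal());
            for (String alias : Collections.list(trust.aliases()))
                if (trust.isCertificateEntry(alias))
                    System.out.println("trusted subject: "
                        + ((X509Certificate) trust.getCertificate(alias)).getSubjectX500Principal());
        }
    }
}
```

If the target's issuer matches neither a trusted subject nor the subject of a supplied intermediate, the chain is broken at that point and the missing issuer certificate has to be added to the trust store or the intermediate certificate store.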