I am configuring my web services security with Confidentiality, and the Confidentiality part is a username token. I am configuring all of the Confidentiality part by using a trust anchor, certificate store, key locators, key information and a TokenConsumer as X509TokenConsumer, but I am getting the following error:
exception: com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC6521E: Login failed. The exception is : javax.security.auth.login.LoginException: WSEC6662E: Failed to check the cert path of a X509 certificate: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
Can you please help with this?
3 replies Latest Post - 2009-10-12T20:52:12Z by Barbara_Jensen
Pinned topic REG:java.security.cert.CertPathBuilderException: unable to find valid certi
Updated on 2009-10-12T20:52:12Z at 2009-10-12T20:52:12Z by Barbara_Jensen
Barbara_Jensen 110000MH114 Posts, ACCEPTED ANSWER
Re: REG:java.security.cert.CertPathBuilderException: unable to find valid certi
2009-10-12T20:52:12Z, in response to SystemAdmin
You will only get the "java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target" if you are NOT using 'trust any' on the X509 token consumer.
A CertPathBuilderException is an exception that originates from the Java security CertPathBuilder.build method. In this instance, the WS-Security runtime is just bubbling up the exception that occurred in CertPathBuilder.build.
What you need to do is verify that your inbound certificate, trust store contents, and configured intermediate certs conform to the standard for certificate paths. I've attached a diagram of a sample keystore that maps the hierarchy. I displayed the keystore and certificate with the following:
keytool -list -v -keystore dsig-receiver.ks -storepass server
keytool -printcert -v -file intca2.cer
Here is some more valuable information on CertPaths and their sources:
When you receive the certificate for another entity, you might need to use a certificate chain to obtain the root CA certificate. The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. The chain, or path, begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified until the root CA certificate is reached. Figure 1 illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.
Class CertPath encapsulates a collection of certificates. It represents a certification path, the first element of the path being the target certificate, followed by the certificate of its issuer and so on, terminating at the certificate of the root CA. Quite like a Certificate object, a CertPath object can be instantiated by reading a suitably encoded stream of bytes using the CertificateFactory engine class. A certification path follows the structure defined by the PKCS#7 standard or is an ASN.1 sequence of X.509 certificates. The former is identified by type "PKCS7" and the latter by type "PkiPath".
By convention, X.509 CertPaths (consisting of X509Certificates) are ordered starting with the target certificate and ending with a certificate issued by the trust anchor. That is, the issuer of one certificate is the subject of the following one. The certificate representing the TrustAnchor should not be included in the certification path. Unvalidated X.509 CertPaths may not follow these conventions. PKIX CertPathValidators will detect any departure from these conventions that causes the certification path to be invalid and throw a CertPathValidatorException.
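The check described in this answer can be reproduced outside WebSphere with the same JDK classes the WS-Security runtime calls, which makes it much easier to see which link of the chain is missing. The following program is an added example and is not part of the thread or of the WebSphere product code: it takes the trust anchor keystore (the post's dsig-receiver.ks with store password server), the certificate carried in the inbound X.509 token, and any intermediate CA certificates (the post's intca2.cer), and runs CertPathBuilder.build with PKIX parameters built the way the answer describes. The file name inbound-signer.cer and the class name CertPathCheck are assumptions; the keystore type is assumed to be the JDK default (JKS on a Sun/IBM JDK of that era).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Stand-alone reproduction of the path check WS-Security delegates to
 * CertPathBuilder.build(): trust anchors come from the trusted-certificate
 * entries of a keystore, the inbound signer certificate is the target, and
 * intermediate CA certificates are offered through a Collection CertStore.
 *
 * Usage (inbound-signer.cer is an assumed file name; the others are from the post):
 *   java CertPathCheck dsig-receiver.ks server inbound-signer.cer intca2.cer [more.cer ...]
 */
public class CertPathCheck {

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Prints subject/issuer of every candidate so a broken issuer->subject link is visible. */
    static void dumpCandidates(List<X509Certificate> certs) {
        for (X509Certificate c : certs) {
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.println("  subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer : " + c.getIssuerX500Principal()
                    + (selfSigned ? "  (self-signed: belongs in the trust anchor store, not the path)" : ""));
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CertPathCheck <keystore> <storepass> <inbound.cer> [intermediate.cer ...]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Trust anchors: the WS-Security trust anchor keystore (dsig-receiver.ks in the post).
        // Assumed to be the JDK default type; change to "PKCS12" if your store is one.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream ksIn = new FileInputStream(args[0]);
        try {
            trustStore.load(ksIn, args[1].toCharArray());
        } finally {
            ksIn.close();
        }

        // Target: the certificate carried in the inbound X.509 token.
        X509Certificate inbound = loadCert(cf, args[2]);
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(inbound);

        // Intermediates: the WS-Security certificate store (e.g. intca2.cer), plus the target itself.
        List<X509Certificate> candidates = new ArrayList<X509Certificate>();
        candidates.add(inbound);
        for (int i = 3; i < args.length; i++) {
            candidates.add(loadCert(cf, args[i]));
        }

        // Only TrustedCertificateEntry entries of the keystore become trust anchors here.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        params.setRevocationEnabled(false); // revocation is a separate check from path building

        try {
            PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            CertPath path = result.getCertPath();
            System.out.println("Path built (" + path.getCertificates().size() + " cert(s)), anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            for (Certificate c : path.getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            // This is the exception WSEC6662E wraps; show what the builder had to work with.
            System.out.println("CertPathBuilderException: " + e.getMessage());
            System.out.println("Candidates offered to the builder:");
            dumpCandidates(candidates);
            System.out.println("Trust anchors (trusted-cert entries) in " + args[0] + ":");
            for (Enumeration<String> en = trustStore.aliases(); en.hasMoreElements();) {
                String alias = en.nextElement();
                if (trustStore.isCertificateEntry(alias)) {
                    X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
                    System.out.println("  " + alias + ": " + c.getSubjectX500Principal());
                }
            }
            System.exit(1);
        }
    }
}
```

Read the failure dump from the bottom up: the issuer DN printed for the last candidate should appear as the subject DN of a trusted-certificate entry in the keystore; every other candidate's issuer should appear as the subject of another candidate. A gap in that issuer-to-subject sequence, or a root that is present only as a key entry rather than a trusted-certificate entry, is what produces "unable to find valid certification path to requested target".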