Thursday, December 18, 2008

Running Axis WSDL2Java on HTTPS WSDL

If you get an SSL-related exception such as “javax.net.ssl.SSLHandshakeException: … unable to find valid certification path to requested target” while running WSDL2Java against an HTTPS WSDL (a URL with the HTTPS protocol), you have to add the certificate of the host in your URL to Java’s keystore.

The above exception might occur only when you use the WSDL URL (e.g. https://myhost.com:443/TestWS/Test.wsdl) to generate the Java files with the Axis WSDL2Java ant tasks. The easiest option is to download the WSDL to your local file system and generate the Java files from that copy with WSDL2Java. However, to run the client in standalone mode, you still need to add the certificate to the JRE’s keystore.

Follow the steps given below to import the certificate into the JRE's keystore. First, we need to export the certificate from the browser to a file.

If you are using IE, here is how you can do so:
  1. Open the URL with the https protocol (for example, the service WSDL location, such as https://foo.com/bar?wsdl) in the browser.
  2. Internet explorer will prompt a security alert. Select the "View Certificate" button.
  3. Navigate to the tab "Details". Select the "Copy to File.." button.
  4. Certificate Export Wizard will be displayed. Select "NEXT" button.
  5. The option "DER encoded binary X.509 (.CER)" will be selected by default. Select "Next".
  6. Place the file where it suits you better.
  7. Select "Next". The "Completing Certificate Export Wizard" will be displayed. Select "Finish". There will be a pop-up saying "The export was successful".
If you are using Mozilla Firefox,
  1. Open the URL in the browser. Click on the lock icon in the bottom right-hand corner of the browser window's status bar.
  2. Click on "View Certificate". Go to the ‘Details’ tab in the dialog that opens.
  3. Click on Export button to save the file.
  4. Place the file where it suits you better.

Following are the steps to import the certificate signature to JRE keystore:
  1. Move the certificate file to your %JAVA_HOME%/jre/lib/security folder.
  2. In ant you can use the command ant -diagnostics to find the Java installation folder; it is reported as the java.home system property.
  3. Make a backup copy of file named “cacerts” (the keystore) which is under %JAVA_HOME%/jre/lib/security.
  4. Open a command prompt and change directory (cd) to %JAVA_HOME%/jre/lib/security.
  5. Run following command:
  6. keytool -importcert -trustcacerts -keystore cacerts -storepass changeit -alias "<aliasname>" -file <cert file>
  7. Type in ‘yes’. (prompt appears for untrusted certificates)
  8. Run following command to verify:
  9. keytool -keystore cacerts -storepass changeit -list -alias "<aliasname>"

After importing the certificate to the keystore, if you are getting the exception with the message “CertificateException: No name matching <host name> found” when you are running the Axis WSDL2Java ant task, make sure that you give the same alias name as the common name (CN) of the certificate while adding the cert to the keystore. Also make sure that the WSDL URL's host name matches the certificate’s CN. In this case, the certificate CN, the alias and the hostname in the WSDL should all match.
To find the CN of the certificate, see the details of the certificate in the browser or use the keytool -list command given in step 9 above. The text in the first line before the first comma in the output of the keytool -list command is the CN.

You can delete certificates added to the keystore using the keytool -delete command and add them back with the CN of the certificate as the alias.
Sample command to delete a certificate from the keystore:
JAVA_HOME\jre\lib\security> keytool -delete -keystore cacerts -storepass changeit -alias "<aliasname>"
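
Before importing the exported file, it helps to see which names the certificate actually carries and to record its fingerprint. The following is an added example, not code from the original post: the class name `CheckExportedCert` is hypothetical, it reads the .cer file exported in the steps above, and its name matching is a simplified approximation of Java's host name check rather than the JDK's own verifier.

```java
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
// Usage: java CheckExportedCert <cert file> <host name from the WSDL URL>
public class CheckExportedCert {
    // Names the certificate covers: dNSName (2) and iPAddress (7) SAN entries,
    // falling back to the subject CN when it has none.
    static List<String> names(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null)
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                int type = (Integer) san.get(0);
                if (type == 2 || type == 7) out.add(san.get(1).toString());
            }
        if (out.isEmpty())
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if (rdn.getType().equalsIgnoreCase("CN")) out.add(rdn.getValue().toString());
        return out;
    }

    // Simplified match: exact (case-insensitive) or a "*." wildcard covering one label.
    static boolean matches(String host, String name) {
        int dot = host.indexOf('.');
        return name.equalsIgnoreCase(host) || (name.startsWith("*.") && dot > 0
                && host.substring(dot).equalsIgnoreCase(name.substring(1)));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: <cert file> <host>");
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // throws if expired or not yet valid
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            fp.append(fp.length() > 0 ? ":" : "").append(String.format("%02X", b));
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("SHA-256: " + fp); // compare with a value obtained out of band
        List<String> names = names(cert);
        boolean ok = names.stream().anyMatch(n -> matches(args[1], n));
        System.out.println("Names  : " + names + (ok ? " match " : " do NOT match ") + args[1]);
        System.exit(ok ? 0 : 1);
    }
}
```

The program exits with a non-zero status when none of the certificate's names covers the host, which is the situation behind the “No name matching” and “HTTPS hostname wrong” errors.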

5 comments:

Anonymous said...

the command to import the certificate is :

keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias mycert -file certeduj.cer

praveendk said...

I am working on wsdl2java on https and followed the steps said in the article. Getting the following exception, doesn't make any sense to me. Please let me know if you have any idea.

Caused by: javax.wsdl.WSDLException: WSDLException (at /wsdl:definitions/wsdl:types/s:schema): faultCode=OTHER_ERROR: An error occurred trying to resolve schema referenced at 'https://165.176.38.13:5355/VSB_Public_Services/VSB_Public_Services.asmx?schema=WebNGSSearchData', relative to 'file:/C:/projects/efile/WebContent/VSB_Public_Services.wsdl'.: java.io.IOException: HTTPS hostname wrong: should be <165.176.38.13>

Sarah Hall said...

In order to run the client in standalone mode, we still need to add the certificate to the JRE’s keystore. Thanks for sharing this report with us! Best regards and kindest wishes,

John Alert said...

I have read your blog its very attractive and impressive. I like it your blog.

