Thursday, December 18, 2008

Running Axis WSDL2Java on HTTPS WSDL

If you are getting an SSL-related exception while using WSDL2Java on an HTTPS WSDL (a URL with the https protocol), such as “javax.net.ssl.SSLHandshakeException: … unable to find valid certification path to requested target”, you have to add the certificate of the host in your URL to Java’s keystore.

The above exception occurs only when you use the WSDL URL (e.g. https://myhost.com:443/TestWS/Test.wsdl) to generate the Java files with the Axis WSDL2Java Ant task. The easiest option is to download the WSDL to your local file system and use that copy to generate the Java files with WSDL2Java. However, to run the client in standalone mode, you still need to add the certificate to the JRE’s keystore.

Follow the steps given below to import the certificate into the JRE's keystore. First, we need to export the certificate from the browser to a file.

If you are using IE, here is how you can do so:
  1. Access the URL with the https protocol (for example the service WSDL location, e.g. https://foo.com/bar?wsdl) in the browser.
  2. Internet Explorer will prompt a security alert. Select the "View Certificate" button.
  3. Navigate to the "Details" tab. Select the "Copy to File..." button.
  4. The Certificate Export Wizard will be displayed. Select the "Next" button.
  5. The option "DER encoded binary X.509 (.CER)" will be selected by default. Select "Next".
  6. Place the file where it suits you best.
  7. Select "Next". The "Completing the Certificate Export Wizard" page will be displayed. Select "Finish". There will be a pop-up saying "The export was successful".
If you are using Mozilla Firefox:
  1. Open the URL in the browser. Click on the lock icon in the bottom right-hand corner of the browser window's status bar.
  2. Click on "View Certificate". Go to the ‘Details’ tab in the dialog that opens.
  3. Click on Export button to save the file.
  4. Place the file where it suits you better.

Following are the steps to import the certificate into the JRE keystore:
  1. Move the certificate file to your %JAVA_HOME%/jre/lib/security folder.
  2. If you are not sure which Java installation Ant uses, run ant -diagnostics and look at the java.home system property in its output.
  3. Make a backup copy of the file named “cacerts” (the keystore) under %JAVA_HOME%/jre/lib/security.
  4. Open a command prompt and change directory (cd) to %JAVA_HOME%/jre/lib/security.
  5. Run the following command:
  6. keytool -importcert -trustcacerts -keystore cacerts -storepass changeit -alias "<aliasname>" -file <cert file>
  7. Type ‘yes’ at the prompt (the prompt appears for certificates that are not yet trusted).
  8. Run the following command to verify:
  9. keytool -keystore cacerts -storepass changeit -list -alias "<aliasname>"

After importing the certificate into the keystore, if you get an exception with the message “CertificateException: No name matching <host name> found” when running the Axis WSDL2Java Ant task, make sure that you give the same alias name as the common name (CN) of the certificate while adding the cert to the keystore. Also make sure that the host name in the WSDL URL matches the certificate’s CN. In this case the certificate CN, the alias and the host name in the WSDL URL should all match.
To find the CN of the certificate, see the details of the certificate in the browser or use the keytool -list command given in step 9 above. The text before the first comma in the first line of the keytool -list output is the CN.
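The following diagnostic program is an added example and is not part of the original post or of Axis. It loads the JRE's cacerts keystore, reads the certificate file exported from the browser, reports the alias under which an identical certificate is already stored (null if the import in step 6 has not happened yet), prints the subject CN and the DNS names from the Subject Alternative Name extension, compares the WSDL URL's host against them the way the JSSE name check behind “No name matching <host> found” does, and finally attempts a TLS handshake to the WSDL URL using only that truststore so that the “unable to find valid certification path” case can be reproduced outside Ant. The file name exported-host.cer, the URL https://myhost.com:443/TestWS/Test.wsdl and the password changeit are assumed placeholders; the wildcard handling is a simplified version of the real rule.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {

    // java.home is the JRE directory on Java 8 and older (i.e. JAVA_HOME/jre) and the JDK
    // directory on newer releases; in both cases cacerts lives under lib/security.
    static KeyStore loadCacerts(String javaHome, String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(javaHome + "/lib/security/cacerts")) {
            ks.load(in, storePass.toCharArray());
        }
        return ks;
    }

    // Reads the DER (.cer) file exported from the browser; PEM is accepted as well.
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // The subject CN, the same value keytool -list prints before the first comma.
    static String subjectCN(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        }
        return null;
    }

    // DNS entries of the Subject Alternative Name extension (GeneralName type 2 = dNSName).
    static List<String> sanDnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                if ((Integer) entry.get(0) == 2) names.add((String) entry.get(1));
            }
        }
        return names;
    }

    // Host must equal a SAN dNSName (a leading "*." covers exactly one label) or, when the
    // certificate carries no SAN at all, the CN. Simplified from the JSSE HostnameChecker rule.
    static boolean hostMatches(String host, X509Certificate cert) throws Exception {
        List<String> sans = sanDnsNames(cert);
        List<String> candidates = sans.isEmpty() ? Collections.singletonList(subjectCN(cert)) : sans;
        for (String name : candidates) {
            if (name == null) continue;
            if (name.equalsIgnoreCase(host)) return true;
            int dot = host.indexOf('.');
            if (name.startsWith("*.") && dot > 0
                    && host.substring(dot + 1).equalsIgnoreCase(name.substring(2))) return true;
        }
        return false;
    }

    // Performs the handshake with a trust manager built from the given keystore only; an
    // SSLHandshakeException here is the same failure WSDL2Java reports from inside Ant.
    static int probe(URL wsdlUrl, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) wsdlUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders; override them on the command line.
        String certFile = args.length > 0 ? args[0] : "exported-host.cer";
        URL wsdlUrl = new URL(args.length > 1 ? args[1] : "https://myhost.com:443/TestWS/Test.wsdl");
        KeyStore cacerts = loadCacerts(System.getProperty("java.home"), "changeit");
        X509Certificate cert = readCert(certFile);

        System.out.println("alias in cacerts : " + cacerts.getCertificateAlias(cert));
        System.out.println("certificate CN   : " + subjectCN(cert));
        System.out.println("certificate SAN  : " + sanDnsNames(cert));
        System.out.println("WSDL host        : " + wsdlUrl.getHost()
                + (hostMatches(wsdlUrl.getHost(), cert) ? " (matches)" : " (no match: expect No name matching)"));
        try {
            System.out.println("handshake OK, HTTP " + probe(wsdlUrl, cacerts));
        } catch (SSLException e) {
            System.out.println("handshake failed: " + e);
        }
    }
}
```

Compile and run it with the same JRE that Ant uses (the java.home value from ant -diagnostics), for example: java TrustStoreCheck exported-host.cer https://myhost.com:443/TestWS/Test.wsdl. A null alias means the certificate is not in this cacerts file yet; a "no match" line means the host in the WSDL URL is not a name the certificate was issued for, which no keystore import can fix.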

You can delete certificates added to the keystore using the keytool -delete command and add them back with the CN of the certificate as the alias.
Sample command to delete a certificate from the keystore:
JAVA_HOME\jre\lib\security> keytool -delete -keystore cacerts -storepass changeit -alias "<aliasname>"