Forum Discussion
David_Newman_10
Nimbostratus
May 04, 2005
No trusted certificate found
I am trying to run the sample code in Control-9.0\sdk\samples\soap\java\apache\axis\LocalLB.
1) Before running the test I created a self-signed certificate on the BIG-IP setting the fully qualified host name of the BIG-IP admin facility as the CN of the certificate.
2) I then copied the .crt file to my local machine and imported it into the keystore file using the keytool utility.
3) When I ran the code I received the following error:
May 4, 2005 1:55:47 PM org.apache.axis.utils.JavaUtils isAttachmentSupported
WARNING: Unable to find required classes (javax.activation.DataHandler and javax
.mail.internet.MimeMultipart). Attachment support is disabled.
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.Valida
torException: No trusted certificate found
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeExcept
ion: sun.security.validator.ValidatorException: No trusted certificate found
What do I need to do to resolve this problem?
Thanks,
David
16 Replies
- Historically, you would have to have installed the server certificate in your client truststore (Click here)
But, thanks to one of our users, we've now got a much easier way.
Take a look at the following forum thread for more info : Click here
I've tested his class with both Apache Axis and WSSOAP for both v4.x and 9.x of our products. Feel free to post if you have any issues getting it going.
BTW, The upcoming v9.2 of the SDK will include this code.
-Joe
- David_Newman_10
Nimbostratus
This triggers two questions.
1) I did follow the brute force approach and installed the certificate in the keystore file, and it still failed with "No trusted certificate found". Any ideas?
2) I am also ready to give XTrustProvider.java a try. Please provide detailed instructions on how to implement this class. Where should it be deployed and built. Where and how should it be called in the SOAP code to bypass certificate authorization.
Thanks,
David
- Not sure why the brute force approach didn't work. More than likely you didn't install the certificate into the file specified in the app.
System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");
For the automagic solution, just include the specified code in the referenced post in your project, then from within your application, include the following line somewhere in the initialization.
Provider.install("MYX509ALG")
or if you use the version from CodeShare, I believe the class was renamed to XProvider (or something like that).
If you get stuck, you can download the iControl 4.6.3 SDK which includes this code and shows its usage. We'll include it as well in the upcoming v9.2 version.
-Joe
- David_Newman_10
Nimbostratus
How would this be done for Axis?
- Excellent! Glad to be of some help. Feel free to post again if anything comes up that you need assistance on.
-Joe
- Sunit_Tailor_11
Nimbostratus
I have two JAVA applications.
1) Java Batch Application where the application interacts with BIGIP to get VS, Pool and Members. It also gets STATUS for all the members.
In this program I am using "XTrustProvider.java" and call "XTrustProvider.install()" in my class constructor. It is working just fine.
2) Java Web application running on another Unix server, This application is designed to ENABLED or DISABLED pool member as per user request. In this program I am using same "XTrustProvider.java" and calling "XTrustProvider.install()", but here I am getting following Error Message:
[11/17/05 13:22:04:041 EST] 187f194 SystemOut O AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: unknown certificate
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.bs.a(Unknown Source)
at com.ibm.jsse.bs.startHandshake(Unknown Source)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
at org.apache.axis.client.Call.invoke(Call.java:2748)
at org.apache.axis.client.Call.invoke(Call.java:2424)
at org.apache.axis.client.Call.invoke(Call.java:2347)
at org.apache.axis.client.Call.invoke(Call.java:1804)
at iControl.LocalLBVirtualServerBindingStub.get_list(LocalLBVirtualServerBindingStub.java:1990)
at com.vanguard.wsdmon.core.ChangeBigIPData.doUpdate(ChangeBigIPData.java:126)
at com.vanguard.wsdmon.core.ChangeBigIPData.UpdateData(ChangeBigIPData.java:232)
at com.vanguard.wsdmon.core.WSDAction.doWSDAction(WSDAction.java:424)
at com.vanguard.wsdmon.core.WSDMonitor.doPost(WSDMonitor.java:212)
at com.vanguard.wsdmon.core.WSDMonitor.doGet(WSDMonitor.java:437)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at com.vanguard.services.servlet.http.VgBaseServlet.vgiserviceImpl(Unknown Source)
at com.vanguard.services.servlet.http.VgBaseServlet.service(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.ibm.ws.webcontainer.servlet.StrictServletInstance.doService(StrictServletInstance.java:110)
at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet._service(StrictLifecycleServlet.java:174)
at com.ibm.ws.webcontainer.servlet.IdleServletState.service(StrictLifecycleServlet.java:313)
at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet.service(StrictLifecycleServlet.java:116)
at com.ibm.ws.webcontainer.servlet.ServletInstance.service(ServletInstance.java:283)
at com.ibm.ws.webcontainer.servlet.ValidServletReferenceState.dispatch(ValidServletReferenceState.java:42)
at com.ibm.ws.webcontainer.servlet.ServletInstanceReference.dispatch(ServletInstanceReference.java:40)
at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java:1019)
at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:592)
at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:204)
at com.ibm.ws.webcontainer.srt.WebAppInvoker.doForward(WebAppInvoker.java:125)
at com.ibm.ws.webcontainer.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java:286)
at com.ibm.ws.webcontainer.cache.invocation.CachedInvocation.handleInvocation(CachedInvocation.java:71)
at com.ibm.ws.webcontainer.cache.invocation.CacheableInvocationContext.invoke(CacheableInvocationContext.java:116)
at com.ibm.ws.webcontainer.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java:186)
at com.ibm.ws.webcontainer.oselistener.OSEListenerDispatcher.service(OSEListener.java:334)
at com.ibm.ws.webcontainer.http.HttpConnection.handleRequest(HttpConnection.java:56)
at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:615)
at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:439)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:912)
{http://xml.apache.org/axis/}hostname:dssva003
[11/17/05 13:22:04:043 EST] 187f194 SystemOut O javax.net.ssl.SSLHandshakeException: unknown certificate
3
Please help to resolve this.
- It looks like you are using WebSphere for your deployment of your web app. Are you using the same framework for your standalone application that is currently working?
I have almost no working knowledge of WebSphere so I wouldn't really know where to start in trying to help you out here. I do know that IBM has their own JSSE provider that overrides Sun's. I'm not sure if this is causing an issue with the XTrustProvider class or not. Is there any chance you are not calling the install() method within the context of the application's request?
Anyone out there deployed a web based application with WebSphere that uses iControl on the backend?
-Joe
- Sunit_Tailor_11
Nimbostratus
Hi Joe,
The standalone application is also configured in WebSphere. It is running on my Desktop. I run this application via web browser "http://:9080". This application connects to BIGIP without any issue using XTrustProvider.java.
If I run another standalone application, also configured in a different instance of WebSphere on my desktop running on a different port. This application is also using the same XTrustProvider and tries to connect to the same BIGIP. I run this application via web browser "http://:9084". This application gives me the error I have posted earlier.
is same for both application.
Do I need to make any changes to XTrustProvider utility in order for it to work for my other application.
Please help.
- Sunit_Tailor_11
Nimbostratus
Hi Joe,
I am planning to use "installCert.java" program to install certificate on the client in order for it to connect to BigIP server.
I would appreciate if you provide reply to following questions:
1) In order to run installCert program what should I provide as arguments:
server ( I assume this will be BigIP Name, correct??)
keystore_password
keystore_alias
2) Once I install the certificate, I need to make some modification to my GetBigIPData.java. Please verify the following is correct:
I will remove following line from my GetBigIPData.java constructor:
XTrustProvider.install();
I will add following lines in my GetBigIPData.java constructor:
System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");
Please let me know if I need to make any additional modifications.
Hoping for an early reply.
Thanks,
-Sunit
- You don't need to use both the XTrustProvider and installCert utility. The XTrustProvider provides a real-time injection into the certificate validation process while installCert will take the server certificate and physically install it into your local trust store.
So, here's the flow (simplistic version):
1) client requests connection with BIG-IP
2) BIG-IP sends back its server certificate
3) Client library checks the issuer, date, etc from the certificate to make sure it's valid and allowed.
3.a) For signing authorities that are not trusted, the client library will look into the local truststore to see if that certificate is present. If so, a connection is allowed. This is what installCert.java will do for you.
3.b) If the certificate isn't found in the local truststore, call the lower JSSE libraries validation routines. It is here that XTrustProvider injects itself into the processing and tells the JSSE layer to trust the certificate.
As you can see, you only need one of the two options. Using the XTrustProvider is the preferred method as it requires no clientside configuration or setup. If, for some reason, you aren't able to get that working, the client side trust store option is always there.
-Joe
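
A check for the trust store route discussed in this thread, as an added example (not code from the thread or the iControl SDK): it confirms that the BIG-IP certificate is present in the keystore file that `javax.net.ssl.trustStore` points at, then handshakes trusting only that store, so the server is still authenticated. The class name, the two command-line arguments, port 443 and the `changeit` fallback password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example. Usage: java TrustStoreCheck <bigip-host> <path-to-bigip.crt>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];     // BIG-IP management host name
        String crtPath = args[1];  // the .crt file copied from the BIG-IP

        // Same location the thread's System.setProperty line uses.
        String storePath = System.getProperty("user.home") + "/.keystore";
        // Assumption: password from the standard property, else "changeit".
        char[] storePass = System
            .getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();

        X509Certificate bigip;
        try (InputStream in = new FileInputStream(crtPath)) {
            bigip = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(in);
        }

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);  // FileNotFoundException: wrong trust store path
        }

        // getCertificateAlias returns null when the certificate is not in this store,
        // i.e. keytool imported it into a different file than the application reads.
        String alias = ks.getCertificateAlias(bigip);
        System.out.println(storePath + ": " + ks.size() + " entries, BIG-IP alias = " + alias);
        if (alias == null) {
            throw new IllegalStateException("BIG-IP certificate is not in " + storePath);
        }

        // Trust only what is in this store, then attempt the handshake.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();      // SSLHandshakeException if the chain is not trusted
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Handshake OK with " + peer.getSubjectX500Principal());
        }
    }
}
```

A null alias reproduces the "No trusted certificate found" situation from the first post without involving Axis, which separates a trust store path problem from a SOAP stack problem.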
