David_Newman_10
May 04, 2005

No trusted certificate found

I am trying to run the sample code in Control-9.0\sdk\samples\soap\java\apache\axis\LocalLB.

1) Before running the test I created a self-signed certificate on the BIG-IP, setting the fully qualified host name of the BIG-IP admin facility as the CN of the certificate.

2) I then copied the .crt file to my local machine and imported it into the keystore file using the keytool utility.

3) When I ran the code I received the following error:

May 4, 2005 1:55:47 PM org.apache.axis.utils.JavaUtils isAttachmentSupported
WARNING: Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

What do I need to do to resolve this problem?

Thanks,
David

16 Replies

  • Joe,

    Since "XTrustProvider.java" is not working for me on WebSphere running on a Solaris box, I want to try "installCert.java".

    Once we manually install the certificate on the BIG-IP and the same certificate on our Solaris box from where we are trying to connect to the BIG-IP, what changes do I need to make in my code?

    Currently my code is using "XTrustProvider.java". I am calling "XTrustProvider.install()" in the GetBigIPData.java constructor.

    I would appreciate it if you let me know what steps I need to take to use "installCert.java", or can I use the same existing code and it will use the manually installed certificate?

    Thanks,

  • Hi dnewman,

    I am using XTrustProvider running with Axis. I am running my application on WebSphere. When I test my application in WebSphere Studio Application Developer (WSAD) running on my desktop, it works fine. But when I deploy the same application to our DEV environment, which has WebSphere Application Server running on Solaris, the same application complains about "unknown Certificate".

    I would appreciate it if you let us know your configuration if you also use WebSphere on Solaris.

    Thanks
  • As I said, XTrustProvider and installCert are two different options. You don't need to use them both. If for some reason you are having problems with XTrustProvider working in real-time, then here's how installCert works.

    Run java installCert bigip_address keystore_password keystore_alias

    Where

    bigip_address is the IP address of the BIG-IP
    keystore_password is the password of your local keystore {user.home}/.keystore
    keystore_alias is the alias for the new entry in your keystore.

    If you need help creating a keystore, take a look at the documentation for Sun's keytool command.

    Then in your client code you will need to specify the location of the keystore.

     System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");

    Here is probably where a potential problem could lie. If your "user.home" variable is different in the context of running the installCert command and the context of your web application, then this will not work. You might want to hardcode a location in your app to the real location of the keystore.

     System.setProperty("javax.net.ssl.trustStore", "/full/path/to/.keystore");

    And make sure that the identity your webserver is running under has access to that file.

    -Joe
  • Hi Joe,

    Thanks for the reply. I didn't have any ".keystore" file in my {user.home} directory. I created this file. Now I don't know what password I should provide.

    Please let me know what the password will be.

    I have tried the following as passwords:

    "changeit"
    ""

    Both of them don't work.

    Please help...

    Thanks
  • This is a special kind of file similar to a vault. You cannot create an empty file. You must use the keytool command to create the file. The keystore_password is the password you specified for the file when you created it with keytool.

    After the empty password-protected keystore is created, you can use installCert to install server certificates in there.

    Check the keytool man page for its usage. Reading through that should give you a good overview of keystores. Or, do a Google search on keytool and that should point you in the right direction.

    -Joe
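The points from the two replies above (the keystore must be created with keytool, the password must match, and the application's identity must be able to read the file at an explicit path) can be checked with a short program. This is an added Java example, not code from the thread or the iControl SDK; the class name TrustStoreCheck is hypothetical, and it assumes Java 7 or later and a JKS-format keystore.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; TrustStoreCheck is a hypothetical name, not part of the iControl SDK.
public class TrustStoreCheck {
    // Load a JKS trust store from an explicit path and build an SSLContext
    // that trusts only the certificates stored in it.
    static SSLContext load(Path path, char[] password) throws Exception {
        if (!Files.isReadable(path)) {
            throw new IOException("Not readable by user '" + System.getProperty("user.name") + "': " + path);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        } catch (IOException e) {
            // A bad password surfaces as an IOException caused by UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                throw new IOException("Wrong keystore password for " + path, e);
            }
            throw new IOException("Not a valid keystore (was it created with keytool?): " + path, e);
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) trusted++;
        }
        if (trusted == 0) {
            throw new IllegalStateException("No trusted certificate entries in " + path);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        load(Paths.get(args[0]), args[1].toCharArray());
        System.out.println("Trust store OK (user.home=" + System.getProperty("user.home") + ")");
    }
}
```

Run it as the same account the application server uses, for example `java TrustStoreCheck /full/path/to/.keystore keystore_password`, so that a permissions or `user.home` mismatch shows up before the SOAP call does.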
  • Hi Joe,

    I tried with XTrustProvider, but I am getting the below exception now. Is there any solution to come across?

    Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
        at java.security.Provider$Service.newInstance(Provider.java:1245)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
        at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
        at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
        at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
        at org.apache.axis.components.net.JSSESocketFactory.initFactory(JSSESocketFactory.java:87)
        at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:105)
        at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
        at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
        at org.apache.axis.client.Call.invoke(Call.java:2767)
        at org.apache.axis.client.Call.invoke(Call.java:2443)
        at org.apache.axis.client.Call.invoke(Call.java:2366)
        at org.apache.axis.client.Call.invoke(Call.java:1812)
        at iControl.SystemSessionBindingStub.set_recursive_query_state(SystemSessionBindingStub.java:778)
        at com.cloupia.lib.cIaaS.loadBalancers.F5LoadBalancerAPI.(F5LoadBalancerAPI.java:90)
        at com.cloupia.lib.cIaaS.loadBalancers.F5LoadBalancerAPI.getF5LBAPI(F5LoadBalancerAPI.java:118)
        at com.cloupia.feature.f5LoadBalancer.F5LBAccountTestConnectivityHandler.testConnection(F5LBAccountTestConnectivityHandler.java:35)
        ... 17 more
    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:202)
        at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultTrustManager(DefaultSSLContextImpl.java:70)
        at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.(DefaultSSLContextImpl.java:40)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at java.security.Provider$Service.newInstance(Provider.java:1221)
        ... 40 more
    Caused by: java.security.UnrecoverableKeyException: Password verification failed

    Regards, PRakash.K