Java - GlassFish v3 "unable to find valid certification path to requested target"
I realize this question may appear to be a duplicate, but none of the threads I've browsed seem to address my situation.
I've been trying for days to create a self-signed SSL certificate. The certificate is needed to access a GlassFish domain which must provide WSDL files through HTTPS. I am using GlassFish 3.1.1 on Solaris 10, and I do not use the default SSL port (443). At the moment, I am using 8181.
SSL certificates are tied to the particular hostname used to access them. The certificate needs to be valid across several network zones; the GlassFish domain has more than one different IP associated with it. The hostname (let's call it foobar) is not accessible from outside the server as far as I can see.
After some research I decided I need to generate a self-signed certificate with subject alternative names indicating these IPs. Below are the steps I took.
The easiest way to generate a cert with a SAN is to download Java 7, which includes a keytool utility with this capability. I downloaded JDK 1.7.0_04 from the Oracle website and installed it on foobar.
Navigate to the GlassFish domain1 configuration directory, e.g. /opt/glassfish3/glassfish/domains/domain1/config
(The following is modified from the Oracle GlassFish 3.1 documentation: http://docs.oracle.com/cd/e18930_01/html/821-2435/ablqz.html)
Generate the certificate in the keystore. Note: each GlassFish domain has its own keystore; the cert below is generated for domain1, associated with HTTPS port 8181.
    keytool -genkey -alias foobar -keyalg RSA -dname "CN=foobar, OU=xxxxxxx xxxx, O=xxxxxxxxxx, L=xxxxx xxx, S=xx, C=xx" -ext "SAN=ip:12.34.56.78,ip:99.88.77.66" -keypass changeit -storepass changeit -validity 3650 -keystore keystore.jks

Export the generated certificate to a file (in my case, foobar.cer):

    keytool -export -alias foobar -storepass changeit -file foobar.cer -keystore keystore.jks

Import the certificate into cacerts as a trusted certificate. This is done twice: once for the GlassFish cacerts file, and once for the Java JRE cacerts file on foobar.

    keytool -import -v -trustcacerts -alias foobar -file foobar.cer -keypass changeit -storepass changeit -keystore cacerts.jks

In /usr/java/jre/lib/security:

    keytool -import -v -trustcacerts -alias foobar -file foobar.cer -keypass changeit -storepass changeit -keystore cacerts

Just in case, I also downloaded and imported the certificate into the Java JRE cacerts file on the Windows workstation accessing the HTTPS (probably not necessary).
In C:\Program Files\Java\jre\lib\security:

    keytool -import -v -trustcacerts -alias foobar -file foobar.cer -keypass changeit -storepass changeit -keystore cacerts

Restart the GlassFish domain1:

    asadmin restart-domain domain1

After the restart is complete, test the connection. In my case I go to a Windows workstation where I have a Java app loaded in NetBeans. I run a test that loads the WSDL I need through HTTPS, and enter
https://12.34.56.78:8181 as the source.
This gives me the following error:

    2012-06-05 10:25:32,132 WARN utilities.ConnectionManager - Could not connect to URL https://12.34.56.78:8181/foobar/webservice?wsdl: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If I instead use the default GlassFish SSL certificate for domain1, I get an error indicating no subject alternative names are present. That's why I went through the trouble of regenerating the cert in the first place.
As far as I can tell, importing the certificate as a trusted CA certificate ought to solve the "unable to find valid certification path" error. I admit I'm not much of a network specialist, but my research so far indicates this is the case. I'm not sure if the problem here is because I'm using a non-standard SSL port (having to add :8181 may lead to a mismatch with the SAN IP). I haven't tried that yet. Isn't there a way to generate a self-signed cert for an ip:port combination, either in the CN or the SAN?
Thanks... any help is appreciated!
P.S. I can provide the application code if necessary.
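As an added example (not part of this question), here is the identity check a TLS client performs against the SAN: the port is stripped from the URL before matching, so ":8181" cannot by itself cause a SAN mismatch, and an IP literal only ever matches an iPAddress entry, never a dNSName. The SAN list below is constructed to mirror the certificate generated above; a real client would extract it from the parsed certificate.

```python
"""SAN matching as a TLS client does it (added example; stdlib only)."""
import ipaddress
from urllib.parse import urlsplit


def host_from_url(url):
    """Return only the host part of a URL.

    The port is not part of a certificate identity, so 'https://12.34.56.78:8181/'
    and 'https://12.34.56.78/' are checked against exactly the same SAN entries.
    """
    return urlsplit(url).hostname


def dns_match(pattern, host):
    """RFC 6125 style dNSName comparison: case-insensitive, and a single
    wildcard only in the leftmost label (so *.example.com does not cover
    a.b.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return pattern == host


def san_matches(san, url):
    """san: list of (type, value) pairs, type being "DNS" or "IP".

    Returns True when the URL's host is covered by the SAN. An empty SAN
    never matches, which is what the "no subject alternative names present"
    error in the question reports for the stock GlassFish certificate.
    """
    host = host_from_url(url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    if ip is not None:
        # An IP literal must appear as an iPAddress SAN; a dNSName that
        # happens to spell the same digits does not count.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
    return any(t == "DNS" and dns_match(v, host) for t, v in san)


# Constructed SAN list mirroring the cert generated with -ext "SAN=ip:...".
FOOBAR_SAN = [("IP", "12.34.56.78"), ("IP", "99.88.77.66")]
```

Running san_matches(FOOBAR_SAN, ...) against the WSDL URL from the question returns True, which narrows the "unable to find valid certification path" error down to trust (which truststore the client JVM actually reads) rather than name matching.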

It's been quite some time since I had this problem.
I couldn't solve it as described above, and ended up ordering SSL certs from a public CA.
I did run into one notable quirk concerning GlassFish (3.1.1) and SSL. For whatever reason, at least one non-SSL enabled network listener needs to exist per domain, or you'll get certificate errors when accessing SSL enabled web service URLs.
So I have a listener on 8080 and one on 8181. If both are SSL enabled, the certs won't work. If SSL is removed from 8080, the cert attached to listener 8181 will work.