
How do I use self signed certificate in Axis2 Java client?

I have generated code using the org.codehaus.mojo axistools-maven-plugin plugin, version 1.4. I am trying to connect to a web service over https. I have installed the server certificate into jssecacerts and copied this key store into the /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/ folder. So this means I have the server certificate in the client keystore. I have also imported the server private key and certificate into the keystore.ImportKey key store. I guess I will have to use this as the trust store. Now, how do I connect all these together in the Java client? I am using the auto-generated stub at the client side. I tried using the following but it does not work.

System.setProperty("javax.net.ssl.trustStore","certs/keystore.ImportKey");
System.setProperty("javax.net.ssl.trustStorePassword", "importkey"); 

I am getting following exception.

faultString: javax.net.ssl.SSLHandshakeException:
    sun.security.validator.ValidatorException:
    PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target

The certificates are valid as I am using the same certs over an HTTPS client for the same host. Also, I was able to see a successful curl request using the same certs. Actually, I am not sure how to write an Axis2 SOAP Java client over https using a self-signed server certificate. Can anyone point me to a step-by-step example?


On the client side, you do not need the certificate private key to trust the server. Since you wrote in your question that you imported the certificate and key in keystore.ImportKey, I think that they have been imported as a PrivateKeyEntry (you can verify with keytool the type of entries in the keystore).

However if you want to use the certificate as a trust anchor you should import the certificate as a TrustedCertificateEntry. It can be achieved with keytool:

keytool -importcert -trustcacerts -alias myTrustAnchor -file /path/to/cert.crt -keystore /path/to/keystore

Then you can configure the truststore in your application:

System.setProperty("javax.net.ssl.trustStore","/path/to/keystore");


Thanks @Jcs

This is how I solved the problem. When I tried opening the web service URL in a browser, it asked for a client certificate. This means that, because I had already imported the server certificate into jssecacerts in the JVM, my client was missing the client certificate. So, instead of setting the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties I set the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties and it is working fine. I had missed the fact that the private key and certificate imported into keystore.ImportKey are basically the client identity, which I received long back from someone saying those were server certificates. That was misleading me. So, let me summarize the solution if someone is looking for it.

  1. Download the server certificate and import it into the JVM cacerts or jssecacerts on the system path. I used this post.

  2. Open the web service URL in a browser; if it asks for a client certificate it means the server is set to expect a certificate from the client. In the case of a self-signed certificate you must already have the self-signed certificate from the server. Import these into a keystore and set the system properties for the key store, and not the trust store, before actually making the call to the web service, as shown below. This is because you have already imported the server certificate into the client trust store (cacerts).

Code:

// Client identity (private key + certificate) presented when the server asks for a client certificate.
// Set these before the first HTTPS call; the server is trusted via the JVM's jssecacerts/cacerts.
System.setProperty("javax.net.ssl.keyStore", "certs/keystoreQA.Importkey");
System.setProperty("javax.net.ssl.keyStorePassword", "importkey");

MySoap12Stub stub = (MySoap12Stub) new MyLocator().getMySoap12(new java.net.URL(WSUrl));

In addition, in my case the server expects a user token and password set in the SOAP headers. This is how I set them in the SOAP headers:

((Stub) stub).setHeader(HeaderHandler.getSecurityHeader(User, password));

import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import org.apache.axis.message.PrefixedQName;
import org.apache.axis.message.SOAPHeaderElement;

public class HeaderHandler {

    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String PASSWORD_TEXT_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Builds a WS-Security header carrying a UsernameToken with a clear-text (PasswordText) password.
    public static SOAPHeaderElement getSecurityHeader(String user, String password) throws SOAPException {
        SOAPHeaderElement wsseSecurity = new SOAPHeaderElement(new PrefixedQName(WSSE_NS, "Security", "wsse"));
        wsseSecurity.setActor(null);
        wsseSecurity.setMustUnderstand(true);

        SOAPElement usernameToken = wsseSecurity.addChildElement("UsernameToken", "wsse");
        usernameToken.setAttribute("xmlns:wsu", WSU_NS);
        SOAPElement username = usernameToken.addChildElement("Username", "wsse");
        username.addTextNode(user);

        // The element must not shadow the String parameter, otherwise addTextNode(password) does not compile.
        SOAPElement passwordElement = usernameToken.addChildElement("Password", "wsse");
        passwordElement.setAttribute("Type", PASSWORD_TEXT_TYPE);
        passwordElement.addTextNode(password);
        return wsseSecurity;
    }
}

I hope this explains in detail how to use self-signed certificates and a WSSE user token and password in an Axis2 client calling web services over https.

Cheers! good to go now.

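Both answers turn on one distinction: a TrustedCertificateEntry tells the client which server certificate to trust (the truststore), while a PrivateKeyEntry is the client's own identity, presented only when the server asks for a client certificate (the keystore). The Java program below is an added example, not code from either answer or from Axis. It lists the entry type of every alias in a keystore so you can check which of the two you actually hold (keytool -list -v -keystore file shows the same), and then wires an explicit truststore and keystore into an SSLContext instead of relying on the global javax.net.ssl.* system properties, which is easier to reason about when several keystores are in play. The class name, file paths and passwords are placeholders, and it assumes the generated Axis stub uses the JVM's default SSLSocketFactory, so that SSLContext.setDefault (Java 6 and later) is enough for the stub to pick the context up.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (hypothetical class, not part of the original answers or of Axis):
 * inspect what a keystore really contains, then build an SSLContext with an explicit
 * truststore (who the client trusts) and an explicit keystore (who the client is).
 */
public class SslSetupCheck {

    // Loads a keystore file in the JVM default type (JKS on Java 6).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Prints every alias with its entry type, so a trust anchor is not mistaken for a client identity.
    static void describe(String label, KeyStore ks) throws Exception {
        System.out.println("== " + label);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind = ks.isKeyEntry(alias)
                ? "PrivateKeyEntry (client identity -> javax.net.ssl.keyStore)"
                : "TrustedCertificateEntry (trust anchor -> javax.net.ssl.trustStore)";
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                : "(no X.509 certificate)";
            System.out.println(alias + ": " + kind + ", subject=" + subject);
        }
    }

    // Builds an SSLContext from a separate truststore and identity keystore.
    static SSLContext buildContext(String trustStorePath, char[] trustStorePw,
                                   String keyStorePath, char[] keyStorePw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustStorePw));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Second argument is the private-key password; assumed equal to the store password here.
        kmf.init(load(keyStorePath, keyStorePw), keyStorePw);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; replace with your own files.
        String trustStorePath = "certs/jssecacerts";      // holds the server's self-signed cert
        char[] trustStorePw = "changeit".toCharArray();
        String keyStorePath = "certs/keystore.ImportKey";  // holds the client private key + cert
        char[] keyStorePw = "importkey".toCharArray();

        describe("truststore", load(trustStorePath, trustStorePw));
        describe("keystore", load(keyStorePath, keyStorePw));

        // Assumption: the Axis stub uses the JVM default SSLSocketFactory, which follows the default SSLContext.
        SSLContext.setDefault(buildContext(trustStorePath, trustStorePw, keyStorePath, keyStorePw));
        System.out.println("Default SSLContext now uses the explicit truststore and client keystore.");
    }
}
```

If describe() shows only PrivateKeyEntry aliases in the file you meant to use as a truststore, that is the situation from the question: the server certificate must be imported as a TrustedCertificateEntry (keytool -importcert) before it can act as a trust anchor, and the PrivateKeyEntry belongs in the keystore side.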