SunCertPathBuilderException: unable to find valid certification path to requested target

Subject: SunCertPathBuilderException: unable to find valid certification path to requested target
Author: authen
In response to: StartTLS - Code Example: Explicit Assertion of Client's Authorization Identity
Posted on: 07/03/2007 06:43:43 PM

If you do not have the correct trust store to verify server's certificate,

System.setProperty("javax.net.ssl.trustStore", "myTrustStore");

you would get somethings like this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1522)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:180)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:861)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:111)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:509)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:447)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1034)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1061)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)

>
> On 07/03/2007 06:28:27 PM authen wrote:

/** * A code example to demonstrate how StartTLS works * Note: This example has been tested to work with Active Directory 2003 */ import java.util.*; import javax.naming.*; import javax.naming.directory.*; import javax.naming.ldap.*; public class StartTSLJndiClient { public static void main (String[] args) { // To specify the trustStore, if any other than the default one: // %JAVA_HOME%\lib\security\certs System.setProperty("javax.net.ssl.trustStore", "myTrustStore"); System.setProperty("javax.net.ssl.trustStorePassword", "password"); // optional // To spcify client's keyStore where client's certificate is located // Note: Client's keyStore is optional for StartTLS negotiation and connection. // But it is required for implicit client indendity assertion // by SASL EXTERNAL where client ID is extracted from certificate subject. System.setProperty("javax.net.ssl.keyStore", "myKey.pfx"); System.setProperty("javax.net.ssl.keyStoreType", "pkcs12"); System.setProperty("javax.net.ssl.keyStorePassword", "secret"); Hashtable env = new Hashtable(5, 0.75f); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://myServerInDnsFullName:389"); try{ /* Establish LDAP association */ LdapContext ctx = new InitialLdapContext(env, null); /* Requesting to start TLS on an LDAP association */ ExtendedRequest tlsRequest = new StartTlsRequest(); ExtendedResponse tlsResponse = ctx.extendedOperation(tlsRequest); /* Starting TLS */ StartTlsResponse tls = (StartTlsResponse)tlsResponse; tls.negotiate(); // A TLS/SSL secure channel has been established if you reach here. /* Assertion of client's authorization Identity -- Explicit way */ ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "testUser@myDomain"); ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, "password"); Attributes result = ctx.getAttributes("uid=jdoe,cn=vip,dc=domain,dc=com"); System.out.println(result); tls.close(); // The TLS/SSL secure layer has been closed and all traffic down the road // will be in clear text. /* other LDAP operations may go here */ /* ... */ ctx.close(); }catch(Exception e){ e.printStackTrace(); System.exit(-1); } } }

References:

Next Post: CertificateException: No subject alternative DNS name found authen 07/03/2007 06:50:07 PM
Previous Post: StartTLS - Code Example: Explicit Assertion of Client's Authorization Identity authen 07/03/2007 06:28:27 PM
Next Topic: StartTLS - Code Example: Implicit Assertion of Client's Authorization Identity authen 07/03/2007 07:08:32 PM
Previous Topic: StartTLS -- RFC 2830: Extension for Transport Layer Security authen 07/02/2007 01:21:55 PM
Index: by Date
Index: by Topic