HTTPS web service connection errors

[Mylo]

We have a Java web application that accesses a Web Service using
https. Last week the hosts of the web service installed a new signed
SSL certificate. As soon as they installed the new certificate, our
Java web app stopped working. When we try and access the web service
via the web app we get the following error:

2008-05-16 20:20:07,226 ERROR
[org.codehaus.xfire.transport.http.HttpChannel] -
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
2008-05-16 20:20:07,237 ERROR [grantee.GranteeServlet] - Could not
invoke service.. Nested exception is
org.codehaus.xfire.fault.XFireFault: Couldn't send message.

The Operating System is Solaris, The Web application server is Tomcat
5.5, and the JDK java version is "1.5.0_05".

The confusing part is that we can test the web service using SOAP UI.
We can access the webservice that way. So the web service seems to
be working correctly, but our Web Application can't seem to connect to
it.

Any ideas?

Thanks in advance, and let me know if you have any more questions.

 

[Nigel Wade]

We have a Java web application that accesses a Web Service using
https. Last week the hosts of the web service installed a new signed
SSL certificate. As soon as they installed the new certificate, our
Java web app stopped working. When we try and access the web service
via the web app we get the following error:

2008-05-16 20:20:07,226 ERROR
[org.codehaus.xfire.transport.http.HttpChannel] -
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
2008-05-16 20:20:07,237 ERROR [grantee.GranteeServlet] - Could not
invoke service.. Nested exception is
org.codehaus.xfire.fault.XFireFault: Couldn't send message.

The Operating System is Solaris, The Web application server is Tomcat
5.5, and the JDK java version is "1.5.0_05".

The confusing part is that we can test the web service using SOAP UI.
We can access the webservice that way. So the web service seems to
be working correctly, but our Web Application can't seem to connect to
it.

Any ideas?

Thanks in advance, and let me know if you have any more questions.

What may have happened is that the new certificate is signed by a CA for which
your Java installation does not have the key to validate it. Certificates are
signed by a certificating authority (CA) and require a chain of authentication
back to that CA. Generally what that means is that in order to validate a
certificate you need the public key for the CA in your keychain. If this is
missing the certificate cannot be validated.

You need to look at the cert. and see what the signing authority is. Then look
in your Java keystore and see what signing authority CAs are in there. In the
Java Console look in the Security tab and select Certificates..., you want to
look at Signer CA types in the System tab. If the cert. for the CA is not there
you will to add it. If your browser can browse to the https: port then it must
be accepting the certificate, therefore it should have the root CA in its
keystore. You ought to be able to export if from there and import it into the
Java keystore.