10-22-2014 07:55 AM
Hello I'm trying to test the Cisco AXL Java Client Demo on my CUCM (9.1).
This is the demo package from cisco which displays the value of the "product" field that is returned in the getPhone response.
I copied the code from https://developer.cisco.com/site/collaboration/management/axl/learn/how-to/axl-java-sample-application.gsp
and followed the instructions.
I'm using Eclipse and I'm a newbie!
By the way I have installed java 7, 8 and jdk1.8.0_11 on my PC (default jre7 for this application).
I get the following error when I run the java application through CMD:
╧ΆΪ 22, 2014 4:52:44 ╠╠ com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser parseWSDL
WARNING: Import of file:/C:/Program%20Files/Java/jdk1.8.0_11/bin/schema/current/AXLSoap.xsd is violation of BP 1.1 R2001. Proceeding with a warning.
R2001 A DESCRIPTION must only use the WSDL "import" statement to import another WSDL description.
Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown Source)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source)
    at com.sun.xml.internal.ws.client.Stub.process(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source)
    at com.sun.proxy.$Proxy33.getPhone(Unknown Source)
    at com.cisco.axl.demo.Demo.getPhone(Demo.java:170)
    at com.cisco.axl.demo.Demo.getPhoneInfo(Demo.java:138)
    at com.cisco.axl.demo.Demo.main(Demo.java:119)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
    ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 36 more
I have downloaded the Certificate from my CUCM and stored it to keystore using the java keytool, but I still get that error.
I'm using the fully qualified URL hostname (not the IP address) of my CUCM but still the error exists. I can access my CUCM from web
using its hostname. The axl interface also works. It asks me for user and password info and then displays:
The AXL Web Service is working and accepting requests. Use HTTP POST to send a request.
Any ideas please?
Thanks!
10-23-2014 10:31 AM
Here's a complete working sample for 10.5. I don't know why it shouldn't work on your 9.1 system if you change the import statement to fit. I've attached the Java file just in case the forum mangles the code.
package com.yourcompany.yoursystem.sample;

import com.cisco.axl.api._10.*;
import com.cisco.axlapiservice.AXLAPIService;
import com.cisco.axlapiservice.AXLPort;
import com.cisco.axlapiservice.AXLError;

import javax.xml.ws.BindingProvider;

public class AXLTest {

    protected static String ucHost = null;
    protected static String ucAdmin = null;
    protected static String ucPwd = null;
    protected static String ucCrit = null;

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.out.println("Usage: AXLTest hostname username password search-criteria ");
            System.exit(1);
        } else {
            ucHost = args[0];
            ucAdmin = args[1];
            ucPwd = args[2];
            // in this case, the search criteria is the phone name, such as SEP101010101010
            ucCrit = args[3];
        }

        AXLAPIService service = new AXLAPIService();
        AXLPort axlPort = service.getAXLPort();

        String validatorUrl = "https://" + ucHost + "/axl/";

        ((BindingProvider) axlPort).getRequestContext().put(
                BindingProvider.ENDPOINT_ADDRESS_PROPERTY, validatorUrl);
        ((BindingProvider) axlPort).getRequestContext().put(
                BindingProvider.USERNAME_PROPERTY, AXLTest.ucAdmin);
        ((BindingProvider) axlPort).getRequestContext().put(
                BindingProvider.PASSWORD_PROPERTY, AXLTest.ucPwd);

        GetPhoneReq axlParams = new GetPhoneReq();
        // In this case, ucCrit is the phone name
        axlParams.setName(ucCrit);

        try {
            GetPhoneRes getPhoneResponse = axlPort.getPhone(axlParams);
            System.out.println("Product=" + getPhoneResponse.getReturn().getPhone().getProduct());
        } catch (AXLError e) {
            System.out.println("An AXLError occurred: " + e.getFaultInfo());
        }
    }
}
10-23-2014 10:40 AM
One more thing -- here's where the keystore is located now:
$JAVA_HOME\jre\lib\security\cacerts
If I recall correctly, the password for the keystore is "changeit".
But make sure that's the jre you're using for the eclipse build. If you have multiple jres on your system (I do), then you can accidentally add the key to one keystore but use another jre for the build, and that other jre doesn't have the certificate in the store.
10-24-2014 02:10 AM
Hello Nicholas.
Thanks very much for your reply!
I had already imported the certificate to all java keystores (jre 1.8, jre7) that I use, but it didn't solve the problem. The code you sent me is different than the one in Cisco Demo. I'm upgrading my CUCM to version 10.5 next week so I will try your code then. By the way I have just downloaded java8, how can I import the WSDL schema? There is no wsimport command in java8, nor in java7...
Thanks again for your reply.
Much appreciated.
Best regards
Vasilis
10-24-2014 08:16 AM
I have jdk1.8.0_11 and wsimport is here on my PC: C:\Program Files\Java\jdk1.8.0_11\bin\wsimport.exe
Maybe you need to download the sdk, not just the jre?
10-27-2014 04:59 AM
Hi Nicholas.
You are absolutely right, I will download the SDK too. This week I have the CUCM upgrade to 10.5.1. So next week I will resume my work on the API and let you know of the outcome.
Thanks again. Take care.
03-29-2015 03:47 AM
Hi, I met the same problem.
Could you tell me how you solved it?
Thank you!
11-17-2015 01:01 PM
Hello, Yuan,
I haven't solved it. I was busy on other projects. I will restart work on it soon.
Sorry for the late reply.
10-20-2015 04:03 PM
I'm having a similar issue - in my case I've imported the ca cert using the following:
sudo keytool -keystore cacerts -importcert -alias pns -file pnslabs-CORE-LDAP-CA.crt
I've also copied the certificate here:
/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security
I'm using the exact code copy and pasted from here:
https://developer.cisco.com/site/axl/learn/how-to/axl-java-sample-application.gsp
Weird part is, it looks like it successfully finds a matching ca cert, but still throws the error:
certpath: X509CertSelector.match(SN: 7d8459d56cb81d8c4dd6577eb8e53b7b
Issuer: CN=pnslabs-CORE-LDAP-CA, DC=pnslabs, DC=com
Subject: CN=pnslabs-CORE-LDAP-CA, DC=pnslabs, DC=com)
certpath: X509CertSelector.match returning: true
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.depthFirstSearchForward(): backtracking
Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
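Added example, not part of the thread or of Cisco's demo: both the multiple-JRE caveat above and the `keytool -keystore cacerts` import with a relative path come down to which trust store file the running JVM actually reads. The class name `TrustStoreCheck` is hypothetical, and the lookup order it uses (`javax.net.ssl.trustStore`, then `jssecacerts`, then `cacerts`) is JSSE's default behaviour.

```java
import java.io.BufferedInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper (not from the Cisco demo): reports the trust store of the
// JRE that is actually running it, and whether a given certificate is in it.
public class TrustStoreCheck {

    // JSSE default lookup: -Djavax.net.ssl.trustStore, else jssecacerts, else cacerts.
    static Path effectiveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        Path dir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = dir.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : dir.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        Path store = effectiveTrustStore();
        System.out.println("java.home   = " + System.getProperty("java.home"));
        System.out.println("trust store = " + store.toAbsolutePath());

        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        // "changeit" is the default password mentioned in the thread; pass another as args[1].
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, pass);
        }
        System.out.println("entries     = " + ks.size());

        if (args.length > 0) { // args[0]: PEM or DER certificate exported from the server or CA
            X509Certificate cert;
            try (InputStream in = new BufferedInputStream(Files.newInputStream(Paths.get(args[0])))) {
                cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            String alias = ks.getCertificateAlias(cert);
            System.out.println("subject     = " + cert.getSubjectX500Principal());
            System.out.println(alias != null ? "FOUND under alias: " + alias
                                             : "NOT FOUND in this trust store");
        }
    }
}
```

Run it with the same `java` executable (and the same `-D` options) that launches the AXL client; a "NOT FOUND" result means the certificate was imported into a different keystore file than the one this JVM validates against.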
10-21-2015 02:04 PM
It looks like the Subject CN of the cert is a domain name - note, if you try to establish the connection by providing just the IP address to the app, the IP string will not match the cert Subject name string, and the handshake will fail. If this is the case, you will need to provide the host name, and DNS lookups need to be working for the host (by editing the 'hosts' file on your local PC if you don't have the ability to add a real DNS entry to your network).