This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How to create a keystore in java, for Apigee on-premises installation v15.04.15

Posted on 09-22-2015 01:21 PM
Not applicable
Reply posted on --/--/---- --:-- AM

We have an issue with a JavaCallout step, we have a .jar class that calls a service https://, (TLS/SSL) this step throws this exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We installed the certificate in apigee private cloud with the curl command, to build the curl command correctly we use this:

We create a keystore with this:

http://apigee.com/docs/management/apis/post/organi...

When we see the apigee admin web page the certificate is correctly installed.

What we didn't do is to upload .jar in the keystore.

http://apigee.com/docs/management/apis/post/organi...

---------------------------------------------

We have created a keystore with a certificate using keytool command in a local machine.

We have debugged the .jar class inside Eclipse environment that calls https://, (TLS/SSL) service, and It returns us an expected response.

We don't know what to do, What do you recommend us to do?

This configuration is apigee onpremise instalation v15.04.15 (7) nodes.

Regards,

Solved Solved
0 7 914
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

We got the solution to this problem:

We downloaded the certificate for this example we named certificateCompanyAPIExample, you can download from the browser https:// SSL service (accept and download the certificate). the other way is using the openssl command and get the certificate in you screen, then you have to copy and past that code to a file an save it with any of this extensions ".cer" , ".pem", ".der", ".crt".

Command openssl example:

C:\Users\peter>openssl s_client -connect services.organization.com:443

Server certificate

-----BEGIN CERTIFICATE-----

MIIF3jCCBMagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCB6TELMAkGA1UEBhMCQ0wx ETAPBgNVBAgTCFNhbnRpYWdvMREwDwYDVQQHEwhTYW50aWFnbzElMCMGA1UEChQc O2+NF5vQ765pEwXawpVob6QHBiBJIeSk4ZbfjTavHS6oo6B4T1izKUX0A1AY4PN+

-----END CERTIFICATE-----

Then you have to copy this certificate to every node in your cluster.

Then you have to import the certificate with the keytool provided by java.

cd /usr/java/jdk1.7.0_55/jre/bin

./keytool -importcert -file /usr/java/jdk1.7.0_55/jre/lib/security/certificateCompanyAPIExample -keystore /usr/java/jdk1.7.0_55/jre/lib/security/cacerts

It's everythings is ok, the only thing you must do it's restart every MP in you cluster, one by one.

Now try again executing your api with javacallout step calling https service.

Best regards,

View solution in original post

Jump to Solution
0 Likes
7 REPLIES 7

Posted on --/--/---- --:-- AM
sgilson
New Member
Reply posted on --/--/---- --:-- AM

Did you create a virtual host that uses your keystore? For more info on configuring SSL for the private cloud, see the docs here:

http://apigee.com/docs/api-services/content/config...

Stephen

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to sgilson
Reply posted on --/--/---- --:-- AM

When I call a https:// service from an apigee step servicecallout, It works ok, but when I call the same https:// service from a .jar class inside a javacallout It throws this error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

This question looks to be a duplicate of https://community.apigee.com/questions/5457/is-it-possible-to-access-ssl-key-store-and-trust-s.html. Regards!

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to
Reply posted on --/--/---- --:-- AM

Diego

The issue in this case isn't the same.

Francisco has an API called provisioning, that calls several diferentes services to provisioning digital services. The java logic is necesary to manage the particular provisioning process for every service. We are calling to our internal services by https://servicios.telefonicachile.cl/ but in the call for java, we have the issue mentioned. If we call by service callout, we don't need create the keystore, the services works fine. that's a sumary of the issue.

Regards!

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to
Reply posted on --/--/---- --:-- AM

HTTP/1.1 500 Internal Server Error

Date:
Thu, 24 Sep 2015 17:50:57 GMT
Content-Length:
251
ExceptionClass:
org.apache.axis.AxisFault
Connection:
keep-alive
Content-Type:
application/json
Server:
Apigee Router
; nested exception is: 
	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to
Reply posted on --/--/---- --:-- AM

There are a few ways to workaround this issue by leveraging the options suggested in the thread above Node.js, Service Callouts, and even Javascript httpclient. When I try to hit your URL, it returns the following error:

Would it be possible to use any of these options?

1248-screenshot-9-24-15-11-35-am.jpg

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

We got the solution to this problem:

We downloaded the certificate for this example we named certificateCompanyAPIExample, you can download from the browser https:// SSL service (accept and download the certificate). the other way is using the openssl command and get the certificate in you screen, then you have to copy and past that code to a file an save it with any of this extensions ".cer" , ".pem", ".der", ".crt".

Command openssl example:

C:\Users\peter>openssl s_client -connect services.organization.com:443

Server certificate

-----BEGIN CERTIFICATE-----

MIIF3jCCBMagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCB6TELMAkGA1UEBhMCQ0wx ETAPBgNVBAgTCFNhbnRpYWdvMREwDwYDVQQHEwhTYW50aWFnbzElMCMGA1UEChQc O2+NF5vQ765pEwXawpVob6QHBiBJIeSk4ZbfjTavHS6oo6B4T1izKUX0A1AY4PN+

-----END CERTIFICATE-----

Then you have to copy this certificate to every node in your cluster.

Then you have to import the certificate with the keytool provided by java.

cd /usr/java/jdk1.7.0_55/jre/bin

./keytool -importcert -file /usr/java/jdk1.7.0_55/jre/lib/security/certificateCompanyAPIExample -keystore /usr/java/jdk1.7.0_55/jre/lib/security/cacerts

It's everythings is ok, the only thing you must do it's restart every MP in you cluster, one by one.

Now try again executing your api with javacallout step calling https service.

Best regards,

Jump to Solution
0 Likes