Thursday, June 13, 2013

com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed

Lets talk about how to resolve certificate validation failed error while receiving SOAP based web service requests from clients. If you receive an error on the server side as given below, you are not alone. Lets see below how to resolve the error.

Exception stack trace:-

SEVERE: WSS1353: Error occurred while resolving key information
com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:322)
at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolveToken(KeySelectorImpl.java:1317)
at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolve(KeySelectorImpl.java:625)
at com.sun.xml.wss.impl.dsig.KeySelectorImpl.select(KeySelectorImpl.java:232)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:500)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:232)
at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:772)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:514)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:79)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:252)
at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:849)
at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:801)
at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:242)
at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:134)
at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:162)
...

Solution:-
If you are exposing a secured web service using Spring WS and encountered the following error while handling client request, it means that your truststore does not have the certificate sent by the client. If you think the client is valid, add the certificate to your truststore.

How to import certificate into truststore?

keytool -import -trustcacerts -alias client1 -file clientcertificate.cer -keystore mytruststore.jks -storepass mypassword





No comments:

Post a Comment

Post a Comment