AXL Java Client Demo using JAX-WS ssl handshake exception error

vgrigoriadis · ‎10-22-2014

Hello I'm trying to test the Cisco AXL Java Client Demo on my CUCM (9.1).

This is the demo package from cisco which displays the value of the "product" field that is returned in the getPhone response.

I copied the code from https://developer.cisco.com/site/collaboration/management/axl/learn/how-to/axl-java-sample-application.gsp

and followed the instructions.

i'm using Eclipse and I'm a newbie!

By the way I have installed java 7, 8 and jdk1.8.0_11 on my PC (default jre7 for this application).

I get the following error when I run the java application through CMD:

╧ΆΪ 22, 2014 4:52:44 ╠╠ com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser pa

rseWSDL

WARNING: Import of file:/C:/Program%20Files/Java/jdk1.8.0_11/bin/schema/current/

AXLSoap.xsd is violation of BP 1.1 R2001. Proceeding with a warning.

R2001 A DESCRIPTION must only use the WSDL "import" statement to import another

WSDL description.

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportExcepti

on: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.vali

dator.ValidatorException: PKIX path building failed: sun.security.provider.certp

ath.SunCertPathBuilderException: unable to find valid certification path to requ

ested target

at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.get

Output(Unknown Source)

at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.proce

ss(Unknown Source)

at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.proce

ssRequest(Unknown Source)

at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processReques

t(Unknown Source)

at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source)

at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source)

at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source)

at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source)

at com.sun.xml.internal.ws.client.Stub.process(Unknown Source)

at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source)

at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown S

ource)

at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown S

ource)

at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source)

at com.sun.proxy.$Proxy33.getPhone(Unknown Source)

at com.cisco.axl.demo.Demo.getPhone(Demo.java:170)

at com.cisco.axl.demo.Demo.getPhoneInfo(Demo.java:138)

at com.cisco.axl.demo.Demo.main(Demo.java:119)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.Validator

Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPath

BuilderException: unable to find valid certification path to requested target

at sun.security.ssl.Alerts.getSSLException(Unknown Source)

at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)

at sun.security.ssl.Handshaker.fatalSE(Unknown Source)

at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)

at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

at sun.security.ssl.Handshaker.processLoop(Unknown Source)

at sun.security.ssl.Handshaker.process_record(Unknown Source)

at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source

)

at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect

(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown

Source)

at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown S

ource)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unk

nown Source)

... 17 more

Caused by: sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali

d certification path to requested target

at sun.security.validator.PKIXValidator.doBuild(Unknown Source)

at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)

at sun.security.validator.Validator.validate(Unknown Source)

at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Sour

ce)

... 30 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to

find valid certification path to requested target

at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Sourc

e)

at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown

Source)

at java.security.cert.CertPathBuilder.build(Unknown Source)

... 36 more

I have downloaded the Certificate from my CUCM and stored it to keystore using the java keytool, but I still get that error.

I'm using the fully qualified URL hostname (not the IP address) of my CUCM but still the error exists. I can access my CUCM from web

using its hostname. The axl interface also works. It asks me for user and password info and then displays:

The AXL Web Service is working and accepting requests. Use HTTP POST to send a request.

Any ideas please?

Thanks!

npetrele · ‎10-23-2014

Here's a complete working sample for 10.5. I don't know why it shouldn't work on your 9.1 system if you change the import statement to fit. I've attached the Java file just in case the forum mangles the code.

package com.yourcompany.yoursystem.sample;

import com.cisco.axl.api._10.*;
import com.cisco.axlapiservice.AXLAPIService;
import com.cisco.axlapiservice.AXLPort;
import com.cisco.axlapiservice.AXLError;

import javax.xml.ws.BindingProvider;

public class AXLTest {

     protected static String ucHost = null;
     protected static String ucAdmin = null;
     protected static String ucPwd = null;
     protected static String ucCrit = null;

     public static void main(String[] args) throws Exception {

          if (args.length < 4) {
               System.out
                         .println("Usage: AXLTest   hostname username password search-criteria ");
               System.exit(1);
          } else {
               ucHost = args[0];
               ucAdmin = args[1];
               ucPwd = args[2];
               // in this case, the search criteria is the phone name, such as SEP101010101010
               ucCrit = args[3];
          }

          AXLAPIService service = new AXLAPIService();
          AXLPort axlPort = service.getAXLPort();

          String validatorUrl = "https://" + ucHost + "/axl/";

          ((BindingProvider) axlPort).getRequestContext().put(
                    BindingProvider.ENDPOINT_ADDRESS_PROPERTY, validatorUrl);
          ((BindingProvider) axlPort).getRequestContext().put(
                    BindingProvider.USERNAME_PROPERTY, AXLTest.ucAdmin);
          ((BindingProvider) axlPort).getRequestContext().put(
                    BindingProvider.PASSWORD_PROPERTY, AXLTest.ucPwd);

          GetPhoneReq axlParams = new GetPhoneReq();

          // In this case, ucCrit is the phone name
          axlParams.setName(ucCrit);

          try {
               GetPhoneRes getPhoneResponse = axlPort.getPhone(axlParams);
               System.out.println("Product="
                         + getPhoneResponse.getReturn().getPhone().getProduct());
          } catch (AXLError e) {
               System.out.println("An AXLError occurred: " + e.getFaultInfo());
          }

     }

}

npetrele · ‎10-23-2014

One more thing -- here's where the keystore is located now:

$JAVA_HOME\jre\lib\security\cacerts

If I recall correctly, the password for the keystore is "changeit".

But make sure that's the jre you're using for the eclipse build. If you have multiple jres on your system (I do), then you can accidentally add the key to one keystore but use another jre for the build, and that other jre doesn't have the certificate in the store.

vgrigoriadis · ‎10-24-2014

Hello Nicholas.

Thanks very much for your replyt!

I had already imported the certificate to all java keystores (jre 1.8, jre7) that I use, but it didn't solve the problem. The code you send me is different than the one in Cisco Demo. I'm upgrading my CUCM to version 10.5 next week so I will try your code then. By the way I have just downloaded java8, how can I import the WSDL schema? There is no wsimport command in java8 neither in java7...

Thanks again for your reply.

Much appreciated.

Best regards

Vasilis

npetrele · ‎10-24-2014

I have jdk1.8.0_11 and wsimport is here on my PC: C:\Program Files\Java\jdk1.8.0_11\bin\wsimport.exe

Maybe you need to download the sdk, not just the jre?

vgrigoriadis · ‎10-27-2014

Hi Nicholas.

You are absolutely right, I will download the SDK too. This week I have the CUCM upgrade to 10.5.1. So next week I will resume my work on the API and let you know of the outcome.

Thanks again.Take care.

yuanzli · ‎03-29-2015

Hi, I met the same problem.

Could you tell me how did you solve it?

Thank you!

vgrigoriadis · ‎11-17-2015

Hello, Yuan,

I haven't solved it. I was busy on other projects. I will restart work on it soon.

Sorry for the late reply.

Jeff Levensailor · ‎10-20-2015

I'm having a similar issue - in my case I've imported the ca cert using the following:

sudo keytool -keystore cacerts -importcert -alias pns -file pnslabs-CORE-LDAP-CA.crt

I've also copied the certificate here:

/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security

I'm using the exact code copy and pasted from here:

https://developer.cisco.com/site/axl/learn/how-to/axl-java-sample-application.gsp

Weird part is, It looks like it successfully finds a matching ca cert, but still throws the error:

certpath: X509CertSelector.match(SN: 7d8459d56cb81d8c4dd6577eb8e53b7b

Issuer: CN=pnslabs-CORE-LDAP-CA, DC=pnslabs, DC=com

Subject: CN=pnslabs-CORE-LDAP-CA, DC=pnslabs, DC=com)

certpath: X509CertSelector.match returning: true

certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs

certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0

certpath: SunCertPathBuilder.depthFirstSearchForward(): backtracking

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

dstaudt · ‎10-21-2015

It looks like the Subject CN of the cert is a domain name - note, if you try to establish the connection by providing just the IP address to the app, the IP string will not match the cert Subject name string, and the handshake will fail. If this is the case, you will need to provide the host name, and DNS lookups need to be working for the host (by editing the 'hosts' file on your local PC if you don't have the ability to add a real DNS entry to your network)