I am trying to establish a TLS connection. I read that in order to implement it I should init TLS params and set them on the conduit.
This is a generic method that is called from the consumer side in order to get a JAX-WS proxy. Could you please advise me what I am doing wrong?

    public static <T> T getSvc(String urlWsdl, Class<? extends Service> svcClass,
            Class<T> endpointCl) {
        Service service = null;
        try {
            final URL wsdl = new URL(urlWsdl);
            service = svcClass.getConstructor(URL.class).newInstance(wsdl);
        } catch (Exception ex) {}
        final T endPointInterface = service.getPort(endpointCl);
        // Configure TLS on the CXF client that backs the proxy.
        initTls(ClientProxy.getClient(endPointInterface));
        return endPointInterface;
    }

    private static void initTls(final Client client) {
        final HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
        final TLSClientParameters tlsClientParameters = new TLSClientParameters();
        try {
            // Load the truststore; KeyStore.load takes the password as a char[].
            final KeyStore trustStore = KeyStore.getInstance("JKS");
            trustStore.load(new FileInputStream("path"), "password".toCharArray());
            final TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
            tlsClientParameters.setTrustManagers(myTrustStoreKeyManagers);
            httpConduit.setTlsClientParameters(tlsClientParameters);
        } catch (Exception e) {}
    }

Now I am failing with an exception occurring at the line (service = svcClass.getConstructor(URL.class).newInstance(wsdl);)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at .....
Caused by: javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:151)
at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:101)
at javax.xml.ws.Service.<init>(Unknown Source)
at com.selity.service.v1.SelityService.<init>(SelityService.java:40)
... 31 more
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://somehost/SelitySvc?wsdl'.:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:263)
at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:206)
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
It means that the client does not trust the certificate presented by the server when it is trying to download the WSDL file. This operation happens prior to the configuration of TLS in the CXF client.
Alternatives:
1) Point to a local WSDL file.
2) Configure the truststore at JVM level.