Tuesday, August 29, 2006

SSL setup with MSN Adcenter

I will be posting a series of blogs on my experiences with working on a project utilizing the Microsoft adcenter as I encounter them. Let me share my experience with the security set up I struggled with initially

Platform: Linux
environment: J2EE

I kept getting the error

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


in the initial stage. The first time I encountered this error was during the WSDL to JAVA source creation. The WSDL's are hosted on a secure site (https://beta6.api.idss.msn.com/v2) and thus needed the certs to be stored in the keystore. I circumvented it by downloading the WSDL's from browser and supplying local file URL as parameter to axis's WSDL2Java utility and that created the source files.

The error came back to haunt me as the webservice is also hosted on a secure site. I downloaded the certificate from the adcenter UI on sandbox (https://beta1.idss.msn.com/) using IE browser

(Double click the SSL lock icon in the bottom pane in the IE browser --> Details tab --> Copy to file --> [[format]] DER X.509)

and stored the cert in my local keystore using the command

keytool -import -file [[saved cert file loc]] -alias sandbox_api_cert -keystore MSN_Keystore
VM Arguments:
-Djavax.net.ssl.trustStore = [[keystore location]]
-Djavax.net.ssl.trustStorePassword = [[passwd]]

However this did not solve the problem.

On further research I found that "if you use a certificate not signed by a pre-installed certificate authority (=root cert), you need to import both your cert and the root cert". I checked the browser to see the root cert

(Double click the SSL lock icon in the bottom pane in the IE browser --> Certification Path tab)

and voila!!!! the cert was internally chained 3 times (GTE CyberTrust Global Root --> Microsoft Internet Authority --> Microsoft Secure Server Authority --> Beta1.idss.msn.com). I had already entered the cert for Beta1.idss.msn.com in my local keystore (as explained above) and so I proceeded to check if the certs for the other chain members are available in the jdk1.5.0_04/jre/lib/security/cacerts file using the command

keytool -v -list -keystore cacerts | grep gte
Enter keystore password: changeit
Alias name: gtecybertrustglobalca
Alias name: gtecybertrustca
Alias name: gtecybertrust5ca

keytool -v -list -keystore cacerts -alias gtecybertrustglobalca
Enter keystore password: changeit
Alias name: gtecybertrustglobalca
Creation date: May 10, 2002
Entry type: trustedCertEntry

Owner: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 1a5
Valid from: Wed Aug 12 17:29:00 MST 1998 until: Mon Aug 13 16:59:00 MST 2018
Certificate fingerprints:
MD5: CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74

keytool -v -list -keystore cacerts | grep microsoft
Enter keystore password: changeit

So the middle chain members Microsoft Internet Authority --> Microsoft Secure Server Authority were not available in my cacerts file. I went ahead and downloaded these certs from the browser

(Double click the SSL lock icon in the bottom pane in the IE browser --> Certification Path tab --> click on each certicate --> View Certificate)

and follow the procedure above to save and enter the cert into local keystore. Once I did this the previous problem was resolved however I was getting a new error

"java.security.cert.CertPathValidatorException: signature check failed"

I was pretty sure that one of my certs was wrong so I checked the WSDL to see where the webservice was hosted and it was different from where the UI was hosted. It was hosted on https://beta6.api.idss.msn.com. So I went ahead and downloaded the cert and stored it under local keystore and this resolved all the SSL errors.