Axis2 Client: How to indicate a certificate correctly a trust store

It recently happened to me that I had to make SOAP calls through an Axis2-based client and use a particular certificate of trust. The problem came from the way the certificate of trust was indicated and how we were invoking our program.

The first solution was the widely known solution of setting up such a certificate in the system. In the following way:

System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trstStorePass);
System.setProperty("javax.net.ssl.trustStoreType", trustStoreType);

This solution works well on its own. The problem in our case was when we launched the execution through Maven. And this is because Maven makes its own calls to certain repositories to check the status of the project’s libraries. And by doing this Axis2 caches the certificate previously used by Maven, i.e. the certificate of the Java virtual machine. Therefore the subsequent setting of our certificate is useless.

How did I come to this conclusion? If you run the program with Maven’s offline command, and it worked correctly. And if you run it without this command, when you try to make the call, it indicates that it cannot find a valid certificate.

unable to find valid certification path to requested target

The solution can be simply to download the certificate of the host we are going to call and add it to the trusted certificate of the virtual machine.

sudo keytool -import -trustcacerts -file /path/to/ca/ca.pem \
-alias mydomain -keystore $JAVA_HOME/jre/lib/security/cacerts

But as we are in a Post about Java we are going to see how to do it with Java. And for them, we are going to make use of the commons-io library and its Protocol class. This will allow us to indicate our own authorization to use in the calls with the indicated protocol, in our case SSL.

In our case, we will do it through the class AuthSSLProtocolSocketFactory which allows us to validate the identity of HTTPS servers within a list of trusted certificates. The server will be the endpoint to which we will call and the trusted certificate will be the server certificate that is stored in the Keystore that we will pass on to it.

And that’s all, now it will work correctly. As you can see, an easy solution to an easy problem.