It finally worked

We are getting this error since Saturday night:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path validation failed:
java.security.cert.CertPathValidatorException:
signature check failed

Our client is Linux/Axis.

Anybody else seeing that?

[307 byte] By [henri805] at [2008-2-4]
# 1
Yes - we are seeing it as well. Has MSN acknowledged that there is a problem?
newdpon at 2007-9-3 > top of Msdn Tech,Windows Live Developer Forums,Microsoft adCenter: Development...
# 2
Hello,

Yes we have a problem when trying to download reports.

We get the following exception:

Exception in thread "main" AxisFault

faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException

faultSubcode:

faultString: javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX path validation failed:

java.security.cert.CertPathValidatorException: signature check failed

faultActor:

faultNode:

faultDetail:


{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX path validation failed:

java.security.cert.CertPathValidatorException: signature check failed

at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)

at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)

at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)

at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)

at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)

at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)

at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)

at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)

at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)

at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)

at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)

at org.apache.axis.client.Call.invokeEngine(Call.java:2784)

at org.apache.axis.client.Call.invoke(Call.java:2767)

at org.apache.axis.client.Call.invoke(Call.java:2443)

at org.apache.axis.client.Call.invoke(Call.java:2366)

at org.apache.axis.client.Call.invoke(Call.java:1812)

at com.msn.sm.ws.client.CampaignManagementSoapStub.getCampaigns(CampaignManagementSoapStub.java:1004)

at com.msn.sm.ws.client.MSN.getCampaigns(MSN.java:164)

at com.msn.sm.ws.testing.GetReport.main(GetReport.java:31)

Caused by: sun.security.validator.ValidatorException: PKIX path

validation failed: java.security.cert.CertPathValidatorException:

signature check failed

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)

at sun.security.validator.Validator.validate(Validator.java:203)

at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)

at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)

... 22 more

Caused by: java.security.cert.CertPathValidatorException: signature check failed

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)

at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)

... 27 more

Caused by: java.security.SignatureException: Signature does not match.

at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:446)

at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)

at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)

... 31 more

{http://xml.apache.org/axis/}hostname:orest

javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX path validation failed:

java.security.cert.CertPathValidatorException: signature check failed

at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)

at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)

at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)

at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)

at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)

at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)

at org.apache.axis.client.Call.invokeEngine(Call.java:2784)

at org.apache.axis.client.Call.invoke(Call.java:2767)

at org.apache.axis.client.Call.invoke(Call.java:2443)

at org.apache.axis.client.Call.invoke(Call.java:2366)

at org.apache.axis.client.Call.invoke(Call.java:1812)

at com.msn.sm.ws.client.CampaignManagementSoapStub.getCampaigns(CampaignManagementSoapStub.java:1004)

at com.msn.sm.ws.client.MSN.getCampaigns(MSN.java:164)

at com.msn.sm.ws.testing.GetReport.main(GetReport.java:31)

Caused by: javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX path validation failed:

java.security.cert.CertPathValidatorException: signature check failed

at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)

at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)

at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)

at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)

at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)

at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)

at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)

... 12 more

Caused by: sun.security.validator.ValidatorException: PKIX path

validation failed: java.security.cert.CertPathValidatorException:

signature check failed

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)

at sun.security.validator.Validator.validate(Validator.java:203)

at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)

at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)

... 22 more

Caused by: java.security.cert.CertPathValidatorException: signature check failed

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)

at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)

... 27 more

Caused by: java.security.SignatureException: Signature does not match.

at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:446)

at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)

at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)

... 31 more

We just refreshed the .wsdl files, but it didn't help.

Any comments from Microsoft?

Thank you,

Orest

OrestBolohan at 2007-9-3
# 3
I am having the same issue and have sent multiple emails to MSN API help. They have not explicitly confirmed any issues but did say they are looking into it. I upgraded my WSDL and re-added certificates to the Java keystore to no avail. If this is working for anyone (using Apache Axis), can you please tell me what you have specified as the ApiUserAuthHeader parameter as well as the URL used in the Locator to get the SOAP service?

Thanks,
Luke

fulish1 at 2007-9-3
# 4

Is this a sandbox or production issue?

Can you try re-adding the certificate again, by following the information in this thread: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=679136&SiteID=1

Thanks,

Shai

ShaiKariv-MSFT at 2007-9-3
# 5
I had this issue in the sandbox for 2 weeks but I now have it in production following the upgrade this weekend. I tried the steps in that thread yesterday and it did not work for production. However, it did fix the problem I was having in the sandbox. Go figure.
fulish1 at 2007-9-3
# 6
Hello fellows,

I finally made it work.

Here is what I did:

I went to

https://adcenterapi.microsoft.com/v2/Reporting/Reporting.asmx?wsdl

(using IE) and clicked on the lock in the right lower corner. From there I exported the certificate to let's say abc.cer file.

Having this file, I issued:

keytool -import -alias MSFT_ADC -file abc.cer -keystore ${JAVA_HOME}/jre/lib/security/cacerts

It asked me for a password. "changeit" made it.

... and it started working again.

I hope this will help you.

All the best,

Orest

P.S. Send me an e-mail if you want me to send you the abc.cer file I downloaded: orest at become dot com

OrestBolohan at 2007-9-3
# 7
Thank you Orest. I have verified that this works (like a charm I might add). I wish MSN could have just told me how to get that certificate. I didn't think of clicking that lock icon.
fulish1 at 2007-9-3
# 8

Hello.

A more optimal solution is to upload only certification authority (CA) certificates into the Java cacerts store. That is, you should not need to import the end certificate for Microsoft adCenter into your cacerts store. If the cacerts store contains the trusted root certificate and the trusted intermediate CA certs for the adCenter end certificate, the adCenter end certificate should also be trusted.

The current certificate chain for the adCenter web service has the GTE CyberTrust Global Root certificate (with thumbprint 97817950d81c9670cc34d809cf794431367ef474) as the root certificate. This applies to both the production and sandbox environments. According to http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html#cacerts, the GTE CyberTrust Global Root certificate is already in the cacerts store for a default JVM. Importing the intermediate CA certificates for the adCenter service should then make the end certificate trusted.

So please try importing only the adCenter intermediate CA certificates if your JVM is not yet set up to trust the adCenter service.

To import the intermediate CA certificates for the adCenter service

Important security note: When you import the intermediate CA certificates for adCenter, ensure that you get the certificates directly from a microsoft.com site for the production WSDLs, or msn.com for the sandbox WSDLs.

  1. Point your browser to the adCenter web service URL that you intend to use. For example, the production Administration WSDL: https://adcenterapi.microsoft.com/v2/Administration/Administration.asmx?wsdl. Depending on which browser you use, the remaining steps may differ. The steps here are shown for Internet Explorer 6.
  2. Double-click the lock icon in the status bar to open the Certificate dialog.
  3. Click the Certification Path tab.
  4. Click the GTE CyberTrust Global Root certificate.
  5. Click View Certificate. A second Certificate dialog is opened.
  6. Click the Details tab.
  7. Ensure that the thumbprint field is 97817950d81c9670cc34d809cf794431367ef474 (spaces may be included - it is the numerical sequence that is critical from a security point of view). Do not proceed if the thumbprint is not valid.
  8. Close the Certificate dialog.
  9. Click the Microsoft Internet Authority certificate in the previously opened (first) Certificate dialog.
  10. Click View Certificate.
  11. Click the Details tab.
  12. Click Copy to File.
  13. Use the Certificate Export Wizard to export an X.509 / .cer certificate. For example purposes, use MSFT_IA_Prod.cer as the name for the .cer file name. The '_Prod' suffix indicates it is for the production environment. Use '_Sbox' or something similar for the sandbox environment.
  14. Repeat steps 9 through 13 for the Microsoft Secure Server Authority certificate. For example purposes, use MSFT_SSA_Prod.cer for the .cer file name.
  15. You should now have two certificates to import. Use keytool to import them into your cacerts store. The following are example keytool import commands for the intermediate CA certificates that you exported from microsoft.com:
    keytool -import -alias MSFT_IA_Prod -file MSFT_IA_Prod.cer -keystore %JAVA_HOME%\jre\lib\security\cacerts
    keytool -import -alias MSFT_SSA_Prod -file MSFT_SSA_Prod.cer -keystore %JAVA_HOME%\jre\lib\security\cacerts


    You may need to change the paths and environment variables depending on how your Java environment is set up. Note that keytool will import to the location that you specify. If you are running multiple Java versions on your system, you would need to import the intermediate CA certificates for each Java version that you intend to use for adCenter development. Consult Sun's documentation for more information about keytool, including information about the importance of placing only trusted certificates into the cacerts store and information about the cacerts store password. At the time of this post, the following link contains Sun's documentation for keytool: http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
  16. Try executing Java code that utilizes the WSDL specified in Step 1. Other WSDLs that use the same adCenter API version and environment should also work. For example, if you load the intermediate CA certs for the V2 Administration WSDL in the production environment, the V2 CampaignManagement, CustomerManagement, and Reporting WSDLs in the production environment should work too.

You will need to run a similar process for the sandbox WSDLs.

Thank you,

Walter Poupore - MSFT

WalterPoupore-MSFT at 2007-9-3
# 9
Unfortunately, this does not seem to work, which is why I resorted to using end certificate. It was working originally, but following changes made on 9/23, it stopped working.
fulish1 at 2007-9-3
# 10

# We will Automate importing the ssl certificate for the MSN adcenter using standard linux tools

# First Use openssl to grab the certificate chain. Use perl to pick out the second certificate.
echo '' | openssl s_client -showcerts -host adcenterapi.microsoft.com -port 443 | perl -e '$n=0;while(<>){$line=$_;if($line=~/^-----(BEGIN|END) CERTIFICATE-----$/){if($n==3){print $line;}$n++;}if($n==3){print $line}}' > /tmp/msnadcenter.cert

# Second Delete any existing certificate (by alias) from the keystore
$JAVA_HOME/bin/keytool -delete -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

# Third Import the new certificate with an alias
$JAVA_HOME/bin/keytool -import -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/msnadcenter.cert -storepass changeit -noprompt

tralatmack at 2007-9-3
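
An automated import like the one in post #10 trusts whatever certificate the connection returns, while step 7 of post #8 says not to proceed unless the thumbprint matches. The script below is an added example, not code from any poster in this thread, that makes the thumbprint check a precondition of the keytool import. The function names, the STOREPASS variable and the argument order are assumptions of this example, and EXPECTED_FP must be obtained through a channel you trust, not from the same connection.

```shell
#!/bin/sh
# Added example (not from the thread): import a server certificate into a
# Java keystore only after its SHA-1 thumbprint matches a pinned value.

# Reduce a thumbprint to bare lowercase hex: "97 81 ..." / "97:81:..." -> "9781..."
normalize_fp() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'A-F' 'a-f'
}

# Print the Nth (1-based) PEM certificate found on stdin, e.g. in the
# output of `openssl s_client -showcerts`. 1 is the end certificate.
nth_cert() {
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; on = 1 }
        on && n == want                 { print }
        /^-----END CERTIFICATE-----$/   { on = 0 }
    '
}

# Normalized SHA-1 thumbprint of a PEM certificate file.
cert_sha1() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_fp "${fp#*=}"      # output looks like "SHA1 Fingerprint=97:81:..."
}

# import_if_pinned FILE EXPECTED_FP ALIAS KEYSTORE
# Returns 1 (and imports nothing) when the thumbprint differs.
import_if_pinned() {
    actual=$(cert_sha1 "$1") || return 2
    if [ "$actual" != "$(normalize_fp "$2")" ]; then
        echo "thumbprint mismatch for $1: got $actual" >&2
        return 1
    fi
    keytool -import -noprompt -alias "$3" -file "$1" \
        -keystore "$4" -storepass "${STOREPASS:-changeit}"
}

# Usage: sh pin_import.sh HOST INDEX EXPECTED_FP ALIAS KEYSTORE
if [ "$#" -eq 5 ]; then
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    echo '' | openssl s_client -showcerts -connect "$1:443" 2>/dev/null |
        nth_cert "$2" > "$tmp"
    import_if_pinned "$tmp" "$3" "$4" "$5"
fi
```

Run without arguments, the script only defines the functions; with five arguments it fetches the chain, extracts the requested certificate and imports it only when the pin matches.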
# 11
I'm also having trouble with the suggested steps. It won't work unless I import the final certificate as well. Furthermore, assuming you have already imported msft_ia_prod and msft_ssa_prod into cacerts, then passing -trustcacerts (*) to keytool when importing the final certificate should avoid the trust confirmation question. However, it still asks you for confirmation, as it somehow doesn't recognize the link between the final certificate and the intermediates.

* Option trustcacerts tells keytool -import to trust the certificates in cacerts when building the trust chain during an import operation.

I've seen the same problem when using the intermediate certificates with OpenSSL's and GNU TLS's command-line SSL clients, as well as the w3m, Epiphany and Firefox browsers (the last one running on Win32).

Any advice?

jkohen at 2007-9-3
# 12

Hello,

Based on more testing, we've found that installing the end (final) certificate is needed.

Thank you for your patience regarding this issue.

Walter Poupore - MSFT

WalterPoupore-MSFT at 2007-9-3
# 13

Anyone using report service for downloading reports with V3 API

URL u = new URL(url);

URLConnection conn = u.openConnection();

conn.connect();

Getting this exception

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

-Shriny

shriny at 2007-9-3
