Wednesday, July 24, 2013

OWSM Note - When import certs, remember to bring in the chain if neccessary

OWSM has so many aspects, it's impossible to discuss OWSM in a few posts. So I'm splitting things up and add specific notes as I go.
Context: I am running test with SAML policy with msg protection on two hosts. The client server has a key store contains its private key “foo”, and server contains private key “bar”.
BTW, OWSM key store, by default, is under <domain home>/config/fmwconfig/default-keystore.jks. The actual location can be found in <domain home>/config/fmwconfig/jps-config.xml.
After I exchanged the certs of the two servers, the picture looks like:
·        Client key store: client private key “foo”, imported server cert “bar
·        Server key store: server private key “bar”, “bar CA”, imported client cert “foo”
when I ran the test, the client side log file produces this:
<Error> <> <WSM-00138>
The path to the certificate is invalid due to Path does not chain with any of the trust anchors .
Validation failed for certificate "CN=bar, OU=Application Development & Architecture, O=ACME Inc., L=Phoenix, ST=Arizona, C=US" Issuer of certificate is "C=US, ST=Arizona, L=Phoenix, O="ACMEInc.", OU=Application Development & Architecture, CN=bar CACertificates in cert path used for validation are  CN=foo, OU=Application Development & Architecture, O=ACME Inc., L=Phoenix, ST=Arizona, C=US.
Looking at key store picture above, it appears that I have exchanged keys “foo” and “bar” properly. So we do I get cert errors? After closely examine the errors messages and the key stores, I found out the problem is the cert I imported into the client store was not a root CA cert. I need to import the server cert as well as it's CA. Here is the new picture:
·        Client key store: client private key “foo”, imported server cert “bar”, imported server “bar CA” cert
·        Server key store: server private key “bar”, “bar CA”, imported client cert “foo
The revealing parts of the error message are “path to the certificate” and “chain”. That leads me to examine the key stores. I noticed that server cert “bar” shows “Certificate chain length: 2”, and finally I realized importing “bar” alone to the client store without its CA is causing the problem. The solution is to import “bar CA” into the client store as well. That took care of the problem.
Let me list all the keytool commands I use to diagnose and resolve the issue. Keytool is under Java bin directory.
Generate key pair:
keytool -genkeypair -alias foo  -keyalg RSA -keypass welcome1 -keystore client-keystore.jks  -storepass welcome1 -validity 3650
I am getting into the habit to set validity to 10 years (3650 days). I ran into too many times of using the default of 1 year, then my test server stops running after a year, and took me long time to find out why.
Keep in mind, alias “foo” is only a local alias in this key store, when you export “foo”, then re-import it into another store, you can give it a different alias, say for example, call it “client_foo”.
Examine the key store:
keytool -list -v -storepass welcome1 -keystore client-keystore.jks
When I ran this command on the server key store, I saw the server cert has a key length of 2. I also found the CA for the server cert in the same key store.
Export cert:
keytool -exportcert -alias foo -keystore client-keystore.jks -storepass welcome1 -file client_foo.cer
Import cert:
keytool -importcert -alias client_foo -keystore server_keystore.jks -storepass serverKeyPass -file client_foo.cert
Import CA cert:
keytool -importcert -trustcacerts -alias "bar CA" -keystore client-keystore.jks -storepass welcome1 -file bar-ca.cer
If the cert you import is chained to a CA (or more), you need to import CA certs.


  1. Hi Yuan,
    I'm havin problems with Oracle Sales Cloud integration, and the error I get is the same. Can you please tell me how to obtain this CA certificate?

    Thank you in advance

  2. It has been so long. I'm not so sure. If you examine (-list command) your cert, did you see key length 2 or more?

    If you downloaded your cert using browser, I vaguely remember that you can see CA in the browser. For example, if you use chrome to visit your bank https url, you will see the lock icon next to "https", right click, view details, view certificate, certificate path, you should see the path. Click on the CA, and use details to export the cert. Then import CA to your keystore as instructed in the blog. Good luck!