
Calling an Oracle Cloud Service from Java

Posted by bleonard on May 2, 2013 at 5:25 PM PDT

By default, all connections to the Oracle Cloud are encrypted:

The Problem

Browsers automatically import the necessary certificates. A Java client trying to access these services, however, will not be so successful. Take this Java client:

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import java.net.URI;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriBuilder;

public class OracleCloudClientMain {

   public OracleCloudClientMain() {
      super();
   }

   public static void main(String[] args) {
      getJSON();
   }

   // Issue a GET for hellojersey/JSON over HTTPS and print the JSON response.
   // The TLS handshake validates the server's chain against the JVM's trust store.
   private static void getJSON() {
      ClientConfig config = new DefaultClientConfig();
      Client client = Client.create(config);
      WebResource service = client.resource(getBaseURI());
      System.out.println(service.path("hellojersey").path("JSON").
                         accept(MediaType.APPLICATION_JSON).get(String.class));
   }

   // Base URI of the service deployed to the Oracle Cloud.
   private static URI getBaseURI() {
      return UriBuilder.fromUri(
         "https://java-trialaxc2c.java.us1.oraclecloudapps.com/HelloJersey/jersey/"
         ).build();
   }
}

 

Attempting to run this, you'll get:

"C:\Program Files\Java\jdk1.7.0_17\bin\javaw.exe" -server -classpath C:\tmp\OracleCloudClientApp\.adf;C:\tmp\OracleCloudClientApp\OracleCloudClientApp\classes;C:\Users\bbleonar_us\Software\jersey-1.17\jersey-bundle-1.17.jar;C:\Users\bbleonar_us\Software\jersey-1.17\asm-3.3.1.jar -Djavax.net.ssl.trustStore=C:\u01\wls1036\wlserver_10.3\server\lib\DemoTrust.jks -Dhttp.proxyHost=www-proxy.us.oracle.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=localhost|localhost.localdomain|127.0.0.1|::1|10.159.132.41|leonard-pc|leonard-pc.us.oracle.com -Dhttps.proxyHost=www-proxy.us.oracle.com -Dhttps.proxyPort=80 -Dhttps.nonProxyHosts=localhost|localhost.localdomain|127.0.0.1|::1|10.159.132.41|leonard-pc|leonard-pc.us.oracle.com OracleCloudClientMain
Exception in thread "main" com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:151)

The Solution

One way to solve this problem is to import the certificate chain into the Java key store used by the application. Looking at the command line above, you'll notice that the key store is:

-Djavax.net.ssl.trustStore=C:\u01\wls1036\wlserver_10.3\server\lib\DemoTrust.jks

So, begin by saving the certificates. For Firefox, this can be done by clicking the More Information button on the pop-up shown above:

Then click View Certificate, which will open the Certificate Viewer. Switch to the Details tab, select the VeriSign Class 3 Secure Server CA - G3, click Export and save the VeriSignClass3SecureServerCA-G3.crt to your hard drive.

Now, open a command prompt and navigate to the location of the keystore, in my case C:\u01\wls1036\wlserver_10.3\server\lib\. You're going to use the Java keytool command to import the certificate:

C:\u01\wls1036\wlserver_10.3\server\lib>keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file c:\tmp\VeriSignClass3SecureServerCA-G3.crt -alias "OracleCloudAppsVeriSignG3"

Owner: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6ecc7aa5a7032009b8cebcf4e952d491
Valid from: Sun Feb 07 19:00:00 EST 2010 until: Fri Feb 07 18:59:59 EST 2020
Certificate fingerprints:
MD5: 3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE
SHA1: 5D:EB:8F:33:9E:26:4C:19:F6:68:6F:5F:8F:32:B5:4A:4C:46:B4:76
SHA256: 64:90:35:46:A5:80:58:D1:E6:F1:BE:AD:11:34:ED:E6:6A:68:31:D2:31:F0:DF:8D:4E:28:53:5D:7A:30:04:96
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
0000: 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 69 6D 0_.].[0Y0W0U..im
0010: 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 05 2B age/gif0!0.0...+
0020: 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E 6B C3 ..............k.
0030: CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 68 74 ..j.H.,...0%.#ht
0040: 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 73 69 tp://logo.verisi
0050: 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E 67 69 gn.com/vslogo.gi
0060: 66 f

#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.verisign.com
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7F D3 65 A7 C2 DD EC BB F0 30 09 F3 43 39 FA 02 ..e......0..C9..
0010: AF 33 31 33 .313
]
]
#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3-g5.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73 risign.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 1E 1A 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 0...https://www.
0010: 76 65 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 verisign.com/rpa
]] ]
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=VeriSignMPKI-2-6
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0D 44 5C 16 53 44 C1 82 7E 1D 20 AB 25 F4 01 63 .D\.SD.... .%..c
0010: D8 BE 79 A5 ..y.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore

After which, your call to the Java service in the Oracle Cloud will successfully run:

"C:\Program Files\Java\jdk1.7.0_17\bin\javaw.exe" -server -classpath C:\tmp\OracleCloudClientApp\.adf;C:\tmp\OracleCloudClientApp\OracleCloudClientApp\classes;C:\Users\bbleonar_us\Software\jersey-1.17\jersey-bundle-1.17.jar;C:\Users\bbleonar_us\Software\jersey-1.17\asm-3.3.1.jar -Djavax.net.ssl.trustStore=C:\u01\wls1036\wlserver_10.3\server\lib\DemoTrust.jks -Dhttp.proxyHost=www-proxy.us.oracle.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=localhost|localhost.localdomain|127.0.0.1|::1|10.159.132.41|leonard-pc|leonard-pc.us.oracle.com -Dhttps.proxyHost=www-proxy.us.oracle.com -Dhttps.proxyPort=80 -Dhttps.nonProxyHosts=localhost|localhost.localdomain|127.0.0.1|::1|10.159.132.41|leonard-pc|leonard-pc.us.oracle.com OracleCloudClientMain
["Hello","World"]
Process exited with exit code 0.

Calling from an Application Server

If you're trying to use the service from an application server, simply locate the key store in use by the server and add the certificate to it. In the case of WebLogic, you can find the location of the keystore in the AdminServer.log. For example:

javax.net.ssl.trustStore = C:\u01\fmw11117\WLSERV~1.3\server\lib\DemoTrust.jks

See Configuring Identity and Trust for all the details.
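
To confirm which trust store a JVM really uses, and that the certificate imported above is in it, the following added example (not part of the original post; the class name TrustStoreAudit is hypothetical) loads the effective JSSE trust store and looks for a certificate by the SHA-256 fingerprint keytool printed. Run it with the same -Djavax.net.ssl.trustStore option as the client or server; a different fingerprint can be passed as the first argument.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; the class name TrustStoreAudit is hypothetical.
public class TrustStoreAudit {
    // SHA-256 fingerprint that keytool printed for the imported CA in this post.
    static final String PAGE_SHA256 = "64:90:35:46:A5:80:58:D1:E6:F1:BE:AD:11:34:ED:E6:"
        + "6A:68:31:D2:31:F0:DF:8D:4E:28:53:5D:7A:30:04:96";

    // Colon-separated upper-case hex, the layout keytool uses.
    static String sha256(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String wanted = args.length > 0 ? args[0].toUpperCase() : PAGE_SHA256;
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore", "(unset, JDK default)"));
        // init(null) makes JSSE load its default trust store, which is the file
        // named by -Djavax.net.ssl.trustStore when that property is set.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        boolean found = false;
        long now = System.currentTimeMillis();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String fp = sha256(ca);
                boolean expired = ca.getNotAfter().getTime() < now;
                if (fp.equals(wanted)) found = true;
                // Print the certificate being looked for, plus any expired entry.
                if (fp.equals(wanted) || expired)
                    System.out.println((expired ? "EXPIRED " : "VALID   ")
                        + ca.getSubjectX500Principal().getName() + "  " + fp);
            }
        }
        System.out.println(found ? "Certificate is in the effective trust store."
                                 : "Certificate is NOT in the effective trust store.");
        System.exit(found ? 0 : 1);
    }
}
```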