Still not working

We are getting this error since Saturday night:
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException:
PKIX path validation failed:
java.security.cert.CertPathValidatorException:
signature check failed
Our client is linux/axis.

Anybody else seeing that?




  • phanikumarkvr

    I am having the same issue and have sent multiple emails to MSN api help. They have not explicitly confirmed any issues but did say they are looking into it. I upgraded my WSDL and re-added certificates to the Java keystore to no avail. If this is working for anyone (using Apache Axis), can you please tell me what you have specified as the ApiUserAuthHeader parameter as well as the URL used in the Locator to get the Soap service?

    Thanks,
    Luke

  • ofer ebert

    Hello,

    Yes we have a problem when trying to download reports.

    We get the following exception:

    Exception in thread "main" AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    faultActor:
    faultNode:
    faultDetail:
    {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at com.msn.sm.ws.client.CampaignManagementSoapStub.getCampaigns(CampaignManagementSoapStub.java:1004)
    at com.msn.sm.ws.client.MSN.getCampaigns(MSN.java:164)
    at com.msn.sm.ws.testing.GetReport.main(GetReport.java:31)
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)
    at sun.security.validator.Validator.validate(Validator.java:203)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
    ... 22 more
    Caused by: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)
    ... 27 more
    Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:446)
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
    ... 31 more

    {http://xml.apache.org/axis/}hostname:orest

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at com.msn.sm.ws.client.CampaignManagementSoapStub.getCampaigns(CampaignManagementSoapStub.java:1004)
    at com.msn.sm.ws.client.MSN.getCampaigns(MSN.java:164)
    at com.msn.sm.ws.testing.GetReport.main(GetReport.java:31)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 12 more
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)
    at sun.security.validator.Validator.validate(Validator.java:203)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
    ... 22 more
    Caused by: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)
    ... 27 more
    Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:446)
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
    ... 31 more

    We just refreshed the .wsdl files, but it didn't help.

    Any comments from Microsoft?

    Thank you,
    Orest

  • cwchilders

    Thank you Orest. I have verified that this works (like a charm I might add). I wish MSN could have just told me how to get that certificate. I didn't think of clicking that lock icon.

  • Ram v

    Hello.

    A more optimal solution is to upload only certification authority (CA) certificates into the Java cacerts store. That is, you should not need to import the end certificate for Microsoft adCenter into your cacerts store. If the cacerts store contains the trusted root certificate and the trusted intermediate CA certs for the adCenter end certificate, the adCenter end certificate should also be trusted.

    The current certificate chain for the adCenter web service has the GTE CyberTrust Global Root certificate (with thumbprint 97817950d81c9670cc34d809cf794431367ef474) as the root certificate. This applies to both the production and sandbox environments. According to http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html#cacerts, the GTE CyberTrust Global Root certificate is already in the cacerts store for a default JVM. Importing the intermediate CA certificates for the adCenter service should then make the end certificate trusted.

    So please try importing only the adCenter intermediate CA certificates if your JVM is not yet set up to trust the adCenter service.

    To import the intermediate CA certificates for the adCenter service

    Important security note: When you import the intermediate CA certificates for adCenter, ensure that you get the certificates directly from a microsoft.com site for the production WSDLs, or msn.com for the sandbox WSDLs.

    1. Point your browser to the adCenter web service URL that you intend to use. For example, the production Administration WSDL: https://adcenterapi.microsoft.com/v2/Administration/Administration.asmx?wsdl. Depending on which browser you use, the remaining steps may differ. The steps here are shown for Internet Explorer 6.
    2. Double-click the lock icon in the status bar to open the Certificate dialog.
    3. Click the Certification Path tab.
    4. Click the GTE CyberTrust Global Root certificate.
    5. Click View Certificate. A second Certificate dialog is opened.
    6. Click the Details tab.
    7. Ensure that the thumbprint field is 97817950d81c9670cc34d809cf794431367ef474 (spaces may be included - it is the numerical sequence that is critical from a security point of view). Do not proceed if the thumbprint is not valid.
    8. Close the Certificate dialog.
    9. Click the Microsoft Internet Authority certificate in the previously opened (first) Certificate dialog.
    10. Click View Certificate.
    11. Click the Details tab.
    12. Click Copy to File.
    13. Use the Certificate Export Wizard to export an X.509 / .cer certificate. For example purposes, use MSFT_IA_Prod.cer as the name for the .cer file name. The '_Prod' suffix indicates it is for the production environment. Use '_Sbox' or something similar for the sandbox environment.
    14. Repeat steps 9 through 13 for the Microsoft Secure Server Authority certificate. For example purposes, use MSFT_SSA_Prod.cer for the .cer file name.
    15. You should now have two certificates to import. Use keytool to import them into your cacerts store. The following are example keytool import commands for the intermediate CA certificates that you exported from microsoft.com:
      keytool -import -alias MSFT_IA_Prod -file MSFT_IA_Prod.cer -keystore %JAVA_HOME%\jre\lib\security\cacerts
      keytool -import -alias MSFT_SSA_Prod -file MSFT_SSA_Prod.cer -keystore %JAVA_HOME%\jre\lib\security\cacerts

      You may need to change the paths and environment variables depending on how your Java environment is set up. Note that keytool will import to the location that you specify. If you are running multiple Java versions on your system, you would need to import the intermediate CA certificates for each Java version that you intend to use for adCenter development. Consult Sun's documentation for more information about keytool, including information about the importance of placing only trusted certificates into the cacerts store and information about the cacerts store password. At the time of this post, the following link contains Sun's documentation for keytool: http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
    16. Try executing Java code that utilizes the WSDL specified in Step 1. Other WSDLs that use the same adCenter API version and environment should also work. For example, if you load the intermediate CA certs for the V2 Administration WSDL in the production environment, the V2 CampaignManagement, CustomerManagement, and Reporting WSDLs in the production environment should work too.

    You will need to run a similar process for the sandbox WSDLs.

    Thank you,

    Walter Poupore - MSFT


  • Wouterd

    Is this a sandbox or production issue?

    Can you try re-adding the certificate again, by following the information in this thread: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=679136&SiteID=1

    Thanks,

    Shai


  • AliJC

    Hello fellows,

    I finally made it work.

    Here is what I did:

    I went to https://adcenterapi.microsoft.com/v2/Reporting/Reporting.asmx?wsdl (using IE) and clicked on the lock in the right lower corner. From there I exported the certificate to let's say abc.cer file.

    Having this file, I issued:

    keytool -import -alias MSFT_ADC -file abc.cer -keystore ${JAVA_HOME}/jre/lib/security/cacerts

    It asked me for a password. "changeit" made it.

    ... and it started working again.

    I hope this will help you.

    All the best,
    Orest

    P.S. Send me an e-mail if you want me to send you the abc.cer file I downloaded: orest at become dot com

  • ChristopherC

    # We will automate importing the SSL certificate for the MSN adCenter using standard Linux tools

    # First, use openssl to grab the certificate chain. Use perl to pick out the second certificate.
    echo '' | openssl s_client -showcerts -host adcenterapi.microsoft.com -port 443 | perl -e '$n=0;while(<>){$line=$_;if($line=~/^-----(BEGIN|END) CERTIFICATE-----$/){if($n==3){print $line;}$n++;}if($n==3){print $line}}' > /tmp/msnadcenter.cert

    # Second, delete any existing certificate (by alias) from the keystore
    $JAVA_HOME/bin/keytool -delete -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

    # Third, import the new certificate with an alias
    $JAVA_HOME/bin/keytool -import -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/msnadcenter.cert -storepass changeit -noprompt
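
The thumbprint check in step 7 of the CA-import procedure and the scripted import above both decide what ends up trusted in cacerts. As an added example (not code from any poster in this thread), the functions below import a certificate file only when its SHA-1 thumbprint equals a value you obtained out of band; the names `import_if_pinned`, `KEYTOOL` and `STOREPASS` are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate a cacerts import on a pinned SHA-1 thumbprint.

# normalize_fp TEXT: keep only hex digits and lowercase them, so
# "97 81 79 ...", "97:81:79:..." and "978179..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'A-F' 'a-f'
}

# fp_matches EXPECTED ACTUAL: true only for two equal 40-digit values.
fp_matches() {
    want=$(normalize_fp "$1")
    got=$(normalize_fp "$2")
    [ "${#want}" -eq 40 ] && [ "$want" = "$got" ]
}

# cert_sha1 FILE: print the SHA-1 thumbprint of a PEM or DER certificate.
cert_sha1() {
    line=$(openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null) ||
    line=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 2>/dev/null) ||
    return 1
    # openssl prints "SHA1 Fingerprint=AA:BB:..."; drop the label first.
    normalize_fp "${line#*=}"
}

# import_if_pinned FILE ALIAS EXPECTED_FP KEYSTORE
# Returns 2 if the file is not a readable certificate, 1 on a thumbprint
# mismatch, otherwise keytool's exit status. keytool is never run unless
# the thumbprint matched.
import_if_pinned() {
    actual=$(cert_sha1 "$1") || {
        echo "cannot read certificate: $1" >&2
        return 2
    }
    if ! fp_matches "$3" "$actual"; then
        echo "thumbprint mismatch for $1: got $actual" >&2
        return 1
    fi
    "${KEYTOOL:-keytool}" -import -noprompt -alias "$2" -file "$1" \
        -keystore "$4" -storepass "${STOREPASS:-changeit}"
}

# Usage (EXPECTED_FP is a placeholder for the value you verified yourself):
#   import_if_pinned /tmp/msnadcenter.cert msnadcenter "$EXPECTED_FP" \
#       "$JAVA_HOME/jre/lib/security/cacerts"
```

A certificate pulled with `openssl s_client` comes from whatever host answered the connection, so the pinned value has to come from a separate, trusted source for the check to mean anything.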


  • Phantisy

    Anyone using report service for downloading reports with V3 API?

    URL u = new URL(url);

    URLConnection conn = u.openConnection();

    conn.connect();

    Getting this exception

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    -Shriny



  • virtualTennis

    Hello,

    Based on more testing, we've found that installing the end (final) certificate is needed.

    Thank you for your patience regarding this issue.

    Walter Poupore - MSFT


  • Vladimir Nikitin

    I had this issue in the sandbox for 2 weeks but I now have it in production following the upgrade this weekend. I tried the steps in that thread yesterday and it did not work for production. However, it did fix the problem I was having in the sandbox. Go figure.

  • Shady9399

    Unfortunately, this does not seem to work, which is why I resorted to using end certificate. It was working originally, but following changes made on 9/23, it stopped working.

  • vicarious

    Yes - we are seeing it as well. Has MSN acknowledged that there is a problem?

  • Alain de la Kethulle

    I'm also having trouble with the suggested steps. It won't work unless I import the final certificate as well. Furthermore, assuming you have already imported msft_ia_prod and msft_ssa_prod into cacerts, then passing -trustcacerts (*) to keytool when importing the final certificate should avoid the trust confirmation question. However, it still asks you for confirmation, as it somehow doesn't recognize the link between the final certificate and the intermediates.

    * Option trustcacerts tells keytool -import to trust the certificates in cacerts when building the trust chain during an import operation.

    I've seen the same problem when using the intermediate certificates with OpenSSL's and GNU TLS's command-line SSL clients, as well as the w3m, Epiphany and Firefox browsers (the last one running on Win32).

    Any advice?