how did you create the keystore? #12

Open
simonsaidit opened this issue Nov 7, 2017 · 2 comments

Comments

@simonsaidit

Hi, I have issues when creating my own keystores.

I import the certificate to kontaktinfo-client-test.jks and I can use that to send and get an answer.
I put my public key certificate in kontaktinfo-server-test.jks but I get errors.

"The security token could not be authenticated or authorized"

What would be the procedure to set this up for e.g.
916366980096671047014958-2016-01-14.p12 that I got from Buypass?

@aslakjo

aslakjo commented Nov 16, 2017

Sounds like you are on the right track.

I want to check a few things first: I am assuming you are using the Java client, and that you have updated the properties files in https://github.com/difi/kontaktregisteret-klient/tree/master/oppslagstjenesten-java-client/src/main/resources with your key aliases within the keystore and the password for the keystore?

Also you are saying that you are able to both send and receive. When does the error occur? Could you attach a stack trace maybe?
Could you send me more information about the request you are sending to the server? Then it is easier to help you find a solution.

@simonsaidit
Author

Yes. I can update the client keystore and have everything work if I then use the existing server keystore. If I import the public key, or the entire certificate, the intermediate test CA and root test CA, or the production root/intermediate into my own keystore, I get the error below:

T E S T S

Running no.difi.oppslagstjenesten.client.v5.OppslagstjenestenV5ClientTest
Nov 16, 2017 8:53:55 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
INFO: Creating Service {http://kontaktinfo.difi.no/wsdl/oppslagstjeneste-16-02}Oppslagstjeneste1602Service from class no.difi.kontaktinfo.wsdl.oppslagstjeneste_16_02.Oppslagstjeneste1602
Nov 16, 2017 8:53:56 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
INFO: Creating Service {http://kontaktinfo.difi.no/wsdl/oppslagstjeneste-16-02}Oppslagstjeneste1602Service from class no.difi.kontaktinfo.wsdl.oppslagstjeneste_16_02.Oppslagstjeneste1602
Nov 16, 2017 8:53:56 AM org.apache.cxf.services.Oppslagstjeneste1602Service.oppslagstjeneste-16-02Port.oppslagstjeneste-16-02
INFO: Outbound Message

ID: 1
Address: https://kontaktinfo-ws-ver1.difi.no/kontaktinfo-external/ws-v5
Encoding: UTF-8
Http-Method: POST
Content-Type: application/soap+xml
Headers: {Accept=[/]}

Nov 16, 2017 8:53:56 AM org.apache.cxf.services.Oppslagstjeneste1602Service.oppslagstjeneste-16-02Port.oppslagstjeneste-16-02
INFO: Inbound Message

ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: application/soap+xml;charset=utf-8
Headers: {Accept=[application/soap+xml, text/html, image/gif, image/jpeg, *; q=.2, /; q=.2], connection=[Keep-Alive], Content-Length=[9838], content-type=[application/soap+xml;charset=utf-8], Date=[Thu, 16 Nov 2017 07:53:55 GMT], Keep-Alive=[timeout=15, max=456], Server=[Apache-Coyote/1.1], Set-Cookie=[APLBCOOKIE=APACHE.web01; path=/;; Secure; HttpOnly;, BALANCEID=authlevel.web01; path=/;; Secure; HttpOnly;], SOAPAction=[""], Strict-Transport-Security=[max-age=31536000; includeSubdomains; preload]}

Nov 16, 2017 8:53:56 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: General security error (Error during certificate path validation: Path does not chain with any of the trust anchors)
at org.apache.ws.security.components.crypto.Merlin.verifyTrust(Merlin.java:838)
at org.apache.ws.security.validate.SignatureTrustValidator.verifyTrustInCert(SignatureTrustValidator.java:213)
at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:72)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:187)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:274)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:93)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1592)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1490)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:229)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
at com.sun.proxy.$Proxy51.hentPrintSertifikat(Unknown Source)
at no.difi.oppslagstjenesten.client.v5.OppslagstjenestenV5ClientTest.testHentKontaktSertifikat(OppslagstjenestenV5ClientTest.java:99)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:264)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:124)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:153)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at org.apache.ws.security.components.crypto.Merlin.verifyTrust(Merlin.java:814)
... 49 more

The issue first mentioned I got around, as it seemed to be related to a specific library version of CXF.

My server keystore contains this atm, but I tried all sorts of combinations.

sinv@sinv-XPS-15-9560   ~/projects/luftfartstilsynet/kontaktregisteret-klient/oppslagstjenesten-java-client/src/main/resources/certs   master    keytool -v -list -keystore server-test.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: ver
Creation date: Nov 7, 2017
Entry type: trustedCertEntry

Owner: CN=Buypass Class 3 Test4 CA 3, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 3 Test4 Root CA, O=Buypass AS-983163327, C=NO
Serial number: 21
Valid from: Thu Feb 16 08:00:00 CET 2012 until: Mon Feb 16 08:00:00 CET 2032
Certificate fingerprints:
MD5: 45:7B:35:73:57:7B:63:CF:12:3D:D0:25:9E:09:76:4F
SHA1: B7:C7:08:E6:7D:84:8F:53:00:23:39:5F:EA:FC:21:89:9C:B6:1A:E7
SHA256: B7:61:AB:D7:A4:C4:78:B3:3B:E3:82:BE:51:19:43:C2:0E:50:95:0B:3B:28:99:87:5A:69:2E:1B:EF:2B:DC:1B
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: ED B4 CF 3F 7B 23 18 76 3A C6 AD B2 6B 00 5D 7A ...?.#.v:...k.]z
0010: C6 88 D6 EB ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.test4.buypass.no/crl/BPClass3T4RootCA.crl]
]]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]

#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F AE F5 78 0B 92 A3 70 20 35 5F 5A FA F7 24 A0 ?..x...p 5_Z..$.
0010: 52 01 F0 41 R..A
]
]



Alias name: client_pub
Creation date: Nov 8, 2017
Entry type: trustedCertEntry

Owner: SERIALNUMBER=981105516, CN=LUFTFARTSTILSYNET, O=LUFTFARTSTILSYNET, C=NO
Issuer: CN=Buypass Class 3 Test4 CA 3, O=Buypass AS-983163327, C=NO
Serial number: c20c5a80fd94a8c4da2e
Valid from: Thu Jan 14 10:28:21 CET 2016 until: Mon Jan 14 23:59:00 CET 2019
Certificate fingerprints:
MD5: 94:04:62:FB:27:34:81:C9:48:6E:EF:70:F1:D3:91:05
SHA1: 23:1A:3E:A8:6B:26:68:D8:0B:0F:A3:14:7B:A5:F4:4C:3D:D7:7A:73
SHA256: 15:FF:DC:18:66:48:E6:C7:2E:CB:43:43:E6:64:AA:50:B6:ED:4A:65:C5:BB:03:CD:0C:19:BE:83:D9:82:9F:8B
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.test4.buypass.no/ocsp/BPClass3T4CA3
,
accessMethod: caIssuers
accessLocation: URIName: http://crt.test4.buypass.no/crt/BPClass3T4CA3.cer
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F AE F5 78 0B 92 A3 70 20 35 5F 5A FA F7 24 A0 ?..x...p 5_Z..$.
0010: 52 01 F0 41 R..A
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.test4.buypass.no/crl/BPClass3T4CA3.crl]
, DistributionPoint:
[URIName: ldap://ldap.test4.buypass.no/dc=Buypass,dc=NO,CN=Buypass%20Class%203%20Test4%20CA%203?certificateRevocationList]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.578.1.26.1.0.3.2]
[] ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Data_Encipherment
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2D C5 C7 B4 07 BF 51 E6 7A 00 89 88 42 6B 34 4C -.....Q.z...Bk4L
0010: 5A 01 43 C1 Z.C.
]
]



Alias name: ver2
Creation date: Nov 7, 2017
Entry type: trustedCertEntry

Owner: CN=Buypass Class 3 CA 3, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Serial number: 1e
Valid from: Tue Sep 25 10:05:19 CEST 2012 until: Sat Sep 25 10:05:19 CEST 2032
Certificate fingerprints:
MD5: 59:E3:3E:A8:F4:08:72:37:C2:1E:1E:85:0B:19:46:C5
SHA1: D0:81:06:63:49:77:CA:EA:F2:16:45:BD:09:5D:CD:0D:E6:4C:F8:08
SHA256: C4:9C:35:0E:5A:82:05:E0:63:E7:4C:55:4A:99:43:35:B8:43:5C:99:65:27:D4:EF:1A:2B:0C:7B:51:58:4B:2D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 47 B8 CD FF E5 6F EE F8 B2 EC 2F 4E 0E F9 25 B0 G....o..../N..%.
0010: 8E 3C 6B C3 .<k.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.buypass.no/crl/BPClass3RootCA.crl]
]]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]

#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CC C3 F8 07 B7 9C 6D 7A 4E F5 A7 2B 1D 05 F9 B3 ......mzN..+....
0010: 47 1C 91 D1 G...
]
]



Alias name: test1
Creation date: Nov 7, 2017
Entry type: trustedCertEntry

Owner: SERIALNUMBER=981105516, CN=LUFTFARTSTILSYNET, O=LUFTFARTSTILSYNET, C=NO
Issuer: CN=Buypass Class 3 Test4 CA 3, O=Buypass AS-983163327, C=NO
Serial number: c20c5a80fd94a8c4da2e
Valid from: Thu Jan 14 10:28:21 CET 2016 until: Mon Jan 14 23:59:00 CET 2019
Certificate fingerprints:
MD5: 94:04:62:FB:27:34:81:C9:48:6E:EF:70:F1:D3:91:05
SHA1: 23:1A:3E:A8:6B:26:68:D8:0B:0F:A3:14:7B:A5:F4:4C:3D:D7:7A:73
SHA256: 15:FF:DC:18:66:48:E6:C7:2E:CB:43:43:E6:64:AA:50:B6:ED:4A:65:C5:BB:03:CD:0C:19:BE:83:D9:82:9F:8B
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.test4.buypass.no/ocsp/BPClass3T4CA3
,
accessMethod: caIssuers
accessLocation: URIName: http://crt.test4.buypass.no/crt/BPClass3T4CA3.cer
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F AE F5 78 0B 92 A3 70 20 35 5F 5A FA F7 24 A0 ?..x...p 5_Z..$.
0010: 52 01 F0 41 R..A
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.test4.buypass.no/crl/BPClass3T4CA3.crl]
, DistributionPoint:
[URIName: ldap://ldap.test4.buypass.no/dc=Buypass,dc=NO,CN=Buypass%20Class%203%20Test4%20CA%203?certificateRevocationList]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.578.1.26.1.0.3.2]
[] ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Data_Encipherment
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2D C5 C7 B4 07 BF 51 E6 7A 00 89 88 42 6B 34 4C -.....Q.z...Bk4L
0010: 5A 01 43 C1 Z.C.
]
]
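Added example, not part of the thread and not code from kontaktregisteret-klient: the stack trace above fails in the JDK's PKIX validator with "Path does not chain with any of the trust anchors", and this stand-alone program runs the same kind of check against a JKS file so the mismatch can be seen per alias. The class name `TrustAnchorCheck` is hypothetical; it assumes the certificate that signed the response (the `wsse:BinarySecurityToken` in the inbound message) has been saved to a file, and it disables revocation checking so it runs offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example (hypothetical class). Usage:
//   java TrustAnchorCheck <truststore.jks> <store-password> <signer-cert.cer>
public class TrustAnchorCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustAnchorCheck <truststore.jks> <password> <signer-cert>");
            System.exit(2);
        }

        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }

        // Certificate that signed the message being verified (DER or PEM).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signer;
        try (InputStream in = new FileInputStream(args[2])) {
            signer = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Signer: " + signer.getSubjectX500Principal());
        System.out.println("Issuer: " + signer.getIssuerX500Principal());

        // Each trustedCertEntry in the store is used as a PKIX trust anchor.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isCertificateEntry(alias)) continue;
            if (!(store.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) store.getCertificate(alias);
            anchors.add(new TrustAnchor(ca, null));

            // A usable anchor must match the signer's issuer name AND hold the issuing key.
            boolean nameMatch = ca.getSubjectX500Principal().equals(signer.getIssuerX500Principal());
            boolean keyMatch = false;
            if (nameMatch) {
                try {
                    signer.verify(ca.getPublicKey());
                    keyMatch = true;
                } catch (GeneralSecurityException e) {
                    // Same name, different key: not the certificate that issued the signer.
                }
            }
            System.out.printf("alias=%s subject=\"%s\" issuerNameMatch=%b signatureVerifies=%b%n",
                    alias, ca.getSubjectX500Principal(), nameMatch, keyMatch);
        }
        if (anchors.isEmpty()) {
            System.out.println("RESULT: store has no trustedCertEntry, nothing to chain to");
            System.exit(1);
        }

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP lookups in this check
        CertPath path = cf.generateCertPath(Collections.singletonList(signer));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("RESULT: signer chains to a trust anchor in this store");
        } catch (CertPathValidatorException e) {
            System.out.println("RESULT: " + e.getMessage());
            System.exit(1);
        }
    }
}
```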


