I understand you're not opening the connection directly, but having it opened for you by the Axis2-generated stub, and admittedly my code doesn't help much directly in that situation.

I'm not sure offhand how to make the server certificate authentication work in that situation, but I believe Axis2 is using the Commons HttpClient by default, and that appears to offer a way of using your own socket factory: http://hc.apache.org/httpclient-3.x/sslguide.html You should be able to use the Protocol.registerProtocol() approach outlined on that page (perhaps with "myhttps" rather than just "https" as the protocol, just to make sure your handling doesn't interfere with other requests - and see their link to http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup for an example).

 - Dennis

--
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117



asheikh wrote:
Dennis,

Thanks for the code and suggestions.
"The app server should have some way of configuring SSL support, and even though that configuration is going to be intended more for inbound connections it might also have settings for outbound connections."

Yes, I have configured the application server and I could see the certificates loaded from my custom key/trust store, but it still complains "no trust certificate found".

I am not sure why it is working the first time when I deploy the war, and it doesn't work after I restart the application server.

But my concern is that I am using a web service client stub/proxy (Axis2), and I am providing the endpoint to the stub; my code doesn't handle connections.

thanks again


On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski <[email protected]> wrote:

    I'm surprised this works at all in an app server environment. The
    app server should have some way of configuring SSL support, and
    even though that configuration is going to be intended more for
    inbound connections it might also have settings for outbound
    connections.

    Aside from that, you can take direct control over the
    authentication of the presented server certificate by implementing
    your own TrustManager. Here's a method which illustrates this
    approach, from an open source project I developed which needed to
    work with custom certificate authorities for server SSL/TLS
    certificates:
    // Imports needed by the method below:
    import java.io.IOException;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    // Class-level constant used by getAcceptedIssuers() (not included in the
    // original excerpt; this is the definition it relies on).
    private static final X509Certificate[] s_emptyCertArray = new X509Certificate[0];

    /**
     * Open a connection to a server. If the connection type is 'https' and a
     * certificate authority keystore is supplied, that certificate authority
     * will be used when establishing the connection to the server.
     *
     * @param target destination URL (must use 'http' or 'https' protocol)
     * @param castore keystore containing certificate authority certificate
     * @return connection
     * @throws IOException
     * @throws NoSuchAlgorithmException
     * @throws KeyManagementException
     * @throws KeyStoreException
     */
    private HttpURLConnection openConnection(String target, KeyStore castore)
        throws IOException, NoSuchAlgorithmException, KeyManagementException,
        KeyStoreException {
        URL url = new URL(target);
        HttpURLConnection conn = (HttpURLConnection)url.openConnection();
        if (castore != null && target.toLowerCase().startsWith("https:")) {
            String alg = TrustManagerFactory.getDefaultAlgorithm();
            SSLContext context = SSLContext.getInstance("TLS");
            // managers0: the JVM default trust anchors (cacerts, or whatever
            // javax.net.ssl.trustStore points at)
            TrustManagerFactory tmfact0 = TrustManagerFactory.getInstance(alg);
            tmfact0.init((KeyStore)null);
            final TrustManager[] managers0 = tmfact0.getTrustManagers();
            // managers1: the caller-supplied certificate authority keystore
            TrustManagerFactory tmfact1 = TrustManagerFactory.getInstance(alg);
            tmfact1.init(castore);
            final TrustManager[] managers1 = tmfact1.getTrustManagers();
            TrustManager manager = new X509TrustManager() {
                private X509TrustManager getTM(TrustManager[] tms) {
                    for (int i = 0; i < tms.length; i++) {
                        TrustManager tm = tms[i];
                        if (tm instanceof X509TrustManager) {
                            return (X509TrustManager)tm;
                        }
                    }
                    return null;
                }

                public void checkClientTrusted(X509Certificate[] chain, String type)
                    throws CertificateException {
                    X509TrustManager tm = getTM(managers0);
                    if (tm != null) {
                        tm.checkClientTrusted(chain, type);
                    }
                }

                // Accept the server chain if either the default trust anchors
                // or the supplied CA keystore validates it; reject otherwise.
                public void checkServerTrusted(X509Certificate[] chain, String type)
                    throws CertificateException {
                    X509TrustManager tm = getTM(managers0);
                    if (tm != null) {
                        try {
                            tm.checkServerTrusted(chain, type);
                            return;
                        } catch (CertificateException e) {
                            // deliberately empty: fall through to the custom CA store
                        }
                    }
                    tm = getTM(managers1);
                    if (tm != null) {
                        try {
                            tm.checkServerTrusted(chain, type);
                            return;
                        } catch (CertificateException e) {
                            // deliberately empty: rejected below
                        }
                    }
                    throw new CertificateException("Certificate chain cannot be verified");
                }

                public X509Certificate[] getAcceptedIssuers() {
                    X509TrustManager tm = getTM(managers0);
                    X509Certificate[] certs0 = s_emptyCertArray;
                    if (tm != null) {
                        certs0 = tm.getAcceptedIssuers();
                    }
                    tm = getTM(managers1);
                    X509Certificate[] certs1 = s_emptyCertArray;
                    if (tm != null) {
                        certs1 = tm.getAcceptedIssuers();
                    }
                    X509Certificate[] certs =
                        new X509Certificate[certs0.length + certs1.length];
                    System.arraycopy(certs0, 0, certs, 0, certs0.length);
                    System.arraycopy(certs1, 0, certs, certs0.length, certs1.length);
                    return certs;
                }
            };
            context.init(null, new TrustManager[] { manager }, null);
            SSLSocketFactory sockfactory = context.getSocketFactory();
            ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
        }
        return conn;
    }

     - Dennis

    --
    Dennis M. Sosnoski
    Java XML and Web Services
    Axis2 Training and Consulting
    http://www.sosnoski.com - http://www.sosnoski.co.nz
    Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117


    asheikh wrote:

        Hi,

        I have a strange problem with using an SSL server. I have a war
        application which has a jar that connects to an SSL web service.

            System.setProperty("javax.net.ssl.keyStore", url.getPath());
            System.setProperty("javax.net.ssl.keyStoreType", "jks");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
            System.setProperty("javax.net.ssl.trustStore", url.getPath());
            System.setProperty("javax.net.ssl.trustStoreType", "jks");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        The first time, when I deploy the application on the WebLogic server,
        everything works, but after restarting the application server I get
        "no trust certificate found".

        any idea please

        thanks

        On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <[email protected]> wrote:

           Hi Shasta,

           I've never had any problems setting the client truststore using
           the javax.net.ssl.truststore property, so I suspect something is
           wrong with your actual truststore/keystore files. You might want
           to check what's actually in the stores using a tool such as
           http://portecle.sourceforge.net/

           For convenience, you can also set the value of these properties
           using JVM parameters rather than in your client code, using this
           type of format: -Djavax.net.ssl.trustStore=path

           If you do a search on javax.net.ssl.truststore you'll find many
           articles and discussions of the topic. The Tomcat documentation
           also has a good discussion of configuring SSL for the server,
           though I don't think that includes anything on a Java client
           configuration.

            - Dennis

           --
           Dennis M. Sosnoski
           Java XML and Web Services
           Axis2 Training and Consulting
           http://www.sosnoski.com - http://www.sosnoski.co.nz
           Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117




           Shasta Willson wrote:

               Thought I'd reply to my own message with some information that
               might be useful:

               despite using keytool
               (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html)
               to install the certificate, and various combinations of these
               properties to theoretically point to it (where keyStore and
               trustStorePass are paths to generated files):

                   System.setProperty("javax.net.ssl.keyStore", keyStore);
                   System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
                   System.setProperty("javax.net.ssl.trustStore", trustStore);
                   System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);


               I never did get it to work that way. (I eventually built an
               SSLTest.java that JUST connected so I could eliminate other
               configuration issues, but even in that simplified context I
               couldn't get it working.)

               What finally worked for me (for the SSLTest program) was to put
               the certificate into the normal java location and over-write
               cacerts. I could do that since noone else is using Java on this
               server and this is the first time I've needed to place a
               certificate, i.e. I wasn't going to break something else in the
               process.

               I found this very useful tool during my research:
               http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html

               I could have avoided three days waiting for the service-owner to
               send a certificate, had I known about it.

               Hope that helps someone else save time.

               - Shasta

               On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willson <[email protected]> wrote:

                   I have an SSL secured web service to consume. It also uses a
                   usertoken/password in the SOAP header, which I'm doing with
                   Rampart, but I don't think that's relevant to my question.

                   I'd like to understand how to go from "have a certificate" to
                   trustStore (and/or KeyStore?) properly configured. Currently I
                   get this error, which a google search suggests is related to
                   not having it set up right:

                       org.apache.axis2.AxisFault: Unconnected sockets not implemented
                           at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)

                   Thank you,

                   - Shasta


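Added example (editor's code, not from Dennis, the original posters or the Axis2 project) of the Protocol.registerProtocol() approach suggested at the top of the thread: a Commons HttpClient 3.x SecureProtocolSocketFactory that builds its SSLContext from a caller-supplied JKS truststore, so an Axis2-generated stub validates the server certificate against your own CA without relying on the javax.net.ssl.* system properties. Assumptions: Java 7 or later (for SSLParameters.setEndpointIdentificationAlgorithm, which makes JSSE check the certificate against the requested hostname; HttpClient 3.x does not do that check on its own), commons-httpclient 3.x on the classpath, and a JKS truststore whose path and password are passed to register(). The class name CaTrustSocketFactory and the register() helper are invented for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Commons HttpClient 3.x socket factory that trusts only the CAs in a
 * caller-supplied keystore and enforces hostname matching on every TLS
 * connection. Register it once, before the Axis2 stub's first call.
 * (Example code; class and method names are hypothetical.)
 */
public class CaTrustSocketFactory implements SecureProtocolSocketFactory {

    private final SSLContext context;

    public CaTrustSocketFactory(KeyStore caStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caStore);                       // trust anchors come only from caStore
        context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
    }

    /** Load a JKS truststore and make it the CA source for every https:// URL. */
    public static void register(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        ProtocolSocketFactory factory = new CaTrustSocketFactory(ks);
        // Register under "myhttps" (and use myhttps:// in the endpoint URL) if
        // you do not want to replace the JVM-wide handling of plain "https".
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));
    }

    /** Turn on hostname checking (RFC 2818 rules) and complete the handshake eagerly. */
    private static Socket handshake(Socket raw) throws IOException {
        SSLSocket ssl = (SSLSocket) raw;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");  // Java 7+
        ssl.setSSLParameters(params);
        ssl.startHandshake();  // SSLHandshakeException on untrusted CA or name mismatch
        return ssl;
    }

    public Socket createSocket(String host, int port) throws IOException {
        return handshake(context.getSocketFactory().createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort)
            throws IOException {
        return handshake(context.getSocketFactory()
            .createSocket(host, port, localAddr, localPort));
    }

    /** Variant HttpClient 3.x calls when a connection timeout is configured. */
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                               HttpConnectionParams params) throws IOException {
        int timeout = (params == null) ? 0 : params.getConnectionTimeout();
        // Connect a plain socket with the timeout, then layer TLS over it with an
        // explicit host name, instead of going through SocketFactory.createSocket()
        // (the unconnected-socket path that JSSE may not implement).
        Socket plain = new Socket();
        plain.bind(new InetSocketAddress(localAddr, localPort));
        plain.connect(new InetSocketAddress(host, port), timeout);
        return handshake(context.getSocketFactory().createSocket(plain, host, port, true));
    }

    /** Used when tunnelling through an HTTP proxy: layer TLS over an existing socket. */
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return handshake(context.getSocketFactory().createSocket(socket, host, port, autoClose));
    }
}
```

Call CaTrustSocketFactory.register(path, password) once at startup, before the stub's first invocation (a ServletContextListener is the natural place in a war). Building the SSLContext explicitly sidesteps a pitfall of the property-based configuration discussed above: the JVM's default SSLContext is initialised once, on first use, from the javax.net.ssl.* properties, so if anything else in the app server opens a TLS connection before your code sets them, your values are never seen. The factory also never calls javax.net.SocketFactory.createSocket() with no arguments, which is the call behind the "Unconnected sockets not implemented" message at the start of the thread. As written it trusts only the CAs in the supplied store; to keep the JVM default CAs as a fallback, initialise the context with the merged X509TrustManager from Dennis's earlier message instead of tmf.getTrustManagers().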