Thanks Dennis, I will try your suggestion and links
On Wed, Jun 24, 2009 at 11:08 AM, Dennis Sosnoski <[email protected]> wrote:
> I understand you're not opening the connection directly, but having it
> opened for you by the Axis2-generated stub, and admittedly my code doesn't
> help much directly in that situation.
>
> I'm not sure offhand how to make the server certificate authentication work
> in that situation, but I believe Axis2 is using the Commons HttpClient by
> default, and that appears to offer a way of using your own socket factory:
> http://hc.apache.org/httpclient-3.x/sslguide.html You should be able to
> use the Protocol.registerProtocol() approach outlined on that page (perhaps
> with "myhttps" rather than just "https" as the protocol, just to make sure
> your handling doesn't interfere with other requests - and see their link to
> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup
> for an example).
>
> - Dennis
>
> --
> Dennis M. Sosnoski
> Java XML and Web Services
> Axis2 Training and Consulting
> http://www.sosnoski.com - http://www.sosnoski.co.nz
> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
> asheikh wrote:
>
>> Dennis,
>>
>> Thanks for the code and suggestions.
>> "The app server should have some way of configuring SSL support, and even
>> though that configuration is going to be intended more for inbound
>> connections it might also have settings for outbound connections."
>>
>> Yes, I have configured the application server and I could see the
>> certificates loaded from my custom key/trust store but still it complains no
>> trust certificate found.
>>
>> I am not sure why it is working first time when I deploy the war, and it
>> doesn't work after I restart the application server.
>>
>> But my concern is that I am using web service client stub/proxy (Axis2),
>> and I am providing the endpoint to the stub; my code doesn't handle
>> connections.
>>
>> Thanks again
>>
>>
>> On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski <[email protected]> wrote:
>>
>> I'm surprised this works at all in an app server environment. The
>> app server should have some way of configuring SSL support, and
>> even though that configuration is going to be intended more for
>> inbound connections it might also have settings for outbound
>> connections.
>>
>> Aside from that, you can take direct control over the
>> authentication of the presented server certificate by implementing
>> your own TrustManager. Here's a method which illustrates this
>> approach, from an open source project I developed which needed to
>> work with custom certificate authorities for server SSL/TLS
>> certificates:
>>
>>     import java.io.IOException;
>>     import java.net.HttpURLConnection;
>>     import java.net.URL;
>>     import java.security.KeyManagementException;
>>     import java.security.KeyStore;
>>     import java.security.KeyStoreException;
>>     import java.security.NoSuchAlgorithmException;
>>     import java.security.cert.CertificateException;
>>     import java.security.cert.X509Certificate;
>>     import javax.net.ssl.HttpsURLConnection;
>>     import javax.net.ssl.SSLContext;
>>     import javax.net.ssl.SSLSocketFactory;
>>     import javax.net.ssl.TrustManager;
>>     import javax.net.ssl.TrustManagerFactory;
>>     import javax.net.ssl.X509TrustManager;
>>
>>     /** Shared empty array, returned when no X509TrustManager is available. */
>>     private static final X509Certificate[] s_emptyCertArray = new X509Certificate[0];
>>
>>     /**
>>      * Open a connection to a server. If the connection type is 'https' and a
>>      * certificate authority keystore is supplied, that certificate authority
>>      * will be used when establishing the connection to the server.
>>      *
>>      * @param target destination URL (must use 'http' or 'https' protocol)
>>      * @param castore keystore containing certificate authority certificate
>>      * @return connection
>>      * @throws IOException
>>      * @throws NoSuchAlgorithmException
>>      * @throws KeyManagementException
>>      * @throws KeyStoreException
>>      */
>>     private HttpURLConnection openConnection(String target, KeyStore castore)
>>         throws IOException, NoSuchAlgorithmException,
>>         KeyManagementException, KeyStoreException {
>>         URL url = new URL(target);
>>         HttpURLConnection conn = (HttpURLConnection)url.openConnection();
>>         if (castore != null && target.toLowerCase().startsWith("https:")) {
>>             String alg = TrustManagerFactory.getDefaultAlgorithm();
>>             SSLContext context = SSLContext.getInstance("TLS");
>>             // managers0: the JVM's default trust store (cacerts or the
>>             // javax.net.ssl.trustStore property); managers1: the custom CA store
>>             TrustManagerFactory tmfact0 = TrustManagerFactory.getInstance(alg);
>>             tmfact0.init((KeyStore)null);
>>             final TrustManager[] managers0 = tmfact0.getTrustManagers();
>>             TrustManagerFactory tmfact1 = TrustManagerFactory.getInstance(alg);
>>             tmfact1.init(castore);
>>             final TrustManager[] managers1 = tmfact1.getTrustManagers();
>>             TrustManager manager = new X509TrustManager() {
>>                 private X509TrustManager getTM(TrustManager[] tms) {
>>                     for (int i = 0; i < tms.length; i++) {
>>                         TrustManager tm = tms[i];
>>                         if (tm instanceof X509TrustManager) {
>>                             return (X509TrustManager)tm;
>>                         }
>>                     }
>>                     return null;
>>                 }
>>
>>                 public void checkClientTrusted(X509Certificate[] chain, String type)
>>                     throws CertificateException {
>>                     X509TrustManager tm = getTM(managers0);
>>                     if (tm != null) {
>>                         tm.checkClientTrusted(chain, type);
>>                     }
>>                 }
>>
>>                 // Accept the server chain if either the default store or the
>>                 // custom CA store validates it; otherwise reject it.
>>                 public void checkServerTrusted(X509Certificate[] chain, String type)
>>                     throws CertificateException {
>>                     X509TrustManager tm = getTM(managers0);
>>                     if (tm != null) {
>>                         try {
>>                             tm.checkServerTrusted(chain, type);
>>                             return;
>>                         } catch (CertificateException e) {
>>                             // deliberately empty: fall through to the custom store
>>                         }
>>                     }
>>                     tm = getTM(managers1);
>>                     if (tm != null) {
>>                         try {
>>                             tm.checkServerTrusted(chain, type);
>>                             return;
>>                         } catch (CertificateException e) {
>>                             // deliberately empty: both stores rejected the chain
>>                         }
>>                     }
>>                     throw new CertificateException("Certificate chain cannot be verified");
>>                 }
>>
>>                 // Report the union of issuers trusted by both stores.
>>                 public X509Certificate[] getAcceptedIssuers() {
>>                     X509TrustManager tm = getTM(managers0);
>>                     X509Certificate[] certs0 = s_emptyCertArray;
>>                     if (tm != null) {
>>                         certs0 = tm.getAcceptedIssuers();
>>                     }
>>                     tm = getTM(managers1);
>>                     X509Certificate[] certs1 = s_emptyCertArray;
>>                     if (tm != null) {
>>                         certs1 = tm.getAcceptedIssuers();
>>                     }
>>                     X509Certificate[] certs = new X509Certificate[certs0.length+certs1.length];
>>                     System.arraycopy(certs0, 0, certs, 0, certs0.length);
>>                     System.arraycopy(certs1, 0, certs, certs0.length, certs1.length);
>>                     return certs;
>>                 }
>>             };
>>             context.init(null, new TrustManager[] { manager }, null);
>>             SSLSocketFactory sockfactory = context.getSocketFactory();
>>             ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
>>         }
>>         return conn;
>>     }
>>
>> - Dennis
>>
>> --
>> Dennis M. Sosnoski
>> Java XML and Web Services
>> Axis2 Training and Consulting
>> http://www.sosnoski.com - http://www.sosnoski.co.nz
>> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>>
>>
>> asheikh wrote:
>>
>> Hi,
>>
>> I have a strange problem with using an SSL server. I have a war
>> application which has a jar that connects to an SSL web service.
>>
>>     System.setProperty("javax.net.ssl.keyStore", url.getPath());
>>     System.setProperty("javax.net.ssl.keyStoreType", "jks");
>>     System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>>     System.setProperty("javax.net.ssl.trustStore", url.getPath());
>>     System.setProperty("javax.net.ssl.trustStoreType", "jks");
>>     System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>>
>> First time, when I deploy the application on weblogic server
>> everything works, but after restarting the application server
>> then I get "no trust certificate found".
>>
>> Any idea please?
>>
>> Thanks
>>
>> On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <[email protected]> wrote:
>>
>> Hi Shasta,
>>
>> I've never had any problems setting the client truststore using
>> the javax.net.ssl.truststore property, so I suspect something is
>> wrong with your actual truststore/keystore files. You might want
>> to check what's actually in the stores using a tool such as
>> http://portecle.sourceforge.net/
>>
>> For convenience, you can also set the value of these properties
>> using JVM parameters rather than in your client code, using this
>> type of format: -Djavax.net.ssl.trustStore=path
>>
>> If you do a search on javax.net.ssl.truststore you'll find many
>> articles and discussions of the topic. The Tomcat documentation
>> also has a good discussion of configuring SSL for the server,
>> though I don't think that includes anything on a Java client
>> configuration.
>>
>> - Dennis
>>
>> --
>> Dennis M. Sosnoski
>> Java XML and Web Services
>> Axis2 Training and Consulting
>> http://www.sosnoski.com - http://www.sosnoski.co.nz
>> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>>
>>
>> Shasta Willson wrote:
>>
>> Thought I'd reply to my own message with some information that
>> might be useful:
>>
>> Despite using keytool
>> (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html) to
>> install the certificate, and various combinations of these properties
>> to theoretically point to it (where keyStore and trustStorePass are
>> paths to generated files):
>>
>>     System.setProperty("javax.net.ssl.keyStore", keyStore);
>>     System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
>>     System.setProperty("javax.net.ssl.trustStore", trustStore);
>>     System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
>>
>> I never did get it to work that way. (I eventually built an
>> SSLTest.java that JUST connected so I could eliminate other
>> configuration issues, but even in that simplified context I couldn't
>> get it working.)
>>
>> What finally worked for me (for the SSLTest program) was to put the
>> certificate into the normal java location and over-write cacerts. I
>> could do that since no one else is using Java on this server and this
>> is the first time I've needed to place a certificate, i.e. I wasn't
>> going to break something else in the process.
>>
>> I found this very useful tool during my research:
>> http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html
>>
>> I could have avoided three days waiting for the service-owner to send
>> a certificate, had I known about it.
>>
>> Hope that helps someone else save time.
>>
>> - Shasta
>>
>> On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willson <[email protected]> wrote:
>>
>> I have an SSL secured web service to consume. It also uses a
>> usertoken/password in the SOAP header, which I'm doing with Rampart,
>> but I don't think that's relevant to my question.
>>
>> I'd like to understand how to go from "have a certificate" to
>> trustStore (and/or KeyStore?) properly configured. Currently I get
>> this error, which a google search suggests is related to not having it
>> set up right:
>>
>>     org.apache.axis2.AxisFault: Unconnected sockets not implemented
>>         at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
>>
>> Thank you,
>>
>> - Shasta
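As an added example (not code from this thread or from Dennis's project): a stand-alone check that loads the truststore the client intends to use, lists what it contains, and performs a TLS handshake against the service using only that store, which separates a bad store from a javax.net.ssl.* property the JVM never picked up (those properties are read only when the default SSLContext is first created, so an app server that initialises SSL before the war sets them will ignore them). It assumes Java 7 or later, a JKS store, and takes the store path, its password, the service host and an optional port as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0];                                   // truststore file
        char[] pass = args[1].toCharArray();                     // truststore password
        String host = args[2];                                   // service host
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 443;

        // What the running JVM would use if nothing sets an SSLContext explicitly.
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));

        // 1. Load the store directly instead of relying on system properties.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println((ks.isCertificateEntry(alias) ? "trusted cert: " : "key entry:    ") + alias);
        }

        // 2. Build an SSLContext backed by this store only (no cacerts fallback),
        //    so a successful handshake proves the store itself is sufficient.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // 3. Handshake with hostname verification switched on explicitly; a raw
        //    SSLSocket does not verify the hostname unless told to.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            for (Certificate c : s.getSession().getPeerCertificates()) {
                System.out.println("  chain: " + ((X509Certificate) c).getSubjectX500Principal());
            }
            System.out.println("Handshake OK: this store trusts " + host);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
    }
}
```

Run it with the same store path the war uses: if the handshake succeeds here but the deployed client still fails, the problem is the property or app-server configuration, not the store.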
