I don't think so, I iterate over the certificate chain of the trustManager and put each certificate in the keystore.

How do I do a trust validation? And why should I need it? This is an intranet application and the service url (which also provides the certificates) basically stays the same.

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya <[email protected]> wrote:
> Great. BTW, do you do a trust validation on the received certificate?
>
> thanks,
> nandana
>
> On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande <[email protected]> wrote:
>> Thanks a lot, Nandana, injecting a custom socket factory into axis2 did the job!
>>
>> This is what I did:
>> - I created a custom socket factory, based on the one you can find at
>> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
>> - I added a method in this custom socket factory to reset the sslContext. This will result in reloading the keystore.
>>
>> The whole flow now works as follows when a certificate should get renewed in the keystore:
>> - The application calls a method which will call a method on a stub
>> - The stub method throws an exception which is caught ...
>> - In this catch block I try to do an SSL handshake with the keystore.
>> - If the SSL handshake fails, I start an update method on a keystore manager ..
>> - this update method will extract all the certificates from the service and put them in the keystore file
>> - then, it will re-init the sslcontext in the custom socket factory
>> - the flow returns to the catch block in the original called method which will call the method on the stub 1 more time with the same parameters. If it fails again, it will throw an exception to the caller ...
>>
>> The result is that no operator action is needed to update the keystore manually with new certificates and/or restart the application. Everything goes automatically!
>>
>> Thanks again!
>>
>> Kind regards,
>> Sebastian
>>
>> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>>
>>>> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>>>
>>> You need to set a property in the options [1].
>>>
>>> thanks,
>>> nandana
>>>
>>> [1] - http://wso2.org/library/1646
>>>
>>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket Factory to make use of my keystore and force reloading.
>>>>
>>>> Thanks again for your help.
>>>>
>>>> Kind regards,
>>>> Sebastian
>>>>
>>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>>>> I assume you use Axis2 as a web service client. I think a better solution for you would be to use a custom SSL Socket factory to handle your scenario.
>>>>> You can find more information on how to implement and use a custom SSL Socket factory here [1]. You can also raise the question on the commons http client list too.
>>>>>
>>>>> thanks,
>>>>> nandana
>>>>>
>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>>>>
>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Thanks for your reply, Yves Marie!
>>>>>>
>>>>>> Unfortunately, restarting the application is something we don't want since this application will run 24/7 in a production environment.
>>>>>>
>>>>>> I'm looking for a way to let Axis2 know to reload the keystore file, at runtime without restarting my application.
>>>>>> I know *when* it has to reload the keystore file, I just don't know *how* to do this in code.
>>>>>>
>>>>>> If anyone knows how to let Axis2 reload the keystore file, let me know!
>>>>>>
>>>>>> Kind regards,
>>>>>> Sebastian
>>>>>>
>>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <[email protected]> wrote:
>>>>>>> Hi !
>>>>>>>
>>>>>>> With a Jonas application server and mutual authentication with SSL, we found that we had to restart Jonas so it could see the changes of path or content for keystores. It seems to be the same with tomcat, don't know if it's Axis2 or the application server.
>>>>>>>
>>>>>>> Yves-Marie
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From:* Sebastian Van Sande [mailto:[email protected]]
>>>>>>> *Sent:* Thursday, January 29, 2009 08:07
>>>>>>> *To:* [email protected]
>>>>>>> *Subject:* Re: Reload keystore file
>>>>>>>
>>>>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>>>>> Thank you.
>>>>>>>
>>>>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <[email protected]> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have a problem with Axis2.
>>>>>>>>
>>>>>>>> At my project, we have a Microsoft Exchange 2007, and some other project has created an API to interact with this Exchange server with the help of Axis2.
>>>>>>>> This other project uses a Websphere server to manage a keystore to do basic authentication over SSL.
>>>>>>>> My application on the other hand runs as a standalone application, and I have to manage the keystore myself.
>>>>>>>>
>>>>>>>> Now, I managed to use this keystore to call the Exchange 2007 Web services over SSL, and it works great.
>>>>>>>> But, as you probably know, certificates expire ... and they have to get renewed.
>>>>>>>>
>>>>>>>> So, I managed to create something like a 'KeyStoreManager' that will fetch the new certificates from the Exchange server and put them in the keystore file.
>>>>>>>> And this works great as well .. *IF* I restart my application.
>>>>>>>>
>>>>>>>> When my application modifies the keystore file, it looks like Axis2 is using some caching mechanism. Because when I make the web service call again (after inserting the new certificate in my keystore), it can't authenticate because it cached the keystore file in memory.
>>>>>>>>
>>>>>>>> To specify the keystore to Axis2, I use this code:
>>>>>>>>
>>>>>>>> System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
>>>>>>>> System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");
>>>>>>>>
>>>>>>>> To extract the new certificate and add it to my keystore, I use code based on the one you can find at
>>>>>>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>>>>>>
>>>>>>>> The problem is: when the keystore file is updated with the new certificate, axis2 doesn't seem to know about it because it uses a cached version of the keystore file.
>>>>>>>>
>>>>>>>> So my question is: how can I clear this axis2 keystore cache in some way so axis2 will be forced to read the keystore file again?
>>>>>>>>
>>>>>>>> Thank you for your help,
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>> Sebastian
>>>>>
>>>>> --
>>>>> Nandana Mihindukulasooriya
>>>>> WSO2 inc.
>>>>>
>>>>> http://nandana83.blogspot.com/
>>>>> http://www.wso2.org
>
> --
> Nandana Mihindukulasooriya
> WSO2 inc.
>
> http://nandana83.blogspot.com/
> http://www.wso2.org
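The two things the thread circles around, reloading a truststore at runtime without restarting the JVM, and Nandana's question of whether the fetched certificate is validated before it is imported, can be handled in one place. The class below is an added example written for this page; it is not code from the thread, from Axis2 or from HttpClient. It assumes a file-backed JKS/PKCS12 truststore at a path you supply, and the `pinnedSha256Hex` parameter (an out-of-band fingerprint the operator is assumed to have configured) is an assumption of this example. The trust manager re-reads the store on `reload()` and swaps its delegate atomically, so the `SSLContext` built from it is created once and never needs re-initialising. Before a fetched chain is written into the store, `isTrustedRenewal` requires that the leaf is currently valid and either already chains to an issuer in the store or matches the pinned fingerprint; a chain that passes neither check is refused rather than imported, which is what keeps a man in the middle on the service URL from becoming trusted simply by being there when the old certificate expires.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not code from the thread: a trust manager whose backing
 * truststore can be re-read from disk at runtime. The SSLContext built from it
 * is created once; reload() swaps the delegate, so no restart is needed.
 */
public final class ReloadableTrustManager implements X509TrustManager {
    private final String trustStorePath;      // assumed: path to a JKS/PKCS12 file
    private final char[] trustStorePassword;
    private final AtomicReference<X509TrustManager> delegate = new AtomicReference<>();

    public ReloadableTrustManager(String trustStorePath, char[] trustStorePassword) throws Exception {
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword;
        reload();
    }

    private KeyStore loadStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, trustStorePassword);
        }
        return ks;
    }

    /** Re-read the truststore and atomically replace the trust manager in use. */
    public synchronized void reload() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore());
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate.set((X509TrustManager) tm);
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + trustStorePath);
    }

    /** One SSLContext for the life of the process; trust changes go through reload(). */
    public SSLContext newSslContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }

    /**
     * Trust validation for a chain fetched from the service, before it is imported.
     * Accept only if the leaf is valid now and either (a) the chain already verifies
     * against an issuer in the store, or (b) its SHA-256 fingerprint equals a value
     * supplied out of band (assumed pin; pass null when none is configured).
     */
    public boolean isTrustedRenewal(X509Certificate[] chain, String pinnedSha256Hex) throws Exception {
        X509Certificate leaf = chain[0];
        leaf.checkValidity();   // throws CertificateException if expired or not yet valid
        if (pinnedSha256Hex != null && pinnedSha256Hex.equalsIgnoreCase(sha256Hex(leaf))) {
            return true;
        }
        try {
            delegate.get().checkServerTrusted(chain, "RSA");   // PKIX path build against current anchors
            return true;
        } catch (CertificateException notTrusted) {
            return false;
        }
    }

    /** Import a validated leaf under the alias and make it active without a restart. */
    public void importAndReload(String alias, X509Certificate[] chain, String pinnedSha256Hex) throws Exception {
        if (!isTrustedRenewal(chain, pinnedSha256Hex)) {
            throw new CertificateException("refusing to import " + chain[0].getSubjectX500Principal()
                + ": not issued by a trusted CA and no matching out-of-band fingerprint");
        }
        KeyStore ks = loadStore();
        ks.setCertificateEntry(alias, chain[0]);
        try (OutputStream out = new FileOutputStream(trustStorePath)) {
            ks.store(out, trustStorePassword);
        }
        reload();
    }

    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.get().checkClientTrusted(chain, authType);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.get().checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        return delegate.get().getAcceptedIssuers();
    }
}
```

To wire this into the flow Sebastian describes, hand `newSslContext().getSocketFactory()` to the custom `ProtocolSocketFactory` once at start-up, and in the catch block call `importAndReload(...)` with the chain the keystore manager fetched instead of writing the store and re-initialising the context by hand. Two practical consequences of the check: if the store holds the service's issuing CA rather than its leaf, a renewed leaf passes check (a) and no import is needed at all, so only a CA rotation ever triggers a reload; and if the service presents a self-signed leaf, check (a) can never succeed for a new certificate, so the pinned fingerprint is the only real validation and a renewal still needs one out-of-band value from an operator, which is a much smaller step than restarting the application.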
