If you blindly pull certificates from the server and don't need trust validation, why do you need a keystore then?
Andreas

On Thu, Jan 29, 2009 at 14:22, Sebastian Van Sande <[email protected]> wrote:
> I don't think so, I iterate over the certificate chain of the trustManager and put each certificate in the keystore.
>
> How do I do a trust validation? And why should I need it? This is an intranet application and the service url (which also provides the certificates) basically stays the same.
>
> Kind regards,
> Sebastian
>
> On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>
>> Great. BTW, do you do a trust validation on the received certificate?
>>
>> thanks,
>> nandana
>>
>> On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande <[email protected]> wrote:
>>>
>>> Thanks a lot, Nandana, injecting a custom socket factory to axis2 did the job!
>>>
>>> This is what I did:
>>> - I created a custom socket factory, based on the one you can find at http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
>>> - I added a method in this custom socket factory to reset the sslContext. This will result in reloading the keystore.
>>>
>>> The whole flow works now as follows when a certificate should get renewed in the keystore:
>>> - The application calls a method which will call a method on a stub
>>> - The stub method throws an exception which is caught ...
>>> - In this catch block I try to do an SSL handshake with the keystore.
>>> - If the SSL handshake fails, I start an update method on a keystore manager ..
>>> - this update method will extract all the certificates from the service and put them in the keystore file
>>> - then, it will re-init the sslcontext in the custom socket factory
>>> - the flow returns to the catch block in the original called method which will call 1 more time the method on the stub with the same parameters. If it fails again, it will throw an exception to the caller ...
>>>
>>> The result is that no operator action is needed to update the keystore manually with new certificates and/or restart the application. Everything goes automatically!
>>>
>>> Thanks again!
>>>
>>> Kind regards,
>>> Sebastian
>>>
>>> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>>>
>>>>> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>>>>>
>>>>
>>>> You need to set a property in the options [1].
>>>>
>>>> thanks,
>>>> nandana
>>>>
>>>> [1] - http://wso2.org/library/1646
>>>>
>>>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket Factory to make use of my keystore and force reloading.
>>>>>
>>>>> Thanks again for your help.
>>>>>
>>>>> Kind regards,
>>>>> Sebastian
>>>>>
>>>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>>>>>
>>>>>> I assume you use Axis2 as a web service client. I think a better solution for you would be to use a custom SSL Socket factory to handle your scenario. You can find more information on how to implement and use a custom SSL Socket factory here [1]. You can also raise the question in the commons http client list too.
>>>>>>
>>>>>> thanks,
>>>>>> nandana
>>>>>>
>>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>>>>>
>>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Thanks for your reply, Yves Marie!
>>>>>>>
>>>>>>> Unfortunately, restarting the application is something we don't want since this application will run 24/7 in a production environment.
>>>>>>>
>>>>>>> I'm looking for a way to let Axis2 know to reload the keystore file, at runtime without restarting my application.
>>>>>>> I know *when* it has to reload the keystore file, I just don't know *how* to do this in code.
>>>>>>>
>>>>>>> If anyone knows how to let Axis2 reload the keystore file, let me know!
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Sebastian
>>>>>>>
>>>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi !
>>>>>>>>
>>>>>>>> With a Jonas application server and mutual authentication with SSL, we found that we had to restart Jonas so it could see the changes of path or content for keystores. It seems to be the same with tomcat, don't know if it is Axis2 or the application server.
>>>>>>>>
>>>>>>>> Yves-Marie
>>>>>>>> ________________________________
>>>>>>>> From: Sebastian Van Sande [mailto:[email protected]]
>>>>>>>> Sent: Thursday, 29 January 2009 08:07
>>>>>>>> To: [email protected]
>>>>>>>> Subject: Re: Reload keystore file
>>>>>>>>
>>>>>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have a problem with Axis2.
>>>>>>>>>
>>>>>>>>> At my project, we have a Microsoft Exchange 2007, and some other project has created an API to interact with this Exchange server with the help of Axis2.
>>>>>>>>> This other project uses a Websphere server to manage a keystore to do basic authentication over SSL.
>>>>>>>>> My application on the other hand runs as a standalone application, and I have to manage the keystore myself.
>>>>>>>>>
>>>>>>>>> Now, I managed to use this keystore to call the Exchange 2007 Web services over SSL, and it works great.
>>>>>>>>> But, as you probably know, certificates expire ... and they have to get renewed.
>>>>>>>>>
>>>>>>>>> So, I managed to create something like a 'KeyStoreManager' that will fetch the new certificates from the Exchange server and put them in the keystore file.
>>>>>>>>> And this works great as well .. *IF* I restart my application.
>>>>>>>>>
>>>>>>>>> When my application modifies the keystore file, it looks like Axis2 is using some caching mechanism. Because when I make the web service call again (after inserting the new certificate in my keystore), it can't authenticate because it cached the keystore file in memory.
>>>>>>>>>
>>>>>>>>> To specify the keystore to Axis2, I use this code:
>>>>>>>>>
>>>>>>>>> System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
>>>>>>>>> System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");
>>>>>>>>>
>>>>>>>>> To extract the new certificate and add it to my keystore, I use code based on the one you can find at http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>>>>>>>
>>>>>>>>> The problem is: when the keystore file is updated with the new certificate, axis2 doesn't seem to know about it because it uses a cached version of the keystore file.
>>>>>>>>>
>>>>>>>>> So my question is: how can I clear this axis2 keystore cache in some way so axis2 will be forced to read the keystore file again?
>>>>>>>>>
>>>>>>>>> Thank you for your help,
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Sebastian
>>>>>>
>>>>>> --
>>>>>> Nandana Mihindukulasooriya
>>>>>> WSO2 inc.
>>>>>>
>>>>>> http://nandana83.blogspot.com/
>>>>>> http://www.wso2.org
>>
>> --
>> Nandana Mihindukulasooriya
>> WSO2 inc.
>>
>> http://nandana83.blogspot.com/
>> http://www.wso2.org
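The thread settles on two things: a trust store that can be re-read at runtime without restarting the JVM, and Nandana's and Andreas's point that importing whatever certificate the server presents is not trust validation. The class below is an added example written for this page; it is not code from anyone in the thread, from Axis2 or from HttpClient's AuthSSLProtocolSocketFactory. It assumes the trust store file (path and password are placeholders) contains the CA certificate that issues the Exchange server's certificate rather than the server's leaf certificate. Under that assumption a renewed leaf signed by the same CA passes full PKIX validation with no keystore change at all, a leaf from an unknown issuer is rejected instead of imported, and when the CA itself is rotated an operator drops the new CA into the file and the application calls reload() instead of restarting. The callWithReload helper is the thread's "catch, reload, retry once" flow; Callable and the hypothetical stub call are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.Callable;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not from the thread: an X509TrustManager whose backing
 * trust store can be re-read at runtime. Because every handshake calls
 * checkServerTrusted on this object, an SSLContext built on it picks up
 * the new trust material after reload() without being rebuilt.
 */
public final class ReloadableTrustManager implements X509TrustManager {

    private final String trustStorePath;     // placeholder, e.g. "/path/to/truststore.jks"
    private final char[] trustStorePassword; // placeholder, never the real password in code
    private volatile X509TrustManager delegate;

    public ReloadableTrustManager(String path, char[] password) throws Exception {
        this.trustStorePath = path;
        this.trustStorePassword = password;
        reload();
    }

    /** Re-read the trust store file and swap in a freshly initialised PKIX trust manager. */
    public synchronized void reload() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from " + trustStorePath);
    }

    /** Full path validation: signatures, validity dates, and a chain to a trusted CA in the store. */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Build the SSLContext once; hand it to the custom socket factory. */
    public SSLContext newSslContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }

    /**
     * The thread's retry flow: if the handshake fails, re-read the trust store
     * (an operator may have placed a rotated CA there) and try exactly once more.
     * A second failure propagates to the caller; nothing is imported from the peer.
     */
    public static <T> T callWithReload(ReloadableTrustManager tm, Callable<T> stubCall)
            throws Exception {
        try {
            return stubCall.call();
        } catch (SSLHandshakeException first) {
            tm.reload();
            return stubCall.call();
        }
    }
}
```

With HttpClient 3.x the SSLContext from newSslContext() is what the custom protocol socket factory would use to create its sockets, replacing the javax.net.ssl.trustStore system properties quoted earlier in the thread. The design choice worth noting for Andreas's question: once the store holds the issuing CA instead of server leaves, the "fetch the certificates from the service and put them in the keystore" step disappears, and with it the situation where a handshake failure is answered by trusting whatever the other end presented.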
