Nandana,

Thanks again for your reply. How can I do trust validation? Can you give me a code example to make it more clear?

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 3:04 PM, Nandana Mihindukulasooriya <[email protected]> wrote:
> I just looked at the javadocs of the AuthSSLProtocolSocketFactory and its
> default implementation is doing the correct thing.
>
> "AuthSSLProtocolSocketFactory will enable server authentication when
> supplied with KeyStore truststore file containing one or several trusted
> certificates. The client secure socket will reject the connection during the
> SSL session handshake if the target HTTPS server attempts to authenticate
> itself with a non-trusted certificate.
> AuthSSLProtocolSocketFactory will enable client authentication when
> supplied with KeyStore keystore file containing a private key/public
> certificate pair. The client secure socket will use the private key to
> authenticate itself to the target HTTPS server during the SSL session
> handshake if requested to do so by the server. The target HTTPS server will
> in its turn verify the certificate presented by the client in order to
> establish client's authenticity."
>
> What I meant by a trust validation is we should check whether the
> certificate we received was signed with a certificate which is in our trust
> chain. Else how can you be sure that you got the legitimate certificate?
> Living in the intranet may make you a little safer, but still I think it is
> better to do a trust validation.
>
> thanks,
> nandana
>
> On Thu, Jan 29, 2009 at 6:52 PM, Sebastian Van Sande <[email protected]> wrote:
>
>> I don't think so, I iterate over the certificate chain of the trustManager
>> and put each certificate in the keystore.
>>
>> How do I do a trust validation? And why should I need it? This is an
>> intranet application and the service url (which also provides the
>> certificates) basically stays the same.
>>
>> Kind regards,
>> Sebastian
>>
>> On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>
>>> Great. BTW, do you do a trust validation on the received certificate?
>>>
>>> thanks,
>>> nandana
>>>
>>> On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande <[email protected]> wrote:
>>>
>>>> Thanks a lot, Nandana, injecting a custom socket factory into axis2 did
>>>> the job!
>>>>
>>>> This is what I did:
>>>> - I created a custom socket factory, based on the one you can find at
>>>>   http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
>>>> - I added a method in this custom socket factory to reset the
>>>>   sslContext. This will result in reloading the keystore.
>>>>
>>>> The whole flow now works as follows when a certificate should get
>>>> renewed in the keystore:
>>>> - The application calls a method which will call a method on a stub
>>>> - The stub method throws an exception which is caught ...
>>>> - In this catch block I try to do an SSL handshake with the keystore.
>>>> - If the SSL handshake fails, I start an update method on a keystore
>>>>   manager ..
>>>> - this update method will extract all the certificates from the service
>>>>   and put them in the keystore file
>>>> - then, it will re-init the sslcontext in the custom socket factory
>>>> - the flow returns to the catch block in the original called method,
>>>>   which will call the method on the stub one more time with the same
>>>>   parameters. If it fails again, it will throw an exception to the caller ...
>>>>
>>>> The result is that no operator action is needed to update the keystore
>>>> manually with new certificates and/or restart the application. Everything
>>>> goes automatically!
>>>>
>>>> Thanks again!
>>>>
>>>> Kind regards,
>>>> Sebastian
>>>>
>>>> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>>>
>>>>>> ... will Axis2 detect this and use my custom Protocol and
>>>>>> MySSLSocketFactory?
>>>>>
>>>>> You need to set a property in the options [1].
>>>>>
>>>>> thanks,
>>>>> nandana
>>>>>
>>>>> [1] - http://wso2.org/library/1646
>>>>>
>>>>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL
>>>>>> Socket Factory to make use of my keystore and force reloading.
>>>>>>
>>>>>> Thanks again for your help.
>>>>>>
>>>>>> Kind regards,
>>>>>> Sebastian
>>>>>>
>>>>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>>>>>
>>>>>>> I assume you use Axis2 as a web service client. I think a better
>>>>>>> solution for you would be to use a custom SSL Socket factory to handle
>>>>>>> your scenario. You can find more information on how to implement and use a
>>>>>>> custom SSL Socket factory here [1]. You can also raise the question in the
>>>>>>> commons http client list too.
>>>>>>>
>>>>>>> thanks,
>>>>>>> nandana
>>>>>>>
>>>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>>>>>>
>>>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Thanks for your reply, Yves Marie!
>>>>>>>>
>>>>>>>> Unfortunately, restarting the application is something we don't want
>>>>>>>> since this application will run 24/7 in a production environment.
>>>>>>>>
>>>>>>>> I'm looking for a way to let Axis2 know to reload the keystore file
>>>>>>>> at runtime without restarting my application.
>>>>>>>> I know *when* it has to reload the keystore file, I just don't know
>>>>>>>> *how* to do this in code.
>>>>>>>>
>>>>>>>> If anyone knows how to let Axis2 reload the keystore file, let me
>>>>>>>> know!
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>> Sebastian
>>>>>>>>
>>>>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi !
>>>>>>>>>
>>>>>>>>> With a Jonas application server and mutual authentication with
>>>>>>>>> SSL, we found that we had to restart Jonas so it could see the changes
>>>>>>>>> of path or content for keystores. It seems to be the same with
>>>>>>>>> tomcat, don't know if it is Axis2 or the application server.
>>>>>>>>>
>>>>>>>>> Yves-Marie
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Sebastian Van Sande [mailto:[email protected]]
>>>>>>>>> *Sent:* Thursday, 29 January 2009 08:07
>>>>>>>>> *To:* [email protected]
>>>>>>>>> *Subject:* Re: Reload keystore file
>>>>>>>>>
>>>>>>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have a problem with Axis2.
>>>>>>>>>>
>>>>>>>>>> At my project, we have a Microsoft Exchange 2007, and some other
>>>>>>>>>> project has created an API to interact with this Exchange server
>>>>>>>>>> with the help of Axis2.
>>>>>>>>>> This other project uses a Websphere server to manage a keystore to
>>>>>>>>>> do basic authentication over SSL.
>>>>>>>>>> My application on the other hand runs as a standalone application,
>>>>>>>>>> and I have to manage the keystore myself.
>>>>>>>>>>
>>>>>>>>>> Now, I managed to use this keystore to call the Exchange 2007
>>>>>>>>>> Web services over SSL, and it works great.
>>>>>>>>>> But, as you probably know, certificates expire ... and they have
>>>>>>>>>> to get renewed.
>>>>>>>>>>
>>>>>>>>>> So, I managed to create something, a 'KeyStoreManager', that will
>>>>>>>>>> fetch the new certificates from the Exchange server and put them in the
>>>>>>>>>> keystore file.
>>>>>>>>>> And this works great as well .. *IF* I restart my application.
>>>>>>>>>>
>>>>>>>>>> When my application modifies the keystore file, it looks like
>>>>>>>>>> Axis2 is using some caching mechanism. Because when I make the web
>>>>>>>>>> service call again (after inserting the new certificate in my keystore), it
>>>>>>>>>> can't authenticate because it cached the keystore file in memory.
>>>>>>>>>>
>>>>>>>>>> To specify the keystore to Axis2, I use this code:
>>>>>>>>>>
>>>>>>>>>> System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
>>>>>>>>>> System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");
>>>>>>>>>>
>>>>>>>>>> To extract the new certificate and add it to my keystore, I use
>>>>>>>>>> code based on the one you can find at
>>>>>>>>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>>>>>>>>
>>>>>>>>>> The problem is: when the keystore file is updated with the new
>>>>>>>>>> certificate, axis2 doesn't seem to know about it because it uses a
>>>>>>>>>> cached version of the keystore file.
>>>>>>>>>>
>>>>>>>>>> So my question is: how can I clear this axis2 keystore cache in
>>>>>>>>>> some way so axis2 will be forced to read the keystore file again?
>>>>>>>>>>
>>>>>>>>>> Thank you for your help,
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Sebastian
>>>>>>>
>>>>>>> --
>>>>>>> Nandana Mihindukulasooriya
>>>>>>> WSO2 inc.
>>>>>>>
>>>>>>> http://nandana83.blogspot.com/
>>>>>>> http://www.wso2.org
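The "reset the sslContext" step and the trust validation Nandana asks about, written out in plain JSSE as an added example (not code from this thread, Axis2 or HttpClient): a trust manager that rebuilds itself from the truststore file on demand and delegates to the platform's PKIX trust manager, so a received chain is accepted only if it leads to a certificate already in the store, instead of being copied into it. The truststore path and password are assumed to be supplied by the caller; wiring the resulting SSLContext into a custom Axis2 ProtocolSocketFactory is not shown.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Trust manager that re-reads the truststore file on demand, so a renewed
 *  certificate is picked up without restarting the application. */
public class ReloadableTrustManager implements X509TrustManager {
    private final String path;      // assumed: path to a JKS truststore file
    private final char[] password;  // assumed: its password
    private volatile X509TrustManager delegate;
    public ReloadableTrustManager(String path, char[] password) throws Exception {
        this.path = path;
        this.password = password;
        reload();
    }
    /** The "reset the sslContext" step: rebuild the delegate from the file. */
    public synchronized void reload() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { delegate = (X509TrustManager) tm; return; }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    /** Trust validation: the platform PKIX trust manager rejects any chain that
     *  does not lead to a certificate in the truststore or is outside its validity dates. */
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    /** SSLContext for a custom socket factory; build it once, call reload() when the file changes. */
    public SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

If the truststore holds the issuing CA certificate rather than the server's own certificate, a renewed server certificate from the same CA validates without any change to the file, which removes the need to fetch certificates from the service at all.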
