Hi Bruno,
It's working well, thanks...
To complete your post, below is the client code for the example we made:
import org.restlet.Client;
import org.restlet.Context;
import org.restlet.data.Protocol;
import org.restlet.representation.Representation;
import org.restlet.resource.ClientResource;

// The context's parameters configure the HTTPS client connector
Context ctx = new Context();
Client client = new Client(ctx, Protocol.HTTPS);
ClientResource service = new ClientResource("https://192.168.2.199/........./status");
// Trust store holding the server's self-signed certificate (copy of cacerts with the cert imported)
ctx.getParameters().add("truststorePath", "C:/Program Files/Java/jre6/lib/security/mycacerts.jks");
ctx.getParameters().add("truststorePassword", "<our pswd>");
ctx.getParameters().add("truststoreType", "JKS");
// Send the resource's requests through the configured client connector
service.setNext(client);
Representation rep = service.get();
regards
Xavier
2010/8/25 Bruno Harbulot <[email protected]>
> On 25/08/10 13:53, Xavier Méhaut wrote:
> > Hi Bruno,
> > Actually our architecture is the following :
> > A PC runs a restlet server locally (without a servlet container); the
> > resources served by this server call themselves other restlets which are
> > located in another restlet server on another PC, but this restlet
> > server is hosted in Tomcat with SSL set up.
> > The problem occurs when trying to call these remote restlets from the
> > first PC.
> > SSL is managed by tomcat and the certificate has been generated by java
> > keygen.
>
> Ah, this makes sense. When you say "the certificate has been generated
> by java keygen", presumably, you haven't sent the certificate request to
> a Certification Authority, so you're effectively using a self-signed
> certificate on your Tomcat server (presumably, you meant "keytool"
> instead of "keygen" too?).
> There's nothing wrong with that (although this could become an issue if
> you expect other clients to connect). However, for the client to be able
> to connect, you need to tell it to trust your server's certificate
> explicitly. This means that the trust store you're using on the client
> side needs to contain this self-signed certificate.
>
> The default trust store in Java is usually in
> $JAVA_HOME/lib/security/cacerts (and the default password is "changeme").
> I wouldn't necessarily modify that file, but you can take a copy of it
> and import the certificate you've generated on the server into it.
>
> * On the server:
>
> 1. Find the alias you need from the keystore (otherwise, the default
> will be "mykey"):
> keytool -list -keystore keystore.jks
>
> You should see a list like this:
> Certificate fingerprint (MD5):
> 5B:91:3D:BB:A7:0D:04:F9:92:A0:79:0E:EA:30:45:6A
> the alias name, 25-Aug-2010, PrivateKeyEntry,
>
> 2. Export the certificate:
> keytool -exportcert -keystore keystore.jks -alias "the alias name"
> -file servercert.der
>
> (Note that you only export the certificate here, not the private key,
> which is not to be distributed.)
>
>
> * On the client:
>
> 1. It's not strictly required, but I would copy
> $JAVA_HOME/lib/security/cacerts to a file that doesn't affect the whole
> system, let's say "mycacerts.jks".
>
> 2. Import the server certificate into that store:
> keytool -importcert -keystore mycacerts.jks -trustcacerts -file
> servercert.der
>
> (Optionally, use '-alias "some alias name"' if you want it to be easier
> to identify later on in the list. I'd go for the host name there, but
> it's just an internal indication in the store.)
>
> 3. Configure your Restlet client to use that as a trust store.
>
> If you think it's a good idea to use this as a trust store across
> everything that runs within that JVM, you can use the
> javax.net.ssl.trustStore properties.
>
> Otherwise, you can set it on a per-connector basis, using the Context
> parameters:
> parameters.add("truststorePath", "<path>mycacerts.jks");
> parameters.add("truststorePassword", "password");
> // parameters.add("truststoreType", "JKS");
>
>
>
> Best wishes,
>
> Bruno.
>
> ------------------------------------------------------
>
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2651208
>
>
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2651698
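An added check to go with the client-side steps above (example code written for this thread, not Bruno's or Restlet's own): it opens the copied trust store, prints each trusted certificate's fingerprint in the same colon-separated form as `keytool -list`, so it can be compared with the fingerprint shown on the server, and warns if a private key entry has ended up in the trust store instead of just the certificate. Store path, password and the expected alias are assumed to be passed as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustStoreCheck {
    // Fingerprint in keytool's notation, e.g. "5B:91:3D:BB:..." (hex pairs joined by ':')
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
    // Usage: java TrustStoreCheck mycacerts.jks <password> [expected-alias]
    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] password = args[1].toCharArray();
        String expectedAlias = args.length > 2 ? args[2] : null;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        boolean found = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                // Only the server's certificate should have been exported, never its
                // private key; a key entry here means the wrong file was imported.
                System.out.println("WARNING: '" + alias + "' is a private key entry");
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                System.out.println(alias + ": " + x.getSubjectX500Principal() + ", expires " + x.getNotAfter());
            }
            System.out.println("  MD5 " + fingerprint(cert, "MD5") + "  SHA1 " + fingerprint(cert, "SHA-1"));
            if (alias.equalsIgnoreCase(expectedAlias)) found = true; // keytool stores aliases lower-case
        }
        if (expectedAlias != null && !found) {
            System.err.println("Alias '" + expectedAlias + "' is not in " + path + ": import the certificate first");
            System.exit(1);
        }
    }
}
```

Run it against mycacerts.jks after the keytool -importcert step; the MD5 line for the imported alias should match the fingerprint printed by keytool -list on the server.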