Re: jax-ws and tomcat 7 with ssl

2014-03-19 Thread Leo Donahue
On Tue, Mar 18, 2014 at 2:58 PM, Maria Cristina Siena 
mariacristinasi...@sourcecable.net wrote:

 Hi,

 I developed a web service using jax-ws and configured Tomcat to support
 SSL connection. Here are my steps:

 ** Step 1 - Generate a self-signed server certificate

 Use JDK 1.7 keytool:

 keytool -genkey -alias trackerdev -keypass changeit -storepass changeit
 -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx

 Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere,
 ST=provincenamehere, C=ca correct?
   [no]:  yes

 They claim that the certificate is not properly signed. Well, I don't
 know. It is a self-signed certificate.



How do they access your web service?  Using the fully qualified machine
name in the URL?

Does CN=xx.x.x.xxx represent your server name?

If the cert is created for your server name, and your other team is on the
same network, all they need to do is place the cert in their trusted store
and it should be fine.

The name of the cert should be the same name your team would use to access
your server.

In other words, when your team views the certificate from their end, it
should say something like:

Issued to:  your fully qualified server name
Issued by:  your fully qualified server name

You are essentially issuing your server a cert by your server.

Did this help or make it worse?


Re: jax-ws and tomcat 7 with ssl

2014-03-18 Thread Jose María Zaragoza
2014-03-18 22:58 GMT+01:00 Maria Cristina Siena
mariacristinasi...@sourcecable.net:
 Hi,

 I developed a web service using jax-ws and configured Tomcat to support SSL
 connection. Here are my steps:

 ** Step 1 - Generate a self-signed server certificate

 Use JDK 1.7 keytool:

 keytool -genkey -alias trackerdev -keypass changeit -storepass changeit
 -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx

 Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere,
 ST=provincenamehere, C=ca correct?
   [no]:  yes

 ** Step 2 - Configure Tomcat to support SSL connection

 On the dev server:

 Modify TOMCAT_HOME\conf\server.xml by adding the following block where
 keystoreFile and keystorePass are set to values from the previous step:

 <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" clientAuth="false"
  sslProtocol="TLS"
  keystoreFile="htdkeystore/trackerdev.ks"
  keystorePass="changeit" />

 ** Step 3 - Export the generated server certificate to a certificate
 file

 On the dev server:

 keytool -export -alias trackerdev -storepass changeit -file
 D:\Tomcat7\htdkeystore\serverdev.cer -keystore
 D:\Tomcat7\htdkeystore\trackerdev.ks

 ** Step 4 - Import the server certificate into the truststore file (Open
 an administrator cmd window and hit Shift, Ctrl, Enter)

 Copy serverdev.cer from the dev server and on the local machine:

 keytool -import -v -trustcacerts -alias trackerdev -file
 C:\fromdevserver\serverdev.cer -keystore C:\Program
 Files\Java\jdk1.7.0_51\jre\lib\security\cacerts -keypass changeit
 -storepass changeit

 Trust this certificate? [no]:  yes

 ** Step 5 - Modify webapps's web.xml

 Add the following:
 <listener>
   <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
 </listener>
 <servlet>
   <servlet-name>tracker</servlet-name>
   <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
 </servlet>
 <servlet-mapping>
   <servlet-name>tracker</servlet-name>
   <url-pattern>/tracker</url-pattern>
 </servlet-mapping>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>securedapp</web-resource-name>
     <url-pattern>/tracker</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 ** MY QUESTION IS THIS:

 I tested the web service using https and it worked for me. I provided
 another team with my server certificate so that they could add it to their
 truststore file but I have no idea if they did or not. All I know is that
 they got an error loading the wsdl. The exception they got was:

 Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl]
 org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
 sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find
 valid certification path to requested target

 They claim that the certificate is not properly signed. Well, I don't know.
 It is a self-signed certificate.

 Any ideas would help!

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org



I guess that they must add your PK certificate to their keystore. Ask them.

Read the next link (in Spanish):
http://danielriab.wordpress.com/2012/08/13/java-pkix-path-building-failed/

Regards




RE: jax-ws and tomcat 7 with ssl

2014-03-18 Thread Martin Gainty
I assume they copied OptionalPrefixcacerts $JAVA_HOME\jre\lib\security?


make sure validation dates are correct for Certificate
a self-signed cert is designed to work on the machine where you created the 
cert only *CN*
to implement a cert that will work on FQDN with correct dates you will need a 
REAL cert from verisign / thawte / DigiCert


Fixing PKIX Errors:

http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/


Making Self-Signed Certs

http://torlanglo.wordpress.com/2008/05/03/how-to-create-a-ssl-certificate-with-custom-domain-name-for-use-in-iis7-web-sites/


Get your 'REAL CERTS' here

http://safire.net/support/verisign.html


Martin 





 Date: Tue, 18 Mar 2014 17:58:32 -0400
 From: mariacristinasi...@sourcecable.net
 To: users@tomcat.apache.org
 Subject: jax-ws and tomcat 7 with ssl
 
 Hi,
 
 I developed a web service using jax-ws and configured Tomcat to support 
 SSL connection. Here are my steps:
 
 ** Step 1 - Generate a self-signed server certificate
 
 Use JDK 1.7 keytool:
 
 keytool -genkey -alias trackerdev -keypass changeit -storepass changeit
 -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx
 
 Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere, 
 ST=provincenamehere, C=ca correct?
 [no]: yes
 
 ** Step 2 – Configure Tomcat to support SSL connection
 
 On the dev server:
 
 Modify TOMCAT_HOME\conf\server.xml by adding the following block where 
 keystoreFile and keystorePass are set to values from the previous step:
 
 <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" clientAuth="false"
  sslProtocol="TLS"
  keystoreFile="htdkeystore/trackerdev.ks"
  keystorePass="changeit" />
 
 ** Step 3 - Export the generated server certificate to a 
 certificate file
 
 On the dev server:
 
 keytool -export -alias trackerdev -storepass changeit -file
 D:\Tomcat7\htdkeystore\serverdev.cer -keystore
 D:\Tomcat7\htdkeystore\trackerdev.ks
 
 ** Step 4 - Import the server certificate into the truststore file 
 (Open an administrator cmd window and hit Shift, Ctrl, Enter)
 
 Copy serverdev.cer from the dev server and on the local machine:
 
 keytool -import -v -trustcacerts -alias trackerdev -file
 C:\fromdevserver\serverdev.cer -keystore C:\Program
 Files\Java\jdk1.7.0_51\jre\lib\security\cacerts -keypass changeit
 -storepass changeit
 
 Trust this certificate? [no]: yes
 
 ** Step 5 – Modify webapps’s web.xml
 
 Add the following:
 <listener>
   <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
 </listener>
 <servlet>
   <servlet-name>tracker</servlet-name>
   <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
 </servlet>
 <servlet-mapping>
   <servlet-name>tracker</servlet-name>
   <url-pattern>/tracker</url-pattern>
 </servlet-mapping>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>securedapp</web-resource-name>
     <url-pattern>/tracker</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
 
 ** MY QUESTION IS THIS:
 
 I tested the web service using https and it worked for me. I provided 
 another team with my server certificate so that they could add it to 
 their truststore file but I have no idea if they did or not. All I know 
 is that they got an error loading the wsdl. The exception they got was:
 
 Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl]
 org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
 sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to 
 find valid certification path to requested target
 
 They claim that the certificate is not properly signed. Well, I don't 
 know. It is a self-signed certificate.
 
 Any ideas would help!
 
 

Re: jax-ws and tomcat 7 with ssl

2014-03-18 Thread Christopher Schultz

Maria,

On 3/18/14, 5:58 PM, Maria Cristina Siena wrote:
 Hi,
 
 I developed a web service using jax-ws and configured Tomcat to
 support SSL connection. Here are my steps:
 
 ** Step 1 - Generate a self-signed server certificate
 
 Use JDK 1.7 keytool:
 
 keytool -genkey -alias trackerdev -keypass changeit -storepass
 changeit -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext
 san=ip:xx.x.x.xxx
 
 Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere, 
 ST=provincenamehere, C=ca correct? [no]:  yes
 
 ** Step 2 – Configure Tomcat to support SSL connection
 
 On the dev server:
 
 Modify TOMCAT_HOME\conf\server.xml by adding the following block
 where keystoreFile and keystorePass are set to values from the
 previous step:
 
 <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" clientAuth="false"
  sslProtocol="TLS" keystoreFile="htdkeystore/trackerdev.ks"
  keystorePass="changeit" />
 
 ** Step 3 - Export the generated server certificate to a
 certificate file
 
 On the dev server:
 
 keytool -export -alias trackerdev -storepass changeit -file
 D:\Tomcat7\htdkeystore\serverdev.cer -keystore
 D:\Tomcat7\htdkeystore\trackerdev.ks
 
 ** Step 4 - Import the server certificate into the truststore
 file (Open an administrator cmd window and hit Shift, Ctrl, Enter)
 
 Copy serverdev.cer from the dev server and on the local machine:
 
 keytool -import -v -trustcacerts -alias trackerdev -file
 C:\fromdevserver\serverdev.cer -keystore C:\Program
 Files\Java\jdk1.7.0_51\jre\lib\security\cacerts -keypass changeit
 -storepass changeit
 
 Trust this certificate? [no]:  yes
 
 ** Step 5 – Modify webapps’s web.xml
 
 Add the following:
 <listener>
   <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
 </listener>
 <servlet>
   <servlet-name>tracker</servlet-name>
   <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
 </servlet>
 <servlet-mapping>
   <servlet-name>tracker</servlet-name>
   <url-pattern>/tracker</url-pattern>
 </servlet-mapping>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>securedapp</web-resource-name>
     <url-pattern>/tracker</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
 
 ** MY QUESTION IS THIS:
 
 I tested the web service using https and it worked for me. I
 provided another team with my server certificate so that they could
 add it to their truststore file but I have no idea if they did or
 not. All I know is that they got an error loading the wsdl. The
 exception they got was:
 
 Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl] 
 org.apache.xmlbeans.XmlException:
 javax.net.ssl.SSLHandshakeException: 
 sun.security.validator.ValidatorException: PKIX path building
 failed: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target
 
 They claim that the certificate is not properly signed. Well, I
 don't know. It is a self-signed certificate.

Self-signed certificates are almost never trusted by outsiders. Why
not go ahead and get a trusted cert? You can get them for free at
StartSSL.com. Note that Java does not ship with a StartSSL CA
root-level certificate, so you still have to import the CA's root key
into the client's key store.

If your client is willing to import /your/ self-signed CA's
certificate (that is, your own certificate) into their trust store,
then just send them your CA cert. They may not know how to configure
that correctly -- it's not exactly the easiest thing in the world for
a Java client.

-chris

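The two things the replies above keep coming back to (Leo's point that the name the client dials must be covered by the certificate, and Jose's and Chris's point that the client's trust store must actually contain the self-signed certificate) can both be checked from the client side with a small stand-alone Java program. This is an added example, not code from the thread or from Tomcat or JAX-WS; it assumes the serverdev.cer exported in Step 3, the alias trackerdev, and the WSDL URL from the original post, and it builds a private trust store in memory instead of importing into the JDK's cacerts as Step 4 does (cacerts is replaced on every JDK upgrade, so imports there silently disappear).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/** Client-side check for a self-signed Tomcat certificate (added example). */
public class TrustSelfSignedClient {

    // Alias is an assumption taken from the original post's keytool commands.
    static final String ALIAS = "trackerdev";

    /** Load the exported .cer file into an empty, in-memory trust store. */
    static KeyStore trustStoreFrom(String cerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(cerPath)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                       // start from an empty store
        ts.setCertificateEntry(ALIAS, serverCert); // trusted-cert entry, no private key
        return ts;
    }

    /** An SSLContext that trusts only what is in the given store. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Does the host the client dials appear in the certificate's SAN list?
     * GeneralName type 2 is dNSName, type 7 is iPAddress; Java returns the IP
     * in dotted form, so a direct string comparison works for san=ip:... certs.
     */
    static boolean nameMatches(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // CN alone is not enough for modern hostname verification
        }
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String cerPath = args.length > 0 ? args[0] : "serverdev.cer";
        String wsdlUrl = args.length > 1 ? args[1]
            : "https://xx.x.x.xxx:8444/appname/tracker?wsdl"; // placeholder host from the post

        KeyStore ts = trustStoreFrom(cerPath);
        X509Certificate cert = (X509Certificate) ts.getCertificate(ALIAS);
        URL url = new URL(wsdlUrl);

        System.out.println("Issued to: " + cert.getSubjectX500Principal().getName());
        System.out.println("Issued by: " + cert.getIssuerX500Principal().getName());
        cert.checkValidity(); // throws if the cert is expired or not yet valid
        System.out.println("Cert covers host " + url.getHost() + ": "
            + nameMatches(cert, url.getHost()));

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContextFor(ts).getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed" here means the cert the server presented
            // is not the one in the trust store, not that it is "improperly signed".
            System.out.println("Handshake failed: " + e.getMessage());
        }
    }
}
```

Run it with `java TrustSelfSignedClient serverdev.cer https://<host>:8444/appname/tracker?wsdl` on the other team's machine. If "Cert covers host" prints false, the client is dialling a name or IP the certificate's SAN does not list; if it prints true but the handshake still fails, the generated JAX-WS client is not using this trust store. For a stock JAX-WS client the same store can be written to a file with keytool and supplied through the standard JSSE properties `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword`, which keeps the self-signed cert out of the JDK's cacerts.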