Hi Cyril,

When establishing a TLS connection the client application needs to confirm the validity of the certificate provided by the server. The JVMs and browsers come with a set of trusted third-party certificate authorities, like Verisign, Symantec, etc. Thus, the certificates signed by these authorities are automatically trusted. However, in case of a self-signed certificate you need to provide a trust store containing client certificate(s), otherwise no trust can be established between client and server. For example, you can specify a path to the trust store using the JVM setting javax.net.ssl.trustStoreType, for example -Djavax.net.ssl.trustStoreType=/path/to/trust-store.jks. The web browsers can ask whether to trust the server certificate or not, but in case of a non-interactive application you have to configure your application to trust the server in advance.
Thus, you need either to download the trust store or sign your server certificate with a standard CA which is already trusted by the JVM.

Kind Regards,
Alex

On Fri, 29 Mar 2019 at 08:50, Cyril Micoud <[email protected]> wrote:

> Hi Alex,
>
> When a browser accesses an SSL site, the certificate is downloaded by the
> browser and after that the page is opened in the browser.
> Can I do the same thing with my SSL REST request (request the REST API over SSL
> and download the certificate at the same time)? Or must I download the
> certificate and Java trust store with the certificate before?
>
> Thanks in advance,
> Best regards,
>
> Cyril MICOUD
> Software Development Engineer
> σLink Team
>
> Office: +33 (0)4 76 33 59 88
> email: [email protected]
> Skype: cyril.micoud_vitech
>
> Vi TECHNOLOGY
> Rue de Rochepleine - 38120 SAINT EGREVE - France
> Further information at www.vitechnology.com
>
> You are hereby formally notified that all information contained in this
> communication and any attachments shall be deemed strictly confidential and
> privileged unless explicitly stated otherwise. Please note that your use of
> confidential information may be governed, and restricted, by a
> non-disclosure agreement. The information contained in this communication
> and any attachments is disclosed for the sole use of the intended
> recipient(s). If you are not the intended recipient, you are hereby
> formally notified that any unauthorized review, use, disclosure or
> distribution of this message is prohibited. Please notify the sender
> immediately by replying to this message and destroy all copies of this
> message and any attachments. Mycronic is neither liable for the proper and
> complete transmission of the information contained in this communication,
> nor for any delay in its receipt. Please note that email correspondence
> generally includes processing of personal data. For information on
> Mycronic's processing of your personal data, please see our Privacy Policy:
> http://www.mycronic.com/fr/about-us/privacy-policy/
>
> -----Original Message-----
> From: Oleksandr Rudyy <[email protected]>
> Sent: Friday 29 March 2019 09:14
> To: [email protected]
> Subject: Re: [Broker-J] How to configure HTTPS
>
> Hi Cyril,
> The exception message "Caused by:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target" indicates that the SSL handshake
> failed due to not being able to find the certificate.
> Did you download and specify the self-signed certificate with your request?
>
> Please note that you can download the certificate and Java trust store
> with the certificate from the broker Web Management Console tab for
> AutoGeneratedSelfSigned.
>
> Kind Regards,
> Alex
>
> On Thu, 28 Mar 2019 at 15:33, Cyril Micoud <[email protected]> wrote:
>
> > Hi Keith,
> >
> > Thanks a lot for your response.
> >
> > I restarted my configuration from scratch to be sure and did it like
> > that:
> > 1. create an AutoGeneratedSelfSigned keystore
> > 2. create 2 new ports, AMQPS (port 5671) and HTTPS (port 8089, because my
> >    HTTP port is 8090 and I would like to keep the same thing as the AMQP port)
> >
> > After restart my broker httpManagement access via the HTTPS URL works fine
> > (except the normal warning when accessing from Chrome due to the self-signed
> > certificate). But now the HTTP access gives me an HTTP 417!
> > However, the HTTP port is always defined... I don't understand why!?
> >
> > And when I try to use the REST API via HTTPS, I get an exception:
> >
> > javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
> >         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> >         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> >         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> >         at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> >         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> >         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> >         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
> >         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
> >         at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
> >         at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> >         at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> >         at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> >         at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> >         at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> >         at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> >         at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> >         at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
> >         ... 27 more
> > Caused by: sun.security.validator.ValidatorException: PKIX path building
> > failed: sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find valid certification path to requested target
> >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> >         at sun.security.validator.Validator.validate(Validator.java:262)
> >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> >         ... 48 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find valid certification path to requested target
> >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> >         ... 54 more
> >
> > I just would like to know if it is normal or not (due to the self-signed
> > certificate, for example) or if I must add some configuration to my httpclient?
> >
> > Thanks a lot in advance,
> > Best regards,
> >
> > Cyril
> >
> > -----Original Message-----
> > From: Keith W <[email protected]>
> > Sent: Thursday 28 March 2019 10:19
> > To: [email protected]
> > Subject: Re: [Broker-J] How to configure HTTPS
> >
> > Cyril
> >
> > What exactly are you seeing? Are you seeing error messages when you
> > try and connect a browser?
> >
> > To set up TLS for the Broker, you create a keystore containing your key
> > material, then assign this to the port(s) you desire. You need to cause
> > the Broker to restart after changing an existing port. This can be done
> > through the console or you can bounce the whole process. You don't need a
> > trust store on the Broker unless you want to use client certs. The
> > Broker reports the ports it listens to and the transports assigned as it
> > comes up. Check the qpid.log.
> >
> > The broker's documentation covers the concepts (see the sections on
> > ports and key stores), but unfortunately does provide a step by step
> > recipe.
> >
> > Hope this helps
> >
> > Keith.
> >
> > On Wed, 27 Mar 2019 at 17:27, Cyril Micoud <[email protected]> wrote:
> >
> > > Hi all,
> > >
> > > I would like to enable HTTPS on my broker, but I don't know how!?
> > >
> > > I have added a new dedicated port, authentication provider, key store
> > > and trust store but without any success!
> > >
> > > Can one of you help me or give me the best way to configure my
> > > Broker-J 7.1.1?
> > >
> > > Thank you in advance,
> > >
> > > Best regards,
> > >
> > > Cyril
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
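The non-interactive case Alex describes, as an added example that is not code from this thread or from Broker-J: a Java client that loads the broker's exported self-signed certificate into a dedicated in-memory trust store, builds an SSLContext from it, and hands that to the Apache HttpClient that Unirest was wrapping in the stack trace above. The file name broker-cert.pem, the management URL https://localhost:8089/api/latest/broker and the host name are assumptions. Two facts worth stating plainly: the JVM property that takes a trust store file path is javax.net.ssl.trustStore (javax.net.ssl.trustStoreType names the store format, such as JKS or PKCS12), and setting that property changes which servers every TLS connection in the process trusts, whereas the per-client SSLContext below trusts the broker's certificate only where this client is used.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

/**
 * Added example (not Broker-J code): trust one self-signed broker certificate
 * in a Java REST client without modifying the JVM-wide cacerts file.
 */
public class BrokerRestClient {

    /** Builds an in-memory trust store that contains only the given PEM certificate. */
    static KeyStore trustStoreFromPem(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate brokerCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            brokerCert = (X509Certificate) cf.generateCertificate(in);
        }
        // Fail early if the exported certificate is expired or not yet valid;
        // otherwise the handshake fails later with a less obvious message.
        brokerCert.checkValidity();

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);              // fresh, empty store
        trustStore.setCertificateEntry("broker", brokerCert);
        return trustStore;
    }

    /** HttpClient whose TLS layer trusts only the certificates in trustStore. */
    static CloseableHttpClient clientTrusting(KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContexts.custom()
                // null trust strategy: the normal PKIX path validation still runs,
                // it just runs against our one-entry store instead of cacerts.
                .loadTrustMaterial(trustStore, null)
                .build();
        // Keep hostname verification on. Trusting the certificate is not enough:
        // its subject/SAN must match the host in the URL, or any holder of a
        // trusted key could impersonate the broker.
        SSLConnectionSocketFactory sslFactory =
                new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslFactory).build();
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: the broker's self-signed certificate was exported to
        // broker-cert.pem and the HTTPS management port is 8089 on localhost.
        String pemPath = args.length > 0 ? args[0] : "broker-cert.pem";
        String url = args.length > 1 ? args[1] : "https://localhost:8089/api/latest/broker";

        KeyStore trustStore = trustStoreFromPem(pemPath);
        try (CloseableHttpClient client = clientTrusting(trustStore);
             CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            System.out.println(response.getStatusLine());
            System.out.println(EntityUtils.toString(response.getEntity()));
        }
    }
}
```

If the code cannot be changed to build its own client, the JVM-wide route Alex mentions is to import the same PEM file into a JKS trust store with keytool -importcert -alias broker -file broker-cert.pem -keystore trust-store.jks and start the application with -Djavax.net.ssl.trustStore=/path/to/trust-store.jks (plus -Djavax.net.ssl.trustStorePassword if the store has one); the trust store downloadable from the Broker-J management console can be used directly in that property. Unirest 1.x, which appears in the stack trace, lets you hand it the HttpClient built above through Unirest.setHttpClient(...), so the per-client approach works there too. Either way the hostname in the URL must match the certificate, and an AutoGeneratedSelfSigned certificate will have to be re-exported whenever the broker regenerates it.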
