I'm surprised this works at all in an app server environment. The app server should have some way of configuring SSL support, and even though that configuration is going to be intended more for inbound connections it might also have settings for outbound connections.

Aside from that, you can take direct control over the authentication of the presented server certificate by implementing your own TrustManager. Here's a method which illustrates this approach, from an open source project I developed which needed to work with custom certificate authorities for server SSL/TLS certificates:

    import java.io.IOException;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    // Constant of the enclosing class used by getAcceptedIssuers() below
    // (assumed definition: an empty array, as the name indicates).
    private static final X509Certificate[] s_emptyCertArray = new X509Certificate[0];

    /**
     * Open a connection to a server. If the connection type is 'https' and a
     * certificate authority keystore is supplied, that certificate authority
     * will be used when establishing the connection to the server.
     *
     * @param target destination URL (must use 'http' or 'https' protocol)
     * @param castore keystore containing certificate authority certificate
     * @return connection
     * @throws IOException
     * @throws NoSuchAlgorithmException
     * @throws KeyManagementException
     * @throws KeyStoreException
     */
    private HttpURLConnection openConnection(String target, KeyStore castore)
            throws IOException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
        URL url = new URL(target);
        HttpURLConnection conn = (HttpURLConnection)url.openConnection();
        if (castore != null && target.toLowerCase().startsWith("https:")) {
            String alg = TrustManagerFactory.getDefaultAlgorithm();
            SSLContext context = SSLContext.getInstance("TLS");

            // managers0: the JVM's default trust store (null keystore = cacerts
            // or whatever javax.net.ssl.trustStore points at)
            TrustManagerFactory tmfact0 = TrustManagerFactory.getInstance(alg);
            tmfact0.init((KeyStore)null);
            final TrustManager[] managers0 = tmfact0.getTrustManagers();

            // managers1: the supplied custom certificate authority keystore
            TrustManagerFactory tmfact1 = TrustManagerFactory.getInstance(alg);
            tmfact1.init(castore);
            final TrustManager[] managers1 = tmfact1.getTrustManagers();

            // Composite manager: a server chain is accepted if either the
            // default trust store or the custom CA keystore verifies it.
            TrustManager manager = new X509TrustManager() {

                private X509TrustManager getTM(TrustManager[] tms) {
                    for (int i = 0; i < tms.length; i++) {
                        TrustManager tm = tms[i];
                        if (tm instanceof X509TrustManager) {
                            return (X509TrustManager)tm;
                        }
                    }
                    return null;
                }

                // Client certificates are only checked against the default store.
                public void checkClientTrusted(X509Certificate[] chain, String type)
                        throws CertificateException {
                    X509TrustManager tm = getTM(managers0);
                    if (tm != null) {
                        tm.checkClientTrusted(chain, type);
                    }
                }

                public void checkServerTrusted(X509Certificate[] chain, String type)
                        throws CertificateException {
                    X509TrustManager tm = getTM(managers0);
                    if (tm != null) {
                        try {
                            tm.checkServerTrusted(chain, type);
                            return;
                        } catch (CertificateException e) {
                            // deliberately empty: fall through to the custom CA store
                        }
                    }
                    tm = getTM(managers1);
                    if (tm != null) {
                        try {
                            tm.checkServerTrusted(chain, type);
                            return;
                        } catch (CertificateException e) {
                            // deliberately empty: neither store accepted the chain
                        }
                    }
                    throw new CertificateException("Certificate chain cannot be verified");
                }

                // Report the issuers of both stores combined.
                public X509Certificate[] getAcceptedIssuers() {
                    X509TrustManager tm = getTM(managers0);
                    X509Certificate[] certs0 = s_emptyCertArray;
                    if (tm != null) {
                        certs0 = tm.getAcceptedIssuers();
                    }
                    tm = getTM(managers1);
                    X509Certificate[] certs1 = s_emptyCertArray;
                    if (tm != null) {
                        certs1 = tm.getAcceptedIssuers();
                    }
                    X509Certificate[] certs = new X509Certificate[certs0.length + certs1.length];
                    System.arraycopy(certs0, 0, certs, 0, certs0.length);
                    System.arraycopy(certs1, 0, certs, certs0.length, certs1.length);
                    return certs;
                }
            };
            context.init(null, new TrustManager[] { manager }, null);
            SSLSocketFactory sockfactory = context.getSocketFactory();
            ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
        }
        return conn;
    }

 - Dennis

--
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
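Two things come up repeatedly in this thread: checking what is actually in the truststore (the Portecle suggestion further down) and getting a particular connection to use it. The following is an added example, not code from the thread or from Dennis's project: it loads a JKS truststore, lists its trusted certificate entries with their validity, then builds an SSLContext from that store and attaches it to one HttpsURLConnection instead of relying on the global javax.net.ssl.* system properties. The class name TrustStoreCheck, the default path truststore.jks and the command-line arguments are placeholders of mine; it assumes Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class TrustStoreCheck {

    /** Load a keystore file of the given type (e.g. "JKS"); the password only checks integrity. */
    static KeyStore loadStore(String path, char[] password, String type)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Return only the trusted-certificate entries; key entries do not make a store a truststore. */
    static List<X509Certificate> trustedCertificates(KeyStore ks) throws KeyStoreException {
        List<X509Certificate> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    out.add((X509Certificate) c);
                }
            }
        }
        return out;
    }

    /** Build an SSLContext whose server-trust decisions come from this store only. */
    static SSLContext contextFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder arguments: truststore path, store password, optional https URL to probe.
        String path = args.length > 0 ? args[0] : "truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = loadStore(path, password, "JKS");
        List<X509Certificate> certs = trustedCertificates(ks);
        if (certs.isEmpty()) {
            System.err.println("No trusted certificate entries in " + path
                    + "; a JSSE client will not trust anything from this store.");
            System.exit(1);
        }
        for (X509Certificate c : certs) {
            System.out.println(c.getSubjectX500Principal() + " valid until " + c.getNotAfter());
            c.checkValidity(); // throws CertificateExpiredException / NotYetValidException
        }

        if (args.length > 2) {
            // Scope the trust configuration to this single connection.
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
            conn.setSSLSocketFactory(contextFor(ks).getSocketFactory());
            System.out.println("HTTP " + conn.getResponseCode() + " from " + args[2]);
        }
    }
}
```

Run it as `java TrustStoreCheck /path/to/truststore.jks changeit https://host/service`. If the listing shows no trusted entries, or the CA that issued the service's certificate is not among them, the "unable to find valid certification path" class of failure is the expected result, and no amount of property juggling will change it. Setting the socket factory per connection also sidesteps a common app-server trap: the JVM's default SSLContext reads the javax.net.ssl.trustStore properties once, when it is first initialized, so setting them from application code after some other component in the server has already opened an SSL connection has no effect on that default.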


asheikh wrote:
Hi,

I have a strange problem with using an SSL server. I have a war application which has a jar that connects to an SSL web service.

        System.setProperty("javax.net.ssl.keyStore", url.getPath());
        System.setProperty("javax.net.ssl.keyStoreType", "jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", url.getPath());
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

The first time I deploy the application on the WebLogic server everything works, but after restarting the application server I get "no trust certificate found".

Any idea, please?

Thanks

On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <d...@sosnoski.com> wrote:

    Hi Shasta,

    I've never had any problems setting the client truststore using
    the javax.net.ssl.truststore property, so I suspect something is
    wrong with your actual truststore/keystore files. You might want
    to check what's actually in the stores using a tool such as
    http://portecle.sourceforge.net/

    For convenience, you can also set the value of these properties
    using JVM parameters rather than in your client code, using this
    type of format: -Djavax.net.ssl.trustStore=path

    If you do a search on javax.net.ssl.truststore you'll find many
    articles and discussions of the topic. The Tomcat documentation
    also has a good discussion of configuring SSL for the server,
    though I don't think that includes anything on a Java client
    configuration.

     - Dennis

    --
    Dennis M. Sosnoski
    Java XML and Web Services
    Axis2 Training and Consulting
    http://www.sosnoski.com - http://www.sosnoski.co.nz
    Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117

    Shasta Willson wrote:

        Thought I'd reply to my own message with some information that might be useful:

        despite using keytool (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html) to install the certificate, and various combinations of these properties to theoretically point to it (where keyStore and trustStorePass are paths to generated files):

            System.setProperty("javax.net.ssl.keyStore", keyStore);
            System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
            System.setProperty("javax.net.ssl.trustStore", trustStore);
            System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);

        I never did get it to work that way. (I eventually built an SSLTest.java that JUST connected so I could eliminate other configuration issues, but even in that simplified context I couldn't get it working.)

        What finally worked for me (for the SSLTest program) was to put the certificate into the normal Java location and overwrite cacerts. I could do that since no one else is using Java on this server and this is the first time I've needed to place a certificate, i.e. I wasn't going to break something else in the process.

        I found this very useful tool during my research:
        http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html

        I could have avoided three days waiting for the service-owner to send a certificate, had I known about it.

        Hope that helps someone else save time.

        - Shasta

        On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willson <shas...@gmail.com> wrote:

            I have an SSL secured web service to consume. It also uses a usertoken/password in the SOAP header, which I'm doing with Rampart, but I don't think that's relevant to my question.

            I'd like to understand how to go from "have a certificate" to trustStore (and/or KeyStore?) properly configured. Currently I get this error, which a Google search suggests is related to not having it set up right:

            org.apache.axis2.AxisFault: Unconnected sockets not implemented
                at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)

            Thank you,

            - Shasta

