Dennis,
Thanks for the code and suggestions.
"The app server should have some way of configuring SSL support, and even
though that configuration is going to be intended more for inbound
connections it might also have settings for outbound connections."
yes, I have configures the application server and I could see the
certificates loaded from my custom key/trust store but still it complains no
trust certificate found.
I am not sure why it is working first time when i deploy the war, and it
doesn't work after I restart the application server.
but my concern is that I am using web service client stub/proxy(Axis2), and
I am providing the endpoint to the stub, my code does't handle connections
thanks again
On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski <d...@sosnoski.com> wrote:
> I'm surprised this works at all in an app server environment. The app
> server should have some way of configuring SSL support, and even though that
> configuration is going to be intended more for inbound connections it might
> also have settings for outbound connections.
>
> Aside from that, you can take direct control over the authentication of the
> presented server certificate by implementing your own TrustManager. Here's a
> method which illustrates this approach, from an open source project I
> developed which needed to work with custom certificate authorities for
> server SSL/TLS certificates:
> /**
> * Open a connection to a server. If the connection type is 'https' and a
> * certificate authority keystore is supplied, that certificate authority
> * will be used when establishing the connection to the server.
> *
> * @param target destination URL (must use 'http' or 'https' protocol)
> * @param castore keystore containing certificate authority certificate
> * @return connection
> * @throws IOException
> * @throws NoSuchAlgorithmException
> * @throws KeyManagementException
> * @throws KeyStoreException
> */
> private HttpURLConnection openConnection(String target, KeyStore castore)
> throws IOException, NoSuchAlgorithmException, KeyManagementException,
> KeyStoreException {
> URL url = new URL(target);
> HttpURLConnection conn = (HttpURLConnection)url.openConnection();
> if (castore != null && target.toLowerCase().startsWith("https:")) {
> String alg = TrustManagerFactory.getDefaultAlgorithm();
> SSLContext context = SSLContext.getInstance("TLS");
> TrustManagerFactory tmfact0 =
> TrustManagerFactory.getInstance(alg);
> tmfact0.init((KeyStore)null);
> final TrustManager[] managers0 = tmfact0.getTrustManagers();
> TrustManagerFactory tmfact1 =
> TrustManagerFactory.getInstance(alg);
> tmfact1.init(castore);
> final TrustManager[] managers1 = tmfact1.getTrustManagers();
> TrustManager manager = new X509TrustManager() {
> private X509TrustManager getTM(TrustManager[]
> tms) {
> for (int i = 0; i < tms.length; i++) {
> TrustManager tm = tms[i];
> if (tm instanceof X509TrustManager) {
> return (X509TrustManager)tm;
> }
> }
> return null;
> }
>
> public void checkClientTrusted(X509Certificate[] chain,
> String type) throws CertificateException {
> X509TrustManager tm = getTM(managers0);
> if (tm != null) {
> tm.checkClientTrusted(chain, type);
> }
> }
>
> public void checkServerTrusted(X509Certificate[] chain,
> String type) throws CertificateException {
> X509TrustManager tm = getTM(managers0);
> if (tm != null) {
> try {
> tm.checkServerTrusted(chain, type);
> return;
> } catch (CertificateException e) {
> // deliberately empty
> }
> }
> tm = getTM(managers1);
> if (tm != null) {
> try {
> tm.checkServerTrusted(chain, type);
> return;
> } catch (CertificateException e) {
> // deliberately empty
> }
> }
> throw new CertificateException("Certificate chain cannot
> be verified");
> }
>
> public X509Certificate[] getAcceptedIssuers() {
> X509TrustManager tm = getTM(managers0);
> X509Certificate[] certs0 = s_emptyCertArray;
> if (tm != null) {
> certs0 = tm.getAcceptedIssuers();
> }
> tm = getTM(managers1);
> X509Certificate[] certs1 = s_emptyCertArray;
> if (tm != null) {
> certs1 = tm.getAcceptedIssuers();
> }
> X509Certificate[] certs = new
> X509Certificate[certs0.length+certs1.length];
> System.arraycopy(certs0, 0, certs, 0, certs0.length);
> System.arraycopy(certs1, 0, certs, certs0.length,
> certs1.length);
> return certs;
> }
> };
> context.init(null, new TrustManager[] { manager }, null);
> SSLSocketFactory sockfactory = context.getSocketFactory();
> ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
> }
> return conn;
> }
>
> - Dennis
>
> --
> Dennis M. Sosnoski
> Java XML and Web Services
> Axis2 Training and Consulting
> http://www.sosnoski.com - http://www.sosnoski.co.nz
> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
> asheikh wrote:
>
>> Hi,
>>
>> I have a strange problem with using SSL server. I have a war application
>> which has a jar that connects to a SSL web service.
>>
>> System.setProperty("javax.net.ssl.keyStore", url.getPath());
>> System.setProperty("jjavax.net.ssl.keyStoreType", "jks");
>> System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>> System.setProperty("javax.net.ssl.trustStore", url.getPath());
>> System.setProperty("javax.net.ssl.trustStoreType", "jks");
>> System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>>
>> First time, when I deploy the application on weblogic server everything
>> works, but after restarting the application server then I get "no trust
>> certificate found"
>>
>> any idea please
>>
>> thanks
>>
>> On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <d...@sosnoski.com<mailto:
>> d...@sosnoski.com>> wrote:
>>
>> Hi Shasta,
>>
>> I've never had any problems setting the client truststore using
>> the javax.net.ssl.truststore property, so I suspect something is
>> wrong with your actual truststore/keystore files. You might want
>> to check what's actually in the stores using a tool such as
>> http://portecle.sourceforge.net/
>>
>> For convenience, you can also set the value of these properties
>> using JVM parameters rather than in your client code, using this
>> type of format: -Djavax.net.ssl.trustStore=path
>>
>> If you do a search on javax.net.ssl.truststore you'll find many
>> articles and discussions of the topic. The Tomcat documentation
>> also has a good discussion of configuring SSL for the server,
>> though I don't think that includes anything on a Java client
>> configuration.
>>
>> - Dennis
>>
>> -- Dennis M. Sosnoski
>> Java XML and Web Services
>> Axis2 Training and Consulting
>> http://www.sosnoski.com - http://www.sosnoski.co.nz
>> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>>
>>
>>
>>
>> Shasta Willson wrote:
>>
>> Thought I'd reply to my own message with some information that
>> might be useful:
>>
>> despite using keytool
>> (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html
>> )
>> to
>> install the certificate, and various combinations of these
>> properties
>> to theoretically point to it (where keyStore and
>> trustStorePass are
>> paths to generated files):
>>
>> System.setProperty("javax.net.ssl.keyStore",keyStore);
>> System.setProperty("javax.net.ssl.keyStorePassword",
>> keyPass);
>> System.setProperty("javax.net.ssl.trustStore",
>> trustStore);
>> System.setProperty("javax.net.ssl.trustStorePassword",
>> trustStorePass);
>>
>>
>> I never did get it to work that way. (I eventually built an
>> SSLTest.java that JUST connected so I could eliminate other
>> configuration issues, but even in that simplified context I
>> couldn't
>> get it working.)
>>
>> What finally worked for me (for the SSLTest program) was to
>> put the
>> certificate into the normal java location and over-write
>> cacerts. I
>> could do that since noone else is using Java on this server
>> and this
>> is the first time I've needed to place a certificate. i.e. I
>> wasn't
>> going to break something else in the process.
>>
>> I found this very useful tool during my research :
>>
>> http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html
>>
>> I could have avoided three days waiting for the service-owner
>> to send
>> a certificate, had I known about it.
>>
>> Hope that helps someone else save time.
>>
>> - Shasta
>>
>> On Tue, Jun 23, 2009 at 8:34 AM, Shasta
>> Willson<shas...@gmail.com <mailto:shas...@gmail.com>> wrote:
>>
>> I have an SSL secured web service to consume. It also uses a
>> usertoken/password in the SOAP header, which I'm doing
>> with Rampart,
>> but I don't think that's relevant to my question.
>>
>> I'd like to understand how to go from "have a certificate" to
>> trustStore (and/or KeyStore?) properly configured.
>> Currently I get
>> this error, which a google search suggests is related to
>> not having it
>> set up right:
>>
>> org.apache.axis2.AxisFault: Unconnected sockets not
>> implemented
>> at
>> org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
>>
>> Thank you,
>>
>> - Shasta
>>
>>
>>
>>
>>
>
