You don't necessarily need to use keytool. You can now use a plain PEM file, containing the CA's X.509 certificate:

{{{
    <http:conduit name="...">
        <http:tlsClientParameters>
            <csec:trustManagers>
                <csec:certStore resource="path-to-pem-relative-to-classpath"/>
            </csec:trustManagers>
            <csec:cipherSuitesFilter>
                <csec:include>.*</csec:include>
                <csec:exclude>.*_DH_anon_.*</csec:exclude>
            </csec:cipherSuitesFilter>
        </http:tlsClientParameters>
    </http:conduit>
}}}

You'll need to get a hold of this certificate, if you don't already have it. Here is the information about the peer you can get through openssl:

15:57:32 spock:~> openssl s_client -host api-aa.sandbox.paypal.com -port 443
CONNECTED(00000004)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/[EMAIL PROTECTED]
---
SSL handshake has read 3379 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 85E1D239A982C834730D359EBD5D009F1D64705CD2F44192E6081CF7A55CA88F
    Session-ID-ctx:
    Master-Key: C7C10F6A3503C174C2B276FBE109F6C249B4C2B252BA45AFAFA157EB920B10DEB80BD9B12971A54CA42805A4940785D0
    Key-Arg   : None
    Start Time: 1197838663
    Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---

So it looks like you'll need one of those 2 VeriSign certs.

-Fred
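Fred's point above, that the handshake only verifies once the issuing CA (root or intermediate) is in the client's trust store, as an added example that is not part of this thread or of CXF: a small Go program (Go rather than CXF's Java so it runs stand-alone and offline) that builds a constructed three-certificate chain of the same shape openssl printed, encodes a CA as the kind of PEM the certStore above would load, and verifies the server certificate against that PEM only. All names (root-ca.example.test, api.example.test) and the chain itself are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent, or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial, fine for a fixture
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root, like the Class 3 root in the chain above
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // fails only on a bad template
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain makes root CA, intermediate CA and server leaf, the shape openssl printed above (constructed data).
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue("root-ca.example.test", true, nil, nil)
	inter, interKey := issue("intermediate-ca.example.test", true, root, rootKey)
	leaf, _ = issue("api.example.test", false, inter, interKey)
	return root, inter, leaf
}

// ToPEM encodes a certificate as a PEM trust-store file holds it.
func ToPEM(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }

// VerifyWithTrustPEM trusts only the CAs in trustPEM; other certificates the server sent are mere intermediates.
func VerifyWithTrustPEM(leaf *x509.Certificate, sent []*x509.Certificate, trustPEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(trustPEM) // an empty or unparsable PEM leaves nothing trusted
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "api.example.test"})
	return err
}
```

Trusting either the root or the intermediate PEM makes the server certificate verify, while an empty trust store, or a server that never sends its intermediate, yields x509.UnknownAuthorityError, the counterpart of openssl's "Verify return code: 19" above.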

On Dec 16, 2007, at 3:53 PM, Alex Shneyderman wrote:

Hi, Fred!

On Dec 16, 2007 8:49 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:

You need to specify a trust store containing the appropriate
certificate authority to be used when performing the handshake with
the paypal service.

Could you explain this step in a bit more detail? I guess I have to use
something like keytool, but I am not sure what "appropriate certificate
authority" means. Where do I get it, and how do I deal with it? I have tried
to search PayPal's docs, but nothing of relevance turned up.

Thanks,
Alex.

