Re: SSL : setting up truststore (and keystore?)
Hi, I have a strange problem with using SSL server. I have a war application which has a jar that connects to a SSL web service. System.setProperty(javax.net.ssl.keyStore, url.getPath()); System.setProperty(jjavax.net.ssl.keyStoreType, jks); System.setProperty(javax.net.ssl.keyStorePassword, changeit); System.setProperty(javax.net.ssl.trustStore, url.getPath()); System.setProperty(javax.net.ssl.trustStoreType, jks); System.setProperty(javax.net.ssl.trustStorePassword, changeit); First time, when I deploy the application on weblogic server everything works, but after restarting the application server then I get no trust certificate found any idea please thanks On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski d...@sosnoski.com wrote: Hi Shasta, I've never had any problems setting the client truststore using the javax.net.ssl.truststore property, so I suspect something is wrong with your actual truststore/keystore files. You might want to check what's actually in the stores using a tool such as http://portecle.sourceforge.net/ For convenience, you can also set the value of these properties using JVM parameters rather than in your client code, using this type of format: -Djavax.net.ssl.trustStore=path If you do a search on javax.net.ssl.truststore you'll find many articles and discussions of the topic. The Tomcat documentation also has a good discussion of configuring SSL for the server, though I don't think that includes anything on a Java client configuration. - Dennis -- Dennis M. Sosnoski Java XML and Web Services Axis2 Training and Consulting http://www.sosnoski.com - http://www.sosnoski.co.nz Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117 Shasta Willson wrote: Thought I'd reply to my own message with some information that might be useful: despite using keytool (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html) to install the certificate, and various combinations of these properties to theoretically point to it (where keyStore and trustStorePass are paths to generated files): System.setProperty(javax.net.ssl.keyStore,keyStore); System.setProperty(javax.net.ssl.keyStorePassword, keyPass); System.setProperty(javax.net.ssl.trustStore, trustStore); System.setProperty(javax.net.ssl.trustStorePassword, trustStorePass); I never did get it to work that way. (I eventually built an SSLTest.java that JUST connected so I could eliminate other configuration issues, but even in that simplified context I couldn't get it working.) What finally worked for me (for the SSLTest program) was to put the certificate into the normal java location and over-write cacerts. I could do that since noone else is using Java on this server and this is the first time I've needed to place a certificate. i.e. I wasn't going to break something else in the process. I found this very useful tool during my research : http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html I could have avoided three days waiting for the service-owner to send a certificate, had I known about it. Hope that helps someone else save time. - Shasta On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willsonshas...@gmail.com wrote: I have an SSL secured web service to consume. It also uses a usertoken/password in the SOAP header, which I'm doing with Rampart, but I don't think that's relevant to my question. I'd like to understand how to go from have a certificate to trustStore (and/or KeyStore?) properly configured. Currently I get this error, which a google search suggests is related to not having it set up right: org.apache.axis2.AxisFault: Unconnected sockets not implemented at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430) Thank you, - Shasta
Re: SSL : setting up truststore (and keystore?)
I'm surprised this works at all in an app server environment. The app
server should have some way of configuring SSL support, and even though
that configuration is going to be intended more for inbound connections
it might also have settings for outbound connections.
Aside from that, you can take direct control over the authentication of
the presented server certificate by implementing your own TrustManager.
Here's a method which illustrates this approach, from an open source
project I developed which needed to work with custom certificate
authorities for server SSL/TLS certificates:
/**
* Open a connection to a server. If the connection type is 'https'
and a
* certificate authority keystore is supplied, that certificate
authority
* will be used when establishing the connection to the server.
*
* @param target destination URL (must use 'http' or 'https' protocol)
* @param castore keystore containing certificate authority certificate
* @return connection
* @throws IOException
* @throws NoSuchAlgorithmException
* @throws KeyManagementException
* @throws KeyStoreException
*/
private HttpURLConnection openConnection(String target, KeyStore
castore)
throws IOException, NoSuchAlgorithmException,
KeyManagementException, KeyStoreException {
URL url = new URL(target);
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
if (castore != null target.toLowerCase().startsWith(https:)) {
String alg = TrustManagerFactory.getDefaultAlgorithm();
SSLContext context = SSLContext.getInstance(TLS);
TrustManagerFactory tmfact0 =
TrustManagerFactory.getInstance(alg);
tmfact0.init((KeyStore)null);
final TrustManager[] managers0 = tmfact0.getTrustManagers();
TrustManagerFactory tmfact1 =
TrustManagerFactory.getInstance(alg);
tmfact1.init(castore);
final TrustManager[] managers1 = tmfact1.getTrustManagers();
TrustManager manager = new X509TrustManager() {
private X509TrustManager getTM(TrustManager[] tms) {
for (int i = 0; i tms.length; i++) {
TrustManager tm = tms[i];
if (tm instanceof X509TrustManager) {
return (X509TrustManager)tm;
}
}
return null;
}
public void checkClientTrusted(X509Certificate[] chain,
String type) throws CertificateException {
X509TrustManager tm = getTM(managers0);
if (tm != null) {
tm.checkClientTrusted(chain, type);
}
}
public void checkServerTrusted(X509Certificate[] chain,
String type) throws CertificateException {
X509TrustManager tm = getTM(managers0);
if (tm != null) {
try {
tm.checkServerTrusted(chain, type);
return;
} catch (CertificateException e) {
// deliberately empty
}
}
tm = getTM(managers1);
if (tm != null) {
try {
tm.checkServerTrusted(chain, type);
return;
} catch (CertificateException e) {
// deliberately empty
}
}
throw new CertificateException(Certificate chain
cannot be verified);
}
public X509Certificate[] getAcceptedIssuers() {
X509TrustManager tm = getTM(managers0);
X509Certificate[] certs0 = s_emptyCertArray;
if (tm != null) {
certs0 = tm.getAcceptedIssuers();
}
tm = getTM(managers1);
X509Certificate[] certs1 = s_emptyCertArray;
if (tm != null) {
certs1 = tm.getAcceptedIssuers();
}
X509Certificate[] certs = new
X509Certificate[certs0.length+certs1.length];
System.arraycopy(certs0, 0, certs, 0, certs0.length);
System.arraycopy(certs1, 0, certs, certs0.length,
certs1.length);
return certs;
}
};
context.init(null, new TrustManager[] { manager }, null);
SSLSocketFactory sockfactory = context.getSocketFactory();
((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
}
return conn;
}
- Dennis
--
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA
Re: SSL : setting up truststore (and keystore?)
Dennis,
Thanks for the code and suggestions.
The app server should have some way of configuring SSL support, and even
though that configuration is going to be intended more for inbound
connections it might also have settings for outbound connections.
yes, I have configures the application server and I could see the
certificates loaded from my custom key/trust store but still it complains no
trust certificate found.
I am not sure why it is working first time when i deploy the war, and it
doesn't work after I restart the application server.
but my concern is that I am using web service client stub/proxy(Axis2), and
I am providing the endpoint to the stub, my code does't handle connections
thanks again
On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski d...@sosnoski.com wrote:
I'm surprised this works at all in an app server environment. The app
server should have some way of configuring SSL support, and even though that
configuration is going to be intended more for inbound connections it might
also have settings for outbound connections.
Aside from that, you can take direct control over the authentication of the
presented server certificate by implementing your own TrustManager. Here's a
method which illustrates this approach, from an open source project I
developed which needed to work with custom certificate authorities for
server SSL/TLS certificates:
/**
* Open a connection to a server. If the connection type is 'https' and a
* certificate authority keystore is supplied, that certificate authority
* will be used when establishing the connection to the server.
*
* @param target destination URL (must use 'http' or 'https' protocol)
* @param castore keystore containing certificate authority certificate
* @return connection
* @throws IOException
* @throws NoSuchAlgorithmException
* @throws KeyManagementException
* @throws KeyStoreException
*/
private HttpURLConnection openConnection(String target, KeyStore castore)
throws IOException, NoSuchAlgorithmException, KeyManagementException,
KeyStoreException {
URL url = new URL(target);
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
if (castore != null target.toLowerCase().startsWith(https:)) {
String alg = TrustManagerFactory.getDefaultAlgorithm();
SSLContext context = SSLContext.getInstance(TLS);
TrustManagerFactory tmfact0 =
TrustManagerFactory.getInstance(alg);
tmfact0.init((KeyStore)null);
final TrustManager[] managers0 = tmfact0.getTrustManagers();
TrustManagerFactory tmfact1 =
TrustManagerFactory.getInstance(alg);
tmfact1.init(castore);
final TrustManager[] managers1 = tmfact1.getTrustManagers();
TrustManager manager = new X509TrustManager() {
private X509TrustManager getTM(TrustManager[]
tms) {
for (int i = 0; i tms.length; i++) {
TrustManager tm = tms[i];
if (tm instanceof X509TrustManager) {
return (X509TrustManager)tm;
}
}
return null;
}
public void checkClientTrusted(X509Certificate[] chain,
String type) throws CertificateException {
X509TrustManager tm = getTM(managers0);
if (tm != null) {
tm.checkClientTrusted(chain, type);
}
}
public void checkServerTrusted(X509Certificate[] chain,
String type) throws CertificateException {
X509TrustManager tm = getTM(managers0);
if (tm != null) {
try {
tm.checkServerTrusted(chain, type);
return;
} catch (CertificateException e) {
// deliberately empty
}
}
tm = getTM(managers1);
if (tm != null) {
try {
tm.checkServerTrusted(chain, type);
return;
} catch (CertificateException e) {
// deliberately empty
}
}
throw new CertificateException(Certificate chain cannot
be verified);
}
public X509Certificate[] getAcceptedIssuers() {
X509TrustManager tm = getTM(managers0);
X509Certificate[] certs0 = s_emptyCertArray;
if (tm != null) {
certs0 = tm.getAcceptedIssuers();
}
tm = getTM(managers1);
X509Certificate[] certs1 = s_emptyCertArray;
if (tm != null) {
Re: SSL : setting up truststore (and keystore?)
I understand you're not opening the connection directly, but having it
opened for you by the Axis2-generated stub, and admittedly my code
doesn't help much directly in that situation.
I'm not sure offhand how to make the server certificate authentication
work in that situation, but I believe Axis2 is using the Commons
HttpClient by default, and that appears to offer a way of using your own
socket factory: http://hc.apache.org/httpclient-3.x/sslguide.html You
should be able to use the Protocol.registerProtocol() approach outlined
on that page (perhaps with myhttps rather than just https as the
protocol, just to make sure your handling doesn't interfere with other
requests - and see their link to
http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup
for an example).
- Dennis
--
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
asheikh wrote:
Dennis,
Thanks for the code and suggestions.
The app server should have some way of configuring SSL support, and
even though that configuration is going to be intended more for
inbound connections it might also have settings for outbound connections.
yes, I have configures the application server and I could see the
certificates loaded from my custom key/trust store but still it
complains no trust certificate found.
I am not sure why it is working first time when i deploy the war, and
it doesn't work after I restart the application server.
but my concern is that I am using web service client
stub/proxy(Axis2), and I am providing the endpoint to the stub, my
code does't handle connections
thanks again
On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski d...@sosnoski.com
mailto:d...@sosnoski.com wrote:
I'm surprised this works at all in an app server environment. The
app server should have some way of configuring SSL support, and
even though that configuration is going to be intended more for
inbound connections it might also have settings for outbound
connections.
Aside from that, you can take direct control over the
authentication of the presented server certificate by implementing
your own TrustManager. Here's a method which illustrates this
approach, from an open source project I developed which needed to
work with custom certificate authorities for server SSL/TLS
certificates:
/**
* Open a connection to a server. If the connection type is
'https' and a
* certificate authority keystore is supplied, that certificate
authority
* will be used when establishing the connection to the server.
*
* @param target destination URL (must use 'http' or 'https'
protocol)
* @param castore keystore containing certificate authority
certificate
* @return connection
* @throws IOException
* @throws NoSuchAlgorithmException
* @throws KeyManagementException
* @throws KeyStoreException
*/
private HttpURLConnection openConnection(String target, KeyStore
castore)
throws IOException, NoSuchAlgorithmException,
KeyManagementException, KeyStoreException {
URL url = new URL(target);
HttpURLConnection conn =
(HttpURLConnection)url.openConnection();
if (castore != null
target.toLowerCase().startsWith(https:)) {
String alg = TrustManagerFactory.getDefaultAlgorithm();
SSLContext context = SSLContext.getInstance(TLS);
TrustManagerFactory tmfact0 =
TrustManagerFactory.getInstance(alg);
tmfact0.init((KeyStore)null);
final TrustManager[] managers0 = tmfact0.getTrustManagers();
TrustManagerFactory tmfact1 =
TrustManagerFactory.getInstance(alg);
tmfact1.init(castore);
final TrustManager[] managers1 = tmfact1.getTrustManagers();
TrustManager manager = new X509TrustManager() {
private X509TrustManager
getTM(TrustManager[] tms) {
for (int i = 0; i tms.length; i++) {
TrustManager tm = tms[i];
if (tm instanceof X509TrustManager) {
return (X509TrustManager)tm;
}
}
return null;
}
public void checkClientTrusted(X509Certificate[]
chain, String type) throws CertificateException {
X509TrustManager tm = getTM(managers0);
if (tm != null) {
tm.checkClientTrusted(chain, type);
}
}
public void checkServerTrusted(X509Certificate[]
Re: SSL : setting up truststore (and keystore?)
Thanks Dennis, I will try your suggestion and links
On Wed, Jun 24, 2009 at 11:08 AM, Dennis Sosnoski d...@sosnoski.com wrote:
I understand you're not opening the connection directly, but having it
opened for you by the Axis2-generated stub, and admittedly my code doesn't
help much directly in that situation.
I'm not sure offhand how to make the server certificate authentication work
in that situation, but I believe Axis2 is using the Commons HttpClient by
default, and that appears to offer a way of using your own socket factory:
http://hc.apache.org/httpclient-3.x/sslguide.html You should be able to
use the Protocol.registerProtocol() approach outlined on that page (perhaps
with myhttps rather than just https as the protocol, just to make sure
your handling doesn't interfere with other requests - and see their link to
http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markupfor
an example).
- Dennis
--
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
asheikh wrote:
Dennis,
Thanks for the code and suggestions.
The app server should have some way of configuring SSL support, and even
though that configuration is going to be intended more for inbound
connections it might also have settings for outbound connections.
yes, I have configures the application server and I could see the
certificates loaded from my custom key/trust store but still it complains no
trust certificate found.
I am not sure why it is working first time when i deploy the war, and it
doesn't work after I restart the application server.
but my concern is that I am using web service client stub/proxy(Axis2),
and I am providing the endpoint to the stub, my code does't handle
connections
thanks again
On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski d...@sosnoski.commailto:
d...@sosnoski.com wrote:
I'm surprised this works at all in an app server environment. The
app server should have some way of configuring SSL support, and
even though that configuration is going to be intended more for
inbound connections it might also have settings for outbound
connections.
Aside from that, you can take direct control over the
authentication of the presented server certificate by implementing
your own TrustManager. Here's a method which illustrates this
approach, from an open source project I developed which needed to
work with custom certificate authorities for server SSL/TLS
certificates:
/**
* Open a connection to a server. If the connection type is
'https' and a
* certificate authority keystore is supplied, that certificate
authority
* will be used when establishing the connection to the server.
*
* @param target destination URL (must use 'http' or 'https'
protocol)
* @param castore keystore containing certificate authority
certificate
* @return connection
* @throws IOException
* @throws NoSuchAlgorithmException
* @throws KeyManagementException
* @throws KeyStoreException
*/
private HttpURLConnection openConnection(String target, KeyStore
castore)
throws IOException, NoSuchAlgorithmException,
KeyManagementException, KeyStoreException {
URL url = new URL(target);
HttpURLConnection conn =
(HttpURLConnection)url.openConnection();
if (castore != null
target.toLowerCase().startsWith(https:)) {
String alg = TrustManagerFactory.getDefaultAlgorithm();
SSLContext context = SSLContext.getInstance(TLS);
TrustManagerFactory tmfact0 =
TrustManagerFactory.getInstance(alg);
tmfact0.init((KeyStore)null);
final TrustManager[] managers0 = tmfact0.getTrustManagers();
TrustManagerFactory tmfact1 =
TrustManagerFactory.getInstance(alg);
tmfact1.init(castore);
final TrustManager[] managers1 = tmfact1.getTrustManagers();
TrustManager manager = new X509TrustManager() {
private X509TrustManager
getTM(TrustManager[] tms) {
for (int i = 0; i tms.length; i++) {
TrustManager tm = tms[i];
if (tm instanceof X509TrustManager) {
return (X509TrustManager)tm;
}
}
return null;
}
public void checkClientTrusted(X509Certificate[]
chain, String type) throws CertificateException {
X509TrustManager tm = getTM(managers0);
if (tm != null) {
Re: SSL : setting up truststore (and keystore?)
Thought I'd reply to my own message with some information that might be useful: despite using keytool (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html) to install the certificate, and various combinations of these properties to theoretically point to it (where keyStore and trustStorePass are paths to generated files): System.setProperty(javax.net.ssl.keyStore,keyStore); System.setProperty(javax.net.ssl.keyStorePassword, keyPass); System.setProperty(javax.net.ssl.trustStore, trustStore); System.setProperty(javax.net.ssl.trustStorePassword, trustStorePass); I never did get it to work that way. (I eventually built an SSLTest.java that JUST connected so I could eliminate other configuration issues, but even in that simplified context I couldn't get it working.) What finally worked for me (for the SSLTest program) was to put the certificate into the normal java location and over-write cacerts. I could do that since noone else is using Java on this server and this is the first time I've needed to place a certificate. i.e. I wasn't going to break something else in the process. I found this very useful tool during my research : http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html I could have avoided three days waiting for the service-owner to send a certificate, had I known about it. Hope that helps someone else save time. - Shasta On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willsonshas...@gmail.com wrote: I have an SSL secured web service to consume. It also uses a usertoken/password in the SOAP header, which I'm doing with Rampart, but I don't think that's relevant to my question. I'd like to understand how to go from have a certificate to trustStore (and/or KeyStore?) properly configured. Currently I get this error, which a google search suggests is related to not having it set up right: org.apache.axis2.AxisFault: Unconnected sockets not implemented at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430) Thank you, - Shasta
Re: SSL : setting up truststore (and keystore?)
Hi Shasta, I've never had any problems setting the client truststore using the javax.net.ssl.truststore property, so I suspect something is wrong with your actual truststore/keystore files. You might want to check what's actually in the stores using a tool such as http://portecle.sourceforge.net/ For convenience, you can also set the value of these properties using JVM parameters rather than in your client code, using this type of format: -Djavax.net.ssl.trustStore=path If you do a search on javax.net.ssl.truststore you'll find many articles and discussions of the topic. The Tomcat documentation also has a good discussion of configuring SSL for the server, though I don't think that includes anything on a Java client configuration. - Dennis -- Dennis M. Sosnoski Java XML and Web Services Axis2 Training and Consulting http://www.sosnoski.com - http://www.sosnoski.co.nz Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117 Shasta Willson wrote: Thought I'd reply to my own message with some information that might be useful: despite using keytool (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html) to install the certificate, and various combinations of these properties to theoretically point to it (where keyStore and trustStorePass are paths to generated files): System.setProperty(javax.net.ssl.keyStore,keyStore); System.setProperty(javax.net.ssl.keyStorePassword, keyPass); System.setProperty(javax.net.ssl.trustStore, trustStore); System.setProperty(javax.net.ssl.trustStorePassword, trustStorePass); I never did get it to work that way. (I eventually built an SSLTest.java that JUST connected so I could eliminate other configuration issues, but even in that simplified context I couldn't get it working.) What finally worked for me (for the SSLTest program) was to put the certificate into the normal java location and over-write cacerts. I could do that since noone else is using Java on this server and this is the first time I've needed to place a certificate. i.e. I wasn't going to break something else in the process. I found this very useful tool during my research : http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html I could have avoided three days waiting for the service-owner to send a certificate, had I known about it. Hope that helps someone else save time. - Shasta On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willsonshas...@gmail.com wrote: I have an SSL secured web service to consume. It also uses a usertoken/password in the SOAP header, which I'm doing with Rampart, but I don't think that's relevant to my question. I'd like to understand how to go from have a certificate to trustStore (and/or KeyStore?) properly configured. Currently I get this error, which a google search suggests is related to not having it set up right: org.apache.axis2.AxisFault: Unconnected sockets not implemented at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430) Thank you, - Shasta
