Re: Reload keystore file
gt; >>>>> You need to set the a property in the options [1]. >>>>> >>>>> thanks, >>>>> nandana >>>>> >>>>> [1] - http://wso2.org/library/1646 >>>>> >>>>> >>>>> >>>>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL >>>>>> Socket Factory to make use of my keystore and force reloading. >>>>>> >>>>>> Thanks again for your help. >>>>>> >>>>>> Kind regards, >>>>>> Sebastian >>>>>> >>>>>> >>>>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya < >>>>>> nandana@gmail.com> wrote: >>>>>> >>>>>>> I assume you use Axis2 as a web service client. I think better >>>>>>> solution for you would be to use a custom SSL Socket factory to handle >>>>>>> your >>>>>>> scenario. You can find more information on how to implement and use a >>>>>>> custom >>>>>>> SSL Socket factory here [1]. You can also raise the question in commons >>>>>>> http >>>>>>> client list too. >>>>>>> >>>>>>> thanks, >>>>>>> nandana >>>>>>> >>>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html >>>>>>> >>>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande < >>>>>>> sebast...@vansande.org> wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> Thanks for your reply, Yves Marie! >>>>>>>> >>>>>>>> Unfortunately, restarting the application is something we don't want >>>>>>>> since this application will run 24/7 in a production environment. >>>>>>>> >>>>>>>> I'm looking for a way to let Axis2 know to reload the keystore file, >>>>>>>> at runtime without restarting my application. >>>>>>>> I know *when* it has to reload the keystore file, I just don't know >>>>>>>> *how* to do this in code. >>>>>>>> >>>>>>>> If anyone knows how to let Axis2 reload the keystore file, let me >>>>>>>> know! >>>>>>>> >>>>>>>> Kind regards, >>>>>>>> Sebastian >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie < >>>>>>>> yves-marie.dan...@capgemini.com> wrote: >>>>>>>> >>>>>>>>> Hi ! >>>>>>>>> >>>>>>>>> With a Jonas application server and a mutual authentication with >>>>>>>>> SSL, we find that we had to restart Jonas so it could see change the >>>>>>>>> changes >>>>>>>>> of path or content for keystores. It seems to be the same with >>>>>>>>> tomcat, don't >>>>>>>>> know if it Axis2 or the application server. >>>>>>>>> >>>>>>>>> Yves-Marie >>>>>>>>> >>>>>>>>> -- >>>>>>>>> *De :* Sebastian Van Sande [mailto:sebast...@vansande.org] >>>>>>>>> *Envoyé :* jeudi 29 janvier 2009 08:07 >>>>>>>>> *À :* axis-user@ws.apache.org >>>>>>>>> *Objet :* Re: Reload keystore file >>>>>>>>> >>>>>>>>> Does anyone have a clue how I can refresh the keystore in axis2? >>>>>>>>> Thank you. >>>>>>>>> >>>>>>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande < >>>>>>>>> sebast...@vansande.org> wrote: >>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> I have a problem with Axis2. >>>>>>>>>> >>>>>>>>>> At my project, we have an Microsoft Exchange 2007, and some other >>>>>>
Re: Reload keystore file
gt;>> nandana@gmail.com> wrote:
>>>>>
>>>>>> I assume you use Axis2 as a web service client. I think better
>>>>>> solution for you would be to use a custom SSL Socket factory to handle
>>>>>> your
>>>>>> scenario. You can find more information on how to implement and use a
>>>>>> custom
>>>>>> SSL Socket factory here [1]. You can also raise the question in commons
>>>>>> http
>>>>>> client list too.
>>>>>>
>>>>>> thanks,
>>>>>> nandana
>>>>>>
>>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>>>>>
>>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <
>>>>>> sebast...@vansande.org> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Thanks for your reply, Yves Marie!
>>>>>>>
>>>>>>> Unfortunately, restarting the application is something we don't want
>>>>>>> since this application will run 24/7 in a production environment.
>>>>>>>
>>>>>>> I'm looking for a way to let Axis2 know to reload the keystore file,
>>>>>>> at runtime without restarting my application.
>>>>>>> I know *when* it has to reload the keystore file, I just don't know
>>>>>>> *how* to do this in code.
>>>>>>>
>>>>>>> If anyone knows how to let Axis2 reload the keystore file, let me
>>>>>>> know!
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Sebastian
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
>>>>>>> yves-marie.dan...@capgemini.com> wrote:
>>>>>>>
>>>>>>>> Hi !
>>>>>>>>
>>>>>>>> With a Jonas application server and a mutual authentication with
>>>>>>>> SSL, we find that we had to restart Jonas so it could see change the
>>>>>>>> changes
>>>>>>>> of path or content for keystores. It seems to be the same with tomcat,
>>>>>>>> don't
>>>>>>>> know if it Axis2 or the application server.
>>>>>>>>
>>>>>>>> Yves-Marie
>>>>>>>>
>>>>>>>> --
>>>>>>>> *De :* Sebastian Van Sande [mailto:sebast...@vansande.org]
>>>>>>>> *Envoyé :* jeudi 29 janvier 2009 08:07
>>>>>>>> *À :* axis-user@ws.apache.org
>>>>>>>> *Objet :* Re: Reload keystore file
>>>>>>>>
>>>>>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
>>>>>>>> sebast...@vansande.org> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have a problem with Axis2.
>>>>>>>>>
>>>>>>>>> At my project, we have an Microsoft Exchange 2007, and some other
>>>>>>>>> project has created an API to interact with this Exchange server with
>>>>>>>>> the
>>>>>>>>> help of Axis2.
>>>>>>>>> This other project uses a Websphere server to manage a keystore to
>>>>>>>>> do basic authentication over SSL.
>>>>>>>>> My application on the otherhand runs as a standalone application,
>>>>>>>>> and I have to manage the keystore myself.
>>>>>>>>>
>>>>>>>>> Now, I managed to use this keystore to calling the Exchange 2007
>>>>>>>>> Web services over SSL, and it works great.
>>>>>>>>> But, as you probably know, certificates expire ... and they have to
>>>>>>>>> get renewed.
>>>>>>>>>
>>>>>>>>> So, I managed to create something a 'KeyStoreManager' that will
>>>>>>>>> fetch the new certificates from the Exchange server and put it in the
>>>>>>>>> keystore file.
>>>>>>>>> And this works great as well .. *IF* I restart my application.
>>>>>>>>>
>>>>>>>>> When my application modifies the keystore file, it looks like Axis2
>>>>>>>>> is using some caching mechanism. Because when I make the web service
>>>>>>>>> call
>>>>>>>>> again (after inserting the new certificate in my keystore), it can't
>>>>>>>>> authenticate because it cached the keystore file in memory.
>>>>>>>>>
>>>>>>>>> To specify the keystore to Axis2, I use this code:
>>>>>>>>>
>>>>>>>>> System.setProperty("javax.net.ssl.trustStore",
>>>>>>>>> "/path/to/keystore.jks");
>>>>>>>>> System.setProperty("javax.net.ssl.trustStorePassword",
>>>>>>>>> "thisisnottherealpassword");
>>>>>>>>>
>>>>>>>>> To extract the new certificate and add it to my keystore, I use
>>>>>>>>> code based on the one you can find at
>>>>>>>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>>>>>>>
>>>>>>>>> The problem is: when the keystore file is updated with the new
>>>>>>>>> certificate, axis2 doesn't seem to know about it because it uses a
>>>>>>>>> cached
>>>>>>>>> version of the keystore file.
>>>>>>>>>
>>>>>>>>> So my question is: how can I clear this axis2 keystore cache in
>>>>>>>>> some way so axis2 will be forced to read the keystore file again?
>>>>>>>>>
>>>>>>>>> Thank you for your help,
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Sebastian
>>>>>>>>
>>>>>>>>
>>>>>>>> This message contains information that may be privileged or
>>>>>>>> confidential and is the property of the Capgemini Group. It is
>>>>>>>> intended only for the person to whom it is addressed. If you are not
>>>>>>>> the intended recipient, you are not authorized to
>>>>>>>> read, print, retain, copy, disseminate, distribute, or use this
>>>>>>>> message or any part thereof. If you receive this message
>>>>>>>> in error, please notify the sender immediately and delete all copies
>>>>>>>> of this message.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Nandana Mihindukulasooriya
>>>>>> WSO2 inc.
>>>>>>
>>>>>> http://nandana83.blogspot.com/
>>>>>> http://www.wso2.org
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> Nandana Mihindukulasooriya
>> WSO2 inc.
>>
>> http://nandana83.blogspot.com/
>> http://www.wso2.org
>>
>
>
Re: Reload keystore file
If you blindly pull certificates from the server and don't need trust validation, why do you need a keystore then? Andreas On Thu, Jan 29, 2009 at 14:22, Sebastian Van Sande wrote: > I don't think so, I iterate over the certificate chain of the trustManager > and put each certificate in the keystore. > > How do I do a trust validation? And why should I need it? This is an > intranet application and the service url (which also provides the > certificates) basically stays the same. > > Kind regards, > Sebastian > > On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya > wrote: >> >> Great. BTW, do you do a trust validation on the received certificate ? >> >> thanks, >> nandana >> >> On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande >> wrote: >>> >>> Thanks a lot, Nandana, injecting a custom socket factory to axis2 did the >>> job! >>> >>> This is what I did: >>> - I created a custom socket factory, based on the one you can find at >>> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup >>> - I added a method in this custom socket factory to reset the sslContext. >>> This will result in reloading the keystore. >>> >>> The whole flow works now as following when a certificate should get >>> renewed in the keystore: >>> - The application calls a method which will call a method on a stub >>> - The stub method throws an exception which is catched ... >>> - In this catch block I try to do an SSL handshake with the keystore. >>> - If the SSL handshake fails, I start an update method on a keystore >>> manager .. >>> - this update method will extract all the certificates from the service >>> and put them in the keystore file >>> - then, it will re-init the sslcontext in the custom socket factory >>> - the flow returns to the catch block in the original called method which >>> will call 1 more time the method on the stub with the same parameters. If it >>> fails again, it will throw an exception to the caller ... >>> >>> The result is taht no operator action is needed to update the keystore >>> manually with new certificates and/or restart the application. Everything >>> goes automatically! >>> >>> Thanks again! >>> >>> Kind regards, >>> Sebastian >>> >>> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya >>> wrote: >>>> >>>>> ... will Axis2 detect this and use my custom Protocol and >>>>> MySSLSocketFactory? >>>>> >>>>> >>>>> >>>>> >>>> >>>> You need to set the a property in the options [1]. >>>> >>>> thanks, >>>> nandana >>>> >>>> [1] - http://wso2.org/library/1646 >>>> >>>> >>>>> >>>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL >>>>> Socket Factory to make use of my keystore and force reloading. >>>>> >>>>> Thanks again for your help. >>>>> >>>>> Kind regards, >>>>> Sebastian >>>>> >>>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya >>>>> wrote: >>>>>> >>>>>> I assume you use Axis2 as a web service client. I think better >>>>>> solution for you would be to use a custom SSL Socket factory to handle >>>>>> your >>>>>> scenario. You can find more information on how to implement and use a >>>>>> custom >>>>>> SSL Socket factory here [1]. You can also raise the question in commons >>>>>> http >>>>>> client list too. >>>>>> >>>>>> thanks, >>>>>> nandana >>>>>> >>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html >>>>>> >>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande >>>>>> wrote: >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> Thanks for your reply, Yves Marie! >>>>>>> >>>>>>> Unfortunately, restarting the application is something we don't want >>>>>>> since this application will run 24/7 in a production environment. &
Re: Reload keystore file
I don't think so, I iterate over the certificate chain of the trustManager and put each certificate in the keystore. How do I do a trust validation? And why should I need it? This is an intranet application and the service url (which also provides the certificates) basically stays the same. Kind regards, Sebastian On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya < nandana@gmail.com> wrote: > Great. BTW, do you do a trust validation on the received certificate ? > > thanks, > nandana > > > On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande < > sebast...@vansande.org> wrote: > >> Thanks a lot, Nandana, injecting a custom socket factory to axis2 did the >> job! >> >> This is what I did: >> - I created a custom socket factory, based on the one you can find at >> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup >> - I added a method in this custom socket factory to reset the sslContext. >> This will result in reloading the keystore. >> >> The whole flow works now as following when a certificate should get >> renewed in the keystore: >> - The application calls a method which will call a method on a stub >> - The stub method throws an exception which is catched ... >> - In this catch block I try to do an SSL handshake with the keystore. >> - If the SSL handshake fails, I start an update method on a keystore >> manager .. >> - this update method will extract all the certificates from the service >> and put them in the keystore file >> - then, it will re-init the sslcontext in the custom socket factory >> - the flow returns to the catch block in the original called method which >> will call 1 more time the method on the stub with the same parameters. If it >> fails again, it will throw an exception to the caller ... >> >> The result is taht no operator action is needed to update the keystore >> manually with new certificates and/or restart the application. Everything >> goes automatically! >> >> Thanks again! >> >> Kind regards, >> Sebastian >> >> >> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya < >> nandana@gmail.com> wrote: >> >>> >>> ... will Axis2 detect this and use my custom Protocol and >>> MySSLSocketFactory? >>>> >>>> >>>> >>> You need to set the a property in the options [1]. >>> >>> thanks, >>> nandana >>> >>> [1] - http://wso2.org/library/1646 >>> >>> >>> >>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL >>>> Socket Factory to make use of my keystore and force reloading. >>>> >>>> Thanks again for your help. >>>> >>>> Kind regards, >>>> Sebastian >>>> >>>> >>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya < >>>> nandana@gmail.com> wrote: >>>> >>>>> I assume you use Axis2 as a web service client. I think better solution >>>>> for you would be to use a custom SSL Socket factory to handle your >>>>> scenario. >>>>> You can find more information on how to implement and use a custom SSL >>>>> Socket factory here [1]. You can also raise the question in commons http >>>>> client list too. >>>>> >>>>> thanks, >>>>> nandana >>>>> >>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html >>>>> >>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande < >>>>> sebast...@vansande.org> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> Thanks for your reply, Yves Marie! >>>>>> >>>>>> Unfortunately, restarting the application is something we don't want >>>>>> since this application will run 24/7 in a production environment. >>>>>> >>>>>> I'm looking for a way to let Axis2 know to reload the keystore file, >>>>>> at runtime without restarting my application. >>>>>> I know *when* it has to reload the keystore file, I just don't know >>>>>> *how* to do this in code. >>>>>> >>>>>> If anyone knows how to let Axis2 reload the keystore file, let me >>>>>> know! >>>>>> >>>>&g
Re: Reload keystore file
Great. BTW, do you do a trust validation on the received certificate ? thanks, nandana On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande wrote: > Thanks a lot, Nandana, injecting a custom socket factory to axis2 did the > job! > > This is what I did: > - I created a custom socket factory, based on the one you can find at > http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup > - I added a method in this custom socket factory to reset the sslContext. > This will result in reloading the keystore. > > The whole flow works now as following when a certificate should get renewed > in the keystore: > - The application calls a method which will call a method on a stub > - The stub method throws an exception which is catched ... > - In this catch block I try to do an SSL handshake with the keystore. > - If the SSL handshake fails, I start an update method on a keystore > manager .. > - this update method will extract all the certificates from the service and > put them in the keystore file > - then, it will re-init the sslcontext in the custom socket factory > - the flow returns to the catch block in the original called method which > will call 1 more time the method on the stub with the same parameters. If it > fails again, it will throw an exception to the caller ... > > The result is taht no operator action is needed to update the keystore > manually with new certificates and/or restart the application. Everything > goes automatically! > > Thanks again! > > Kind regards, > Sebastian > > > On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya < > nandana@gmail.com> wrote: > >> >> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory? >>> >>> >> You need to set the a property in the options [1]. >> >> thanks, >> nandana >> >> [1] - http://wso2.org/library/1646 >> >> >> >>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket >>> Factory to make use of my keystore and force reloading. >>> >>> Thanks again for your help. >>> >>> Kind regards, >>> Sebastian >>> >>> >>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya < >>> nandana@gmail.com> wrote: >>> >>>> I assume you use Axis2 as a web service client. I think better solution >>>> for you would be to use a custom SSL Socket factory to handle your >>>> scenario. >>>> You can find more information on how to implement and use a custom SSL >>>> Socket factory here [1]. You can also raise the question in commons http >>>> client list too. >>>> >>>> thanks, >>>> nandana >>>> >>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html >>>> >>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande < >>>> sebast...@vansande.org> wrote: >>>> >>>>> Hi, >>>>> >>>>> Thanks for your reply, Yves Marie! >>>>> >>>>> Unfortunately, restarting the application is something we don't want >>>>> since this application will run 24/7 in a production environment. >>>>> >>>>> I'm looking for a way to let Axis2 know to reload the keystore file, at >>>>> runtime without restarting my application. >>>>> I know *when* it has to reload the keystore file, I just don't know >>>>> *how* to do this in code. >>>>> >>>>> If anyone knows how to let Axis2 reload the keystore file, let me know! >>>>> >>>>> Kind regards, >>>>> Sebastian >>>>> >>>>> >>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie < >>>>> yves-marie.dan...@capgemini.com> wrote: >>>>> >>>>>> Hi ! >>>>>> >>>>>> With a Jonas application server and a mutual authentication with SSL, >>>>>> we find that we had to restart Jonas so it could see change the changes >>>>>> of >>>>>> path or content for keystores. It seems to be the same with tomcat, don't >>>>>> know if it Axis2 or the application server. >>>>>> >>>>>> Yves-Marie >>>>>> >>>>>> -- >>>>>> *De :* Sebastian Van Sande [mailto:sebast.
Re: Reload keystore file
Thanks a lot, Nandana, injecting a custom socket factory to axis2 did the job! This is what I did: - I created a custom socket factory, based on the one you can find at http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup - I added a method in this custom socket factory to reset the sslContext. This will result in reloading the keystore. The whole flow works now as following when a certificate should get renewed in the keystore: - The application calls a method which will call a method on a stub - The stub method throws an exception which is catched ... - In this catch block I try to do an SSL handshake with the keystore. - If the SSL handshake fails, I start an update method on a keystore manager .. - this update method will extract all the certificates from the service and put them in the keystore file - then, it will re-init the sslcontext in the custom socket factory - the flow returns to the catch block in the original called method which will call 1 more time the method on the stub with the same parameters. If it fails again, it will throw an exception to the caller ... The result is taht no operator action is needed to update the keystore manually with new certificates and/or restart the application. Everything goes automatically! Thanks again! Kind regards, Sebastian On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya < nandana@gmail.com> wrote: > > ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory? >> >> > You need to set the a property in the options [1]. > > thanks, > nandana > > [1] - http://wso2.org/library/1646 > > > >> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket >> Factory to make use of my keystore and force reloading. >> >> Thanks again for your help. >> >> Kind regards, >> Sebastian >> >> >> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya < >> nandana@gmail.com> wrote: >> >>> I assume you use Axis2 as a web service client. I think better solution >>> for you would be to use a custom SSL Socket factory to handle your scenario. >>> You can find more information on how to implement and use a custom SSL >>> Socket factory here [1]. You can also raise the question in commons http >>> client list too. >>> >>> thanks, >>> nandana >>> >>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html >>> >>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande < >>> sebast...@vansande.org> wrote: >>> >>>> Hi, >>>> >>>> Thanks for your reply, Yves Marie! >>>> >>>> Unfortunately, restarting the application is something we don't want >>>> since this application will run 24/7 in a production environment. >>>> >>>> I'm looking for a way to let Axis2 know to reload the keystore file, at >>>> runtime without restarting my application. >>>> I know *when* it has to reload the keystore file, I just don't know >>>> *how* to do this in code. >>>> >>>> If anyone knows how to let Axis2 reload the keystore file, let me know! >>>> >>>> Kind regards, >>>> Sebastian >>>> >>>> >>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie < >>>> yves-marie.dan...@capgemini.com> wrote: >>>> >>>>> Hi ! >>>>> >>>>> With a Jonas application server and a mutual authentication with SSL, >>>>> we find that we had to restart Jonas so it could see change the changes of >>>>> path or content for keystores. It seems to be the same with tomcat, don't >>>>> know if it Axis2 or the application server. >>>>> >>>>> Yves-Marie >>>>> >>>>> -- >>>>> *De :* Sebastian Van Sande [mailto:sebast...@vansande.org] >>>>> *Envoyé :* jeudi 29 janvier 2009 08:07 >>>>> *À :* axis-user@ws.apache.org >>>>> *Objet :* Re: Reload keystore file >>>>> >>>>> Does anyone have a clue how I can refresh the keystore in axis2? >>>>> Thank you. >>>>> >>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande < >>>>> sebast...@vansande.org> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> I have a problem with Axis2. >>>>>> >>>>
Re: Reload keystore file
> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>
>
You need to set the a property in the options [1].
thanks,
nandana
[1] - http://wso2.org/library/1646
> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket
> Factory to make use of my keystore and force reloading.
>
> Thanks again for your help.
>
> Kind regards,
> Sebastian
>
>
> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <
> nandana@gmail.com> wrote:
>
>> I assume you use Axis2 as a web service client. I think better solution
>> for you would be to use a custom SSL Socket factory to handle your scenario.
>> You can find more information on how to implement and use a custom SSL
>> Socket factory here [1]. You can also raise the question in commons http
>> client list too.
>>
>> thanks,
>> nandana
>>
>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>
>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <
>> sebast...@vansande.org> wrote:
>>
>>> Hi,
>>>
>>> Thanks for your reply, Yves Marie!
>>>
>>> Unfortunately, restarting the application is something we don't want
>>> since this application will run 24/7 in a production environment.
>>>
>>> I'm looking for a way to let Axis2 know to reload the keystore file, at
>>> runtime without restarting my application.
>>> I know *when* it has to reload the keystore file, I just don't know *how*
>>> to do this in code.
>>>
>>> If anyone knows how to let Axis2 reload the keystore file, let me know!
>>>
>>> Kind regards,
>>> Sebastian
>>>
>>>
>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
>>> yves-marie.dan...@capgemini.com> wrote:
>>>
>>>> Hi !
>>>>
>>>> With a Jonas application server and a mutual authentication with SSL, we
>>>> find that we had to restart Jonas so it could see change the changes of
>>>> path
>>>> or content for keystores. It seems to be the same with tomcat, don't know
>>>> if
>>>> it Axis2 or the application server.
>>>>
>>>> Yves-Marie
>>>>
>>>> --
>>>> *De :* Sebastian Van Sande [mailto:sebast...@vansande.org]
>>>> *Envoyé :* jeudi 29 janvier 2009 08:07
>>>> *À :* axis-user@ws.apache.org
>>>> *Objet :* Re: Reload keystore file
>>>>
>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>> Thank you.
>>>>
>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
>>>> sebast...@vansande.org> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a problem with Axis2.
>>>>>
>>>>> At my project, we have an Microsoft Exchange 2007, and some other
>>>>> project has created an API to interact with this Exchange server with the
>>>>> help of Axis2.
>>>>> This other project uses a Websphere server to manage a keystore to do
>>>>> basic authentication over SSL.
>>>>> My application on the otherhand runs as a standalone application, and I
>>>>> have to manage the keystore myself.
>>>>>
>>>>> Now, I managed to use this keystore to calling the Exchange 2007 Web
>>>>> services over SSL, and it works great.
>>>>> But, as you probably know, certificates expire ... and they have to get
>>>>> renewed.
>>>>>
>>>>> So, I managed to create something a 'KeyStoreManager' that will fetch
>>>>> the new certificates from the Exchange server and put it in the keystore
>>>>> file.
>>>>> And this works great as well .. *IF* I restart my application.
>>>>>
>>>>> When my application modifies the keystore file, it looks like Axis2 is
>>>>> using some caching mechanism. Because when I make the web service call
>>>>> again
>>>>> (after inserting the new certificate in my keystore), it can't
>>>>> authenticate
>>>>> because it cached the keystore file in memory.
>>>>>
>>>>> To specify the keystore to Axis2, I use this code:
>>>>>
>>>>> System.setProperty("javax.net.ssl.trustStore",
>>>>> "/path/to/keystore.jks");
>>&g
Re: Reload keystore file
Hi Nandana,
Thanks for your reply. If I use a custom SSL Socket Factory for my 'custom
protocol' and use this as the SSL default protocol handler with this code:
Protocol.registerProtocol("https",
new Protocol("https", new MySSLSocketFactory(), 443));
... will Axis2 detect this and use my custom Protocol and
MySSLSocketFactory?
I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket
Factory to make use of my keystore and force reloading.
Thanks again for your help.
Kind regards,
Sebastian
On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <
nandana@gmail.com> wrote:
> I assume you use Axis2 as a web service client. I think better solution for
> you would be to use a custom SSL Socket factory to handle your scenario. You
> can find more information on how to implement and use a custom SSL Socket
> factory here [1]. You can also raise the question in commons http client
> list too.
>
> thanks,
> nandana
>
> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>
> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <
> sebast...@vansande.org> wrote:
>
>> Hi,
>>
>> Thanks for your reply, Yves Marie!
>>
>> Unfortunately, restarting the application is something we don't want since
>> this application will run 24/7 in a production environment.
>>
>> I'm looking for a way to let Axis2 know to reload the keystore file, at
>> runtime without restarting my application.
>> I know *when* it has to reload the keystore file, I just don't know *how*
>> to do this in code.
>>
>> If anyone knows how to let Axis2 reload the keystore file, let me know!
>>
>> Kind regards,
>> Sebastian
>>
>>
>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
>> yves-marie.dan...@capgemini.com> wrote:
>>
>>> Hi !
>>>
>>> With a Jonas application server and a mutual authentication with SSL, we
>>> find that we had to restart Jonas so it could see change the changes of path
>>> or content for keystores. It seems to be the same with tomcat, don't know if
>>> it Axis2 or the application server.
>>>
>>> Yves-Marie
>>>
>>> --
>>> *De :* Sebastian Van Sande [mailto:sebast...@vansande.org]
>>> *Envoyé :* jeudi 29 janvier 2009 08:07
>>> *À :* axis-user@ws.apache.org
>>> *Objet :* Re: Reload keystore file
>>>
>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>> Thank you.
>>>
>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
>>> sebast...@vansande.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a problem with Axis2.
>>>>
>>>> At my project, we have an Microsoft Exchange 2007, and some other
>>>> project has created an API to interact with this Exchange server with the
>>>> help of Axis2.
>>>> This other project uses a Websphere server to manage a keystore to do
>>>> basic authentication over SSL.
>>>> My application on the otherhand runs as a standalone application, and I
>>>> have to manage the keystore myself.
>>>>
>>>> Now, I managed to use this keystore to calling the Exchange 2007 Web
>>>> services over SSL, and it works great.
>>>> But, as you probably know, certificates expire ... and they have to get
>>>> renewed.
>>>>
>>>> So, I managed to create something a 'KeyStoreManager' that will fetch
>>>> the new certificates from the Exchange server and put it in the keystore
>>>> file.
>>>> And this works great as well .. *IF* I restart my application.
>>>>
>>>> When my application modifies the keystore file, it looks like Axis2 is
>>>> using some caching mechanism. Because when I make the web service call
>>>> again
>>>> (after inserting the new certificate in my keystore), it can't authenticate
>>>> because it cached the keystore file in memory.
>>>>
>>>> To specify the keystore to Axis2, I use this code:
>>>>
>>>> System.setProperty("javax.net.ssl.trustStore",
>>>> "/path/to/keystore.jks");
>>>> System.setProperty("javax.net.ssl.trustStorePassword",
>>>> "thisisnottherealpassword");
>>>>
>>>> To extract the new certificate and add it to my keystore, I use code
>>>> based on the one you can find at
>>>
Re: Reload keystore file
I assume you use Axis2 as a web service client. I think better solution for
you would be to use a custom SSL Socket factory to handle your scenario. You
can find more information on how to implement and use a custom SSL Socket
factory here [1]. You can also raise the question in commons http client
list too.
thanks,
nandana
[1] - http://hc.apache.org/httpclient-3.x/sslguide.html
On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande wrote:
> Hi,
>
> Thanks for your reply, Yves Marie!
>
> Unfortunately, restarting the application is something we don't want since
> this application will run 24/7 in a production environment.
>
> I'm looking for a way to let Axis2 know to reload the keystore file, at
> runtime without restarting my application.
> I know *when* it has to reload the keystore file, I just don't know *how*
> to do this in code.
>
> If anyone knows how to let Axis2 reload the keystore file, let me know!
>
> Kind regards,
> Sebastian
>
>
> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
> yves-marie.dan...@capgemini.com> wrote:
>
>> Hi !
>>
>> With a Jonas application server and a mutual authentication with SSL, we
>> find that we had to restart Jonas so it could see change the changes of path
>> or content for keystores. It seems to be the same with tomcat, don't know if
>> it Axis2 or the application server.
>>
>> Yves-Marie
>>
>> --
>> *De :* Sebastian Van Sande [mailto:sebast...@vansande.org]
>> *Envoyé :* jeudi 29 janvier 2009 08:07
>> *À :* axis-user@ws.apache.org
>> *Objet :* Re: Reload keystore file
>>
>> Does anyone have a clue how I can refresh the keystore in axis2?
>> Thank you.
>>
>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
>> sebast...@vansande.org> wrote:
>>
>>> Hi,
>>>
>>> I have a problem with Axis2.
>>>
>>> At my project, we have an Microsoft Exchange 2007, and some other project
>>> has created an API to interact with this Exchange server with the help of
>>> Axis2.
>>> This other project uses a Websphere server to manage a keystore to do
>>> basic authentication over SSL.
>>> My application on the otherhand runs as a standalone application, and I
>>> have to manage the keystore myself.
>>>
>>> Now, I managed to use this keystore to calling the Exchange 2007 Web
>>> services over SSL, and it works great.
>>> But, as you probably know, certificates expire ... and they have to get
>>> renewed.
>>>
>>> So, I managed to create something a 'KeyStoreManager' that will fetch the
>>> new certificates from the Exchange server and put it in the keystore file.
>>> And this works great as well .. *IF* I restart my application.
>>>
>>> When my application modifies the keystore file, it looks like Axis2 is
>>> using some caching mechanism. Because when I make the web service call again
>>> (after inserting the new certificate in my keystore), it can't authenticate
>>> because it cached the keystore file in memory.
>>>
>>> To specify the keystore to Axis2, I use this code:
>>>
>>> System.setProperty("javax.net.ssl.trustStore",
>>> "/path/to/keystore.jks");
>>> System.setProperty("javax.net.ssl.trustStorePassword",
>>> "thisisnottherealpassword");
>>>
>>> To extract the new certificate and add it to my keystore, I use code
>>> based on the one you can find at
>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>
>>> The problem is: when the keystore file is updated with the new
>>> certificate, axis2 doesn't seem to know about it because it uses a cached
>>> version of the keystore file.
>>>
>>> So my question is: how can I clear this axis2 keystore cache in some way
>>> so axis2 will be forced to read the keystore file again?
>>>
>>> Thank you for your help,
>>>
>>> Kind regards,
>>> Sebastian
>>
>>
>> This message contains information that may be privileged or confidential and
>> is the property of the Capgemini Group. It is
>> intended only for the person to whom it is addressed. If you are not the
>> intended recipient, you are not authorized to
>> read, print, retain, copy, disseminate, distribute, or use this message or
>> any part thereof. If you receive this message
>> in error, please notify the sender immediately and delete all copies of this
>> message.
>>
>>
>
--
Nandana Mihindukulasooriya
WSO2 inc.
http://nandana83.blogspot.com/
http://www.wso2.org
Re: Reload keystore file
Hi,
Thanks for your reply, Yves Marie!
Unfortunately, restarting the application is something we don't want since
this application will run 24/7 in a production environment.
I'm looking for a way to let Axis2 know to reload the keystore file, at
runtime without restarting my application.
I know *when* it has to reload the keystore file, I just don't know *how* to
do this in code.
If anyone knows how to let Axis2 reload the keystore file, let me know!
Kind regards,
Sebastian
On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
yves-marie.dan...@capgemini.com> wrote:
> Hi !
>
> With a Jonas application server and a mutual authentication with SSL, we
> find that we had to restart Jonas so it could see change the changes of path
> or content for keystores. It seems to be the same with tomcat, don't know if
> it Axis2 or the application server.
>
> Yves-Marie
>
> --
> *De :* Sebastian Van Sande [mailto:sebast...@vansande.org]
> *Envoyé :* jeudi 29 janvier 2009 08:07
> *À :* axis-user@ws.apache.org
> *Objet :* Re: Reload keystore file
>
> Does anyone have a clue how I can refresh the keystore in axis2?
> Thank you.
>
> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
> sebast...@vansande.org> wrote:
>
>> Hi,
>>
>> I have a problem with Axis2.
>>
>> At my project, we have an Microsoft Exchange 2007, and some other project
>> has created an API to interact with this Exchange server with the help of
>> Axis2.
>> This other project uses a Websphere server to manage a keystore to do
>> basic authentication over SSL.
>> My application on the otherhand runs as a standalone application, and I
>> have to manage the keystore myself.
>>
>> Now, I managed to use this keystore to calling the Exchange 2007 Web
>> services over SSL, and it works great.
>> But, as you probably know, certificates expire ... and they have to get
>> renewed.
>>
>> So, I managed to create something a 'KeyStoreManager' that will fetch the
>> new certificates from the Exchange server and put it in the keystore file.
>> And this works great as well .. *IF* I restart my application.
>>
>> When my application modifies the keystore file, it looks like Axis2 is
>> using some caching mechanism. Because when I make the web service call again
>> (after inserting the new certificate in my keystore), it can't authenticate
>> because it cached the keystore file in memory.
>>
>> To specify the keystore to Axis2, I use this code:
>>
>> System.setProperty("javax.net.ssl.trustStore",
>> "/path/to/keystore.jks");
>> System.setProperty("javax.net.ssl.trustStorePassword",
>> "thisisnottherealpassword");
>>
>> To extract the new certificate and add it to my keystore, I use code based
>> on the one you can find at
>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>
>> The problem is: when the keystore file is updated with the new
>> certificate, axis2 doesn't seem to know about it because it uses a cached
>> version of the keystore file.
>>
>> So my question is: how can I clear this axis2 keystore cache in some way
>> so axis2 will be forced to read the keystore file again?
>>
>> Thank you for your help,
>>
>> Kind regards,
>> Sebastian
>
>
>
>
>
> This message contains information that may be privileged or confidential and
> is the property of the Capgemini Group. It is
> intended only for the person to whom it is addressed. If you are not the
> intended recipient, you are not authorized to
> read, print, retain, copy, disseminate, distribute, or use this message or
> any part thereof. If you receive this message
> in error, please notify the sender immediately and delete all copies of this
> message.
>
>
RE: Reload keystore file
Hi !
With a Jonas application server and a mutual authentication with SSL, we find
that we had to restart Jonas so it could see change the changes of path or
content for keystores. It seems to be the same with tomcat, don't know if it
Axis2 or the application server.
Yves-Marie
De : Sebastian Van Sande [mailto:sebast...@vansande.org]
Envoyé : jeudi 29 janvier 2009 08:07
À : axis-user@ws.apache.org
Objet : Re: Reload keystore file
Does anyone have a clue how I can refresh the keystore in axis2?
Thank you.
On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande
wrote:
Hi,
I have a problem with Axis2.
At my project, we have an Microsoft Exchange 2007, and some other
project has created an API to interact with this Exchange server with the help
of Axis2.
This other project uses a Websphere server to manage a keystore to do
basic authentication over SSL.
My application on the otherhand runs as a standalone application, and I
have to manage the keystore myself.
Now, I managed to use this keystore to calling the Exchange 2007 Web
services over SSL, and it works great.
But, as you probably know, certificates expire ... and they have to get
renewed.
So, I managed to create something a 'KeyStoreManager' that will fetch
the new certificates from the Exchange server and put it in the keystore file.
And this works great as well .. *IF* I restart my application.
When my application modifies the keystore file, it looks like Axis2 is
using some caching mechanism. Because when I make the web service call again
(after inserting the new certificate in my keystore), it can't authenticate
because it cached the keystore file in memory.
To specify the keystore to Axis2, I use this code:
System.setProperty("javax.net.ssl.trustStore",
"/path/to/keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword",
"thisisnottherealpassword");
To extract the new certificate and add it to my keystore, I use code
based on the one you can find at
http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
The problem is: when the keystore file is updated with the new
certificate, axis2 doesn't seem to know about it because it uses a cached
version of the keystore file.
So my question is: how can I clear this axis2 keystore cache in some
way so axis2 will be forced to read the keystore file again?
Thank you for your help,
Kind regards,
Sebastian
This message contains information that may be privileged or confidential and is
the property of the Capgemini Group. It is
intended only for the person to whom it is addressed. If you are not the
intended recipient, you are not authorized to
read, print, retain, copy, disseminate, distribute, or use this message or any
part thereof. If you receive this message
in error, please notify the sender immediately and delete all copies of this
message.
Re: Reload keystore file
Does anyone have a clue how I can refresh the keystore in axis2?
Thank you.
On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
sebast...@vansande.org> wrote:
> Hi,
>
> I have a problem with Axis2.
>
> At my project, we have an Microsoft Exchange 2007, and some other project
> has created an API to interact with this Exchange server with the help of
> Axis2.
> This other project uses a Websphere server to manage a keystore to do basic
> authentication over SSL.
> My application on the otherhand runs as a standalone application, and I
> have to manage the keystore myself.
>
> Now, I managed to use this keystore to calling the Exchange 2007 Web
> services over SSL, and it works great.
> But, as you probably know, certificates expire ... and they have to get
> renewed.
>
> So, I managed to create something a 'KeyStoreManager' that will fetch the
> new certificates from the Exchange server and put it in the keystore file.
> And this works great as well .. *IF* I restart my application.
>
> When my application modifies the keystore file, it looks like Axis2 is
> using some caching mechanism. Because when I make the web service call again
> (after inserting the new certificate in my keystore), it can't authenticate
> because it cached the keystore file in memory.
>
> To specify the keystore to Axis2, I use this code:
>
> System.setProperty("javax.net.ssl.trustStore",
> "/path/to/keystore.jks");
> System.setProperty("javax.net.ssl.trustStorePassword",
> "thisisnottherealpassword");
>
> To extract the new certificate and add it to my keystore, I use code based
> on the one you can find at
> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>
> The problem is: when the keystore file is updated with the new certificate,
> axis2 doesn't seem to know about it because it uses a cached version of the
> keystore file.
>
> So my question is: how can I clear this axis2 keystore cache in some way so
> axis2 will be forced to read the keystore file again?
>
> Thank you for your help,
>
> Kind regards,
> Sebastian
Reload keystore file
Hi,
I have a problem with Axis2.
At my project, we have an Microsoft Exchange 2007, and some other project
has created an API to interact with this Exchange server with the help of
Axis2.
This other project uses a Websphere server to manage a keystore to do basic
authentication over SSL.
My application on the otherhand runs as a standalone application, and I have
to manage the keystore myself.
Now, I managed to use this keystore to calling the Exchange 2007 Web
services over SSL, and it works great.
But, as you probably know, certificates expire ... and they have to get
renewed.
So, I managed to create something a 'KeyStoreManager' that will fetch the
new certificates from the Exchange server and put it in the keystore file.
And this works great as well .. *IF* I restart my application.
When my application modifies the keystore file, it looks like Axis2 is using
some caching mechanism. Because when I make the web service call again
(after inserting the new certificate in my keystore), it can't authenticate
because it cached the keystore file in memory.
To specify the keystore to Axis2, I use this code:
System.setProperty("javax.net.ssl.trustStore",
"/path/to/keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword",
"thisisnottherealpassword");
To extract the new certificate and add it to my keystore, I use code based
on the one you can find at
http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
The problem is: when the keystore file is updated with the new certificate,
axis2 doesn't seem to know about it because it uses a cached version of the
keystore file.
So my question is: how can I clear this axis2 keystore cache in some way so
axis2 will be forced to read the keystore file again?
Thank you for your help,
Kind regards,
Sebastian
