Re: service over https
Thanks, Fred! Your openssl trick worked a treat. I imported the certificate into the key store and can process transactions now. I guess now I must not forget to do the same for production :-)

Thanks,
Alex.

On Dec 16, 2007 10:08 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
> You don't necessarily need to use keytool. You can now use a plain
> PEM file, containing the CA's X.509 certificate:
>
> {{{
> .*
> .*_DH_anon_.*
> }}}
>
> You'll need to get a hold of this certificate, if you don't already
> have it. Here is the information about the peer you can get through
> openssl:
>
> 15:57:32 spock:~> openssl s_client -host api-aa.sandbox.paypal.com -port 443
> CONNECTED(0004)
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
>    i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
>  1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>  2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIEfzCCA+igAwIBAgIQLSP23WPvaFBTi2w3DtahojANBgkqhkiG9w0BAQUFADCB
> ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
> aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
> dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
> SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
> NjAzMDcwMDAwMDBaFw0wODAzMDYyMzU5NTlaMIHDMQswCQYDVQQGEwJVUzETMBEG
> A1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQIU2FuIEpvc2UxFTATBgNVBAoUDFBh
> eXBhbCwgSW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczEzMDEGA1UE
> CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMSIw
> IAYDVQQDFBlhcGktYWEuc2FuZGJveC5wYXlwYWwuY29tMIGfMA0GCSqGSIb3DQEB
> AQUAA4GNADCBiQKBgQDGgeP8JtZJp8/pP4xkPFWkK+ZGskDW2S8NFbk+zoGOnNN5
> vFwvrd2AqtU7bBqgVUfjqjGoUY03f/taNpdjfGcjWIPgjQzr9DUOF6dvh+/DBpCz
> 75lecSiyrVi70VqbxnrDFoBisbErMsJul5gzKiLwAzdLCja2sNcRFZmg06qHNwID
> AQABo4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7
> oDmgN4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25h
> bFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
> BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCG
> SAGG+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggr
> BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEw
> X6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PP
> gGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lm
> MA0GCSqGSIb3DQEBBQUAA4GBAApy0YfJ6u2U+dtaRIAqnwqdYeeYk85C3AAWTYjn
> t6meV1fjVNCkA1uHNW12qoTgpaposI/B/TEzi4oVzV7icki7jqpx+KdFOukoMn8D
> dVbGOCZ+wh867qkrgypiSESxTbnCPLKXxk5iHyVH07Aid9NEFcicwvflay5bZVee
> fOE4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
> issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> ---
> Acceptable client certificate CA names
> /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/[EMAIL PROTECTED]
> ---
> SSL handshake has read 3379 bytes and written 334 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 85E1D239A982C834730D359EBD5D009F1D64705CD2F44192E6081CF7A55CA88F
>     Session-ID-ctx:
>     Master-Key: C7C10F6A3503C174C2B276FBE109F6C249B4C2B252BA45AFAFA157EB920B10DEB80BD9B12971A54CA42805A4940785D0
>     Key-Arg   : None
>     Start Time: 1197838663
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> So it looks like you'll need one of those 2 verisign certs.
>
> -Fred
>
>
> On Dec 16, 2007, at 3:53 PM, Alex Shneyderman wrote:
>
>> Hi, Fred!
>>
>> On Dec 16, 2007 8:49 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
>>>
>>> You need to specify a trust store containing the appropriate
>>> certificate authority to be used when performing the hands
Re: service over https
You don't necessarily need to use keytool. You can now use a plain PEM file, containing the CA's X.509 certificate:

{{{
.*
.*_DH_anon_.*
}}}

You'll need to get a hold of this certificate, if you don't already have it. Here is the information about the peer you can get through openssl:

15:57:32 spock:~> openssl s_client -host api-aa.sandbox.paypal.com -port 443
CONNECTED(0004)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEfzCCA+igAwIBAgIQLSP23WPvaFBTi2w3DtahojANBgkqhkiG9w0BAQUFADCB
ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
NjAzMDcwMDAwMDBaFw0wODAzMDYyMzU5NTlaMIHDMQswCQYDVQQGEwJVUzETMBEG
A1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQIU2FuIEpvc2UxFTATBgNVBAoUDFBh
eXBhbCwgSW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczEzMDEGA1UE
CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMSIw
IAYDVQQDFBlhcGktYWEuc2FuZGJveC5wYXlwYWwuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDGgeP8JtZJp8/pP4xkPFWkK+ZGskDW2S8NFbk+zoGOnNN5
vFwvrd2AqtU7bBqgVUfjqjGoUY03f/taNpdjfGcjWIPgjQzr9DUOF6dvh+/DBpCz
75lecSiyrVi70VqbxnrDFoBisbErMsJul5gzKiLwAzdLCja2sNcRFZmg06qHNwID
AQABo4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7
oDmgN4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25h
bFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCG
SAGG+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEw
X6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PP
gGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lm
MA0GCSqGSIb3DQEBBQUAA4GBAApy0YfJ6u2U+dtaRIAqnwqdYeeYk85C3AAWTYjn
t6meV1fjVNCkA1uHNW12qoTgpaposI/B/TEzi4oVzV7icki7jqpx+KdFOukoMn8D
dVbGOCZ+wh867qkrgypiSESxTbnCPLKXxk5iHyVH07Aid9NEFcicwvflay5bZVee
fOE4
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/[EMAIL PROTECTED]
---
SSL handshake has read 3379 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 85E1D239A982C834730D359EBD5D009F1D64705CD2F44192E6081CF7A55CA88F
    Session-ID-ctx:
    Master-Key: C7C10F6A3503C174C2B276FBE109F6C249B4C2B252BA45AFAFA157EB920B10DEB80BD9B12971A54CA42805A4940785D0
    Key-Arg   : None
    Start Time: 1197838663
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

So it looks like you'll need one of those 2 verisign certs.

-Fred

On Dec 16, 2007, at 3:53 PM, Alex Shneyderman wrote:

> Hi, Fred!
>
> On Dec 16, 2007 8:49 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
>> You need to specify a trust store containing the appropriate
>> certificate authority to be used when performing the handshake with
>> the paypal service.
>
> Could you explain this step in a bit more detail? I guess I have to use something like keytool, but I am not sure what "appropriate certificate authority" means. Where do I get it, and how do I deal with it? I have tried to search PayPal's docs; nothing of relevance turned up.
>
> Thanks,
> Alex.
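The openssl output above answers the question offline once you know how to read it: the "Server certificate" block is the leaf for api-aa.sandbox.paypal.com, its "issuer=" line names the VeriSign intermediate that belongs in the trust store, and "Verify return code: 19" means openssl itself had no anchor for the chain. The following is an added example written for this thread, not code from CXF, PayPal or either poster. It uses only the Python standard library, embeds the server certificate exactly as printed above (only the PEM markers, which the page shows collapsed to "-BEGIN CERTIFICATE-", are restored), and walks just enough DER to report subject, issuer, validity and the basicConstraints CA flag, then says why this particular PEM must not be imported as a trust anchor. The function names (`parse_certificate`, `trust_anchor_problems`, `pem_to_der`) and the constant name `PAYPAL_SANDBOX_LEAF` are this example's own; the parser assumes UTCTime validity fields (certificates expiring before 2050) and the common Name attribute types. The VeriSign CA certificates Fred points at are not on the page, so only the negative case is demonstrated.

```python
import base64
from datetime import datetime, timezone

# The server certificate as printed by openssl s_client in the thread (PEM markers restored).
PAYPAL_SANDBOX_LEAF = """-----BEGIN CERTIFICATE-----
MIIEfzCCA+igAwIBAgIQLSP23WPvaFBTi2w3DtahojANBgkqhkiG9w0BAQUFADCB
ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
NjAzMDcwMDAwMDBaFw0wODAzMDYyMzU5NTlaMIHDMQswCQYDVQQGEwJVUzETMBEG
A1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQIU2FuIEpvc2UxFTATBgNVBAoUDFBh
eXBhbCwgSW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczEzMDEGA1UE
CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMSIw
IAYDVQQDFBlhcGktYWEuc2FuZGJveC5wYXlwYWwuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDGgeP8JtZJp8/pP4xkPFWkK+ZGskDW2S8NFbk+zoGOnNN5
vFwvrd2AqtU7bBqgVUfjqjGoUY03f/taNpdjfGcjWIPgjQzr9DUOF6dvh+/DBpCz
75lecSiyrVi70VqbxnrDFoBisbErMsJul5gzKiLwAzdLCja2sNcRFZmg06qHNwID
AQABo4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7
oDmgN4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25h
bFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCG
SAGG+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEw
X6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PP
gGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lm
MA0GCSqGSIb3DQEBBQUAA4GBAApy0YfJ6u2U+dtaRIAqnwqdYeeYk85C3AAWTYjn
t6meV1fjVNCkA1uHNW12qoTgpaposI/B/TEzi4oVzV7icki7jqpx+KdFOukoMn8D
dVbGOCZ+wh867qkrgypiSESxTbnCPLKXxk5iHyVH07Aid9NEFcicwvflay5bZVee
fOE4
-----END CERTIFICATE-----"""

# DER-encoded attribute-type OIDs used when rendering names, and the basicConstraints extension OID.
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST",
              b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}
_BASIC_CONSTRAINTS = b"\x55\x1d\x13"

def pem_to_der(pem):
    """Drop the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))

def _tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0                                    # (tag, value) elements of a constructed value
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _name(value):
    """X.501 Name in the slash form openssl prints, e.g. /C=US/O=... (unknown OIDs shown as hex)."""
    parts = []
    for _, rdn in _children(value):                     # SEQUENCE OF SET OF { OID, string }
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)
            parts.append(_OID_NAMES.get(oid, oid.hex()) + "=" + text.decode("utf-8", "replace"))
    return "/" + "/".join(parts)

def _utc_time(raw):
    s = raw.decode("ascii")                             # UTCTime 'YYMMDDhhmmssZ'; RFC 5280: YY >= 50 is 19YY
    year = int(s[:2]) + (1900 if int(s[:2]) >= 50 else 2000)
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)

def parse_certificate(der):
    """Subject, issuer, validity and basicConstraints CA flag of a DER-encoded X.509 v3 certificate."""
    (_, tbs), _sig_alg, _sig = _children(_tlv(der, 0)[1])
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _alg, (_, issuer), (_, validity), (_, subject) = fields[:5]
    is_ca = False
    for tag, block in fields[5:]:
        if tag == 0xA3:                                 # [3] EXPLICIT SEQUENCE OF Extension
            for _, ext in _children(_children(block)[0][1]):
                items = _children(ext)                  # OID, optional critical BOOLEAN, OCTET STRING value
                if items[0][1] == _BASIC_CONSTRAINTS:   # value: SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                    is_ca = any(t == 0x01 and v == b"\xff" for t, v in _children(_tlv(items[-1][1], 0)[1]))
    not_before, not_after = (_utc_time(v) for _, v in _children(validity))
    return {"subject": _name(subject), "issuer": _name(issuer), "not_before": not_before,
            "not_after": not_after, "is_ca": is_ca, "self_signed": subject == issuer}

def trust_anchor_problems(pem, now=None):
    """Reasons NOT to import this PEM as a trust anchor; an empty list means it looks like a usable CA cert."""
    info = parse_certificate(pem_to_der(pem))
    problems = []
    if not info["is_ca"]:
        problems.append("not a CA certificate (it is the server's own cert for %s); "
                        "import its issuer instead: %s" % (info["subject"], info["issuer"]))
    if (now or datetime.now(timezone.utc)) > info["not_after"]:
        problems.append("expired on %s" % info["not_after"].date())
    return problems
```

Calling `trust_anchor_problems(PAYPAL_SANDBOX_LEAF)` returns two findings: the certificate's basicConstraints says CA:FALSE, so it can only ever match itself and the trust store needs its issuer (the "VeriSign International Server CA - Class 3" intermediate, or the root above it, which is what Fred's "one of those 2 verisign certs" refers to); and the leaf expired on 2008-03-06, which is a reminder that anything imported into a trust store today should be checked the same way before it is relied on.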
Re: service over https
Hi, Fred!

On Dec 16, 2007 8:49 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
> You need to specify a trust store containing the appropriate
> certificate authority to be used when performing the handshake with
> the paypal service.

Could you explain this step in a bit more detail? I guess I have to use something like keytool, but I am not sure what "appropriate certificate authority" means. Where do I get it, and how do I deal with it? I have tried to search PayPal's docs; nothing of relevance turned up.

Thanks,
Alex.
Re: service over https
You need to specify a trust store containing the appropriate certificate authority to be used when performing the handshake with the paypal service.

In the case where you are specifying a cxf.xml file, be sure to include the right trustManagers stanza, as in https://svn.apache.org/repos/asf/incubator/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/WibbleClient.cxf

In the case where you are not using a cxf.xml file, the conduit is failing to initialize because it has not been configured to use SSL.

-Fred

On Dec 16, 2007, at 2:10 PM, Alex Shneyderman wrote:

> I am new to web service or CXF, so forgive me if this is somehow obvious for everyone.
>
> I have been trying to figure out how to utilize paypal's WS. Here is their WSDL http://www.paypal.com/wsdl/PayPalSvc.wsdl (if anyone is interested). At the end of the file there is a ports section that looks like so:
>
> https://api-aa.sandbox.paypal.com/2.0/"/>
>
> The port named PayPalAPIAA talks over https. I have written some code to process direct payments, and if I provide cxf.xml on my classpath of the following content:
>
> There is an error I get back:
>
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
> INFO: The cipher suites have not been configured, falling back to cipher suite filters.
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
> INFO: The cipher suite filters have not been configured, falling back to default filters.
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersFromList
> INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.http.HTTPConduit prepare
> INFO: AutoRedirect is turned on.
> Dec 16, 2007 7:18:31 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Received fatal alert: handshake_failure
>     at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:75)
>     at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:207)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:205)
>     ...
>
> If I do not provide cxf.xml I get an error stating:
>
> Dec 16, 2007 8:01:42 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
> ..
> Caused by: java.io.IOException: Illegal Protocol https for HTTP URLConnection Factory.
>     at org.apache.cxf.transport.http.HttpURLConnectionFactoryImpl.createConnection(HttpURLConnectionFactoryImpl.java:44)
>     at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:474)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
>     ... 12 more
>
> Any ideas? BTW, if I simply connect to the URL I can connect and get content fine, so default java https connectivity works (I run java 6). Somehow CXF screws stuff up for me. Any ideas of what I am to fix here?
>
> --
> Thanks,
> Alex.
service over https
I am new to web service or CXF, so forgive me if this is somehow obvious for everyone.

I have been trying to figure out how to utilize paypal's WS. Here is their WSDL http://www.paypal.com/wsdl/PayPalSvc.wsdl (if anyone is interested). At the end of the file there is a ports section that looks like so:

https://api-aa.sandbox.paypal.com/2.0/"/>

The port named PayPalAPIAA talks over https. I have written some code to process direct payments, and if I provide cxf.xml on my classpath of the following content:

There is an error I get back:

Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suites have not been configured, falling back to cipher suite filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suite filters have not been configured, falling back to default filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersFromList
INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.http.HTTPConduit prepare
INFO: AutoRedirect is turned on.
Dec 16, 2007 7:18:31 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Received fatal alert: handshake_failure
    at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:75)
    at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:207)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:205)
    ...

If I do not provide cxf.xml I get an error stating:

Dec 16, 2007 8:01:42 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
..
Caused by: java.io.IOException: Illegal Protocol https for HTTP URLConnection Factory.
    at org.apache.cxf.transport.http.HttpURLConnectionFactoryImpl.createConnection(HttpURLConnectionFactoryImpl.java:44)
    at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:474)
    at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
    ... 12 more

Any ideas? BTW, if I simply connect to the URL I can connect and get content fine, so default java https connectivity works (I run java 6). Somehow CXF screws stuff up for me. Any ideas of what I am to fix here?

--
Thanks,
Alex.
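The cipher list in this log is the other half of the story: every one of the 18 suites CXF fell back to is anonymous (DH_anon), export-grade, NULL-cipher, single-DES or Kerberos, so a server offering only strong suites (Fred's openssl run negotiated DHE-RSA-AES256-SHA, which is TLS_DHE_RSA_WITH_AES_256_CBC_SHA in JSSE naming) has nothing in common with the client and answers with a handshake_failure alert. Fred's reply earlier in the thread configures a cipher suite filter whose surviving patterns are `.*` (include) and `.*_DH_anon_.*` (exclude). The block below is an added example, not CXF code: it applies include/exclude patterns with the full-match, include-then-exclude semantics assumed here for that filter, and then audits what survives against a small set of weakness rules. `CXF_FALLBACK_SUITES` is copied from the log above; `STRONG_SUITES_SAMPLE` is a constructed stand-in for suites a JVM of that era also supported, and `WEAKNESS_RULES`, `filter_suites`, `audit` and `hardened_exclude_patterns` are this example's own names.

```python
import re

# The 18 suites CXF fell back to in the log above (copied from the thread).
CXF_FALLBACK_SUITES = [
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA", "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_MD5", "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
]

# Constructed stand-in for suites a JSSE provider of that era also supported; the real
# set depends on the JVM. TLS_DHE_RSA_WITH_AES_256_CBC_SHA is openssl's DHE-RSA-AES256-SHA.
STRONG_SUITES_SAMPLE = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# Name fragments that mark a suite as unfit for a client that must authenticate a public server.
WEAKNESS_RULES = [
    ("anonymous key exchange, no server authentication", re.compile(r"_anon_")),
    ("export-grade key size", re.compile(r"_EXPORT_")),
    ("NULL cipher, no confidentiality", re.compile(r"_WITH_NULL_")),
    ("single DES (56-bit)", re.compile(r"_WITH_DES_CBC_")),
    ("RC4 stream cipher", re.compile(r"_RC4_")),
    ("Kerberos suite, not offered by public servers", re.compile(r"_KRB5_")),
]

def weaknesses(suite):
    """Labels of every weakness rule the suite name matches; an empty list means none of the known ones."""
    return [label for label, rx in WEAKNESS_RULES if rx.search(suite)]

def filter_suites(supported, include, exclude):
    """Keep a suite only if it fully matches some include pattern and no exclude pattern.
    These include-then-exclude, full-match semantics are an assumption about CXF's filter."""
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc) and not any(r.fullmatch(s) for r in exc)]

def hardened_exclude_patterns():
    """Exclude patterns built from WEAKNESS_RULES: a stricter filter than the thread's single DH_anon exclude."""
    return [".*%s.*" % rx.pattern for _, rx in WEAKNESS_RULES]

def audit(supported, include, exclude):
    """Apply the filter, then report the surviving suites that still match a weakness rule."""
    kept = filter_suites(supported, include, exclude)
    return {"kept": kept, "weak_kept": {s: weaknesses(s) for s in kept if weaknesses(s)}}

if __name__ == "__main__":
    everything = CXF_FALLBACK_SUITES + STRONG_SUITES_SAMPLE
    for label, exclude in (("thread's filter", [".*_DH_anon_.*"]), ("hardened", hardened_exclude_patterns())):
        result = audit(everything, [".*"], exclude)
        print("%s: %d kept, %d still weak" % (label, len(result["kept"]), len(result["weak_kept"])))
```

Run over the fallback list alone, `weaknesses` flags all 18 suites, which is why no strong server will complete the handshake. With Fred's `.*` include, the filter is applied to the whole supported set rather than the fallback list, so the AES suites come back in and the DH_anon ones go out; the audit shows, though, that the DES, export, NULL and Kerberos suites are still offered, which is what the hardened exclude list removes.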