Re: Debugging outbound SSL communications?

2003-09-05 Thread Christopher Williams
You need to specify the keystore in conf\server.xml.  I assume that you've
set up the SSL connector.  Do a search on the string "keystoreFile" and set
the value to the correct keystore.

- Original Message - 
From: "Ert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 05, 2003 5:10 PM
Subject: Debugging outbound SSL communications?


I'm using a poorly-supported external service that interacts over SSL.
I can connect fine to their production environment, but their developer
environment apparently uses a less-well-known certifying authority, and
when I try to use it I am thwarted:

> javax.net.ssl.SSLException: Connection has been shutdown:
> javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: Could not find trusted
> certificate
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
> at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
> at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
> at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
> at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
> at java.io.InputStreamReader.read(InputStreamReader.java:167)

The vendor informs me that I merely need to add the appropriate key:

> The Equifax Key is not in Java by default. You need to add it.
> Example:
>
> 1) cd $JAVA_HOME/jre/lib/security/cacerts
>
> 2) copy the GeoTrust root from here:
>
> http://www.geotrust.com/resources/roots/Equifax_Secure_Certificate_Authority.cer
> to the file geotrustroot.cer in this directory
>
> 3) Run this command:
> keytool -import -trustcacerts -alias geotrustroot -keystore cacerts -file geotrustroot.cer -storepass changeit

I've imported this key to every keystore I can find or think of on my
Mac OS X system (keytool's default one,
/Library/Java/Home/lib/security/cacerts, ~/.keystore, ~root/.keystore)
and I continue to get the same error.

So now I'm trying to figure out if a default Tomcat 4.1.24 install uses
its own keystore.  If not I'm hoping to find some way I can figure out
what key the SSL connection is being presented with, and what keystore
it's attempting to find a matching key in.  I don't know if I just have
the wrong certificate, or if I've put it in the wrong place.

Any thoughts from the gallery?

- Ert



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Debugging outbound SSL communications?

2003-09-05 Thread Ert
I'm using a poorly-supported external service that interacts over SSL.
I can connect fine to their production environment, but their developer
environment apparently uses a less-well-known certifying authority, and
when I try to use it I am thwarted:

javax.net.ssl.SSLException: Connection has been shutdown:
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Could not find trusted
certificate
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
	at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
	at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
	at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
	at java.io.InputStreamReader.read(InputStreamReader.java:167)

The vendor informs me that I merely need to add the appropriate key:

The Equifax Key is not in Java by default. You need to add it.
Example:

1) cd $JAVA_HOME/jre/lib/security/cacerts

2) copy the GeoTrust root from here:

http://www.geotrust.com/resources/roots/Equifax_Secure_Certificate_Authority.cer
to the file geotrustroot.cer in this directory

3) Run this command:
keytool -import -trustcacerts -alias geotrustroot -keystore cacerts -file geotrustroot.cer -storepass changeit

I've imported this key to every keystore I can find or think of on my
Mac OS X system (keytool's default one,
/Library/Java/Home/lib/security/cacerts, ~/.keystore, ~root/.keystore)
and I continue to get the same error.

So now I'm trying to figure out if a default Tomcat 4.1.24 install uses
its own keystore.  If not I'm hoping to find some way I can figure out
what key the SSL connection is being presented with, and what keystore
it's attempting to find a matching key in.  I don't know if I just have
the wrong certificate, or if I've put it in the wrong place.

Any thoughts from the gallery?

- Ert
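Ert's two open questions (which certificate chain the remote side is presenting, and which truststore the JVM is checking it against) can be answered directly from Java rather than by guessing at keystore paths. The small diagnostic below is an added example written for this thread, not code from the original posts, the vendor, or Tomcat. It assumes a JSSE-capable JVM (Java 7 or later for the try-with-resources syntax), a hypothetical class name `TrustCheck`, and that the truststore password is `changeit` unless one is passed on the command line. It opens a TLS connection to `host:port`, records the chain the server sends, prints each certificate's subject, issuer and SHA-1 fingerprint, then loads the truststore the JVM would actually consult for outbound connections (`javax.net.ssl.trustStore` if set, otherwise `jssecacerts` or `cacerts` under the running JRE's `lib/security`) and reports whether that store trusts the chain. Because the path is derived from `java.home` of the JVM that runs it, launching it with the same JVM Tomcat uses shows whether the `cacerts` that was edited is the one Tomcat reads.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic for the thread above (hypothetical class, not from the
 * original posts): shows the chain a TLS server presents and whether a
 * given truststore accepts it.
 *
 * Usage: java TrustCheck host port [truststore-path] [truststore-password]
 */
public class TrustCheck {

    /** Resolve the truststore the JVM would use if none is given explicitly. */
    static String defaultTrustStorePath() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null) return p;
        String home = System.getProperty("java.home");
        File jssecacerts = new File(home, "lib/security/jssecacerts");
        if (jssecacerts.isFile()) return jssecacerts.getPath();
        return new File(home, "lib/security/cacerts").getPath();
    }

    /**
     * Fetch the peer chain. The capturing trust manager accepts anything,
     * but it is used only for this one diagnostic handshake; the real
     * trust decision is made below against a named truststore.
     */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocketFactory f = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            s.startHandshake();
        }
        return seen[0];
    }

    /** SHA-1 fingerprint in the colon-separated form keytool prints. */
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    /** Build an X509TrustManager from the named keystore file. */
    static X509TrustManager trustManagerFor(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for " + path);
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args.length > 2 ? args[2] : defaultTrustStorePath();
        char[] storePass = (args.length > 3 ? args[3] : "changeit").toCharArray();

        X509Certificate[] chain = fetchChain(host, port);
        System.out.println("Peer presented " + chain.length + " certificate(s):");
        for (X509Certificate c : chain) {
            System.out.println("  subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer:  " + c.getIssuerX500Principal());
            System.out.println("  sha1:    " + fingerprint(c));
        }
        System.out.println("Checking against truststore: " + storePath);
        try {
            trustManagerFor(storePath, storePass).checkServerTrusted(chain, "RSA");
            System.out.println("Result: chain is trusted by this store.");
        } catch (CertificateException e) {
            System.out.println("Result: NOT trusted (" + e.getMessage() + ")");
            System.out.println("The issuer of the last certificate above is the root to import.");
        }
    }
}
```

Compare the issuer of the last certificate printed with the root actually imported: a mismatch means the wrong certificate was imported, while a matching issuer and a "NOT trusted" result means it went into a store this JVM does not read. Running the JVM with `-Djavax.net.ssl.debug=ssl` gives the same information from JSSE itself, including the truststore path it opened and every trusted root it loaded.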