Hasn't anyone ever tried connecting to two different sites using SSL, using
different keystore files for each of them?

Any help would be greatly appreciated!

Many Thanks,
Vaughn




--------------------------------------------------------------------------------
 
I am trying to interact with an external UDDI server for discovery (with its
own keystore) and then, subsequently, with the JBoss server (using its
keystore). The interaction with the UDDI server comes off without a hitch.
The problem comes in when I try creating and using an InitialContext (using
the second JBoss keystore). Simply changing the "javax.net.ssl.trustStore"
property back and forth does not help.

Finally I tried this route: 

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

private SSLContext getSSLContext(String keyStoreName, String password) throws
Exception
{
    char[] passwordChars = password.toCharArray();
    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream in = new FileInputStream(keyStoreName);
    ks.load(in, passwordChars);
    in.close();
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, passwordChars);
    // Trust managers must come from the same store; passing null to
    // SSLContext.init() falls back to the JVM default trust store instead.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    tmf.init(ks);
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    Arrays.fill(passwordChars, 'x');  // scrub the password from memory
    return context;
}

and added this: 


sslContext = this.getSSLContext(myProp, "mycrypticpassword"); 
... 

to my context settings: 

contextSettings.put(Context.SECURITY_CREDENTIALS, sslContext); 
... 

initial = new InitialContext(contextSettings); 

I read that this would then cause the truststore specified for the SSL context
to be used when I interacted with the server.

This did not work. 

I printed out the verbose SSL logging and the frustrating part is that all 
seems well: 

Keystore type: JKS Keystore size: 1 Keystore provider: SUN (DSA key/parameter 
generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; 
JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection 
CertStores) 
Alias: tomcat 
Cert type: X.509 
adding as trusted cert: 
Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US 
Issuer: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US 
Algorithm: RSA; Serial number: 0x3eb01348 
Valid from Wed Apr 30 14:17:44 EDT 2003 until Thu Jun 23 10:57:12 EDT 2044 

NUM TRUST MANAGERS: 1 
trigger seeding of SecureRandom 
done seeding SecureRandom 
SSLContext: Protocol: TLS Protocol: TLS Provider Info: Sun JSSE 
provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, 
TLSv1) 



%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1103215747 bytes = { 216, 101, 177, 237, 63, 248, 63, 18, 
173, 3, 20, 150, 223, 12, 76, 27, 114, 118, 226, 131, 8, 12, 162, 170, 126, 
214, 190, 35 } 
Session ID: {} 
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, 
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 
Compression Methods: { 0 } 
*** 
main, WRITE: TLSv1 Handshake, length = 73 
main, WRITE: SSLv2 client hello message, length = 98 
main, READ: TLSv1 Handshake, length = 769 
*** ServerHello, TLSv1 
RandomCookie: GMT: 1103215747 bytes = { 242, 209, 236, 103, 8, 124, 51, 48, 
247, 70, 162, 215, 101, 49, 191, 107, 61, 85, 61, 35, 83, 34, 41, 100, 21, 252, 
112, 9 } 
Session ID: {66, 194, 189, 131, 216, 45, 94, 131, 31, 112, 29, 145, 89, 252, 
233, 34, 55, 191, 86, 206, 129, 38, 10, 145, 212, 18, 132, 193, 5, 106, 121, 
158} 
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5 
Compression Method: 0 
*** 
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5] 
** SSL_RSA_WITH_RC4_128_MD5 
*** Certificate chain 
chain [0] = [ 
[ 
Version: V1 
Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US 
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 

Key: SunJSSE RSA public key: 
public exponent: 
010001 
modulus: 
... 061 
Validity: [From: Wed Apr 30 14:17:44 EDT 2003, 
To: Thu Jun 23 10:57:12 EDT 2044] 
Issuer: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US 
SerialNumber: [ 3eb01348] 

] 
Algorithm: [MD5withRSA] 
Signature: 
... .h 

] 
*** 

UNTIL: 

main, SEND TLSv1 ALERT: fatal, description = certificate_unknown 


When I use the server keystore that we created for our JBoss server to
interact with native JUDDI and to interact with our sessions all is well AND
the SSL logging is identical other than RandomCookie and SessionID:


%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1103208181 bytes = { 112, 147, 246, 112, 216, 61, 15, 64, 
204, 84, 246, 7, 194, 171, 46, 211, 114, 209, 75, 3, 64, 154, 195, 176, 53, 
100, 85, 209 } 
Session ID: {} 
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, 
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 
Compression Methods: { 0 } 
*** 
main, WRITE: TLSv1 Handshake, length = 73 
main, WRITE: SSLv2 client hello message, length = 98 
main, READ: TLSv1 Handshake, length = 769 
*** ServerHello, TLSv1 
RandomCookie: GMT: 1103208181 bytes = { 113, 249, 157, 217, 154, 121, 144, 35, 
243, 195, 93, 80, 221, 4, 101, 94, 120, 104, 250, 250, 52, 248, 138, 10, 252, 
147, 192, 222 } 
Session ID: {66, 194, 159, 245, 33, 16, 83, 46, 222, 109, 149, 222, 143, 139, 
8, 210, 7, 245, 21, 211, 62, 89, 46, 102, 63, 60, 135, 136, 27, 193, 48, 196} 
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5 
Compression Method: 0 
*** 
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5] 
** SSL_RSA_WITH_RC4_128_MD5 
*** Certificate chain 
chain [0] = [ 
[ 
Version: V1 
Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US 
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 

Key: SunJSSE RSA public key: 
public exponent: 
010001 
modulus: 
... 9b7177b4 60f72061 
Validity: [From: Wed Apr 30 14:17:44 EDT 2003, 
To: Thu Jun 23 10:57:12 EDT 2044] 
Issuer: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US 
SerialNumber: [ 3eb01348] 

] 
Algorithm: [MD5withRSA] 
Signature: 
... A.c"8.h 

] 
*** 


With the obvious exception that it works ;-) : 

Found trusted certificate: 
[ 
[ 
Version: V1 
Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US 
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 


Any ideas as to what I am missing? 

Many Thanks in advance, 
Vaughn 


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3883750#3883750

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3883750
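The per-peer approach the thread is circling around, as an added example that is not code from the original post or from JBoss: build one SSLContext per remote site from that site's own truststore (and optional client keystore) and hand it to each connection explicitly, rather than flipping the javax.net.ssl.* system properties, which JSSE reads only once when the default context is first created. The file names, passwords and hostnames are placeholders; HttpsURLConnection stands in for whatever transport the caller uses, and wiring the context into a JBoss JNDI InitialContext is JBoss-specific and not shown here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not from the original post. uddi-trust.jks, jboss-trust.jks,
// the passwords and the hostnames are assumed placeholders.
public class PerPeerSslContexts {

    // Build an SSLContext whose trust decisions come ONLY from trustStorePath.
    // keyStorePath may be null when the peer does not request a client cert.
    static SSLContext build(String trustStorePath, char[] trustPass,
                            String keyStorePath, char[] keyPass) throws Exception {
        KeyStore trust = load(trustStorePath, trustPass);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            KeyStore keys = load(keyStorePath, keyPass);
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keys, keyPass);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // A null trust-manager array here would silently use the JVM default
        // truststore, which is the usual cause of certificate_unknown alerts.
        ctx.init(kmf == null ? null : kmf.getKeyManagers(),
                 tmf.getTrustManagers(), null);
        return ctx;
    }

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass);
        } finally {
            in.close();
        }
        return ks;
    }

    // Diagnostic: list the certificates a truststore will actually trust.
    // Compare subject and serial with the "Certificate chain" block in the
    // -Djavax.net.debug=ssl output; if the server cert is absent here, the
    // handshake ends in a certificate_unknown alert.
    static void printTrustAnchors(String path, char[] pass) throws Exception {
        KeyStore ks = load(path, pass);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(alias + ": " + x.getSubjectX500Principal()
                    + " serial=0x" + x.getSerialNumber().toString(16));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        char[] uddiPass = "changeit".toCharArray();   // placeholder
        char[] jbossPass = "changeit".toCharArray();  // placeholder

        SSLContext uddiCtx = build("uddi-trust.jks", uddiPass, null, null);
        SSLContext jbossCtx = build("jboss-trust.jks", jbossPass, null, null);

        // Each connection carries its own context; no global state is touched,
        // so the two sites can be used in any order, even interleaved.
        HttpsURLConnection uddi = (HttpsURLConnection)
            new URL("https://uddi.example.invalid/uddi/inquiry").openConnection();
        uddi.setSSLSocketFactory(uddiCtx.getSocketFactory());

        HttpsURLConnection jboss = (HttpsURLConnection)
            new URL("https://jboss.example.invalid/").openConnection();
        jboss.setSSLSocketFactory(jbossCtx.getSocketFactory());

        printTrustAnchors("jboss-trust.jks", jbossPass);
        Arrays.fill(uddiPass, '\0');
        Arrays.fill(jbossPass, '\0');
        System.out.println(uddi.getResponseCode() + " " + jboss.getResponseCode());
    }
}
```

Because the trust managers are built from the named file rather than taken from the JVM defaults, the second context cannot inherit the first context's trust anchors, and printTrustAnchors gives a quick way to confirm that the serial number shown in the debug log (3eb01348 in the post) is really present in the store being used for that peer.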


_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
