You can see if your certificate is located in the cacerts file by using the
following command:

keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

Putting your certificates in here is not recommended (see the keytool
documentation).

Another thing you could do is set your default trust manager, by executing
your client with the system property javax.net.ssl.trustStore set to
/root/.keystore and javax.net.ssl.trustStorePassword set to changeit.

(java -Djavax.net.ssl.trustStore=/root/.keystore
-Djavax.net.ssl.trustStorePassword=changeit ...)

Alternatively, you can do this within your code:

// needs: import java.io.FileInputStream; import java.security.KeyStore;
//        import javax.net.ssl.*;
{
        // Load the trust store holding the server certificate (password is a char[])
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("/root/.keystore"), "changeit".toCharArray());
        // Use the platform's default trust manager algorithm, not "RSA"
        TrustManagerFactory tmFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmFactory.init(ks);   // the factory must be initialised with the trust store
        SSLContext ctx = SSLContext.getInstance("SSL");
        ctx.init(null, tmFactory.getTrustManagers(), null);
        SSLSocketFactory socketFactory = ctx.getSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
}

You can now create HttpsURLConnections to talk to your SSL server (via the
URL.openConnection method).
The SSL handshake should authenticate using the certificates in your
/root/.keystore file.
See the JDK1.4 javadoc (or JSSE) for more information.

One other thing that may help is setting javax.net.debug=all inside tomcat,

export CATALINA_OPTS="-Djavax.net.debug=all"

before restarting tomcat. This will give you a lot of debugging information
for SSL which could be useful.


Hope this helps,
    Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Monte.Gardner@asu.edu]
Sent: 22 October 2002 20:48
To: Tomcat Users List
Subject: Re: SSL Servlet Client


OK, I think I've got to where I understand the problem more clearly
than I did yesterday. Here it is.  When I followed the tomcat ssl how to
and typed
keytool -genkey -alias tomcat -keyalg RSA
it created a keystore file called /root/.keystore in which a key aliased
by 'tomcat' was stored.  This key is what tomcat uses to present a
certificate to any client that requests an SSL session.

Now what I want to do is create a Java Client that will connect to Tomcat
via SSL and communicate with one of its servlets.  When Tomcat receives
the request, it sends its 'tomcat' certificate.  However, when the Java
client receives that certificate, it looks in a list of certificates found
in
$JAVA_HOME/jre/lib/security/cacerts
and doesn't find a certificate that matches the one it receives, so it
throws an exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert:
certificate_unknown

So, what I need to do is put a copy of the Tomcat certificate in the cacerts
file.  So I tried using a combination of keytool -import / -export to copy
the certificate over.  It seemed like I was successful in doing so, but
when I rebooted tomcat and ran the webpage again, I got the same
exception.  Have I misunderstood the problem or the key management
process somehow?

Here is the console output from when I tried to copy the certificate:

[root@rho /root]# keytool -export -alias tomcat -file cert.cer -keystore
.keystore
Enter keystore password:  changeit
Certificate stored in file <cert.cer>
[root@rho /root]# keytool -import -alias tomcat -file cert.cer -keystore
$DOCUTRAK/tomcat
Enter keystore password:  changeit
Owner: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
Issuer: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
Serial number: 3db5698b
Valid from: Tue Oct 22 08:06:51 MST 2002 until: Mon Jan 20 08:06:51 MST 2003
Certificate fingerprints:
         MD5:  84:A4:4B:0D:F9:AE:2B:D2:4D:DD:84:0C:8F:D7:DD:EC
         SHA1: 67:AF:81:96:98:3F:0B:B3:84:BF:73:62:2A:45:05:C5:19:9C:F8:F1
Trust this certificate? [no]:  y
Certificate was added to keystore


--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>
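The following is an added example, not code posted by either Andy or Monte. It does in Java what the keytool -export / -import sequence in Monte's message does by hand, but into a separate client trust store rather than into the server's own keystore, and then connects the way Andy's snippet does. The paths, alias and password (/root/.keystore, "tomcat", "changeit") are taken from the thread; the trust store output path, port 8443 and the servlet path are assumptions and should be adjusted. It uses try-with-resources, so it needs Java 7 or later rather than the JDK 1.4 the thread refers to.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds a client trust store containing only the server's certificate
 * (the equivalent of "keytool -export" on the server keystore followed by
 * "keytool -import" into a separate client trust store), then opens an HTTPS
 * connection that trusts that store instead of the JDK's cacerts file.
 */
public class TrustedClient {

    /** Copy the certificate stored under 'alias' in the server keystore into a fresh trust store. */
    static KeyStore buildTrustStore(String serverKeystore, char[] serverPassword,
                                    String alias, String trustStorePath,
                                    char[] trustPassword) throws Exception {
        KeyStore server = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(serverKeystore)) {
            server.load(in, serverPassword);
        }
        Certificate cert = server.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias '" + alias + "'");
        }

        // A trust store holds certificate entries only; the private key stays in the server keystore.
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);                 // start with an empty keystore
        trust.setCertificateEntry(alias, cert);
        try (FileOutputStream out = new FileOutputStream(trustStorePath)) {
            trust.store(out, trustPassword);
        }
        return trust;
    }

    /** Create an SSLContext whose trust decisions come from the given trust store only. */
    static SSLContext contextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                        // without this call the factory trusts nothing
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed output path for the client trust store
        KeyStore trust = buildTrustStore("/root/.keystore", "changeit".toCharArray(),
                                         "tomcat", "/root/client-truststore.jks",
                                         "changeit".toCharArray());
        HttpsURLConnection.setDefaultSSLSocketFactory(contextFor(trust).getSocketFactory());

        // The host name must match the certificate's CN (rho.abstrax.nan in the thread);
        // otherwise the default hostname verifier rejects the connection.
        // Port 8443 and the servlet path are assumptions.
        URL url = new URL("https://rho.abstrax.nan:8443/servlet/Hello");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        System.out.println("HTTP " + conn.getResponseCode()
            + " from " + conn.getPeerPrincipal());
        conn.disconnect();
    }
}
```

Running this with the system properties from Andy's message instead (-Djavax.net.ssl.trustStore=/root/client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit) and dropping the contextFor call gives the same trust decision; the programmatic form is only needed when the client must not change JVM-wide defaults.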
