Posted to dev@syncope.apache.org by Bob Lannoy <bo...@gmail.com> on 2012/04/03 16:20:07 UTC

Re: SSL

Hi,

I found a way to specify the keystore to the app.
I didn't do this in console but in my own app based on how console
does the connection.

In case this might be handy in the future:
* spring ws security has a keystorefactory bean so I used that, but
it's also possible to write it yourself
I put two params in configuration.properties (ssltruststore and
ssltruststorepass)
this is used in the spring config:

<bean id="trustStore"
class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="password" value="${ssltruststorepass}"/>
    <property name="location" value="file:${ssltruststore}"/>
</bean>

(the advantage of a custom bean would be the possibility to encrypt
the password)

And then in the connection code (assuming I already have the
requestFactory object)
you need to set the truststore.

import java.security.KeyStore;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;

// only replace the scheme when the client already has an https scheme registered
if (requestFactory.getHttpClient().getConnectionManager().getSchemeRegistry().getScheme("https") != null) {
    // the KeyStoreFactoryBean defined above produces a java.security.KeyStore
    trustStore = (KeyStore) applicationContext.getBean("trustStore");

    try {
        // HttpClient 4.x socket factory that trusts only the certificates in trustStore
        SSLSocketFactory sslSocketFactory = new SSLSocketFactory(trustStore);
        // re-register https so the custom truststore is used instead of the JVM default
        requestFactory.getHttpClient().getConnectionManager().getSchemeRegistry()
                .register(new Scheme("https", 443, sslSocketFactory));
    } catch (Exception e) {
        // error handling left out of the message
    }
}

The port number in the scheme doesn't seem to matter.

I think this might also be a first step into two way ssl

regards

Bob
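As an added example (not code from the thread or from Syncope itself), here is a plain JSSE version of the same idea: the truststore path and password are read from configuration.properties instead of being passed as -Djavax.net.ssl.* flags, and, as the "first step into two way ssl", an optional client keystore can be loaded as well. The property names sslkeystore and sslkeystorepass are assumptions; ssltruststore and ssltruststorepass are the ones used in the message.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from truststore (and optional client keystore) entries in
 * configuration.properties, so the console does not rely on -Djavax.net.ssl.* JVM flags.
 * ssltruststore/ssltruststorepass are the keys from the thread; sslkeystore and
 * sslkeystorepass are assumed names for the two-way SSL client identity.
 */
public final class ConsoleSslContextFactory {
    public static SSLContext fromProperties(final Properties props)
            throws IOException, GeneralSecurityException {
        // Only CAs present in this store are trusted when validating the core's certificate
        KeyStore trustStore = load(props.getProperty("ssltruststore"),
                props.getProperty("ssltruststorepass"));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Optional client certificate + private key, presented only if the core requests it
        KeyManagerFactory kmf = null;
        String keyStorePath = props.getProperty("sslkeystore");
        if (keyStorePath != null) {
            String keyPass = props.getProperty("sslkeystorepass", "");
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStorePath, keyPass), keyPass.toCharArray());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore load(final String path, final String password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on Java 6/7
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password == null ? null : password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }
}
```

The resulting SSLContext can be handed to HttpClient's SSLSocketFactory(SSLContext) constructor (available from HttpClient 4.1) and registered in the scheme registry the same way as above. That wrapper applies browser-compatible hostname verification by default, which is why the hostname in configuration.properties has to match the one in the core's certificate.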
On 30 March 2012 14:59, Fabio Martelli <fa...@gmail.com> wrote:
>
> On 30/mar/2012, at 14.55, Bob Lannoy wrote:
>
>> Hi,
>>
>> I think the connector element is to connect to the webapp, it's not to
>> specify the truststore that a webapp can use to connect to another
>> server
>
> Oops, you are right. The only chance you have is to use the default jvm truststore (probably $JAVA_HOME/jre/lib/security/cacerts).
> Sorry for the misunderstanding.
>
> Regards,
> F.
>
>>
>> Bob
>>
>> On 30 March 2012 14:53, Fabio Martelli <fa...@gmail.com> wrote:
>>>
>>> On 30/mar/2012, at 14.49, Bob Lannoy wrote:
>>>
>>>> Hi Fabio,
>>>>
>>>> what do you mean by "configure your tomcat container with syncope
>>>> console deployed inside in order to use the new truststore."
>>>> I guess this is what I did by specifying the JAVA_OPTS on startup of tomcat?
>>>
>>> You can modify your server.xml in order to add truststore file and password inside the right "Connector" element.
>>>
>>> F.
>>>
>>>>
>>>> Bob
>>>>
>>>> On 30 March 2012 14:18, Fabio Martelli <fa...@gmail.com> wrote:
>>>>>
>>>>> On 30/mar/2012, at 09.50, Bob Lannoy wrote:
>>>>>
>>>>>> Hi Francesco,
>>>>>>
>>>>>> indeed it works ;)
>>>>>> I did it on a Tomcat 6 instance.
>>>>>> * enabled SSL for core
>>>>>> * referenced the truststore for console through JVM params
>>>>>> -Djavax.net.ssl.trustStore="...mykeystore.jks"
>>>>>> -Djavax.net.ssl.trustStorePassword="mykeystore"
>>>>>> * put the right params in configuration.properties (https, hostname as
>>>>>> in certificate)
>>>>>> I'll be happy to put up a wiki page for that.
>>>>>> There's one thing I didn't like and that's I have to pass the
>>>>>> truststore params to the VM in command line.
>>>>>> Perhaps there's a way to specify the truststore in the configuration somewhere?
>>>>>
>>>>> Hi Bob,
>>>>> you can configure your tomcat container with syncope console deployed inside in order to use the new truststore.
>>>>> Alternatively you can add CA certificate in the default jvm truststore.
>>>>>
>>>>> Regards,
>>>>> F.
>>>>>
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Bob
>>>>>>
>>>>>> 2012/3/29 Francesco Chicchiriccò <il...@apache.org>:
>>>>>>> On 29/03/2012 09:25, Bob Lannoy wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> with the remark about the use of MD5, I thought of something else.
>>>>>>>> If I'm not mistaken the connection between console and core is over plain HTTP.
>>>>>>>> Do you plan supporting SSL connections between both? I put core behind
>>>>>>>> SSL but then the console didn't connect.
>>>>>>>> I saw in the trunk that in the configuration properties for the
>>>>>>>> console the protocol (scheme) option has been split out so maybe
>>>>>>>> you're already planning this?
>>>>>>>
>>>>>>> Hi Bob,
>>>>>>> there is nothing, in principle, that prevents the core webapp from being
>>>>>>> available in HTTPS only (and hence the console from connecting via HTTPS to
>>>>>>> the core): only, be sure to overcome the usual issues arising when using
>>>>>>> self-signed certificates in Java: here is a brief checklist I would suggest:
>>>>>>>
>>>>>>> 1. put the servlet container with core webapp deployed inside in HTTPS
>>>>>>> 2. add the certificate of the CA you have used to sign the certificate
>>>>>>> for the step above in a truststore
>>>>>>> 3. reference the truststore above when launching the servlet container
>>>>>>> with console webapp deployed inside
>>>>>>>
>>>>>>> This should work: please, let us know whether you succeed.
>>>>>>> It could also be the case to add a page on our wiki about this.
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>> --
>>>>>>> Francesco Chicchiriccò
>>>>>>>
>>>>>>> Apache Cocoon PMC and Apache Syncope PPMC Member
>>>>>>> http://people.apache.org/~ilgrosso/
>>>>>>>
>>>>>
>>>
>