Posted to java-user@axis.apache.org by Luis Rivera <lu...@hotmail.com> on 2006/11/22 03:21:21 UTC

Axis https/SSL Server Certificate Validation question

   Dear axis users,

I googled my way up to this point, but now I have to ask about this. I am 
sure it has been asked before, but I have not been able to find a way to do this, 
unless I am misunderstanding something.

OK, I want to use https for encryption using only Server side 
authentication. I managed to create a self signed certificate for tomcat, 
installed in a keystore and set up the server.xml file with the right info. 
This works great, now I can use https to browse the tomcat pages, axis 
Validation and make sure that my own Services (based on axis 1.4) are 
deployed.

My WSDL is rpc/literal, so I basically locate the Service using the right 
URL (https://host:port/axis/services/MyService) and get a 
SSLHandshakeException!!!

So, I figured the problem might be that since the browser usually prompts 
the user to confirm if the certificate should be trusted, now my program was 
not able to trust the certificate. Therefore, I basically added the 
certificate to the client jre cacerts file and that solved the problem.

HOWEVER, I don't want my client to modify a file on its local hard disk if 
possible. I want it to just ignore the fact that the Certificate is not in 
the keystore and go on, just like I always say "yes" when the browser pops up 
the dialog, since I only care about encryption at this point.

So, the question is:

HOW DO i MAKE THE CLIENT BYPASS THE CERTIFICATE VERIFICATION step in my 
client?

I believe I have to use a TrustManager and a SSL context, but I am not sure 
how to connect it to the axis Engine running under my client, which is the 
one opening the context that matters for this and subsequent connections.

   Thanks in advance, any tip will be appreciated,
   --Luis R.



---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Axis https/SSL Server Certificate Validation question

Posted by cmanjarr <cm...@yahoo.com>.
Please note this clarification of the error stack I'm reporting:

This stack corresponds to axis2-kernel1.2-snapshot.jar (downloaded Friday
morning EST, Apr-13-2007):

org.apache.axis2.AxisFault: unknown protocol: myhttps
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:221)
      at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:452)
      at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:330)
      at org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:294)

Caused by: org.apache.axis2.AxisFault: unknown protocol: myhttps
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:308)
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:201)
      ... 12 more

Caused by: java.net.MalformedURLException: unknown protocol: myhttps
      at java.net.URL.<init>(URL.java:574)
      at java.net.URL.<init>(URL.java:464)
      at java.net.URL.<init>(URL.java:413)
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:283)
      ... 13 more

The previous stack corresponds to axis2-kernel-1.1.1.jar



Re: Axis https/SSL Server Certificate Validation question

Posted by cmanjarr <cm...@yahoo.com>.
Hi all:

I tested a custom SSL Socket Factory registered as "https" as per the document
http://jakarta.apache.org/commons/httpclient/sslguide.html and it worked pretty
well.
However, when I register my custom SSL Socket Factory with another name like
"myhttps", it does not work.

1) First, the stable release has a bug (NullPointerException) which is
documented here:

http://www.mail-archive.com/axis-dev@ws.apache.org/msg25009.html

So after downloading the latest code from the nightly build repository with
the fix for the NullPointerException bug, Axis2 throws another error:

org.apache.axis2.AxisFault: Transport out has not been set
      at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:439)
      at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:330)
      at org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:294)
..... more lines pertaining to my client sub.......

So I added a new transportSender to the axis2_default.xml file (in
axis2-kernel-1.2-SNAPSHOT.jar) like this (notice that I reused the existing
CommonsHTTPTransportSender):

    <transportSender name="myhttps"
                     class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
        <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
        <parameter name="Transfer-Encoding" locked="false">chunked</parameter>
    </transportSender>


Then Axis reports another problem:

org.apache.axis2.AxisFault: unknown protocol: myhttps
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:221)
      at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:452)
      at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:330)
      at org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:294)
...... more lines....

Caused by: org.apache.axis2.AxisFault: unknown protocol: myhttps
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:308)
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:201)
      ... 12 more

Caused by: java.net.MalformedURLException: unknown protocol: myhttps
      at java.net.URL.<init>(URL.java:574)
      at java.net.URL.<init>(URL.java:464)
      at java.net.URL.<init>(URL.java:413)
      at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:283)
      ... 13 more

#==============================


Am I missing anything here? Or can Axis2/HttpClient really not work well
with a custom protocol name other than valid URL schemes?

I'd appreciate any comments on this one.
thx,

Carlos M.


Note this is my client code:

Protocol httpsProtocol =
    new Protocol("https",
        (ProtocolSocketFactory) new MYSSLProtocolSocketFactory(
            new URL("file:/tmp/keyStore.ks"), "keyStorePassword",
            new URL("file:/tmp/trustStore.ks"), "trustStorePassword"),
        443);

//Protocol.registerProtocol("https", httpsProtocol);     // works fine
Protocol.registerProtocol("myhttps", httpsProtocol);     // does not work !!



Re: Axis https/SSL Server Certificate Validation question

Posted by Xinjun Chen <xj...@gmail.com>.
Axis2 uses HttpClient, so you can override the https protocol by
registering your own SSLSocketFactory.
Refer to http://jakarta.apache.org/commons/httpclient/sslguide.html for
details.

In your SSLSocketFactory, override the "private static TrustManager[]
createTrustManagers(final KeyStore keystore)" method,
and create your own X509TrustManager to trust all certs.

Insert the following line in the Axis2 web services client code to register
your own https protocol:

Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) yourOwnSSLSocketFactory, port));

HttpClient will then use your own SSLSocketFactory.


Regards,
Xinjun


On 11/23/06, xu cai <je...@gmail.com> wrote:
>
> Actually, you can use
> System.setProperty("javax.net.ssl.trustStore", "your key store file location").
> It sets the truststore file path.
>
>
>  On 11/23/06, Luis Rivera <lu...@hotmail.com> wrote:
> >
> >      Thanks a lot Vicio and Magnus,
> >
> > I will try Vicio's suggestion first since I am using applets and writing to
> > the client's hard disk might not be a viable option. However, I wonder if
> > including a keystore in the jar file will do the trick. I am not sure if a
> > keystore is also looked for in the classpath, but I guess I can try.
> >
> >    Thanks again,
> >    --Luis R.
> >
> > >From: <vi...@accenture.com>
> > >Reply-To: axis-user@ws.apache.org
> > >To: <ax...@ws.apache.org>
> > >Subject: RE: Axis https/SSL Server Certificate Validation question
> > >Date: Wed, 22 Nov 2006 12:53:12 +0100
> > >
> > >For avoiding certificate validation, try to use this code:
> > >
> > >AxisProperties.setProperty("axis.socketSecureFactory", "org.apache.axis.components.net.SunFakeTrustSocketFactory");
> > >
> > >it should solve your problem.
> > >
> > >
> > >Regards,
> > >Vicio.
> > >
> > >
> > >-----Original Message-----
> > >From: Magnus Bergman [mailto: magnus.bergman@voiceprovider.com]
> > >Sent: 22 novembre 2006 12.21
> > >To: axis-user@ws.apache.org
> > >Subject: Re: Axis https/SSL Server Certificate Validation question
> > >
> > >This is no axis problem, but anyway,
> > >I don't know how to bypass the certificate verification.
> > >But a solution to your problem is:
> > >
> > >add the self signed server cert into a truststore file that you put in
> > >your client-jar file and configure your client-app to use your shipped
> > >truststore file? Something like this:
> > >
> > >URL url = this.getClass().getClassLoader().getResource("truststore_in_jar");
> > >JarURLConnection conn = (JarURLConnection) url.openConnection();
> > >JarFile jar = conn.getJarFile();
> > >JarEntry entry = jar.getJarEntry("truststore_in_jar");
> > >InputStream is = jar.getInputStream(entry);
> > >File tmp = File.createTempFile("certs", ".cer");
> > >tmp.deleteOnExit();
> > >FileOutputStream fos = new FileOutputStream(tmp);
> > >byte[] buffer = new byte[1024];
> > >int bytes;
> > >while ((bytes = is.read(buffer)) > 0)
> > >    fos.write(buffer, 0, bytes);
> > >fos.close();
> > >is.close();
> > >url = tmp.toURL();
> > >System.out.println("setting truststore to: " + url.getPath());
> > >System.setProperty("javax.net.ssl.trustStore", url.getPath());
> > >
> > >this will of course write a temporary truststore to your client's local
> > >hard disk, but it works...
> > >
> > >regards
> > >Magnus
> > >
> > >
> > >--
> > >------------------------------------
> > >Magnus Bergman
> > >www.voiceprovider.se
> > >Mobile +46(0)733 63 42 08
> > >Office +46(0)8 525 080 08
> > >Fax +46(0)8 456 96 61
> > >Slottsbacken 6
> > >111 30 Stockholm
> > >------------------------------------
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > >For additional commands, e-mail: axis-user-help@ws.apache.org
> > >
> > >
> > >
> > >This message is for the designated recipient only and may contain
> > >privileged, proprietary, or otherwise private information.  If you have
> > >received it in error, please notify the sender immediately and delete
> > the
> > >original.  Any other use of the email by you is prohibited.
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > >For additional commands, e-mail: axis-user-help@ws.apache.org
> > >
> >
> > _________________________________________________________________
> > MSN Shopping has everything on your holiday list. Get expert picks by
> > style,
> > age, and price. Try it!
> > http://shopping.msn.com/content/shp/?ctId=8000,ptnrid=176,ptnrdata=200601&tcode=wlmtagline
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-user-help@ws.apache.org
> >
> >
>
>
> --
> - xucai

Re: Axis https/SSL Server Certificate Validation question

Posted by xu cai <je...@gmail.com>.
Actually, you can use
System.setProperty("javax.net.ssl.trustStore", "your key store file location").
It can set the truststore file path.


On 11/23/06, Luis Rivera <lu...@hotmail.com> wrote:


-- 
- xucai

RE: Axis https/SSL Server Certificate Validation question

Posted by Luis Rivera <lu...@hotmail.com>.

      Thanks a lot Vicio and Magnus,

I will try Vicio's suggestion first since I am using applets and writing to 
the client's hard disk might not be a viable option. However, I wonder if 
including a keystore in the jar file will do the trick. I am not sure if a 
keystore is also looked for in the classpath, but I guess I can try.

    Thanks again,
    --Luis R.

>From: <vi...@accenture.com>
>Reply-To: axis-user@ws.apache.org
>To: <ax...@ws.apache.org>
>Subject: RE: Axis https/SSL Server Certificate Validation question
>Date: Wed, 22 Nov 2006 12:53:12 +0100
>


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


RE: Axis https/SSL Server Certificate Validation question

Posted by vi...@accenture.com.
To avoid certificate validation, try using this code:

AxisProperties.setProperty("axis.socketSecureFactory",
        "org.apache.axis.components.net.SunFakeTrustSocketFactory");

It should solve your problem.


Regards,
Vicio.
 

-----Original Message-----
From: Magnus Bergman [mailto:magnus.bergman@voiceprovider.com] 
Sent: 22 novembre 2006 12.21
To: axis-user@ws.apache.org
Subject: Re: Axis https/SSL Server Certificate Validation question



Re: Axis https/SSL Server Certificate Validation question

Posted by Magnus Bergman <ma...@voiceprovider.com>.
This is no Axis problem, but anyway,
I don't know how to bypass the certificate verification.
But a solution to your problem is:

Add the self-signed server cert into a truststore file that you put in 
your client jar file and configure your client app to use your shipped 
truststore file. Something like this:
import java.io.*;
import java.net.JarURLConnection;
import java.net.URL;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Copies the truststore packaged in the client jar to a temp file and points
// JSSE at it. Call it before the first https connection: the default
// SSLContext reads javax.net.ssl.trustStore only once, when it is initialised.
void installShippedTrustStore() throws IOException {
    URL url = this.getClass().getClassLoader().getResource("truststore_in_jar");
    JarURLConnection conn = (JarURLConnection) url.openConnection();
    JarFile jar = conn.getJarFile();
    JarEntry entry = jar.getJarEntry("truststore_in_jar");
    File tmp = File.createTempFile("certs", ".cer");
    tmp.deleteOnExit();
    InputStream is = jar.getInputStream(entry);
    FileOutputStream fos = new FileOutputStream(tmp);
    try {
        byte[] buffer = new byte[1024];
        int bytes;
        while ((bytes = is.read(buffer)) != -1)   // read() returns -1 at end of stream
            fos.write(buffer, 0, bytes);
    } finally {
        fos.close();
        is.close();
    }
    // Use the file system path rather than url.getPath(): a file URL's path is
    // percent-encoded (spaces become %20) and is not a valid path on Windows.
    System.out.println("setting truststore to: " + tmp.getAbsolutePath());
    System.setProperty("javax.net.ssl.trustStore", tmp.getAbsolutePath());
}

This will of course write a temporary truststore to your client's local 
hard disk, but it works...

regards
Magnus



-- 
------------------------------------
Magnus Bergman
www.voiceprovider.se
Mobile +46(0)733 63 42 08
Office +46(0)8 525 080 08
Fax +46(0)8 456 96 61
Slottsbacken 6
111 30 Stockholm
------------------------------------

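An added example, not code from any of the posters or from Axis itself, that answers Luis's classpath question and covers both Magnus's shipped-truststore approach and Vicio's SunFakeTrustSocketFactory (which accepts any certificate, so the connection is encrypted but the server is no longer authenticated): the truststore is read straight from the classpath into a KeyStore, an SSLContext is built from it, and Axis is pointed at it through a JSSESocketFactory subclass, with nothing written to disk. It assumes Axis 1.4's JSSESocketFactory exposes the protected initFactory() hook and sslFactory field that SunFakeTrustSocketFactory itself overrides, and a JKS truststore resource named truststore_in_jar (constructed for this example).

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Hashtable;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.axis.AxisProperties;
import org.apache.axis.components.net.JSSESocketFactory;

/**
 * Axis 1.4 secure socket factory that trusts only the certificates in a
 * truststore shipped inside the client jar. Nothing is written to disk and
 * the JVM-wide javax.net.ssl.trustStore property is left untouched.
 *
 * Assumption: JSSESocketFactory exposes protected initFactory() and the
 * protected sslFactory field, the same hook SunFakeTrustSocketFactory
 * overrides (hypothetical if your Axis build differs).
 */
public class ShippedTrustStoreSocketFactory extends JSSESocketFactory {

    // Classpath resource name of the truststore; constructed for this example.
    static final String TRUSTSTORE_RESOURCE = "truststore_in_jar";

    public ShippedTrustStoreSocketFactory(Hashtable attributes) {
        super(attributes);
    }

    /** Builds an SSLContext whose only trust anchors come from the shipped truststore. */
    static SSLContext contextFromClasspath(String resource) throws Exception {
        InputStream in = ShippedTrustStoreSocketFactory.class
                .getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            throw new IOException("truststore resource not on classpath: " + resource);
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try {
            // null password: a JKS file can be read without it (only the
            // integrity check is skipped); the jar signature covers integrity.
            trustStore.load(in, null);
        } finally {
            in.close();
        }
        if (trustStore.size() == 0) {
            throw new IOException("truststore is empty; refusing to trust nothing");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());   // PKIX on Sun JSSE
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certs: server auth only
        return ctx;
    }

    // Axis calls this once, before the first https socket is created.
    protected void initFactory() throws IOException {
        try {
            sslFactory = contextFromClasspath(TRUSTSTORE_RESOURCE).getSocketFactory();
        } catch (Exception e) {
            IOException ioe = new IOException("cannot load shipped truststore: " + e);
            ioe.initCause(e);   // Java 5 idiom; IOException(String, Throwable) arrived in Java 6
            throw ioe;
        }
    }

    /** Registers this factory with Axis; call before creating the first Call or stub. */
    public static void install() {
        AxisProperties.setProperty("axis.socketSecureFactory",
                ShippedTrustStoreSocketFactory.class.getName());
    }
}
```

Call ShippedTrustStoreSocketFactory.install() once at startup; a missing or empty truststore makes socket creation fail rather than silently falling back to the JVM's default cacerts.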