Posted to java-user@axis.apache.org by Shasta Willson <sh...@gmail.com> on 2009/06/23 17:34:04 UTC

SSL : setting up truststore (and keystore?)

I have an SSL secured web service to consume.  It also uses a
usertoken/password in the SOAP header, which I'm doing with Rampart,
but I don't think that's relevant to my question.

I'd like to understand how to go from "have a certificate" to
trustStore (and/or KeyStore?) properly configured.  Currently I get
this error, which a google search suggests is related to not having it
set up right:

org.apache.axis2.AxisFault: Unconnected sockets not implemented
        at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)

Thank you,

- Shasta

Re: SSL : setting up truststore (and keystore?)

Posted by asheikh <as...@gmail.com>.
Thanks Dennis, I will try your suggestion and links


On Wed, Jun 24, 2009 at 11:08 AM, Dennis Sosnoski <dm...@sosnoski.com> wrote:

> I understand you're not opening the connection directly, but having it
> opened for you by the Axis2-generated stub, and admittedly my code doesn't
> help much directly in that situation.
>
> I'm not sure offhand how to make the server certificate authentication work
> in that situation, but I believe Axis2 is using the Commons HttpClient by
> default, and that appears to offer a way of using your own socket factory:
> http://hc.apache.org/httpclient-3.x/sslguide.html You should be able to
> use the Protocol.registerProtocol() approach outlined on that page (perhaps
> with "myhttps" rather than just "https" as the protocol, just to make sure
> your handling doesn't interfere with other requests - and see their link to
> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup for an example).
>
>  - Dennis
>
> --
> Dennis M. Sosnoski
> Java XML and Web Services
> Axis2 Training and Consulting
> http://www.sosnoski.com - http://www.sosnoski.co.nz
> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
>
> asheikh wrote:
>
>> Dennis,
>>
>> Thanks for the code and suggestions.
>> "The app server should have some way of configuring SSL support, and even
>> though that configuration is going to be intended more for inbound
>> connections it might also have settings for outbound connections."
>>
>> Yes, I have configured the application server and I could see the
>> certificates loaded from my custom key/trust store, but it still complains no
>> trust certificate found.
>>
>> I am not sure why it works the first time when I deploy the war, and it
>> doesn't work after I restart the application server.
>>
>> But my concern is that I am using a web service client stub/proxy (Axis2),
>> and I am providing the endpoint to the stub; my code doesn't handle
>> connections.
>>
>> thanks again
>>
>>
>> On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski <dms@sosnoski.com> wrote:
>>
>>    I'm surprised this works at all in an app server environment. The
>>    app server should have some way of configuring SSL support, and
>>    even though that configuration is going to be intended more for
>>    inbound connections it might also have settings for outbound
>>    connections.
>>
>>    Aside from that, you can take direct control over the
>>    authentication of the presented server certificate by implementing
>>    your own TrustManager. Here's a method which illustrates this
>>    approach, from an open source project I developed which needed to
>>    work with custom certificate authorities for server SSL/TLS
>>    certificates:
>>    /**
>>     * Open a connection to a server. If the connection type is 'https' and a
>>     * certificate authority keystore is supplied, that certificate authority
>>     * will be used when establishing the connection to the server.
>>     *
>>     * @param target destination URL (must use 'http' or 'https' protocol)
>>     * @param castore keystore containing certificate authority certificate
>>     * @return connection
>>     * @throws IOException
>>     * @throws NoSuchAlgorithmException
>>     * @throws KeyManagementException
>>     * @throws KeyStoreException
>>     */
>>    private HttpURLConnection openConnection(String target, KeyStore castore)
>>        throws IOException, NoSuchAlgorithmException, KeyManagementException,
>>        KeyStoreException {
>>        URL url = new URL(target);
>>        HttpURLConnection conn = (HttpURLConnection)url.openConnection();
>>        if (castore != null && target.toLowerCase().startsWith("https:")) {
>>            String alg = TrustManagerFactory.getDefaultAlgorithm();
>>            SSLContext context = SSLContext.getInstance("TLS");
>>            // managers0: the JVM's default trust anchors (cacerts or javax.net.ssl.trustStore)
>>            TrustManagerFactory tmfact0 = TrustManagerFactory.getInstance(alg);
>>            tmfact0.init((KeyStore)null);
>>            final TrustManager[] managers0 = tmfact0.getTrustManagers();
>>            // managers1: the supplied custom certificate authority store
>>            TrustManagerFactory tmfact1 = TrustManagerFactory.getInstance(alg);
>>            tmfact1.init(castore);
>>            final TrustManager[] managers1 = tmfact1.getTrustManagers();
>>            TrustManager manager = new X509TrustManager() {
>>                private X509TrustManager getTM(TrustManager[] tms) {
>>                    for (int i = 0; i < tms.length; i++) {
>>                        TrustManager tm = tms[i];
>>                        if (tm instanceof X509TrustManager) {
>>                            return (X509TrustManager)tm;
>>                        }
>>                    }
>>                    return null;
>>                }
>>
>>                public void checkClientTrusted(X509Certificate[] chain, String type)
>>                    throws CertificateException {
>>                    X509TrustManager tm = getTM(managers0);
>>                    if (tm != null) {
>>                        tm.checkClientTrusted(chain, type);
>>                    }
>>                }
>>
>>                // accept the chain if either the default anchors or the custom CA verify it
>>                public void checkServerTrusted(X509Certificate[] chain, String type)
>>                    throws CertificateException {
>>                    X509TrustManager tm = getTM(managers0);
>>                    if (tm != null) {
>>                        try {
>>                            tm.checkServerTrusted(chain, type);
>>                            return;
>>                        } catch (CertificateException e) {
>>                            // deliberately empty
>>                        }
>>                    }
>>                    tm = getTM(managers1);
>>                    if (tm != null) {
>>                        try {
>>                            tm.checkServerTrusted(chain, type);
>>                            return;
>>                        } catch (CertificateException e) {
>>                            // deliberately empty
>>                        }
>>                    }
>>                    throw new CertificateException("Certificate chain cannot be verified");
>>                }
>>
>>                public X509Certificate[] getAcceptedIssuers() {
>>                    // s_emptyCertArray: an empty X509Certificate[] field of the enclosing class (not shown)
>>                    X509TrustManager tm = getTM(managers0);
>>                    X509Certificate[] certs0 = s_emptyCertArray;
>>                    if (tm != null) {
>>                        certs0 = tm.getAcceptedIssuers();
>>                    }
>>                    tm = getTM(managers1);
>>                    X509Certificate[] certs1 = s_emptyCertArray;
>>                    if (tm != null) {
>>                        certs1 = tm.getAcceptedIssuers();
>>                    }
>>                    X509Certificate[] certs = new X509Certificate[certs0.length+certs1.length];
>>                    System.arraycopy(certs0, 0, certs, 0, certs0.length);
>>                    System.arraycopy(certs1, 0, certs, certs0.length, certs1.length);
>>                    return certs;
>>                }
>>            };
>>            context.init(null, new TrustManager[] { manager }, null);
>>            SSLSocketFactory sockfactory = context.getSocketFactory();
>>            ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
>>        }
>>        return conn;
>>    }
>>
>>     - Dennis
>>
>>    --    Dennis M. Sosnoski
>>    Java XML and Web Services
>>    Axis2 Training and Consulting
>>    http://www.sosnoski.com - http://www.sosnoski.co.nz
>>    Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>>
>>
>>    asheikh wrote:
>>
>>        Hi,
>>
>>        I have a strange problem with using SSL server. I have a war
>>        application which has a jar that connects to a SSL web service.
>>
>>        System.setProperty("javax.net.ssl.keyStore", url.getPath());
>>        System.setProperty("javax.net.ssl.keyStoreType", "jks");
>>        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>>        System.setProperty("javax.net.ssl.trustStore", url.getPath());
>>        System.setProperty("javax.net.ssl.trustStoreType", "jks");
>>        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>>
>>        First time, when I deploy the application on weblogic server
>>        everything works, but after restarting the application server
>>        then I get "no trust certificate found"
>>
>>        any idea please
>>
>>        thanks
>>
>>        On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <dms@sosnoski.com> wrote:
>>
>>           Hi Shasta,
>>
>>           I've never had any problems setting the client truststore using
>>           the javax.net.ssl.truststore property, so I suspect
>>        something is
>>           wrong with your actual truststore/keystore files. You might
>>        want
>>           to check what's actually in the stores using a tool such as
>>           http://portecle.sourceforge.net/
>>
>>           For convenience, you can also set the value of these properties
>>           using JVM parameters rather than in your client code, using
>>        this
>>           type of format: -Djavax.net.ssl.trustStore=path
>>
>>           If you do a search on javax.net.ssl.truststore you'll find many
>>           articles and discussions of the topic. The Tomcat documentation
>>           also has a good discussion of configuring SSL for the server,
>>           though I don't think that includes anything on a Java client
>>           configuration.
>>
>>            - Dennis
>>
>>           --    Dennis M. Sosnoski
>>           Java XML and Web Services
>>           Axis2 Training and Consulting
>>           http://www.sosnoski.com - http://www.sosnoski.co.nz
>>           Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>>
>>
>>
>>
>>           Shasta Willson wrote:
>>
>>               Thought I'd reply to my own message with some
>>        information that
>>               might be useful:
>>
>>               despite using keytool
>>                     (
>> http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html)
>>               to
>>               install the certificate, and various combinations of these
>>               properties
>>               to theoretically point to it (where keyStore and
>>               trustStorePass are
>>               paths to generated files):
>>
>>
>>               System.setProperty("javax.net.ssl.keyStore", keyStore);
>>               System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
>>               System.setProperty("javax.net.ssl.trustStore", trustStore);
>>               System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
>>
>>
>>               I never did get it to work that way.  (I eventually
>>        built an
>>               SSLTest.java that JUST connected so I could eliminate other
>>               configuration issues, but even in that simplified context I
>>               couldn't
>>               get it working.)
>>
>>               What finally worked for me (for the SSLTest program) was to
>>               put the
>>               certificate into the normal java location and over-write
>>               cacerts.  I
>>               could do that since no one else is using Java on this server
>>               and this
>>               is the first time I've needed to place a certificate.
>>         i.e. I
>>               wasn't
>>               going to break something else in the process.
>>
>>               I found this very useful tool during my research :
>>
>> http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html
>>
>>               I could have avoided three days waiting for the
>>        service-owner
>>               to send
>>               a certificate, had I known about it.
>>
>>               Hope that helps someone else save time.
>>
>>               - Shasta
>>
>>               On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willson <shastaw@gmail.com> wrote:
>>                                 I have an SSL secured web service to
>> consume.  It
>>        also uses a
>>                   usertoken/password in the SOAP header, which I'm doing
>>                   with Rampart,
>>                   but I don't think that's relevant to my question.
>>
>>                   I'd like to understand how to go from "have a
>>        certificate" to
>>                   trustStore (and/or KeyStore?) properly configured.
>>                    Currently I get
>>                   this error, which a google search suggests is
>>        related to
>>                   not having it
>>                   set up right:
>>
>>                   org.apache.axis2.AxisFault: Unconnected sockets not implemented
>>                           at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
>>
>>                   Thank you,
>>
>>                   - Shasta
>>
>>
>>
>>
>>
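Dennis's advice in the quoted messages above is to point javax.net.ssl.trustStore at a store and to check what is actually inside it, and Shasta's eventual workaround was to overwrite cacerts. What follows is an added example, not code from this thread or from Axis2: it goes from a certificate file to a dedicated truststore without touching cacerts, lists what the store contains and whether each anchor is still valid (the check Dennis suggests doing with Portecle), and hands that store to a single HTTPS connection. One caveat worth knowing: the javax.net.ssl.* properties are read when the JVM's default SSLContext is first initialised, so setting them from application code after the container has already done TLS work has no effect; passing the store explicitly, as below or as the castore argument of Dennis's openConnection(), sidesteps that. The file names, the password and the URL are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): build a dedicated JKS truststore from a
 * PEM or DER certificate file, inspect it, and use it for one HttpsURLConnection
 * without editing the JDK's cacerts or setting global system properties.
 * File names, password and URL below are assumptions for the example.
 */
public class TrustStoreBuilder {

    /** Import every certificate found in certPath into a fresh JKS truststore written to storePath. */
    public static KeyStore buildTrustStore(String certPath, String storePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, null);                          // start from an empty store, not from a file
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(certPath);
        try {
            // generateCertificates() also handles PEM bundles with several certificates in one file
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            int i = 0;
            for (Certificate c : certs) {
                X509Certificate x = (X509Certificate) c;
                // alias by subject so that keytool -list / Portecle show something readable
                store.setCertificateEntry("ca-" + (i++) + "-" + x.getSubjectX500Principal().getName(), x);
            }
        } finally {
            in.close();
        }
        OutputStream out = new FileOutputStream(storePath);
        try {
            store.store(out, password);
        } finally {
            out.close();
        }
        return store;
    }

    /** The "what is actually in the store" check, done from code: trusted anchors and their validity. */
    public static void describe(KeyStore store) throws GeneralSecurityException {
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!store.isCertificateEntry(alias)) {
                continue;                                // private-key entries are keystore material, not trust anchors
            }
            X509Certificate x = (X509Certificate) store.getCertificate(alias);
            String status;
            try {
                x.checkValidity();
                status = "valid";
            } catch (CertificateException ex) {
                status = "EXPIRED OR NOT YET VALID";
            }
            System.out.println(alias + " issuer=" + x.getIssuerX500Principal()
                    + " notAfter=" + x.getNotAfter() + " " + status);
        }
    }

    /** Open an HTTPS connection that trusts only the anchors in trustStore. */
    public static HttpsURLConnection open(String url, KeyStore trustStore)
            throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // hostname verification stays at its default; do not replace it with an accept-all verifier
        return conn;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();            // assumption: demo password only
        KeyStore ts = buildTrustStore("service-ca.pem", "service-truststore.jks", pw);
        describe(ts);
        // either hand the store to code such as Dennis's openConnection(target, castore) ...
        HttpsURLConnection conn = open("https://service.example/ws", ts);
        System.out.println("HTTP " + conn.getResponseCode());
        // ... or point the whole JVM at the file instead, the same as -Djavax.net.ssl.trustStore=...:
        // System.setProperty("javax.net.ssl.trustStore", "service-truststore.jks");
        // System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    }
}
```

The truststore written here holds only certificate entries; a keystore (javax.net.ssl.keyStore) is needed only when the service requires a client certificate, which nothing in this thread indicates, so the two should be kept as separate files rather than one JKS serving both roles.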

Re: SSL : setting up truststore (and keystore?)

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
I understand you're not opening the connection directly, but having it 
opened for you by the Axis2-generated stub, and admittedly my code 
doesn't help much directly in that situation.

I'm not sure offhand how to make the server certificate authentication 
work in that situation, but I believe Axis2 is using the Commons 
HttpClient by default, and that appears to offer a way of using your own 
socket factory: http://hc.apache.org/httpclient-3.x/sslguide.html You 
should be able to use the Protocol.registerProtocol() approach outlined 
on that page (perhaps with "myhttps" rather than just "https" as the 
protocol, just to make sure your handling doesn't interfere with other 
requests - and see their link to 
http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup 
for an example).

  - Dennis

-- 
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117



asheikh wrote:
> Dennis,
>
> Thanks for the code and suggestions.
> "The app server should have some way of configuring SSL support, and 
> even though that configuration is going to be intended more for 
> inbound connections it might also have settings for outbound connections."
>
> Yes, I have configured the application server and I could see the 
> certificates loaded from my custom key/trust store, but it still 
> complains no trust certificate found.
>
> I am not sure why it works the first time when I deploy the war, and 
> it doesn't work after I restart the application server.
>
> But my concern is that I am using a web service client 
> stub/proxy (Axis2), and I am providing the endpoint to the stub; my 
> code doesn't handle connections.
>
> thanks again
>
>
> On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski <dms@sosnoski.com> wrote:
>
>     I'm surprised this works at all in an app server environment. The
>     app server should have some way of configuring SSL support, and
>     even though that configuration is going to be intended more for
>     inbound connections it might also have settings for outbound
>     connections.
>
>     Aside from that, you can take direct control over the
>     authentication of the presented server certificate by implementing
>     your own TrustManager. Here's a method which illustrates this
>     approach, from an open source project I developed which needed to
>     work with custom certificate authorities for server SSL/TLS
>     certificates:
>     /**
>      * Open a connection to a server. If the connection type is 'https' and a
>      * certificate authority keystore is supplied, that certificate authority
>      * will be used when establishing the connection to the server.
>      *
>      * @param target destination URL (must use 'http' or 'https' protocol)
>      * @param castore keystore containing certificate authority certificate
>      * @return connection
>      * @throws IOException
>      * @throws NoSuchAlgorithmException
>      * @throws KeyManagementException
>      * @throws KeyStoreException
>      */
>     private HttpURLConnection openConnection(String target, KeyStore castore)
>         throws IOException, NoSuchAlgorithmException, KeyManagementException,
>         KeyStoreException {
>         URL url = new URL(target);
>         HttpURLConnection conn = (HttpURLConnection)url.openConnection();
>         if (castore != null && target.toLowerCase().startsWith("https:")) {
>             String alg = TrustManagerFactory.getDefaultAlgorithm();
>             SSLContext context = SSLContext.getInstance("TLS");
>             // managers0: the JVM's default trust anchors (cacerts or javax.net.ssl.trustStore)
>             TrustManagerFactory tmfact0 = TrustManagerFactory.getInstance(alg);
>             tmfact0.init((KeyStore)null);
>             final TrustManager[] managers0 = tmfact0.getTrustManagers();
>             // managers1: the supplied custom certificate authority store
>             TrustManagerFactory tmfact1 = TrustManagerFactory.getInstance(alg);
>             tmfact1.init(castore);
>             final TrustManager[] managers1 = tmfact1.getTrustManagers();
>             TrustManager manager = new X509TrustManager() {
>                 private X509TrustManager getTM(TrustManager[] tms) {
>                     for (int i = 0; i < tms.length; i++) {
>                         TrustManager tm = tms[i];
>                         if (tm instanceof X509TrustManager) {
>                             return (X509TrustManager)tm;
>                         }
>                     }
>                     return null;
>                 }
>
>                 public void checkClientTrusted(X509Certificate[] chain, String type)
>                     throws CertificateException {
>                     X509TrustManager tm = getTM(managers0);
>                     if (tm != null) {
>                         tm.checkClientTrusted(chain, type);
>                     }
>                 }
>
>                 // accept the chain if either the default anchors or the custom CA verify it
>                 public void checkServerTrusted(X509Certificate[] chain, String type)
>                     throws CertificateException {
>                     X509TrustManager tm = getTM(managers0);
>                     if (tm != null) {
>                         try {
>                             tm.checkServerTrusted(chain, type);
>                             return;
>                         } catch (CertificateException e) {
>                             // deliberately empty
>                         }
>                     }
>                     tm = getTM(managers1);
>                     if (tm != null) {
>                         try {
>                             tm.checkServerTrusted(chain, type);
>                             return;
>                         } catch (CertificateException e) {
>                             // deliberately empty
>                         }
>                     }
>                     throw new CertificateException("Certificate chain cannot be verified");
>                 }
>
>                 public X509Certificate[] getAcceptedIssuers() {
>                     // s_emptyCertArray: an empty X509Certificate[] field of the enclosing class (not shown)
>                     X509TrustManager tm = getTM(managers0);
>                     X509Certificate[] certs0 = s_emptyCertArray;
>                     if (tm != null) {
>                         certs0 = tm.getAcceptedIssuers();
>                     }
>                     tm = getTM(managers1);
>                     X509Certificate[] certs1 = s_emptyCertArray;
>                     if (tm != null) {
>                         certs1 = tm.getAcceptedIssuers();
>                     }
>                     X509Certificate[] certs = new X509Certificate[certs0.length+certs1.length];
>                     System.arraycopy(certs0, 0, certs, 0, certs0.length);
>                     System.arraycopy(certs1, 0, certs, certs0.length, certs1.length);
>                     return certs;
>                 }
>             };
>             context.init(null, new TrustManager[] { manager }, null);
>             SSLSocketFactory sockfactory = context.getSocketFactory();
>             ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
>         }
>         return conn;
>     }
>
>      - Dennis
>
>     -- 
>     Dennis M. Sosnoski
>     Java XML and Web Services
>     Axis2 Training and Consulting
>     http://www.sosnoski.com - http://www.sosnoski.co.nz
>     Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
>     asheikh wrote:
>
>         Hi,
>
>         I have a strange problem with using SSL server. I have a war
>         application which has a jar that connects to a SSL web service.
>
>         System.setProperty("javax.net.ssl.keyStore", url.getPath());
>         System.setProperty("javax.net.ssl.keyStoreType", "jks");
>         System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>         System.setProperty("javax.net.ssl.trustStore", url.getPath());
>         System.setProperty("javax.net.ssl.trustStoreType", "jks");
>         System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>
>         First time, when I deploy the application on weblogic server
>         everything works, but after restarting the application server
>         then I get "no trust certificate found"
>
>         any idea please
>
>         thanks
>
>         On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <dms@sosnoski.com> wrote:
>
>            Hi Shasta,
>
>            I've never had any problems setting the client truststore using
>            the javax.net.ssl.truststore property, so I suspect
>         something is
>            wrong with your actual truststore/keystore files. You might
>         want
>            to check what's actually in the stores using a tool such as
>            http://portecle.sourceforge.net/
>
>            For convenience, you can also set the value of these properties
>            using JVM parameters rather than in your client code, using
>         this
>            type of format: -Djavax.net.ssl.trustStore=path
>
>            If you do a search on javax.net.ssl.truststore you'll find many
>            articles and discussions of the topic. The Tomcat documentation
>            also has a good discussion of configuring SSL for the server,
>            though I don't think that includes anything on a Java client
>            configuration.
>
>             - Dennis
>
>            --    Dennis M. Sosnoski
>            Java XML and Web Services
>            Axis2 Training and Consulting
>            http://www.sosnoski.com - http://www.sosnoski.co.nz
>            Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
>
>
>            Shasta Willson wrote:
>
>                Thought I'd reply to my own message with some
>         information that
>                might be useful:
>
>                despite using keytool
>              
>          (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html)
>                to
>                install the certificate, and various combinations of these
>                properties
>                to theoretically point to it (where keyStore and
>                trustStorePass are
>                paths to generated files):
>
>                System.setProperty("javax.net.ssl.keyStore", keyStore);
>                System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
>                System.setProperty("javax.net.ssl.trustStore", trustStore);
>                System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
>
>
>                I never did get it to work that way.  (I eventually
>         built an
>                SSLTest.java that JUST connected so I could eliminate other
>                configuration issues, but even in that simplified context I
>                couldn't
>                get it working.)
>
>                What finally worked for me (for the SSLTest program) was to
>                put the
>                certificate into the normal java location and over-write
>                cacerts.  I
>                could do that since no one else is using Java on this server
>                and this
>                is the first time I've needed to place a certificate.
>          i.e. I
>                wasn't
>                going to break something else in the process.
>
>                I found this very useful tool during my research :
>              
>          http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html
>
>                I could have avoided three days waiting for the
>         service-owner
>                to send
>                a certificate, had I known about it.
>
>                Hope that helps someone else save time.
>
>                - Shasta
>
>                On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willson <shastaw@gmail.com> wrote:
>                
>                    I have an SSL secured web service to consume.  It
>         also uses a
>                    usertoken/password in the SOAP header, which I'm doing
>                    with Rampart,
>                    but I don't think that's relevant to my question.
>
>                    I'd like to understand how to go from "have a
>         certificate" to
>                    trustStore (and/or KeyStore?) properly configured.
>                     Currently I get
>                    this error, which a google search suggests is
>         related to
>                    not having it
>                    set up right:
>
>                    org.apache.axis2.AxisFault: Unconnected sockets not implemented
>                            at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
>
>                    Thank you,
>
>                    - Shasta
>
>                      
>
>                
>
>

Re: SSL : setting up truststore (and keystore?)

Posted by asheikh <as...@gmail.com>.
Dennis,

Thanks for the code and suggestions.
"The app server should have some way of configuring SSL support, and even
though that configuration is going to be intended more for inbound
connections it might also have settings for outbound connections."

Yes, I have configured the application server and I could see the
certificates loaded from my custom key/trust store, but it still complains no
trust certificate found.

I am not sure why it works the first time when I deploy the war, and it
doesn't work after I restart the application server.

But my concern is that I am using a web service client stub/proxy (Axis2), and
I am providing the endpoint to the stub; my code doesn't handle connections.

thanks again


On Wed, Jun 24, 2009 at 10:12 AM, Dennis Sosnoski <dm...@sosnoski.com> wrote:

> I'm surprised this works at all in an app server environment. The app
> server should have some way of configuring SSL support, and even though that
> configuration is going to be intended more for inbound connections it might
> also have settings for outbound connections.
>
> Aside from that, you can take direct control over the authentication of the
> presented server certificate by implementing your own TrustManager. Here's a
> method which illustrates this approach, from an open source project I
> developed which needed to work with custom certificate authorities for
> server SSL/TLS certificates:
>     /**
>      * Open a connection to a server. If the connection type is 'https' and a
>      * certificate authority keystore is supplied, that certificate authority
>      * will be used when establishing the connection to the server.
>      *
>      * @param target destination URL (must use 'http' or 'https' protocol)
>      * @param castore keystore containing certificate authority certificate
>      * @return connection
>      * @throws IOException
>      * @throws NoSuchAlgorithmException
>      * @throws KeyManagementException
>      * @throws KeyStoreException
>      */
>     private HttpURLConnection openConnection(String target, KeyStore castore)
>         throws IOException, NoSuchAlgorithmException, KeyManagementException,
>         KeyStoreException {
>         URL url = new URL(target);
>         HttpURLConnection conn = (HttpURLConnection)url.openConnection();
>         if (castore != null && target.toLowerCase().startsWith("https:")) {
>             String alg = TrustManagerFactory.getDefaultAlgorithm();
>             SSLContext context = SSLContext.getInstance("TLS");
>             // managers0: the JVM's default trust anchors (cacerts or javax.net.ssl.trustStore)
>             TrustManagerFactory tmfact0 = TrustManagerFactory.getInstance(alg);
>             tmfact0.init((KeyStore)null);
>             final TrustManager[] managers0 = tmfact0.getTrustManagers();
>             // managers1: the supplied custom certificate authority store
>             TrustManagerFactory tmfact1 = TrustManagerFactory.getInstance(alg);
>             tmfact1.init(castore);
>             final TrustManager[] managers1 = tmfact1.getTrustManagers();
>             TrustManager manager = new X509TrustManager() {
>                 private X509TrustManager getTM(TrustManager[] tms) {
>                     for (int i = 0; i < tms.length; i++) {
>                         TrustManager tm = tms[i];
>                         if (tm instanceof X509TrustManager) {
>                             return (X509TrustManager)tm;
>                         }
>                     }
>                     return null;
>                 }
>
>                 public void checkClientTrusted(X509Certificate[] chain, String type)
>                     throws CertificateException {
>                     X509TrustManager tm = getTM(managers0);
>                     if (tm != null) {
>                         tm.checkClientTrusted(chain, type);
>                     }
>                 }
>
>                 // accept the chain if either the default anchors or the custom CA verify it
>                 public void checkServerTrusted(X509Certificate[] chain, String type)
>                     throws CertificateException {
>                     X509TrustManager tm = getTM(managers0);
>                     if (tm != null) {
>                         try {
>                             tm.checkServerTrusted(chain, type);
>                             return;
>                         } catch (CertificateException e) {
>                             // deliberately empty
>                         }
>                     }
>                     tm = getTM(managers1);
>                     if (tm != null) {
>                         try {
>                             tm.checkServerTrusted(chain, type);
>                             return;
>                         } catch (CertificateException e) {
>                             // deliberately empty
>                         }
>                     }
>                     throw new CertificateException("Certificate chain cannot be verified");
>                 }
>
>                 public X509Certificate[] getAcceptedIssuers() {
>                     // s_emptyCertArray: an empty X509Certificate[] field of the enclosing class (not shown)
>                     X509TrustManager tm = getTM(managers0);
>                     X509Certificate[] certs0 = s_emptyCertArray;
>                     if (tm != null) {
>                         certs0 = tm.getAcceptedIssuers();
>                     }
>                     tm = getTM(managers1);
>                     X509Certificate[] certs1 = s_emptyCertArray;
>                     if (tm != null) {
>                         certs1 = tm.getAcceptedIssuers();
>                     }
>                     X509Certificate[] certs = new X509Certificate[certs0.length+certs1.length];
>                     System.arraycopy(certs0, 0, certs, 0, certs0.length);
>                     System.arraycopy(certs1, 0, certs, certs0.length, certs1.length);
>                     return certs;
>                 }
>             };
>             context.init(null, new TrustManager[] { manager }, null);
>             SSLSocketFactory sockfactory = context.getSocketFactory();
>             ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
>         }
>         return conn;
>     }
>
>  - Dennis
>
> --
> Dennis M. Sosnoski
> Java XML and Web Services
> Axis2 Training and Consulting
> http://www.sosnoski.com - http://www.sosnoski.co.nz
> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
> asheikh wrote:
>
>> Hi,
>>
>> I have a strange problem with using SSL server. I have a war application
>> which has a jar that connects to a SSL web service.
>>
>> System.setProperty("javax.net.ssl.keyStore", url.getPath());
>>        System.setProperty("jjavax.net.ssl.keyStoreType", "jks");
>>        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>>        System.setProperty("javax.net.ssl.trustStore", url.getPath());
>>        System.setProperty("javax.net.ssl.trustStoreType", "jks");
>>        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>>
>> First time, when I deploy the application on weblogic server everything
>> works, but after restarting the application server then I get "no trust
>> certificate found"
>>
>> any idea please
>>
>> thanks
>>
>> On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <dms@sosnoski.com<mailto:
>> dms@sosnoski.com>> wrote:
>>
>>    Hi Shasta,
>>
>>    I've never had any problems setting the client truststore using
>>    the javax.net.ssl.truststore property, so I suspect something is
>>    wrong with your actual truststore/keystore files. You might want
>>    to check what's actually in the stores using a tool such as
>>    http://portecle.sourceforge.net/
>>
>>    For convenience, you can also set the value of these properties
>>    using JVM parameters rather than in your client code, using this
>>    type of format: -Djavax.net.ssl.trustStore=path
>>
>>    If you do a search on javax.net.ssl.truststore you'll find many
>>    articles and discussions of the topic. The Tomcat documentation
>>    also has a good discussion of configuring SSL for the server,
>>    though I don't think that includes anything on a Java client
>>    configuration.
>>
>>     - Dennis
>>
>>    --    Dennis M. Sosnoski
>>    Java XML and Web Services
>>    Axis2 Training and Consulting
>>    http://www.sosnoski.com - http://www.sosnoski.co.nz
>>    Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>>
>>
>>
>>
>>    Shasta Willson wrote:
>>
>>        Thought I'd reply to my own message with some information that
>>        might be useful:
>>
>>        despite using keytool
>>        (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html
>> )
>>        to
>>        install the certificate, and various combinations of these
>>        properties
>>        to theoretically point to it (where keyStore and
>>        trustStorePass are
>>        paths to generated files):
>>
>>                  System.setProperty("javax.net.ssl.keyStore",keyStore);
>>                  System.setProperty("javax.net.ssl.keyStorePassword",
>>        keyPass);
>>                  System.setProperty("javax.net.ssl.trustStore",
>>        trustStore);
>>                  System.setProperty("javax.net.ssl.trustStorePassword",
>>        trustStorePass);
>>
>>
>>        I never did get it to work that way.  (I eventually built an
>>        SSLTest.java that JUST connected so I could eliminate other
>>        configuration issues, but even in that simplified context I
>>        couldn't
>>        get it working.)
>>
>>        What finally worked for me (for the SSLTest program) was to
>>        put the
>>        certificate into the normal java location and over-write
>>        cacerts.  I
>>        could do that since noone else is using Java on this server
>>        and this
>>        is the first time I've needed to place a certificate.  i.e. I
>>        wasn't
>>        going to break something else in the process.
>>
>>        I found this very useful tool during my research :
>>
>> http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html
>>
>>        I could have avoided three days waiting for the service-owner
>>        to send
>>        a certificate, had I known about it.
>>
>>        Hope that helps someone else save time.
>>
>>        - Shasta
>>
>>        On Tue, Jun 23, 2009 at 8:34 AM, Shasta
>>        Willson<shastaw@gmail.com <ma...@gmail.com>> wrote:
>>
>>            I have an SSL secured web service to consume.  It also uses a
>>            usertoken/password in the SOAP header, which I'm doing
>>            with Rampart,
>>            but I don't think that's relevant to my question.
>>
>>            I'd like to understand how to go from "have a certificate" to
>>            trustStore (and/or KeyStore?) properly configured.
>>             Currently I get
>>            this error, which a google search suggests is related to
>>            not having it
>>            set up right:
>>
>>            org.apache.axis2.AxisFault: Unconnected sockets not
>>            implemented
>>                  at
>>            org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
>>
>>            Thank you,
>>
>>            - Shasta
>>
>>
>>
>>
>>
>

Re: SSL : setting up truststore (and keystore?)

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
I'm surprised this works at all in an app server environment. The app 
server should have some way of configuring SSL support, and even though 
that configuration is going to be intended more for inbound connections 
it might also have settings for outbound connections.

Aside from that, you can take direct control over the authentication of 
the presented server certificate by implementing your own TrustManager. 
Here's a method which illustrates this approach, from an open source 
project I developed which needed to work with custom certificate 
authorities for server SSL/TLS certificates:
   
    // The imports, the enclosing class and the s_emptyCertArray field were not
    // in the message as posted; they are the minimum needed for the method to
    // compile. The class name is illustrative.
    import java.io.IOException;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    public class CustomCaConnector {

        private static final X509Certificate[] s_emptyCertArray = new X509Certificate[0];

        /**
         * Open a connection to a server. If the connection type is 'https' and a
         * certificate authority keystore is supplied, that certificate authority
         * will be used when establishing the connection to the server.
         *
         * @param target destination URL (must use 'http' or 'https' protocol)
         * @param castore keystore containing certificate authority certificate
         * @return connection
         * @throws IOException
         * @throws NoSuchAlgorithmException
         * @throws KeyManagementException
         * @throws KeyStoreException
         */
        private HttpURLConnection openConnection(String target, KeyStore castore)
            throws IOException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
            URL url = new URL(target);
            HttpURLConnection conn = (HttpURLConnection)url.openConnection();
            if (castore != null && target.toLowerCase().startsWith("https:")) {
                String alg = TrustManagerFactory.getDefaultAlgorithm();
                SSLContext context = SSLContext.getInstance("TLS");
                // managers0: the JRE's default trust store (cacerts, or whatever
                // javax.net.ssl.trustStore points at)
                TrustManagerFactory tmfact0 = TrustManagerFactory.getInstance(alg);
                tmfact0.init((KeyStore)null);
                final TrustManager[] managers0 = tmfact0.getTrustManagers();
                // managers1: the supplied certificate authority store
                TrustManagerFactory tmfact1 = TrustManagerFactory.getInstance(alg);
                tmfact1.init(castore);
                final TrustManager[] managers1 = tmfact1.getTrustManagers();
                // Composite manager: a server chain is accepted if either store
                // validates it; both stores still go through the normal PKIX checks.
                TrustManager manager = new X509TrustManager() {

                    private X509TrustManager getTM(TrustManager[] tms) {
                        for (int i = 0; i < tms.length; i++) {
                            TrustManager tm = tms[i];
                            if (tm instanceof X509TrustManager) {
                                return (X509TrustManager)tm;
                            }
                        }
                        return null;
                    }

                    // Only reached when this context is used on the server side
                    // of a connection; for an outbound client it is never called.
                    public void checkClientTrusted(X509Certificate[] chain, String type)
                        throws CertificateException {
                        X509TrustManager tm = getTM(managers0);
                        if (tm != null) {
                            tm.checkClientTrusted(chain, type);
                        }
                    }

                    public void checkServerTrusted(X509Certificate[] chain, String type)
                        throws CertificateException {
                        // First try the default store ...
                        X509TrustManager tm = getTM(managers0);
                        if (tm != null) {
                            try {
                                tm.checkServerTrusted(chain, type);
                                return;
                            } catch (CertificateException e) {
                                // deliberately empty: fall through to the custom CA store
                            }
                        }
                        // ... then the supplied CA store
                        tm = getTM(managers1);
                        if (tm != null) {
                            try {
                                tm.checkServerTrusted(chain, type);
                                return;
                            } catch (CertificateException e) {
                                // deliberately empty: neither store accepted the chain
                            }
                        }
                        throw new CertificateException("Certificate chain cannot be verified");
                    }

                    // Union of the issuers accepted by both stores
                    public X509Certificate[] getAcceptedIssuers() {
                        X509TrustManager tm = getTM(managers0);
                        X509Certificate[] certs0 = s_emptyCertArray;
                        if (tm != null) {
                            certs0 = tm.getAcceptedIssuers();
                        }
                        tm = getTM(managers1);
                        X509Certificate[] certs1 = s_emptyCertArray;
                        if (tm != null) {
                            certs1 = tm.getAcceptedIssuers();
                        }
                        X509Certificate[] certs = new X509Certificate[certs0.length+certs1.length];
                        System.arraycopy(certs0, 0, certs, 0, certs0.length);
                        System.arraycopy(certs1, 0, certs, certs0.length, certs1.length);
                        return certs;
                    }
                };
                context.init(null, new TrustManager[] { manager }, null);
                SSLSocketFactory sockfactory = context.getSocketFactory();
                // Only this connection uses the composite trust manager; the JVM-wide
                // default SSL context is untouched. HttpsURLConnection still performs
                // its own host name check against the server certificate.
                ((HttpsURLConnection)conn).setSSLSocketFactory(sockfactory);
            }
            return conn;
        }
    }

  - Dennis

-- 
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117


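Dennis's method hands the composite trust manager to an HttpsURLConnection that his own code opens. An Axis2-generated stub does not open its own connection; it goes through Commons HttpClient 3.x, which has to be given a socket factory instead. The class below is an added example (mine, not from the original post, and not part of Axis2 or HttpClient) that wraps any SSLContext, such as one initialised with the composite manager above, as an HttpClient protocol socket factory and attaches it to a single Axis2 ServiceClient (for a generated stub, `stub._getServiceClient()`). Assumptions: Axis2 1.x on the HttpClient 3.x transport with the CUSTOM_PROTOCOL_HANDLER option (if your Axis2 build does not read it, `Protocol.registerProtocol("https", ...)` registers the factory JVM-wide instead), and Java 7 or later for `setEndpointIdentificationAlgorithm`. Two things worth knowing that the stock setup does not do for you: HttpClient 3.x's own SSL socket factory does not check that the certificate matches the host name it connected to, so the example asks JSSE to do that during the handshake; and the javax.net.ssl.* system properties are read once, when the JVM's default SSL context is first initialised, which is why setting them from inside one WAR on a shared application server is unreliable, whereas a per-client SSLContext is not.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Hypothetical adapter (not part of Axis2 or HttpClient): exposes an
 * application-built SSLContext as an HttpClient 3.x socket factory so an
 * Axis2 1.x stub uses it for https: endpoints.
 */
public class ContextProtocolSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory factory;

    public ContextProtocolSocketFactory(SSLContext context) {
        this.factory = context.getSocketFactory();
    }

    /**
     * HttpClient 3.x does not verify that the server certificate matches the
     * host name; ask JSSE to do it during the handshake (Java 7 and later).
     * Must run before the handshake starts, i.e. before the first read/write.
     */
    private static Socket withHostnameCheck(Socket socket) {
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return withHostnameCheck(factory.createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        return withHostnameCheck(factory.createSocket(host, port, localAddress, localPort));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params)
            throws IOException, UnknownHostException, ConnectTimeoutException {
        // Honour HttpClient's connect timeout: unconnected socket, optional bind,
        // then connect with the timeout, all before the TLS handshake.
        int timeout = params == null ? 0 : params.getConnectionTimeout();
        Socket socket = withHostnameCheck(factory.createSocket());
        if (localAddress != null) {
            socket.bind(new InetSocketAddress(localAddress, localPort));
        }
        try {
            socket.connect(new InetSocketAddress(host, port), timeout);
        } catch (SocketTimeoutException e) {
            socket.close();
            throw new ConnectTimeoutException("connect to " + host + ":" + port + " timed out", e);
        }
        return socket;
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return withHostnameCheck(factory.createSocket(socket, host, port, autoClose));
    }

    /** Attach to one Axis2 client only; nothing is registered JVM-wide. */
    public static void applyTo(ServiceClient client, SSLContext context) {
        ProtocolSocketFactory psf = new ContextProtocolSocketFactory(context);
        Protocol https = new Protocol("https", psf, 443);
        client.getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, https);
    }
}
```

Build the SSLContext once (for instance with a TrustManagerFactory initialised from a truststore that holds the service's CA), call `ContextProtocolSocketFactory.applyTo(stub._getServiceClient(), context)`, and the stub's https calls validate the server chain against that store and the host name against the certificate, without touching cacerts or any system property.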

Re: SSL : setting up truststore (and keystore?)

Posted by asheikh <as...@gmail.com>.
Hi,

I have a strange problem using an SSL server. I have a WAR application
which has a JAR that connects to an SSL web service.

        // The same file is used as both the key store (client identity) and
        // the trust store (accepted server certificates/CAs).
        System.setProperty("javax.net.ssl.keyStore", url.getPath());
        // property name corrected: the original read "jjavax.net.ssl.keyStoreType"
        System.setProperty("javax.net.ssl.keyStoreType", "jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", url.getPath());
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

The first time, when I deploy the application on the WebLogic server, everything
works, but after restarting the application server I get "no trust
certificate found".

Any idea, please?

Thanks

On Wed, Jun 24, 2009 at 7:19 AM, Dennis Sosnoski <dm...@sosnoski.com> wrote:

> Hi Shasta,
>
> I've never had any problems setting the client truststore using the
> javax.net.ssl.truststore property, so I suspect something is wrong with your
> actual truststore/keystore files. You might want to check what's actually in
> the stores using a tool such as http://portecle.sourceforge.net/
>
> For convenience, you can also set the value of these properties using JVM
> parameters rather than in your client code, using this type of format:
> -Djavax.net.ssl.trustStore=path
>
> If you do a search on javax.net.ssl.truststore you'll find many articles
> and discussions of the topic. The Tomcat documentation also has a good
> discussion of configuring SSL for the server, though I don't think that
> includes anything on a Java client configuration.
>
>  - Dennis
>
> --
> Dennis M. Sosnoski
> Java XML and Web Services
> Axis2 Training and Consulting
> http://www.sosnoski.com - http://www.sosnoski.co.nz
> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
>
>
> Shasta Willson wrote:
>
>> Thought I'd reply to my own message with some information that might be
>> useful:
>>
>> despite using keytool
>> (http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html) to
>> install the certificate, and various combinations of these properties
>> to theoretically point to it (where keyStore and trustStorePass are
>> paths to generated files):
>>
>>           System.setProperty("javax.net.ssl.keyStore",keyStore);
>>           System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
>>           System.setProperty("javax.net.ssl.trustStore", trustStore);
>>           System.setProperty("javax.net.ssl.trustStorePassword",
>> trustStorePass);
>>
>>
>> I never did get it to work that way.  (I eventually built an
>> SSLTest.java that JUST connected so I could eliminate other
>> configuration issues, but even in that simplified context I couldn't
>> get it working.)
>>
>> What finally worked for me (for the SSLTest program) was to put the
>> certificate into the normal java location and over-write cacerts.  I
>> could do that since noone else is using Java on this server and this
>> is the first time I've needed to place a certificate.  i.e. I wasn't
>> going to break something else in the process.
>>
>> I found this very useful tool during my research :
>>
>> http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html
>>
>> I could have avoided three days waiting for the service-owner to send
>> a certificate, had I known about it.
>>
>> Hope that helps someone else save time.
>>
>> - Shasta
>>
>> On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willson<sh...@gmail.com> wrote:
>>
>>
>>> I have an SSL secured web service to consume.  It also uses a
>>> usertoken/password in the SOAP header, which I'm doing with Rampart,
>>> but I don't think that's relevant to my question.
>>>
>>> I'd like to understand how to go from "have a certificate" to
>>> trustStore (and/or KeyStore?) properly configured.  Currently I get
>>> this error, which a google search suggests is related to not having it
>>> set up right:
>>>
>>> org.apache.axis2.AxisFault: Unconnected sockets not implemented
>>>       at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
>>>
>>> Thank you,
>>>
>>> - Shasta
>>>
>>>
>>>
>>
>>
>>
>

Re: SSL : setting up truststore (and keystore?)

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
Hi Shasta,

I've never had any problems setting the client truststore using the 
javax.net.ssl.truststore property, so I suspect something is wrong with 
your actual truststore/keystore files. You might want to check what's 
actually in the stores using a tool such as http://portecle.sourceforge.net/

For convenience, you can also set the value of these properties using 
JVM parameters rather than in your client code, using this type of 
format: -Djavax.net.ssl.trustStore=path

If you do a search on javax.net.ssl.truststore you'll find many articles 
and discussions of the topic. The Tomcat documentation also has a good 
discussion of configuring SSL for the server, though I don't think that 
includes anything on a Java client configuration.

  - Dennis

-- 
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117



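Dennis's advice is to look at what the store files actually contain. The program below is an added example (mine, not from the thread) that does that check from Java rather than with a GUI tool, and answers the "trustStore and/or keyStore?" part of the question: javax.net.ssl.trustStore must hold trusted-certificate entries (the service's CA, or the server certificate itself if it is self-signed) and is what makes the server's chain validate; javax.net.ssl.keyStore holds your own private key and is only needed if the server asks for a client certificate. The property names are case-sensitive (trustStore, keyStore). Besides counting entries, it asks JSSE's own trust manager which issuers it would accept from the file, because SunJSSE also treats the leaf certificate of a private-key entry as trusted, which is why a client keystore used as the truststore sometimes works by accident. The class name and the command-line layout are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Reports what a JKS or PKCS12 file really contains and whether it can act as
 * a truststore (needs trusted-certificate entries) or a keystore (needs a
 * private-key entry). Usage: java StoreCheck <file> <password> [JKS|PKCS12]
 */
public class StoreCheck {

    static final class Summary {
        int trustedCertEntries;
        int privateKeyEntries;
        int acceptedIssuers;   // what SunJSSE's X509TrustManager would actually trust

        boolean usableAsTrustStore() { return acceptedIssuers > 0; }
        boolean usableAsKeyStore()   { return privateKeyEntries > 0; }
    }

    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password);   // wrong password or wrong type fails here, not at connect time
        } finally {
            in.close();
        }
        return store;
    }

    static Summary inspect(KeyStore store) throws Exception {
        Summary s = new Summary();
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (store.isCertificateEntry(alias)) {
                s.trustedCertEntries++;
                describe("trustedCertEntry", alias, store.getCertificate(alias));
            } else if (store.isKeyEntry(alias)) {
                s.privateKeyEntries++;
                Certificate[] chain = store.getCertificateChain(alias);
                describe("PrivateKeyEntry", alias,
                         chain == null || chain.length == 0 ? null : chain[0]);
            }
        }
        // Ask JSSE itself which issuers it would accept from this file.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                s.acceptedIssuers += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return s;
    }

    private static void describe(String kind, String alias, Certificate cert) {
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println(kind + " " + alias + ": " + x.getSubjectX500Principal()
                + " (issuer " + x.getIssuerX500Principal() + ", expires " + x.getNotAfter() + ")");
        } else {
            System.out.println(kind + " " + alias + ": no X.509 certificate");
        }
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        Summary s = inspect(load(args[0], args[1].toCharArray(), type));
        System.out.println("trusted cert entries: " + s.trustedCertEntries
            + ", private key entries: " + s.privateKeyEntries
            + ", issuers JSSE would accept: " + s.acceptedIssuers);
        System.out.println("usable as javax.net.ssl.trustStore: " + s.usableAsTrustStore());
        System.out.println("usable as javax.net.ssl.keyStore:   " + s.usableAsKeyStore());
    }
}
```

Run it against the exact file and password you pass in -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword: a load failure means the path, password or store type is wrong; zero accepted issuers means the certificate was never imported as a trusted entry; an expiry date in the past means the import was fine but the certificate itself is no longer valid.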

Re: SSL : setting up truststore (and keystore?)

Posted by Shasta Willson <sh...@gmail.com>.
Thought I'd reply to my own message with some information that might be useful:

despite using keytool
(http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html) to
install the certificate, and various combinations of these properties
to theoretically point to it (where keyStore and trustStorePass are
paths to generated files):

           System.setProperty("javax.net.ssl.keyStore", keyStore);
           System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
           System.setProperty("javax.net.ssl.trustStore", trustStore);
           System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);


I never did get it to work that way.  (I eventually built an
SSLTest.java that JUST connected so I could eliminate other
configuration issues, but even in that simplified context I couldn't
get it working.)

What finally worked for me (for the SSLTest program) was to put the
certificate into the normal java location and over-write cacerts.  I
could do that since no one else is using Java on this server and this
is the first time I've needed to place a certificate.  i.e. I wasn't
going to break something else in the process.

I found this very useful tool during my research :
http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html

I could have avoided three days waiting for the service-owner to send
a certificate, had I known about it.

Hope that helps someone else save time.

- Shasta

On Tue, Jun 23, 2009 at 8:34 AM, Shasta Willson<sh...@gmail.com> wrote:
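The step Shasta was missing, going from "have a certificate" to a truststore the client can use, does not require touching cacerts. Overwriting cacerts replaces the JRE's entire set of trusted roots for every program on that JRE, and the next JRE update puts the stock file back. The program below is an added example (mine, not from the thread) that reads the certificate file the service owner sent (PEM or DER), prints its subject, issuer, expiry and SHA-256 fingerprint so you can compare it with what the owner published out of band, and writes a separate JKS truststore containing just that certificate as a trusted-cert entry; you then point the client at it with -Djavax.net.ssl.trustStore. That last check matters most when the certificate was fetched from the server with a tool rather than received from its owner: a fetched certificate proves only that something answered on that port. The class name, alias and file names are my own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Builds a dedicated truststore holding one CA (or self-signed server)
 * certificate, leaving the JRE's shared cacerts untouched.
 * Usage: java MakeTrustStore <cert.pem|cert.der> <truststore.jks> <password>
 */
public class MakeTrustStore {

    /** Reads one X.509 certificate from a PEM or DER file. */
    static X509Certificate readCertificate(String path) throws IOException, GeneralSecurityException {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding. */
    static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** Writes a JKS store containing the certificate as a trusted-cert entry (no private key). */
    static void writeTrustStore(X509Certificate cert, String alias, String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, null);                    // start from an empty store
        store.setCertificateEntry(alias, cert);    // trusted-cert entry, what a truststore needs
        OutputStream out = new FileOutputStream(path);
        try {
            store.store(out, password);
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = readCertificate(args[0]);
        cert.checkValidity();   // fail now on an expired or not-yet-valid certificate
        System.out.println("Subject:   " + cert.getSubjectX500Principal());
        System.out.println("Issuer:    " + cert.getIssuerX500Principal());
        System.out.println("Not after: " + cert.getNotAfter());
        System.out.println("SHA-256:   " + fingerprint(cert));
        writeTrustStore(cert, "service-ca", args[1], args[2].toCharArray());
        System.out.println("Wrote " + args[1] + "; start the client with"
            + " -Djavax.net.ssl.trustStore=" + args[1]
            + " -Djavax.net.ssl.trustStorePassword=<password>");
    }
}
```

Because the store holds only a trusted-cert entry, it is not a keystore: leave javax.net.ssl.keyStore unset unless the service requires a client certificate, in which case that is a separate file holding your private key.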