Posted to java-user@axis.apache.org by Jon Horsman <ho...@gmail.com> on 2007/06/04 21:42:05 UTC

Client connection options

Is there a way through the client connection options that you can tell
it to accept a self signed cert?  I'm trying to run axis over HTTPS
and am running into the "unable to find valid certification path to
requested target" exception.  I've done a lot of reading and
everything says that you should use keytool to import your cert into
$JAVA_HOME//lib/security/cacerts which works and solves my problem but
due to deployment issues this is very impractical for me.  Anyways, it
would be much easier if it was possible to simply tell the client to
trust all certs.

Thanks for the help.

Jon.

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Client connection options

Posted by Jon Horsman <ho...@gmail.com>.
> Anything else I have to do?

Hopefully someone else will chime in to help you as i'm not really
sure.  I didn't actually create the cert i am using, it was created by
another group here at work.  As mentioned, all i had to do was import
the cert and it worked, sorry i'm not more help.

Jon



RE: Client connection options

Posted by Raghu Upadhyayula <ru...@responsys.com>.
Hi Jon,

I've used these commands to create & import my server.crt file to
cacerts and executed my program, but I'm still getting the same
exception "unable to find valid certification path to requested target"

Anything else I have to do?

%JAVA_HOME%\bin\keytool -delete -alias tomcat -keypass changeit

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit  -file server.crt

%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit

Thanks

Raghu

-----Original Message-----
From: Jon Horsman [mailto:horshaq@gmail.com]
Sent: Monday, June 04, 2007 2:21 PM
To: axis-user@ws.apache.org
Subject: Re: Client connection options

On 6/4/07, Raghu Upadhyayula <ru...@responsys.com> wrote:
> Jon,
> I'm getting the "unable to find valid certification path to requested target"
> exception when trying to access my web service using https
>
> From your email it looks like you were able to get this working and you
> are looking for something else.
>
> Can you please let me know what changes should I be doing for this to work?

Hey Raghu, figured i'd post back on the list since it can be searched
by someone later, hopefully that is ok with you...

Anyways, i can't comment on your actual program since i'm still new
with axis and have never tried to use SSL before.  I can tell you how
i got mine working though.

Pretty much all i did was import my cert using keytool, as follows
$JAVA_HOME/bin/keytool -import -trustcacerts -alias "your_alias" -file /path/to/server.crt -keystore $JAVA_HOME/lib/security/cacerts

This got rid of the "unable to find valid certification path to
requested target" exceptions and my webservice seems to work as
expected.

For my application though i can't be messing around with certs as it
will be a pain to deploy in the field, which is why i need to simply
tell axis to trust all certs.

Hope this helps.

Jon.

Re: Client connection options

Posted by Jon Horsman <ho...@gmail.com>.
> We started looking into this issue and have added support for a custom
> protocol factory in latest svn:
> http://www.mail-archive.com/axis-cvs@ws.apache.org/msg17172.html

Good news.

> We are yet to write a SunFakeTrustSocketFactory for use with Axis2.
> Any help would be welcome.

That would explain why i had such a hard time finding this :)  Not
sure i'd be much help since i'm new to axis, i just got brought on to
do the https stuff at the last minute and look how long it took me to
figure that out, lol.  Anyways, hopefully someone else will benefit
from this thread in the future and all is good.

Jon.



Re: Client connection options

Posted by Davanum Srinivas <da...@gmail.com>.
Jon,

We started looking into this issue and have added support for a custom
protocol factory in latest svn:
http://www.mail-archive.com/axis-cvs@ws.apache.org/msg17172.html

We are yet to write a SunFakeTrustSocketFactory for use with Axis2.
Any help would be welcome.

thanks,
dims

On 6/5/07, Jon Horsman <ho...@gmail.com> wrote:
> > For my application though i can't be messing around with certs as it
> > will be a pain to deploy in the field, which is why i need to simply
> > tell axis to trust all certs.
>
> After spending all day yesterday looking I came across
>
> AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
>
> which seems like it should do what i want.  It doesn't seem to be
> working with axis2 1.1.1 though.  Some more looking and apparently
> this is only for axis1?
>
> I then found the following post
> http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=51&t=004513
>
> which says that you can use the not-yet-commons-ssl-0.3.7.jar and a
> class called EasySSLProtocolSocketFactory.  I'm just about to try to
> get this to work, but after reading the various warnings on
> http://juliusdavies.ca/commons-ssl/ about how it's only alpha, etc, i'm
> wondering if it can be trusted?  Is there another, better solution to
> this problem for axis2 1.1.1?
>
> Thanks,
>
> Jon
>


-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: Client connection options

Posted by Jon Horsman <ho...@gmail.com>.
> http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=51&t=004513

Just to follow up, i think the information in this post seems to work,
i still have a lot more testing to do.

Protocol.unregisterProtocol("https");
Protocol.registerProtocol("https",
    new Protocol("https", new EasySSLProtocolSocketFactory(), 443));

Jon.
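
An alternative to the trust-all socket factory discussed in this thread, as an added example that is not part of the original posts or of Axis: it builds an SSLContext whose only trust anchor is a server.crt shipped with the client, so the JDK's cacerts is never modified and the server is still authenticated. The class name PinnedTrust, the alias "service" and the certificate path argument are assumptions, as is the HTTP stack's use of the JVM default context.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example: trust one shipped certificate instead of every certificate. */
public final class PinnedTrust {

    /** Builds an SSLContext whose only trust anchor is the given PEM or DER certificate. */
    public static SSLContext contextTrustingOnly(byte[] certBytes) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert = cf.generateCertificate(new ByteArrayInputStream(certBytes));

        // In-memory trust store: nothing is written to cacerts or jssecacerts.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("service", serverCert); // alias is arbitrary

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No client key material (null) and the default SecureRandom (null).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java PinnedTrust <path-to-server.crt>");
            System.exit(2);
        }
        // Hypothetical location: the server.crt exported earlier, shipped with the client.
        SSLContext ctx = contextTrustingOnly(Files.readAllBytes(Paths.get(args[0])));

        // Assumption: the HTTP stack takes its sockets from the JVM default context.
        SSLContext.setDefault(ctx);
        System.out.println("Default SSLContext now trusts only " + args[0]);
    }
}
```

Where the HTTP stack is configured with its own socket factory, as with the Protocol.registerProtocol call above, a factory built on ctx.getSocketFactory() takes the place of the trust-all one.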



Re: Client connection options

Posted by Jon Horsman <ho...@gmail.com>.
> For my application though i can't be messing around with certs as it
> will be a pain to deploy in the field, which is why i need to simply
> tell axis to trust all certs.

After spending all day yesterday looking I came across

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");

which seems like it should do what i want.  It doesn't seem to be
working with axis2 1.1.1 though.  Some more looking and apparently
this is only for axis1?

I then found the following post
http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=51&t=004513

which says that you can use the not-yet-commons-ssl-0.3.7.jar and a
class called EasySSLProtocolSocketFactory.  I'm just about to try to
get this to work, but after reading the various warnings on
http://juliusdavies.ca/commons-ssl/ about how it's only alpha, etc, i'm
wondering if it can be trusted?  Is there another, better solution to
this problem for axis2 1.1.1?

Thanks,

Jon



Re: Client connection options

Posted by Jon Horsman <ho...@gmail.com>.
On 6/4/07, Raghu Upadhyayula <ru...@responsys.com> wrote:
> Jon,
> I'm getting the "unable to find valid certification path to requested target"
> exception when trying to access my web service using https
>
> From your email it looks like you were able to get this working and you
> are looking for something else.
>
> Can you please let me know what changes should I be doing for this to work?

Hey Raghu, figured i'd post back on the list since it can be searched
by someone later, hopefully that is ok with you...

Anyways, i can't comment on your actual program since i'm still new
with axis and have never tried to use SSL before.  I can tell you how
i got mine working though.

Pretty much all i did was import my cert using keytool, as follows
$JAVA_HOME/bin/keytool -import -trustcacerts -alias "your_alias" -file /path/to/server.crt -keystore $JAVA_HOME/lib/security/cacerts

This got rid of the "unable to find valid certification path to
requested target" exceptions and my webservice seems to work as
expected.

For my application though i can't be messing around with certs as it
will be a pain to deploy in the field, which is why i need to simply
tell axis to trust all certs.

Hope this helps.

Jon.



Re: Client connection options

Posted by Jon Horsman <ho...@gmail.com>.
>   1. If the file <java-home>/lib/security/cacerts exists, that file is used.
>   2. If the javax.net.ssl.trustStore system property was not specified,
>      then if the file <java-home>/lib/security/jssecacerts exists, that
>      file is used...
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

Yup, knew that already and got that to work earlier today but what i'm
looking for is a way to just tell axis to trust all certs without
having to modify either of the files you mention.  I was hoping there
would be something that you could set in your client connection
options, or something similar.  I need all info to be sent over ssl
but i don't care about host authentication.

Jon



Re: Client connection options

Posted by Martin Gainty <mg...@hotmail.com>.
  1. If the file <java-home>/lib/security/cacerts exists, that file is used.
  2. If the javax.net.ssl.trustStore system property was not specified,
     then if the file <java-home>/lib/security/jssecacerts exists, that
     file is used...
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

HTH
Martin

----- Original Message ----- 
From: "Jon Horsman" <ho...@gmail.com>
To: <ax...@ws.apache.org>
Sent: Monday, June 04, 2007 3:42 PM
Subject: Client connection options


> Is there a way through the client connection options that you can tell
> it to accept a self signed cert?  I'm trying to run axis over HTTPS
> and am running into the "unable to find valid certification path to
> requested target" exception.  I've done a lot of reading and
> everything says that you should use keytool to import your cert into
> $JAVA_HOME//lib/security/cacerts which works and solves my problem but
> due to deployment issues this is very impractical for me.  Anyways, it
> would be much easier if it was possible to simply tell the client to
> trust all certs.
>
> Thanks for the help.
>
> Jon.
>

