Posted to users@tomcat.apache.org by "McClure, Timothy J(IndSys, GE Interlogix)" <Ti...@ge.com> on 2003/09/08 17:00:38 UTC

Tomcat IBM JVM 1.4 and SSL truststores

I am trying to use client SSL socket connections running underneath Tomcat on AIX with IBM JVM 1.4.  I set the 'algorithm' keyword in the server.xml file and this seems to work well for key store (server socket) connections.  However I cannot get the trust store side to work appropriately, I always get an I/O exception on SunX509 algorithm.  I notice in the code it appears that the "SunX509" is hard coded to the TrustStoreManager.  How do I get it to use IbmX509?  I set the trustManagerType to IbmX509 through -D options but this also did not work.

Tim

Re: Tomcat IBM JVM 1.4 and SSL truststores

Posted by Bill Barker <wb...@wilshire.com>.
I've just checked in a patch to have the TrustStore algorithm be the same
as the 'algorithm' (Tomcat 5 has a more general fix).  It should appear in
4.1.28.  If you need it sooner, you can download from the CVS.

"McClure, Timothy J(IndSys, GE Interlogix)" <Ti...@ge.com> wrote in
message
news:F0C893FC2E24F946A250F440BF21EA9904370841@FTWMLVEM01.e2k.ad.ge.com...
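As an added illustration of the configuration the fix above applies to (this fragment is not from the thread and not copied from the Tomcat documentation): a Tomcat 4.1 Coyote HTTPS connector on an IBM JVM, where the Factory element's algorithm attribute carries the IBM algorithm name that, after the 4.1.28 change, is used for the TrustManagerFactory as well as the KeyManagerFactory. The attribute names follow the Tomcat 4.1 SSL how-to; the port, paths and passwords are placeholders, and the assumption that the 4.1 JSSE socket factory finds the trust store through the standard JSSE system properties is mine (it matches the -D options the original post mentions).

```xml
<!-- Added example: server.xml fragment for a Tomcat 4.1 HTTPS connector on an IBM JVM.
     'algorithm' names the JSSE X509 algorithm ("SunX509" on Sun JVMs, "IbmX509" on
     IBM JVMs). With the 4.1.28 change the TrustManagerFactory is created with this
     same name instead of the hard-coded "SunX509". Paths and passwords are placeholders. -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="true"
           protocol="TLS"
           algorithm="IbmX509"
           keystoreFile="/opt/tomcat/conf/server.jks"
           keystorePass="changeit" />
</Connector>
<!-- The CA certificates used to validate client certificates (clientAuth="true") are
     assumed to be read from the standard JSSE system properties, set in CATALINA_OPTS:
       -Djavax.net.ssl.trustStore=/opt/tomcat/conf/client-cas.jks
       -Djavax.net.ssl.trustStorePassword=changeit
     Only CA certificates belong in that file; never put the server's private key there. -->
```

Two checks worth running before blaming Tomcat: confirm the trust store opens with the password you pass (keytool -list -keystore /opt/tomcat/conf/client-cas.jks), and confirm the algorithm name really is registered by the JVM you start Tomcat with, since a misspelt or foreign name (for example "SunX509" on an IBM JVM) fails at TrustManagerFactory.getInstance() and surfaces as the I/O exception described in the original post.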




Re: Tomcat IBM JVM 1.4 and SSL truststores

Posted by Bill Barker <wb...@wilshire.com>.
It's possible to configure PureTLS (which Tomcat supports) to support
untrusted certs.

"Jerry Birchler" <jr...@comcast.net> wrote in message
news:NDBBLNCGLJEKFAGHDLIBKEKJFFAA.jrbirchler@comcast.net...
> I tried both the IBM and Sun packages. Unfortunately, neither handled
> expired or untrusted certificates. In my case, I did not care one way or
> the other whether or not the certificate was "trusted". By virtue of
> parsing or spidering a site, I was making a choice. Perhaps you have the
> same situation? If so, then this will work for you.
> [...]




RE: Tomcat IBM JVM 1.4 and SSL truststores

Posted by Jerry Birchler <jr...@comcast.net>.
I tried both the IBM and Sun packages. Unfortunately, neither handled
expired or untrusted certificates. In my case, I did not care one way or the
other whether or not the certificate was "trusted". By virtue of
parsing or spidering a site, I was making a choice. Perhaps you have the
same situation? If so, then this will work for you.

I found the attached source on the internet somewhere, and I was able to
successfully implement it in a core class to my html parsers and spiders.
Here is the snippet of code that is found in that core class. The class file
you will need follows the snippet.

import java.net.HttpURLConnection;
import java.net.URL;
//
// it's important to use the javax flavors of these packages; the deprecated
// com.sun.net.ssl equivalents are a separate class hierarchy and the cast
// below would fail against them
//
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

//
// put this in your constructor...
// (with the JDK 1.4 JSSE the provider and the https: handler are registered
// by default, so no java.protocol.handler.pkgs or Security.addProvider()
// call is needed)
//

//
// ..... whatever code you want
// (objURL is the java.net.URL field of the enclosing class, objUC the
// HttpURLConnection it ends up with, blnSSL whether the URL is https:)
//
      if ( blnSSL )
      {
        try
        {
          // install a TrustManager that accepts ANY server certificate as the
          // default for every HttpsURLConnection opened in this JVM
          X509TrustManager oTrustMngr = new EnlistaTrustManager();
          TrustManager oEnlistaTrustManagers[] = {oTrustMngr};
          SSLContext ctx = SSLContext.getInstance("SSL");
          ctx.init(null, oEnlistaTrustManagers, null);
          SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
          HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
        }
        catch(Exception e)
        {
          e.printStackTrace();
        }
        objUC = (HttpsURLConnection)objURL.openConnection();
      }
      else
      {
        objUC = (HttpURLConnection)objURL.openConnection();
      }


// use your own package. this is the class called by the snippet above.

package com.efn.cmn.uihelper.urlscraper;

import javax.net.ssl.X509TrustManager;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// EnlistaTrustManager implements javax.net.ssl.X509TrustManager and accepts
// ANY certificate: no chain building, no expiry check, no issuer check.

public class EnlistaTrustManager implements X509TrustManager
{

  public EnlistaTrustManager()
  { // constructor
    // No trust store is created or loaded: nothing is ever validated
    // against one; every chain is accepted in the check methods below.
  }

  // Called for the client's certificate when this side is the server.
  // Accepts all.
  public void checkClientTrusted(X509Certificate chain[], String authType)
    throws CertificateException
  {
    return;
  }

/**
 * This function is called with the chain the server presented, before any
 * application data is exchanged. A conforming implementation throws
 * CertificateException for a chain it does not trust; this one never does.
 *
 * @throws CertificateException never; every chain is accepted
 */
  public void checkServerTrusted(X509Certificate oaChain[], String sAuthType)
    throws CertificateException
  {
    // special handling such as popping dialog boxes could go here

    // Treat the certificate as valid.
    return;
  }

  /**
   * Returns the accepted issuers. This implementation returns an empty
   * array, so no CA is advertised to peers; all acceptance happens in
   * checkServerTrusted.
   */
  public X509Certificate[] getAcceptedIssuers() {
    return new X509Certificate[0];
  }
}

-----Original Message-----
From: McClure, Timothy J(IndSys, GE Interlogix)
[mailto:Tim.McClure@ge.com]
Sent: Monday, September 08, 2003 10:01 AM
To: Tomcat Users List; McClure, Timothy J(IndSys, GE Interlogix)
Subject: Tomcat IBM JVM 1.4 and SSL truststores



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
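The trust-all manager above removes the only authentication TLS gives a client: anyone who can intercept the connection presents a certificate of their own and reads or alters the traffic, and "untrusted" or "expired" is exactly what such a certificate looks like. What follows is an added example, my own code rather than anything posted in this thread or shipped with Tomcat, of the alternative a practitioner usually wants for the two cases discussed here. It delegates to whatever X509 trust manager the running JVM provides (SunX509 on Sun JVMs, IbmX509 on IBM JVMs, looked up through TrustManagerFactory.getDefaultAlgorithm() instead of a hard-coded name, which is the same mistake the original post hit in Tomcat 4.1), and for one specific site whose certificate has been verified out of band it accepts that single leaf certificate by SHA-256 fingerprint while still enforcing its validity period. The class name PinnedTrustManager, the all-zero placeholder fingerprint in main(), and the Java 5+ language level are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the thread or from Tomcat). Delegates to the JVM's
 * own X509 trust manager and additionally accepts an explicit allow-list of
 * leaf certificates identified by SHA-256 fingerprint. Everything else is
 * rejected, exactly as the platform manager would reject it.
 */
public final class PinnedTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final Set<String> pinnedSha256;

    public PinnedTrustManager(KeyStore trustStore, Set<String> pinnedSha256) throws Exception {
        // Never hard-code "SunX509": ask the JVM which implementation it ships
        // ("SunX509" on Sun/Oracle JVMs, "IbmX509" on IBM JVMs).
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(trustStore); // null => the JVM default (cacerts or javax.net.ssl.trustStore)
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager from " + alg);
        this.platform = found;
        this.pinnedSha256 = new HashSet<String>(pinnedSha256);
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        try {
            platform.checkServerTrusted(chain, authType);
            return; // chains to a trusted CA and is inside its validity period
        } catch (CertificateException platformRejection) {
            // Fallback: only the exact leaf certificate we pinned, and only while
            // it is valid. An expired pin still fails, which is the point: an
            // attacker-supplied certificate never matches the pin.
            X509Certificate leaf = chain[0];
            if (pinnedSha256.contains(fingerprint(leaf))) {
                leaf.checkValidity(); // CertificateExpiredException / NotYetValidException
                return;
            }
            throw platformRejection;
        }
    }

    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }

    /** Upper-case hex SHA-256 of the DER encoding, i.e. openssl x509 -fingerprint -sha256 without colons. */
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) sb.append(String.format("%02X", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder pin (assumption of this example); replace it with the
        // fingerprint of the certificate you verified out of band.
        Set<String> pins = new HashSet<String>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(null, pins) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // From here on every HttpsURLConnection in the JVM uses the pinned manager.
    }
}
```

Two points a reviewer would raise about the original class still apply here: javax.net.ssl.X509TrustManager has exactly the three methods implemented above (isServerTrusted belonged to the old com.sun.net.ssl interface and is never called by the JDK), and even a correct trust manager does not check that the certificate's subject matches the host name; for HttpsURLConnection that is the job of HostnameVerifier, so a spider that installs a custom manager should leave the default verifier in place rather than replacing it with one that returns true.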