Posted to java-user@axis.apache.org by Sebastian Van Sande <se...@vansande.org> on 2009/01/28 10:56:26 UTC

Reload keystore file

Hi,

I have a problem with Axis2.

At my project, we have a Microsoft Exchange 2007, and some other project
has created an API to interact with this Exchange server with the help of
Axis2.
This other project uses a Websphere server to manage a keystore to do basic
authentication over SSL.
My application on the other hand runs as a standalone application, and I have
to manage the keystore myself.

Now, I managed to use this keystore to call the Exchange 2007 Web
services over SSL, and it works great.
But, as you probably know, certificates expire ... and they have to get
renewed.

So, I managed to create something like a 'KeyStoreManager' that will fetch the
new certificates from the Exchange server and put them in the keystore file.
And this works great as well .. *IF* I restart my application.

When my application modifies the keystore file, it looks like Axis2 is using
some caching mechanism. Because when I make the web service call again
(after inserting the new certificate in my keystore), it can't authenticate
because it cached the keystore file in memory.

To specify the keystore to Axis2, I use this code:

    System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");

To extract the new certificate and add it to my keystore, I use code based
on the one you can find at
http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore

The problem is: when the keystore file is updated with the new certificate,
axis2 doesn't seem to know about it because it uses a cached version of the
keystore file.

So my question is: how can I clear this axis2 keystore cache in some way so
axis2 will be forced to read the keystore file again?

Thank you for your help,

Kind regards,
Sebastian

Re: Reload keystore file

Posted by Sebastian Van Sande <se...@vansande.org>.
Nandana,

Thanks again for your reply. How can I do trust validation? Can you give me
some code example to make it more clear?

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 3:04 PM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:

> I just looked at the javadocs of the AuthSSLProtocolSocketFactory and its
> default implementation is doing the correct thing.
>
> "AuthSSLProtocolSocketFactory will enable server authentication when
> supplied with KeyStore truststore file containing one or several trusted
> certificates. The client secure socket will reject the connection during the
> SSL session handshake if the target HTTPS server attempts to authenticate
> itself with a non-trusted certificate.
> AuthSSLProtocolSocketFactory will enable client authentication when
> supplied with KeyStore keystore file containing a private key/public
> certificate pair. The client secure socket will use the private key to
> authenticate itself to the target HTTPS server during the SSL session
> handshake if requested to do so by the server. The target HTTPS server will
> in its turn verify the certificate presented by the client in order to
> establish client's authenticity."
>
> What I meant by a trust validation is we should check whether the
> certificate we received was signed with a certificate which is in our trust
> chain. Else how can you be sure that you got the legitimate certificate.
> Living in the intranet may make you a little safer, but still I think it is
> better to do a trust validation.
>
> thanks,
> nandana
>
> On Thu, Jan 29, 2009 at 6:52 PM, Sebastian Van Sande <
> sebastian@vansande.org> wrote:
>
>> I don't think so, I iterate over the certificate chain of the trustManager
>> and put each certificate in the keystore.
>>
>> How do I do a trust validation? And why should I need it? This is an
>> intranet application and the service url (which also provides the
>> certificates) basically stays the same.
>>
>> Kind regards,
>> Sebastian
>>
>>
>> On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya <
>> nandana.cse@gmail.com> wrote:
>>
>>> Great. BTW, do you do a trust validation on the received certificate ?
>>>
>>> thanks,
>>> nandana
>>>
>>>
>>> On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande <
>>> sebastian@vansande.org> wrote:
>>>
>>>> Thanks a lot, Nandana, injecting a custom socket factory to axis2 did
>>>> the job!
>>>>
>>>> This is what I did:
>>>> - I created a custom socket factory, based on the one you can find at
>>>> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
>>>> - I added a method in this custom socket factory to reset the
>>>> sslContext. This will result in reloading the keystore.
>>>>
>>>> The whole flow now works as follows when a certificate should get
>>>> renewed in the keystore:
>>>> - The application calls a method which will call a method on a stub
>>>> - The stub method throws an exception which is caught ...
>>>> - In this catch block I try to do an SSL handshake with the keystore.
>>>> - If the SSL handshake fails, I start an update method on a keystore
>>>> manager ..
>>>> - this update method will extract all the certificates from the service
>>>> and put them in the keystore file
>>>> - then, it will re-init the sslcontext in the custom socket factory
>>>> - the flow returns to the catch block in the original called method
>>>> which will call 1 more time the method on the stub with the same parameters.
>>>> If it fails again, it will throw an exception to the caller ...
>>>>
>>>> The result is that no operator action is needed to update the keystore
>>>> manually with new certificates and/or restart the application. Everything
>>>> goes automatically!
>>>>
>>>> Thanks again!
>>>>
>>>> Kind regards,
>>>> Sebastian
>>>>
>>>>
>>>> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya <
>>>> nandana.cse@gmail.com> wrote:
>>>>
>>>>>
>>>>>> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>>>>>
>>>>> You need to set a property in the options [1].
>>>>>
>>>>> thanks,
>>>>> nandana
>>>>>
>>>>> [1] - http://wso2.org/library/1646
>>>>>
>>>>>
>>>>>
>>>>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL
>>>>>> Socket Factory to make use of my keystore and force reloading.
>>>>>>
>>>>>> Thanks again for your help.
>>>>>>
>>>>>> Kind regards,
>>>>>> Sebastian
>>>>>>
>>>>>>
>>>>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <
>>>>>> nandana.cse@gmail.com> wrote:
>>>>>>
>>>>>>> I assume you use Axis2 as a web service client. I think a better
>>>>>>> solution for you would be to use a custom SSL Socket factory to handle your
>>>>>>> scenario. You can find more information on how to implement and use a custom
>>>>>>> SSL Socket factory here [1]. You can also raise the question on the commons
>>>>>>> http client list.
>>>>>>>
>>>>>>> thanks,
>>>>>>> nandana
>>>>>>>
>>>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>>>>>>
>>>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <
>>>>>>> sebastian@vansande.org> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Thanks for your reply, Yves Marie!
>>>>>>>>
>>>>>>>> Unfortunately, restarting the application is something we don't want
>>>>>>>> since this application will run 24/7 in a production environment.
>>>>>>>>
>>>>>>>> I'm looking for a way to let Axis2 know to reload the keystore file,
>>>>>>>> at runtime without restarting my application.
>>>>>>>> I know *when* it has to reload the keystore file, I just don't know
>>>>>>>> *how* to do this in code.
>>>>>>>>
>>>>>>>> If anyone knows how to let Axis2 reload the keystore file, let me
>>>>>>>> know!
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>> Sebastian
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
>>>>>>>> yves-marie.daniel@capgemini.com> wrote:
>>>>>>>>
>>>>>>>>>  Hi !
>>>>>>>>>
>>>>>>>>> With a Jonas application server and mutual authentication with
>>>>>>>>> SSL, we found that we had to restart Jonas so it could see the changes
>>>>>>>>> of path or content for keystores. It seems to be the same with Tomcat; I don't
>>>>>>>>> know if it is Axis2 or the application server.
>>>>>>>>>
>>>>>>>>> Yves-Marie
>>>>>>>>>
>>>>>>>>>  ------------------------------
>>>>>>>>> *From:* Sebastian Van Sande [mailto:sebastian@vansande.org]
>>>>>>>>> *Sent:* Thursday, 29 January 2009 08:07
>>>>>>>>> *To:* axis-user@ws.apache.org
>>>>>>>>> *Subject:* Re: Reload keystore file
>>>>>>>>>
>>>>>>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>>>>>>> Thank you.
>>>>>>> --
>>>>>>> Nandana Mihindukulasooriya
>>>>>>> WSO2 inc.
>>>>>>>
>>>>>>> http://nandana83.blogspot.com/
>>>>>>> http://www.wso2.org

Re: Reload keystore file

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
I just looked at the javadocs of the AuthSSLProtocolSocketFactory and its
default implementation is doing the correct thing.

"AuthSSLProtocolSocketFactory will enable server authentication when
supplied with KeyStore truststore file containing one or several trusted
certificates. The client secure socket will reject the connection during the
SSL session handshake if the target HTTPS server attempts to authenticate
itself with a non-trusted certificate.
AuthSSLProtocolSocketFactory will enable client authentication when supplied
with KeyStore keystore file containing a private key/public certificate pair.
The client secure socket will use the private key to authenticate itself to
the target HTTPS server during the SSL session handshake if requested to do
so by the server. The target HTTPS server will in its turn verify the
certificate presented by the client in order to establish client's
authenticity."

What I meant by a trust validation is we should check whether the
certificate we received was signed with a certificate which is in our trust
chain. Else how can you be sure that you got the legitimate certificate.
Living in the intranet may make you a little safer, but still I think it is
better to do a trust validation.

thanks,
nandana

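One way to get both things the thread asks for, the keystore reload that Sebastian built into his custom socket factory and the trust validation Nandana describes, in a single object: a trust manager that re-reads the trust store on demand and still runs the JDK's normal PKIX path validation on every handshake. This is an added example written for this page, not code from the thread, from Axis2 or from HttpClient; the path and password are placeholders taken from Sebastian's snippet, and the socket factory that calls reload() is assumed to be the one you already have.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trust manager that re-reads its trust store file when asked, so a
 * long-running client picks up renewed certificates without a restart.
 * Every handshake is still checked by the JDK's PKIX trust manager against
 * whatever the file currently contains; nothing is accepted blindly.
 */
public final class ReloadableTrustManager implements X509TrustManager {

    private final Path trustStorePath;      // e.g. Paths.get("/path/to/keystore.jks")
    private final char[] trustStorePassword; // placeholder in the thread: "thisisnottherealpassword"
    // Swapped atomically by reload(); handshakes already in progress keep the old one.
    private volatile X509TrustManager delegate;

    public ReloadableTrustManager(Path trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword.clone();
        reload();
    }

    /** Re-reads the JKS file from disk and installs a fresh PKIX trust manager. */
    public synchronized void reload() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            ks.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager for " + trustStorePath);
    }

    /**
     * Nandana's "trust validation": true only if the chain the service
     * presented builds a valid path to an anchor already in the trust store.
     * authType is the key-exchange name the handshake reports (for example
     * "RSA"), the same value JSSE passes to checkServerTrusted.
     * In the thread's update step, call this before deciding to import
     * anything: a chain that validates needs no import at all, and one that
     * does not should be reported to an operator, not added automatically.
     */
    public boolean isTrusted(X509Certificate[] chain, String authType) {
        try {
            delegate.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** SSLContext for the custom socket factory; it consults this object on every handshake. */
    public SSLContext newSslContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

Because the SSLContext holds a reference to this object rather than a snapshot of the file, calling reload() from the socket factory is enough; the context itself does not have to be re-initialised. Keeping the issuing CA rather than each server leaf in the trust store also means a routinely renewed server certificate validates with no file change at all, which is what Andreas's question is getting at.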

Re: Reload keystore file

Posted by Andreas Veithen <an...@gmail.com>.
If you blindly pull certificates from the server and don't need trust
validation, why do you need a keystore then?

Andreas


Re: Reload keystore file

Posted by Sebastian Van Sande <se...@vansande.org>.
I don't think so, I iterate over the certificate chain of the trustManager
and put each certificate in the keystore.

How do I do a trust validation? And why should I need it? This is an
intranet application and the service url (which also provides the
certificates) basically stays the same.

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:

> Great. BTW, do you do a trust validation on the received certificate ?
>
> thanks,
> nandana
>

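Nandana's question is the security-relevant one in this thread, and an intranet does not answer it: the flow described here imports whatever chain the service presents at the moment a handshake fails, so anyone on the path who can make the handshake fail by presenting their own certificate (a proxy, a spoofed DNS or ARP entry, a compromised host) gets that certificate added to the trust store for good. The following is an added example written for this page, not Sebastian's KeyStoreManager and not Axis2 or HttpClient code: it captures the presented chain without trusting it, then accepts the renewed certificate only if it is currently valid, was signed by a CA that is already in the trust store, and carries the expected host name. Class and method names, the host, port, trust-store path, password and alias are all this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Imports a renewed service certificate only after checking it against what is already trusted. */
public class VerifiedKeyStoreUpdater {

    /** Complete a handshake with a capture-only trust manager; nothing is trusted at this point. */
    public static X509Certificate[] fetchPresentedChain(String host, int port)
            throws IOException, GeneralSecurityException {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { seen[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port); // assumed endpoint
        try { socket.startHandshake(); } finally { socket.close(); }
        if (seen[0] == null || seen[0].length == 0) throw new SSLException("no certificate presented by " + host);
        return seen[0];
    }

    /**
     * Accept the presented leaf only if it is currently valid, a CA already in the trust store
     * signed it directly, and it names the host we call. A self-signed replacement or a
     * certificate from an unknown CA is rejected: that renewal stays an operator decision.
     */
    public static X509Certificate validateRenewal(KeyStore trustStore, X509Certificate[] chain,
                                                 String expectedHost) throws GeneralSecurityException {
        X509Certificate leaf = chain[0];
        leaf.checkValidity();
        X509Certificate issuer = findTrustedIssuer(trustStore, leaf);
        if (issuer == null) {
            throw new CertificateException("issuer not in trust store: " + leaf.getIssuerX500Principal());
        }
        leaf.verify(issuer.getPublicKey()); // throws if the signature does not verify under the trusted key
        if (!namesHost(leaf, expectedHost)) {
            throw new CertificateException("certificate does not name " + expectedHost);
        }
        return leaf;
    }

    /** A CA certificate in the store whose subject equals the leaf's issuer, or null. */
    private static X509Certificate findTrustedIssuer(KeyStore trustStore, X509Certificate leaf)
            throws GeneralSecurityException {
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate candidate = (X509Certificate) c;
            boolean isCa = candidate.getBasicConstraints() != -1; // -1 means "not a CA"
            if (isCa && candidate.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                return candidate;
            }
        }
        return null;
    }

    /** Match dNSName subject alternative names only; a certificate without SANs is refused. */
    private static boolean namesHost(X509Certificate cert, String host) throws CertificateException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    /** Write the validated certificate into the trust-store file under the given alias (assumed inputs). */
    public static void importCertificate(String path, char[] password, String alias, X509Certificate cert)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        ks.setCertificateEntry(alias, cert);
        OutputStream out = new FileOutputStream(path);
        try { ks.store(out, password); } finally { out.close(); }
    }
}
```

Run it from the catch block in place of the unconditional import: `validateRenewal(trustStore, fetchPresentedChain(host, 443), host)` first, and only then `importCertificate(...)`. Two consequences are worth spelling out. If the check passes, the certificate already chains to an anchor in the store, so JSSE would have accepted it without any import at all; that is the cleaner design for a 24/7 client: trust the issuing CA rather than the leaf, and the file only has to change when the CA itself rotates. If the check fails, a certificate with no cryptographic link to anything already trusted is indistinguishable from an interception, and the right reaction is to alert an operator rather than import it. The check matches the leaf's direct issuer only; for chains with intermediates, walk the chain link by link or hand it to a PKIX CertPathValidator built from the same trust store.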
Re: Reload keystore file

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Great. BTW, do you do a trust validation on the received certificate ?

thanks,
nandana

On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande <sebastian@vansande.org
> wrote:

> Thanks a lot, Nandana, injecting a custom socket factory to axis2 did the
> job!
>
> This is what I did:
> - I created a custom socket factory, based on the one you can find at
> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
> - I added a method in this custom socket factory to reset the sslContext.
> This will result in reloading the keystore.
>
> The whole flow now works as follows when a certificate should get renewed
> in the keystore:
> - The application calls a method which will call a method on a stub
> - The stub method throws an exception which is caught ...
> - In this catch block I try to do an SSL handshake with the keystore.
> - If the SSL handshake fails, I start an update method on a keystore
> manager ..
> - this update method will extract all the certificates from the service and
> put them in the keystore file
> - then, it will re-init the sslcontext in the custom socket factory
> - the flow returns to the catch block in the original called method which
> will call the method on the stub one more time with the same parameters. If it
> fails again, it will throw an exception to the caller ...
>
> The result is that no operator action is needed to update the keystore
> manually with new certificates and/or restart the application. Everything
> goes automatically!
>
> Thanks again!
>
> Kind regards,
> Sebastian
>


-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org

Re: Reload keystore file

Posted by Sebastian Van Sande <se...@vansande.org>.
Thanks a lot, Nandana, injecting a custom socket factory to axis2 did the
job!

This is what I did:
- I created a custom socket factory, based on the one you can find at
http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
- I added a method in this custom socket factory to reset the sslContext.
This will result in reloading the keystore.

The whole flow now works as follows when a certificate should get renewed
in the keystore:
- The application calls a method which will call a method on a stub
- The stub method throws an exception which is caught ...
- In this catch block I try to do an SSL handshake with the keystore.
- If the SSL handshake fails, I start an update method on a keystore manager
..
- this update method will extract all the certificates from the service and
put them in the keystore file
- then, it will re-init the sslcontext in the custom socket factory
- the flow returns to the catch block in the original called method which
will call the method on the stub one more time with the same parameters. If it
fails again, it will throw an exception to the caller ...

The result is that no operator action is needed to update the keystore
manually with new certificates and/or restart the application. Everything
goes automatically!

Thanks again!

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:

>
> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>>
>>
> You need to set a property in the options [1].
>
> thanks,
> nandana
>
> [1] - http://wso2.org/library/1646
>

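The reloadable factory from the message above, together with the `Protocol.registerProtocol` call and the Axis2 options property discussed in the quoted replies, as an added example written for this page: it is not Sebastian's class, not the AuthSSLProtocolSocketFactory contrib class he started from, and not part of Axis2 or HttpClient. It targets Commons HttpClient 3.x (the transport Axis2 used at the time) and the `CUSTOM_PROTOCOL_HANDLER` option of Axis2's commons HTTP transport; the class name, `reload()`, `install()`, the trust-store path and the password are this example's assumptions, and the hostname check needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.axis2.client.Options;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * HttpClient 3.x socket factory whose SSLContext is rebuilt from the trust-store file on demand.
 * The javax.net.ssl.trustStore properties are read once, when the default context is created,
 * which is why editing the file alone changes nothing; owning the context lets us swap it at runtime.
 */
public class ReloadableSSLSocketFactory implements SecureProtocolSocketFactory {

    private final String trustStorePath;      // assumed input, e.g. /path/to/keystore.jks
    private final char[] trustStorePassword;  // assumed input
    private final AtomicReference<SSLContext> context = new AtomicReference<SSLContext>();

    public ReloadableSSLSocketFactory(String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword;
        reload();
    }

    /** Re-read the trust store and publish a fresh SSLContext; sockets already open keep the old one. */
    public final void reload() throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(trustStorePath);
        try { trustStore.load(in, trustStorePassword); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext fresh = SSLContext.getInstance("TLS");
        fresh.init(null, tmf.getTrustManagers(), null); // server trust only, no client key material
        context.set(fresh);
    }

    private SSLSocketFactory delegate() {
        return context.get().getSocketFactory();
    }

    /** Have JSSE match the certificate name against the host (Java 7+); HttpClient 3.x never does. */
    private static Socket withHostnameCheck(Socket socket) {
        if (socket instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) socket;
            SSLParameters params = ssl.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(params);
        }
        return socket;
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return withHostnameCheck(delegate().createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        return withHostnameCheck(delegate().createSocket(host, port, localAddress, localPort));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params)
            throws IOException, UnknownHostException, ConnectTimeoutException {
        int timeout = params == null ? 0 : params.getConnectionTimeout();
        Socket socket = withHostnameCheck(delegate().createSocket()); // unconnected, so the timeout applies
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port), timeout);
        return socket;
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return withHostnameCheck(delegate().createSocket(socket, host, port, autoClose));
    }

    /** Register globally for HttpClient 3.x and per client for Axis2's commons HTTP transport. */
    public static Protocol install(ReloadableSSLSocketFactory factory, Options axisOptions) {
        Protocol https = new Protocol("https", (ProtocolSocketFactory) factory, 443); // cast: non-deprecated ctor
        Protocol.registerProtocol("https", https);
        axisOptions.setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, https);
        return https;
    }
}
```

`Protocol.registerProtocol` is JVM-global, so every HttpClient 3.x user in the process picks up the factory; the per-client `CUSTOM_PROTOCOL_HANDLER` option is what makes Axis2 honour it for the stub. In the catch block of the flow above the sequence is: update the trust-store file, call `reload()`, retry the stub call once. The `AtomicReference` swap is safe when several threads call stubs concurrently, but connections already established keep the SSLContext they were created with, so pooled connections should be closed after a reload.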
Re: Reload keystore file

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>
>
You need to set a property in the options [1].

thanks,
nandana

[1] - http://wso2.org/library/1646



> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket
> Factory to make use of my keystore and force reloading.
>
> Thanks again for your help.
>
> Kind regards,
> Sebastian
>

Re: Reload keystore file

Posted by Sebastian Van Sande <se...@vansande.org>.
Hi Nandana,

Thanks for your reply. If I use a custom SSL Socket Factory for my 'custom
protocol' and use this as the SSL default protocol handler with this code:

Protocol.registerProtocol("https",
new Protocol("https", new MySSLSocketFactory(), 443));

... will Axis2 detect this and use my custom Protocol and
MySSLSocketFactory?

I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket
Factory to make use of my keystore and force reloading.

Thanks again for your help.

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:

> I assume you use Axis2 as a web service client. I think a better solution
> for you would be to use a custom SSL Socket factory to handle your scenario.
> You can find more information on how to implement and use a custom SSL
> Socket factory here [1]. You could also raise the question on the commons
> HttpClient list.
>
> thanks,
> nandana
>
> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>

Re: Reload keystore file

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
I assume you use Axis2 as a web service client. I think a better solution for
you would be to use a custom SSL Socket factory to handle your scenario. You
can find more information on how to implement and use a custom SSL Socket
factory here [1]. You could also raise the question on the commons HttpClient
list.

thanks,
nandana

[1] - http://hc.apache.org/httpclient-3.x/sslguide.html

On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <sebastian@vansande.org
> wrote:

> Hi,
>
> Thanks for your reply, Yves Marie!
>
> Unfortunately, restarting the application is something we don't want since
> this application will run 24/7 in a production environment.
>
> I'm looking for a way to let Axis2 know to reload the keystore file, at
> runtime without restarting my application.
> I know *when* it has to reload the keystore file, I just don't know *how*
> to do this in code.
>
> If anyone knows how to let Axis2 reload the keystore file, let me know!
>
> Kind regards,
> Sebastian
>
>
> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
> yves-marie.daniel@capgemini.com> wrote:
>
>>  Hi !
>>
>> With a Jonas application server and mutual authentication with SSL, we
>> found that we had to restart Jonas so it could see the changes of path
>> or content for keystores. It seems to be the same with Tomcat; I don't know if
>> it's Axis2 or the application server.
>>
>> Yves-Marie
>>
>>  ------------------------------
>> *From:* Sebastian Van Sande [mailto:sebastian@vansande.org]
>> *Sent:* Thursday 29 January 2009 08:07
>> *To:* axis-user@ws.apache.org
>> *Subject:* Re: Reload keystore file
>>
>> Does anyone have a clue how I can refresh the keystore in axis2?
>> Thank you.
>>
>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
>> sebastian@vansande.org> wrote:
>>
>>> Hi,
>>>
>>> I have a problem with Axis2.
>>>
>>> At my project, we have a Microsoft Exchange 2007, and some other project
>>> has created an API to interact with this Exchange server with the help of
>>> Axis2.
>>> This other project uses a Websphere server to manage a keystore to do
>>> basic authentication over SSL.
>>> My application on the other hand runs as a standalone application, and I
>>> have to manage the keystore myself.
>>>
>>> Now, I managed to use this keystore to call the Exchange 2007 Web
>>> services over SSL, and it works great.
>>> But, as you probably know, certificates expire ... and they have to get
>>> renewed.
>>>
>>> So, I managed to create something like a 'KeyStoreManager' that will fetch the
>>> new certificates from the Exchange server and put it in the keystore file.
>>> And this works great as well .. *IF* I restart my application.
>>>
>>> When my application modifies the keystore file, it looks like Axis2 is
>>> using some caching mechanism, because when I make the web service call again
>>> (after inserting the new certificate in my keystore), it can't authenticate
>>> because it cached the keystore file in memory.
>>>
>>> To specify the keystore to Axis2, I use this code:
>>>
>>>             System.setProperty("javax.net.ssl.trustStore",
>>> "/path/to/keystore.jks");
>>>             System.setProperty("javax.net.ssl.trustStorePassword",
>>> "thisisnottherealpassword");
>>>
>>> To extract the new certificate and add it to my keystore, I use code
>>> based on the one you can find at
>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>
>>> The problem is: when the keystore file is updated with the new
>>> certificate, axis2 doesn't seem to know about it because it uses a cached
>>> version of the keystore file.
>>>
>>> So my question is: how can I clear this axis2 keystore cache in some way
>>> so axis2 will be forced to read the keystore file again?
>>>
>>> Thank you for your help,
>>>
>>> Kind regards,
>>> Sebastian
>>
>


-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org
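Along the lines of Nandana's suggestion, an added example (not from this thread, Axis2 or HttpClient) of a trust manager that re-reads the truststore file whenever its modification time changes, so a certificate added by the 'KeyStoreManager' is honoured on the next handshake without a restart. The class name, the file and password parameters and the mtime check are my own; the SSLContext it builds is what a custom commons-httpclient SecureProtocolSocketFactory would wrap, as the linked SSL guide describes.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Trust manager that re-reads the truststore file whenever its mtime changes (added example).
public final class ReloadingTrustManager implements X509TrustManager {
    private final File storeFile;
    private final char[] password;
    private long loadedAt = -1L;                // lastModified() of the copy currently in memory
    private volatile X509TrustManager delegate; // JDK trust manager built from that copy
    public ReloadingTrustManager(File storeFile, char[] password) throws Exception {
        this.storeFile = storeFile; this.password = password.clone(); reloadIfChanged();
    }
    // Reload only when the file on disk differs from what we hold; callers serialise on this.
    synchronized void reloadIfChanged() throws Exception {
        long mtime = storeFile.lastModified();
        if (mtime == loadedAt) return;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(storeFile);
        try { ks.load(in, password); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { delegate = (X509TrustManager) tm; loadedAt = mtime; return; }
        }
        throw new IllegalStateException("no X509TrustManager available for " + storeFile);
    }
    private X509TrustManager current() throws CertificateException {
        try { reloadIfChanged(); } catch (Exception e) { throw new CertificateException("truststore reload failed", e); }
        return delegate;
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkServerTrusted(chain, authType); // a renewed server cert is honoured without a restart
    }
    public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { current().checkClientTrusted(c, a); }
    public X509Certificate[] getAcceptedIssuers() {
        try { return current().getAcceptedIssuers(); } catch (CertificateException e) { return new X509Certificate[0]; }
    }
    // SSLContext to wrap in a commons-httpclient SecureProtocolSocketFactory (see the linked SSL guide).
    public static SSLContext contextFor(File storeFile, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(storeFile, password) }, null);
        return ctx;
    }
}
```

Because the reload is keyed on lastModified(), the KeyStoreManager should write the new store to a temporary file and rename it into place, so a handshake never reads a half-written file.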

Re: Reload keystore file

Posted by Sebastian Van Sande <se...@vansande.org>.
Hi,

Thanks for your reply, Yves Marie!

Unfortunately, restarting the application is something we don't want since
this application will run 24/7 in a production environment.

I'm looking for a way to let Axis2 know to reload the keystore file, at
runtime without restarting my application.
I know *when* it has to reload the keystore file, I just don't know *how* to
do this in code.

If anyone knows how to let Axis2 reload the keystore file, let me know!

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <
yves-marie.daniel@capgemini.com> wrote:

>  Hi !
>
> With a Jonas application server and mutual authentication with SSL, we
> found that we had to restart Jonas so it could see the changes of path
> or content for keystores. It seems to be the same with Tomcat; I don't know if
> it's Axis2 or the application server.
>
> Yves-Marie
>
>  ------------------------------
> *From:* Sebastian Van Sande [mailto:sebastian@vansande.org]
> *Sent:* Thursday 29 January 2009 08:07
> *To:* axis-user@ws.apache.org
> *Subject:* Re: Reload keystore file
>
> Does anyone have a clue how I can refresh the keystore in axis2?
> Thank you.
>
> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
> sebastian@vansande.org> wrote:
>
>> Hi,
>>
>> I have a problem with Axis2.
>>
>> At my project, we have a Microsoft Exchange 2007, and some other project
>> has created an API to interact with this Exchange server with the help of
>> Axis2.
>> This other project uses a Websphere server to manage a keystore to do
>> basic authentication over SSL.
>> My application on the other hand runs as a standalone application, and I
>> have to manage the keystore myself.
>>
>> Now, I managed to use this keystore to call the Exchange 2007 Web
>> services over SSL, and it works great.
>> But, as you probably know, certificates expire ... and they have to get
>> renewed.
>>
>> So, I managed to create something like a 'KeyStoreManager' that will fetch the
>> new certificates from the Exchange server and put it in the keystore file.
>> And this works great as well .. *IF* I restart my application.
>>
>> When my application modifies the keystore file, it looks like Axis2 is
>> using some caching mechanism, because when I make the web service call again
>> (after inserting the new certificate in my keystore), it can't authenticate
>> because it cached the keystore file in memory.
>>
>> To specify the keystore to Axis2, I use this code:
>>
>>             System.setProperty("javax.net.ssl.trustStore",
>> "/path/to/keystore.jks");
>>             System.setProperty("javax.net.ssl.trustStorePassword",
>> "thisisnottherealpassword");
>>
>> To extract the new certificate and add it to my keystore, I use code based
>> on the one you can find at
>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>
>> The problem is: when the keystore file is updated with the new
>> certificate, axis2 doesn't seem to know about it because it uses a cached
>> version of the keystore file.
>>
>> So my question is: how can I clear this axis2 keystore cache in some way
>> so axis2 will be forced to read the keystore file again?
>>
>> Thank you for your help,
>>
>> Kind regards,
>> Sebastian
>

RE: Reload keystore file

Posted by "DANIEL, Yves Marie" <yv...@capgemini.com>.
Hi !
 
With a Jonas application server and mutual authentication with SSL, we found that we had to restart Jonas so it could see the changes of path or content for keystores. It seems to be the same with Tomcat; I don't know if it's Axis2 or the application server.
 
Yves-Marie

________________________________

From: Sebastian Van Sande [mailto:sebastian@vansande.org]
Sent: Thursday 29 January 2009 08:07
To: axis-user@ws.apache.org
Subject: Re: Reload keystore file


Does anyone have a clue how I can refresh the keystore in axis2?
Thank you.


On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <se...@vansande.org> wrote:


	Hi,
	
	I have a problem with Axis2.
	
	At my project, we have a Microsoft Exchange 2007, and some other project has created an API to interact with this Exchange server with the help of Axis2.
	This other project uses a Websphere server to manage a keystore to do basic authentication over SSL.
	My application on the other hand runs as a standalone application, and I have to manage the keystore myself.
	
	Now, I managed to use this keystore to call the Exchange 2007 Web services over SSL, and it works great.
	But, as you probably know, certificates expire ... and they have to get renewed.
	
	So, I managed to create something like a 'KeyStoreManager' that will fetch the new certificates from the Exchange server and put it in the keystore file.
	And this works great as well .. *IF* I restart my application.
	
	When my application modifies the keystore file, it looks like Axis2 is using some caching mechanism, because when I make the web service call again (after inserting the new certificate in my keystore), it can't authenticate because it cached the keystore file in memory.
	
	To specify the keystore to Axis2, I use this code:
	
	            System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
	            System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");    
	
	To extract the new certificate and add it to my keystore, I use code based on the one you can find at http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore 
	
	The problem is: when the keystore file is updated with the new certificate, axis2 doesn't seem to know about it because it uses a cached version of the keystore file.
	
	So my question is: how can I clear this axis2 keystore cache in some way so axis2 will be forced to read the keystore file again?
	
	Thank you for your help,
	
	Kind regards,
	Sebastian 

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is 
intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to 
read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message 
in error, please notify the sender immediately and delete all copies of this message.

Re: Reload keystore file

Posted by Sebastian Van Sande <se...@vansande.org>.
Does anyone have a clue how I can refresh the keystore in axis2?
Thank you.

On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <
sebastian@vansande.org> wrote:

> Hi,
>
> I have a problem with Axis2.
>
> At my project, we have a Microsoft Exchange 2007, and some other project
> has created an API to interact with this Exchange server with the help of
> Axis2.
> This other project uses a Websphere server to manage a keystore to do basic
> authentication over SSL.
> My application on the other hand runs as a standalone application, and I
> have to manage the keystore myself.
>
> Now, I managed to use this keystore to call the Exchange 2007 Web
> services over SSL, and it works great.
> But, as you probably know, certificates expire ... and they have to get
> renewed.
>
> So, I managed to create something like a 'KeyStoreManager' that will fetch the
> new certificates from the Exchange server and put it in the keystore file.
> And this works great as well .. *IF* I restart my application.
>
> When my application modifies the keystore file, it looks like Axis2 is
> using some caching mechanism, because when I make the web service call again
> (after inserting the new certificate in my keystore), it can't authenticate
> because it cached the keystore file in memory.
>
> To specify the keystore to Axis2, I use this code:
>
>             System.setProperty("javax.net.ssl.trustStore",
> "/path/to/keystore.jks");
>             System.setProperty("javax.net.ssl.trustStorePassword",
> "thisisnottherealpassword");
>
> To extract the new certificate and add it to my keystore, I use code based
> on the one you can find at
> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>
> The problem is: when the keystore file is updated with the new certificate,
> axis2 doesn't seem to know about it because it uses a cached version of the
> keystore file.
>
> So my question is: how can I clear this axis2 keystore cache in some way so
> axis2 will be forced to read the keystore file again?
>
> Thank you for your help,
>
> Kind regards,
> Sebastian