From: Gait B. <gai...@ti...> - 2002-10-24 07:36:24
Hi Patrick,
Yes indeed. I've exported the SSL key generated for the site to a file, and imported that to the
%JAVA_HOME%/jre/lib/security/cacerts keystore.
This way, I could successfully run the loopback test with toMSHURL in loopback.java set to the https URL. So MSH-MSH works, at least for the loopback.
Then I tried to use the https port for the client-MSH communication by setting the Request/Config/URL to the https URL in the msh.properties.xml that is used by the loopback. AFAIK, that's the setting the Request object will use to connect to the MSH for sending commands.
This gives the "couldn't find trusted certificate" error.
I didn't change these settings in the msh.properties.xml for the MSH; tomcat takes care of the SSL tunnelling.
----- Original Message -----
From: Patrick Yee
To: EbXMLms List (E-mail)
Sent: Thursday, October 24, 2002 3:14 AM
Subject: Re: [ebxmlms-general] MSH over SSL with Tomcat
Sorry Gait, I am a little bit confused. Are you saying that you have already fixed the MSH-MSH problem? But still get an error in MSH-client communication?
-Patrick
----- Original Message -----
From: Gait Boxman
To: EbXMLms List (E-mail)
Sent: Wednesday, October 23, 2002 10:09 PM
Subject: Re: [ebxmlms-general] MSH over SSL with Tomcat
thnx Patrick,
adding the certificate to the cacerts for JRE did it.
I also tried setting the MSH-client communication to HTTPS, but that still gives me a "couldn't find trusted certificate" error. I was expecting this to use the same certificates and stores as for the MSH-MSH loopback.
Gait.
----- Original Message -----
From: Patrick Yee
To: Patrick Yee
Cc: EbXMLms List (E-mail)
Sent: Wednesday, October 23, 2002 6:13 AM
Subject: Re: [ebxmlms-general] MSH over SSL with Tomcat
Sorry, I forgot to CC the answer to the list. Please find the answer below.
And I want to further clarify 2 points:
1. If computer A wishes to connect to computer B using SSL, computer B should be pre-configured with SSL first, and computer B's public key should be imported into computer A's trusted keystore.
2. In that case, the URL that computer A is using to connect should use the same hostname or IP as the one computer B used to generate the key. I mean, if computer B uses the IP as CN to generate the key, computer A should use the URL with the IP to connect. If computer B uses the hostname as CN, computer A should use the hostname to connect.
Regards, -Patrick
--
Patrick Yee
System Architect
Center for E-Commerce Infrastructure Development (CECID)
Dept. of Computer Science and Information Systems
The University of Hong Kong
Tel: (852) 22415674
Fax: (852) 25474611
----- Original Message -----
From: Patrick Yee
To: Gait Boxman
Sent: Wednesday, October 23, 2002 12:07 PM
Subject: Re: [ebxmlms-general] MSH over SSL with Tomcat
Hi Gait,
In our experience, you should do the following to make SSL on Tomcat work.
1. Generate a key with the alias "tomcat", and with the CN set to the correct hostname or IP of the server.
2. Specify the keystore details in Tomcat's configuration files.
3. Up to this point, you can test with a browser. You need to accept that cert on a prompt.
4. Export the public key of the generated keypair to a file using keytool.
5. Input the public key exported in (4) into a keystore located at the RECEIVING computer. The keystore is located at $JAVA_HOME/jre/lib/security/cacerts. This keystore holds the so-called trusted public keys recognized by the JRE.
Step 5 is conceptually the same as accepting that cert on a prompt at browsers in step (3). One is for machine, one is for human.
Hope this helps.
Regards, -Patrick
--
Patrick Yee
System Architect
Center for E-Commerce Infrastructure Development (CECID)
Dept. of Computer Science and Information Systems
The University of Hong Kong
Tel: (852) 22415674
Fax: (852) 25474611
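A client-side diagnostic for steps 4 and 5 and for point 2 above, added here as example code that is not from the ebxmlms project or from anyone in the thread: it loads the truststore of the JVM that runs it (the JRE cacerts named in step 5, unless a path is given), lists what that store trusts, then attempts the TLS handshake to the MSH URL, so a "couldn't find trusted certificate" can be traced to a missing import, an import into a different JRE, or a CN that does not match the host in the URL. The class name, the command-line arguments and the use of "changeit" (the JDK's stock cacerts password) are assumptions.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
// Example diagnostic, not part of the ebxmlms MSH: which truststore does this JVM use, and does it trust the MSH?
public class TrustStoreCheck {
    // Loads a JKS truststore; with path == null it opens the cacerts of the JRE running this process,
    // which is what JSSE falls back to when -Djavax.net.ssl.trustStore is not set.
    static KeyStore loadTrustStore(String path, String password) throws Exception {
        if (path == null) {
            path = System.getProperty("java.home") + "/lib/security/cacerts";
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        System.out.println("Truststore " + path + " holds " + ks.size() + " entries:");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {   // list subjects so a missing
            String alias = e.nextElement();                                   // import is obvious at a glance
            System.out.println("  " + alias + ": "
                + ((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
        }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        URL url = new URL(args[0]);                                    // e.g. https://my_server_name:8443/msh
        KeyStore ks = loadTrustStore(args.length > 1 ? args[1] : null, "changeit"); // stock cacerts password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            conn.connect();
            X509Certificate server = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("Handshake OK; server presented " + server.getSubjectX500Principal());
        } catch (IOException ex) {
            // Either this store lacks the cert (step 5 skipped, or done in another JRE) or the CN differs from the URL host (point 2)
            System.out.println("Handshake failed: " + ex.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

Run it once with no truststore argument from the same JRE that runs the client (the Request object), and once pointing at the cacerts file you imported into; if only the second succeeds, the import went into a JRE the client does not use.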
----- Original Message -----
From: Gait Boxman
To: ebx...@li...
Sent: Wednesday, October 23, 2002 2:32 AM
Subject: [ebxmlms-general] MSH over SSL with Tomcat
Hi,
I'm having some problems getting SSL to work with the MSH.
I've set up tomcat with a certificate using 'keytool -genkey -alias tomcat -keyalg RSA'
I entered my server name as the CN, and added some real values for the other X.500 fields.
I enabled port 8443 in server.xml, and I managed to hook up to the MSH with https://my_server_name:8443/msh, after accepting the certificate in IE.
I exported the key, and imported it into /tmp/cacerts. I took care of all the correct passwords, so that is working.
I then tried the loopback.java with toMSHURL set to the url above, but that gives problems in tomcat, which tells me it can't find a trusted certificate. Running the same test over the normal http channel works fine. Did I miss something here, should I import the certificate to yet another store?
TIA, Gait.
PS Next test will be digital signatures, hints are welcome..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Gait Boxman
Manager Advanced Technology & Standards
TIE Product Development BV
Amsterdam, The Netherlands
Tel: +31 20 658 9091 Fax: +31 20 658 9945
E-mail: gai...@ti... WWW: www.TIEglobal.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~