From: Mattias J <ma...@ex...> - 2004-06-25 10:34:19
After this I ran into some other problems so here goes the full story:
I am trying to send an ebXML message in our development environment from
computer Macbeth to computer Othello.
I have compiled Hermes from the latest CVS sources and installed on both
machines.
Macbeth is running JDK 1.4.2 and using Resin 2.1.13 as servlet container.
Othello is running JDK 1.4.1 and using Resin 2.1.11 as servlet container.
(Both are running Windows XP.)
First I created a self-signed certificate for Othello, using its IP as CN
keytool -genkey -keyalg RSA -alias othello -keystore othello.keystore -storepass changeit
I installed this certificate in Resin and was able to call Hermes on
Othello from a browser on Macbeth using SSL (after manually accepting
myself as certificate authority, of course).
Then I exported the public key using
keytool -export -rfc -alias othello -file othello.cer -keystore othello.keystore -storepass changeit
This cert I imported into another keystore
keytool -import -alias othello -file othello.cer -keystore trusted.keystore -storepass changeit
I set up this keystore in the msh.properties.xml of Macbeth as follows
<DigitalSignature>
<TrustedAnchor>
<KeyStore>
<Path>/hermes</Path>
<File>trusted.keystore</File>
<Password>changeit</Password>
</KeyStore>
</TrustedAnchor>
(I can see in the logs that the keystore is found)
Then I created a small client on Macbeth trying to send an ebXML message
through Macbeth's MSH to Othello using this request:
Request mshReq = new Request(appCtx, new URL("https://213.15.xxx.xxx/msh/"), null, Constants.TRANSPORT_TYPE_HTTPS);
The error in the log was the same whether I had added the trusted keystore
in msh.properties.xml above or not:
[10505] Cannot send SOAP message
Exception: javax.net.ssl.SSLHandshakeException
Message: sun.security.validator.ValidatorException: No trusted
certificate found
Therefore I added the public key into the global JRE store
(jre/lib/security/cacerts) using
keytool -import -alias othello -file othello.cer -keystore cacerts -storepass changeit
After restarting Resin on Macbeth I got rid of the error above but instead got
[10505] Cannot send SOAP message
Exception: java.io.IOException
Message: HTTPS hostname wrong: should be <213.15.xxx.xxx>
This I didn't understand either, so I thought I'd try to create my own
com.sun.net.ssl.HostnameVerifier (from a tip I found in the mailing list
archives). I configured Macbeth with this hostname verifier
(<HostnameVerifier>foo.bar.MyHostnameVerifier</HostnameVerifier>) but
noticed it was not being used. Through looking at the source and adding
some debug output I found out that not only
com.sun.net.ssl.HostnameVerifier but also
com.sun.net.ssl.HttpsURLConnection is deprecated and instead
javax.net.ssl.HttpsURLConnection (and javax.net.ssl.HostnameVerifier) is
used on my machine. That is the reason that
hk.hku.cecid.phoenix.message.transport.Http never configured my HTTPS
connection to use my own HostnameVerifier and probably also the reason why
my Hermes-local trusted keystore is not being used.
That is where I am at now.
- Is Hermes outdated, is my computer misconfigured or why does the HTTPS
connection implementation not match?
- How do I get rid of the "HTTPS hostname wrong" (preferably without
implementing my own HostnameVerifier)?
Thanks in advance.
Mattias Jiderhamn
Expert Systems
At 2004-06-25 03:24, you wrote:
>No. It works fine for me when I do the testing for SSL part. Can you tell
>me more on how you use it?
>
>Regards,
>Bob Koon
>
>Mattias J wrote:
>
>>It seems to me (both through testing and through looking at the source
>>code) that even if you define a keystore with trusted certificates in
>>msh.properties.xml, it is not used. Is this correct?
>>
>>This is the setting I would like to use:
>> <SSL>
>> <!-- Trust keystore for SSL Server Authentication -->
>> <TrustedAnchor>
>> <KeyStore>
>> <Path>/hermes</Path>
>> <File>trusted.keystore</File>
>> <Password>foobar</Password>
>> </KeyStore>
>> </TrustedAnchor>
>> </SSL>
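Added example, not code from the thread or from Hermes: a stand-alone Java client that does what the <TrustedAnchor> configuration above is meant to do, using the javax.net.ssl classes the thread found to be the ones actually in use. It loads the trust store into its own TrustManagerFactory and SSLContext, so the server certificate can be trusted without importing it into the JRE's global cacerts, and it prints the identities carried by the certificate the server presents. That second part is the diagnostic for the "HTTPS hostname wrong" error: the default hostname check in current JDKs matches a numeric host such as 213.15.xxx.xxx only against a subjectAltName iPAddress entry, not against the CN, so a certificate generated with the IP as CN and no subjectAltName will not pass it. The trust store path and password are assumed from the configuration quoted in the thread; the host and port are command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TrustedAnchorCheck {

    // Assumed values mirroring the <KeyStore> block from the thread's msh.properties.xml.
    static final String TRUST_STORE = "/hermes/trusted.keystore";
    static final char[] TRUST_PASS = "changeit".toCharArray();

    // Load the JKS trust store produced by "keytool -import".
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Build an SSLContext whose trust anchors come from this store only,
    // so nothing has to be added to the JRE's global cacerts file.
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Collect the identities in a server certificate: the subject DN plus any
    // subjectAltName entries of type 2 (dNSName) or 7 (iPAddress). A numeric
    // URL host is matched against the type-7 entries, not against the CN.
    static List<String> identitiesOf(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<String>();
        names.add("subject=" + cert.getSubjectX500Principal().getName());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                int type = ((Integer) entry.get(0)).intValue();
                if (type == 2) names.add("dNSName=" + entry.get(1));
                if (type == 7) names.add("iPAddress=" + entry.get(1));
            }
        }
        return names;
    }

    // Handshake with the server using only the local trust store and report the
    // names in the presented certificate. A plain SSLSocket performs the chain
    // validation but not the URL-level hostname check, so the certificate can be
    // inspected even when that check would reject it.
    static List<String> probe(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            s.startHandshake(); // SSLHandshakeException here means the chain is not in the trust store
            Certificate[] chain = s.getSession().getPeerCertificates();
            return identitiesOf((X509Certificate) chain[0]);
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLContext ctx = contextTrusting(loadTrustStore(TRUST_STORE, TRUST_PASS));

        // Step 1: does the local trust store accept the server's chain, and what names does the cert carry?
        for (String name : probe(ctx, host, port)) {
            System.out.println(name);
        }

        // Step 2: the same trust store applied to the HTTPS URL connection the MSH client would use.
        // The default HostnameVerifier is deliberately left in place; a mismatch surfaces as
        // IOException "HTTPS hostname wrong" and is fixed in the certificate, not by a custom verifier.
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://" + host + ":" + port + "/msh/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

If step 1 prints only a subject line with the IP in the CN and no iPAddress entry, the certificate has to be regenerated with a subjectAltName covering the address (or the client has to connect by a DNS name that the certificate covers); step 2 then succeeds with the default verifier and the <TrustedAnchor> store, without touching cacerts.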