From: Ladislav U. <lad...@we...> - 2006-05-09 18:38:30

Hello Ashique,

this problem in the SSL handshake seems to me due to a missing trusted certificate in the local keystore. Could you please send me the list of aliases from both keystores? You can get them with a command similar to:

keytool -list -keystore ./.keystore -storepass password456

On Tue, 2006-05-09 at 08:21 -0400, Tanveer, Ashique (NIH/OD) [C] wrote:
>
> When I deploy Hermes on Tomcat with SSL turned on, I get an exception.
> With the non-SSL port everything works fine. But as soon as I specify the
> SSL port in the msh*.properties file (under the <URL> ....</URL> tag), I
> get the exception. I will appreciate any help on this.
>
> 2006-05-09 08:16:16,613 INFO Thread-3 gov.nih.cgaprefimpl.RequestManager - Registering with the msh at: https://localhost:8443/msh/
> 2006-05-09 08:16:16,643 INFO Thread-3 gov.nih.cgaprefimpl.ExchangeMessageListener - Creating an ExchangeMessageListener
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
>         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
>         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:569)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(DashoA12275)
>         at hk.hku.cecid.phoenix.message.handler.Request.sendCommand(Unknown Source)
>         at hk.hku.cecid.phoenix.message.handler.Request.sendMessageServiceHandle
>
> Thanks
> |-----------------------------------------------------------------------
> | Ashique Tanveer
> | Booz | Allen | Hamilton
> |
> | Contractor, eRA Project, National Institute Of Health
> | Off: 301-451-1772
> | Fax: 925-889-3635
> | Email: tan...@od..., tan...@ba...
> |-----------------------------------------------------------------------
>
> -----Original Message-----
> From: Tanveer, Ashique (NIH/OD) [C]
> Sent: Monday, May 08, 2006 4:05 PM
> To: 'ebx...@li...'
> Subject: RE: [ebxmlms-general] Configuring SSL and Hermes - step by step Guide
>
> Ladislav,
>
> Here are a couple of questions. You may be able to help with this.
>
> 1) In your configuration, what port address did you specify in
> msh.properties and msh_client.properties under <URL> ...</URL>? I
> assume it has to be the SSL port of Tomcat. Right?
>
> 2) I understood that I will generate two sets of keystores (and 2 sets
> of certificates to be imported into the other party's keystore).
>
> In your email you asked to modify the msh*.properties file to specify the
> keystore name/password there. But how does the Tomcat configuration come
> into the picture? Or is that not a necessary step? Typically I would specify
> the keystore name/password in the Tomcat server.xml under the
> <Connector>...</Connector> tag. Is that not necessary to do when I am
> running Hermes in SSL mode? Is only modifying the Hermes properties
> (msh*.properties) sufficient?
>
> I am just trying to understand the difference or relationship between
> Tomcat's configuration for SSL (in its server.xml) and Hermes' SSL
> configuration (in the msh*.properties files).
>
> Thanks again for your time and help.
>
> -----Original Message-----
> From: Ladislav Urban [mailto:lad...@we...]
> Sent: Monday, May 08, 2006 3:25 PM
> To: ebx...@li...
> Subject: RE: [ebxmlms-general] Configuring SSL and Hermes - step by step Guide
>
> Hello Ashique,
> we use SSL configuration for Hermes. You can set it up the same way as
> for Tomcat.
> Are you going to use self-signed certs?
>
> 1st Step
> Generate keys in the keystores of both Tomcats. The keystore is
> usually in the root directory of the Tomcat and its name is .keystore
>
> example:
> keytool -genkey -keyalg "RSA" -dname "cn=company1, ou=company, o=company1, c=US" -keystore ./.keystore -alias tomcat -keypass password222 -storepass password222
>
> 2nd Step:
>
> Configuration of msh.properties.xml
> <SSL>
>   <HostnameVerifier>com.webswell.hermes.NullHostVerifier</HostnameVerifier>
>   <TrustedAnchor>
>     <!-- Trust keystore for SSL Server Authentication -->
>     <KeyStore>
>       <Path>/usr/local/Webswell/jakarta-tomcat</Path>
>       <File>.keystore</File>
>       <Password>password222</Password>
>     </KeyStore>
>   </TrustedAnchor>
>   <ClientAuth>
>     <URL></URL>
>     <KeyStore>
>       <Path></Path>
>       <File></File>
>       <Alias></Alias>
>       <Password></Password>
>     </KeyStore>
>   </ClientAuth>
> </SSL>
>
> As you can see we do have a null host verifier. It switches off verification
> of the host name in the HTTP request against the host name in the credentials. I can
> send you the Java code.
>
> 3rd Step
>
> Export the public part of the generated keys from both keystores. This will
> create the self-signed certificate files.
> keytool -export -alias tomcat -keystore ./.keystore -storepass password222 -file ./company1.cer
>
> and import the certificates into the opposite keystore.
>
> Ladislav
>
> On Mon, 2006-05-08 at 12:53 -0400, Tanveer, Ashique (NIH/OD) [C] wrote:
> >
> > I guess I am looking for something like a "SSL configuration with
> > Hermes for dummies". Assuming I have two Hermes servers running on
> > Tomcat server, what are the steps (generate the certificate, keystore
> > etc.?) to have both Hermes communicate via SSL. I assume some
> > configuration is needed on the Tomcat as well as the Hermes properties files?
> > Any tips would help.
> >
> > Thanks
> >
> > -- Ashique
> >
> > ______________________________________________________________________
> > From: David RR Webber (XML) [mailto:da...@dr...]
> > Sent: Monday, May 08, 2006 12:33 PM
> > To: ebx...@li...
> > Subject: [ebxmlms-general] Configuring SSL and Hermes - step by step Guide
> >
> > Team,
> >
> > Does anyone have any notes they can share on setting up Hermes <->
> > Hermes using SSL?
> >
> > The Hermes docs are not forthcoming on this - so would be helpful to
> > have something available.
> >
> > More to the point - if you succeeded in getting this working - can you
> > share the steps you had to go thru?!
> >
> > Thanks, DW
> >
> > -------------------------------------------------------
> > Using Tomcat but need to do more? Need to support web services, security?
> > Get stuff done quickly with pre-integrated technology to make your job easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> ebxmlms-general mailing list
> ebx...@li...
> https://lists.sourceforge.net/lists/listinfo/ebxmlms-general
>
> --
> Ladislav Urban
> CEO
> Webswell Inc.
> 1333 Howe Avenue, Suite 100
> Sacramento, 95825 CA
> email: lad...@we...
> phone: +1 (916) 290-2040
> fax: +1 (916) 921-2850
> http://www.webswell.com
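As an added example (not Hermes' or Webswell's code; the class name TrustCheck and the argument order are my own), this small Java program reproduces the check behind the exception above without deploying anything: it opens the keystore named in <TrustedAnchor>, lists its aliases the way keytool -list does, and runs the PKIX validation that JSSE applies to the peer certificate exported in step 3.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic, not part of Hermes: does the TrustedAnchor keystore
// from step 2 actually trust the peer certificate exported in step 3?
public class TrustCheck {
    // Load the JKS file that <TrustedAnchor><KeyStore> in msh.properties.xml names.
    static KeyStore loadTrustStore(String path, char[] storepass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, storepass); }
        return ks;
    }
    // Read the DER file written by "keytool -export -alias tomcat ... -file company1.cer".
    static X509Certificate loadPeerCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
    // Same PKIX validation JSSE runs in the handshake; the "No trusted certificate
    // found" ValidatorException in the log is thrown from exactly this check.
    static boolean isTrusted(KeyStore trustStore, X509Certificate peer) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { peer }, "RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("validator: " + e.getMessage());
            return false;
        }
    }
    // Usage: java TrustCheck /usr/local/Webswell/jakarta-tomcat/.keystore password222 company1.cer
    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        for (String alias : Collections.list(ts.aliases())) {   // same view as "keytool -list"
            System.out.println(alias + (ts.isCertificateEntry(alias) ? "  trustedCertEntry" : "  keyEntry"));
        }
        System.out.println(isTrusted(ts, loadPeerCert(args[2])) ? "peer certificate is trusted"
                : "peer certificate NOT trusted: import its .cer into this keystore with keytool -import");
    }
}
```

Run it on each side against the other side's .cer file: a keystore whose listing shows only the local keyEntry and no trustedCertEntry for the peer is the situation that produces the handshake failure in the log.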