Friday, May 22
1-way ssl setup and cert issues
1-way SSL overview :
1-way ssl requires that the client verifies the servers identity , and the server accepts any client request.
When the client sends a server request, the server presents a certificate to the client , and the client verifies the identity of the serverand proceeds if succesful.
For this to happen, the server needs to install certificate and private key on the server, while the client just needs to maintain the corresponding CA certificate (in truststore mostly).
When the client sends a server request, the server presents a certificate to the client , and the client verifies the identity of the serverand proceeds if succesful.
For this to happen, the server needs to install certificate and private key on the server, while the client just needs to maintain the corresponding CA certificate (in truststore mostly).
The client truststore location can be specified using system property :
System.setProperty("javax.net.ssl.trustStore", "C:/CIBTAPPS/MyTrust.jks");
System.setProperty("javax.net.
You might need to download the certificate(download in browser and 'export' as file) and import it in a truststore :
Use keytool utility from the jdk as follows :
keytool -import -alias csw.dev.wachovia.net -file C:\CIBTAPPS\SSL.crt -keystore C:\CIBTAPPS\MyTrust.jks
Use keytool utility from the jdk as follows :
keytool -import -alias csw.dev.wachovia.net -file C:\CIBTAPPS\SSL.crt -keystore C:\CIBTAPPS\MyTrust.jks
List the certstore content as follows :
keytool -list -keystore c:\CIBTAPPS\WachoviaTrust.jks
Enter keystore password: ****
Result will look something like :
Keystore type: jks
Keystore provider: SUN
keytool -list -keystore c:\CIBTAPPS\WachoviaTrust.jks
Enter keystore password: ****
Result will look something like :
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
wachovia test ca, Aug 20, 2007, trustedCertEntry,
Certificate fingerprint (MD5): AE:72:8D:E0:55:FA:F4:77:C2:8F:5D:B1:D3:A5:A0:51
enterpriseca, Aug 31, 2007, trustedCertEntry,
Certificate fingerprint (MD5): A3:AC:32:B3:8B:75:96:D9:48:16:46:39:21:C7:3E:0C
myprivateroot, May 19, 2009, trustedCertEntry
Certificate fingerprint (MD5): AE:72:8D:E0:55:FA:F4:77:C2:8F:
enterpriseca, Aug 31, 2007, trustedCertEntry,
Certificate fingerprint (MD5): A3:AC:32:B3:8B:75:96:D9:48:16:
myprivateroot, May 19, 2009, trustedCertEntry
Troubleshooting :
Problem :
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:861)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:82)
at org.springframework.ws.transport.AbstractSenderConnection$RequestTransportOutputStream.createOutputStream(AbstractSenderConnection.java:101)
at org.springframework.ws.transport.TransportOutputStream.getOutputStream(TransportOutputStream.java:41)
at org.springframework.ws.transport.TransportOutputStream.write(TransportOutputStream.java:60)
at com.sun.xml.messaging.saaj.soap.MessageImpl.writeTo(MessageImpl.java:1221)
at org.springframework.ws.soap.saaj.Saaj13Implementation.writeTo(Saaj13Implementation.java:288)
at org.springframework.ws.soap.saaj.SaajSoapMessage.writeTo(SaajSoapMessage.java:119)
at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:42)
at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:549)
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:512)
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:465)
... 23 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 45 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 50 more
javax.net.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at sun.net.www.protocol.https.
at sun.net.www.protocol.https.
at sun.net.www.protocol.http.
at sun.net.www.protocol.https.
at org.springframework.ws.
at org.springframework.ws.
at org.springframework.ws.
at org.springframework.ws.
at com.sun.xml.messaging.saaj.
at org.springframework.ws.soap.
at org.springframework.ws.soap.
at org.springframework.ws.
at org.springframework.ws.client.
at org.springframework.ws.client.
at org.springframework.ws.client.
... 23 more
Caused by: sun.security.validator.
at sun.security.validator.
at sun.security.validator.
at sun.security.validator.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
at com.sun.net.ssl.internal.ssl.
... 45 more
Caused by: sun.security.provider.
at sun.security.provider.
at java.security.cert.
at sun.security.validator.
... 50 more
Possible solutions :
Set the system property to appropriate keystore : System.setProperty("javax.net.
If this is already set, the certificate might not exist in the store. Use keytool list to check the same.
Problem :
Caused by: java.io.IOException: HTTPS hostname wrong: should be <nc-sils-f5c-ict01-1wlg-weblogic-sit.test.wachovia.net >
Caused by: java.io.IOException: HTTPS hostname wrong: should be <nc-sils-f5c-ict01-1wlg-
at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:490)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:861)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:82)
at org.springframework.ws.transport.AbstractSenderConnection$RequestTransportOutputStream.createOutputStream(AbstractSenderConnection.java:101)
at org.springframework.ws.transport.TransportOutputStream.getOutputStream(TransportOutputStream.java:41)
at org.springframework.ws.transport.TransportOutputStream.write(TransportOutputStream.java:60)
at com.sun.xml.messaging.saaj.soap.MessageImpl.writeTo(MessageImpl.java:1221)
at org.springframework.ws.soap.saaj.Saaj13Implementation.writeTo(Saaj13Implementation.java:288)
at org.springframework.ws.soap.saaj.SaajSoapMessage.writeTo(SaajSoapMessage.java:119)
at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:42)
at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:549)
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:512)
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:465)... 25 more
Possible solutions :
The client also verifies hostname aka if the Cert Subject Distinguished Name (DN) contain a Common Name (CN) that exactly matches the hostname in the Web Service URL?
For example, a Web Service hosted at https://www.mycompany.com/services should be protected by an SSL certificate with a CN ofwww.mycompany.com .
In case of mismatch the above exception is seen. You need to have the right certificate with matching url and cn name.
There is no easy way to turn off hostname verification at the webservice client level. Programatically , it can be done as specified here : http://www.theserverside.com/discussions/thread.tss?thread_id=34538
Dips at 5:52 AM
x.509 issue
Trying to generate an x509 certificate object from a byte stream :
byte[] certBytes = (byte[]) certificatestring.
ByteArrayInputStream bin = new ByteArrayInputStream(
CertificateFactory cf = CertificateFactory.
X509Certificate certificate = (X509Certificate) cf.generateCertificate(bin);
It was giving me following exception :
java.security.cert.CertificateParsingException: invalid DER-encoded certificate data
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1680)
at sun.security.x509.X509CertImpl.(X509CertImpl.java:303)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:104)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:271)
at sun.security.x509.
at sun.security.provider.
at java.security.cert.
The same certificate if I loaded from a saved .cer file, was working perfectly fine. It seemed like it was an issue with different kind of input streams. I checked for source code (thank heavens for open source !) at http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/provider/X509Factory.java.htm and it seemed that there are 2 types of encoding it expects :
Base64 - if the inputstream starts with "-----BEGIN"
DER - if does not starts with above.
The bytestream which I had read from ldap needed to be appended with "-----BEGIN CERTIFICATE-----\n" and at the end with "\n-----END CERTIFICATE-----"
The certstring looked something like (valid one):
-----BEGIN CERTIFICATE-----
MIICYDCCAgqgAwIBAgIQBuJwHCWs3BMk7g16aheAGDANBgkqhkiG9w0BAQQFADBP
MSIwIAYDVQQKExlGaXJzdCBVbmlvbiBOYXRpb25hbCBCYW5rMSkwJwYDVQQLEyBD
b21tZXJjaWFsIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw05OTA5MTIwMDAwMDBa
Fw0wMDA5MTEyMzU5NTlaMIGZMSIwIAYDVQQKFBlGaXJzdCBVbmlvbiBOYXRpb25h
bCBCYW5rMSkwJwYDVQQLFCBDb21tZXJjaWFsIENlcnRpZmljYXRlIEF1dGhvcml0
eTEYMBYGA1UECxMPVVNFUklEIC0gd2xmYWRtMRYwFAYDVQQDEw13bGZhZG0gd2xm
YWRtMRYwFAYJKoZIhvcNAQkBFgdpQGkubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDC8Y/pbxTPmCd+eEyXWtMnlBhXwGbTyc41VQd3g74jn31AvFFJ3f9P
0ZFw+rN2+IP2nUhn2EfyzskY7P7VsohKRCXxoovMSeIdXib3414S6jfhRXCMbUdA
PNQi5TyByfSKaf/VBwypufU52ERq/pBzpm2ktREii7btmt+8I109wwIDAQABozMw
MTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDARBgpghkgBhvhFAQYJBAMB
Af8wDQYJKoZIhvcNAQEEBQADQQCjF+Vy7JHEIVAasDnw62j3hi6FhgDRVOgaEEbb
BoaGVCSAAibNX4V02b+LOfDYXaJVpipFEiYiX5QE+Eht0i/s
-----END CERTIFICATE-----
MIICYDCCAgqgAwIBAgIQBuJwHCWs3B
MSIwIAYDVQQKExlGaXJzdCBVbmlvbi
b21tZXJjaWFsIENlcnRpZmljYXRlIE
Fw0wMDA5MTEyMzU5NTlaMIGZMSIwIA
bCBCYW5rMSkwJwYDVQQLFCBDb21tZX
eTEYMBYGA1UECxMPVVNFUklEIC0gd2
YWRtMRYwFAYJKoZIhvcNAQkBFgdpQG
ADCBiQKBgQDC8Y/pbxTPmCd+
0ZFw+rN2+
PNQi5TyByfSKaf/VBwypufU52ERq/
MTAJBgNVHRMEAjAAMBEGCWCGSAGG+
Af8wDQYJKoZIhvcNAQEEBQADQQCjF+
BoaGVCSAAibNX4V02b+
-----END CERTIFICATE-----
This should create that x509 object for you in a ziffy !
Dips at 5:51 AM
Monday, December 5
Is it possible
to get so turned on by a well formed EAR !!I mean Enterprise Archive file :-)
I dont know why..but I really started drooling on seeing the topology view for the Websphere commerce instance..it is saxylicious !
Am I a nerd..or am I a nerd !
Dips at 9:52 PM
Saturday, November 12
Learning lessons...
Learnt - How to upload a local file from your client machine to your server machine - use input type="file" - gives you a streaming file data in say your request object..Looking for - way to detemine/manipulate IE browser advanced settings through javascript..
Dips at 7:50 PM
Friday, August 5
Drooling over..
Rules Engine.. Drools...JSR 94...RETE... more to come....Dips at 3:01 PM
Friday, July 29
Essential for a J2EE Programmer
check this outhttp://www-128.ibm.com/developerworks/java/library/j-javares.html?ca=drs-#author
Dips at 4:30 PM
Friday, July 22
Annotate-tate-tate
Annotation - extra information associated with a particular point in a documentAs of Java release 5.0(Tiger) , the platform has a general purpose annotation (also known as metadata) facility that permits you to define and use your own annotation types. The facility consists of a
>> syntax for declaring annotation types - declare an annotation type by preceding @ to normal interface declaration
>> syntax for annotating declarations - annotation is a special kind of modifier and so can be used anywhere that a modifier is used.
It generally preceds any declaration (class, method, variable, parameter etc) and consists of the @ tag + annotation name + element , value in ()
>> APIs for reading annotations - Class, Method api has annotation information which can be read with help of reflection.
>> a class file representation for annotations - generate support documents based on annotations
>> and an annotation processing tool.
Annotations do not directly affect program semantics, but they do affect the way programs are treated by tools and libraries, which can in turn affect the semantics of the running program. Annotations can be read from source files, class files, or reflectively at run time.
Annotation types :
>> Marker Annotation : An annotation type with no elements :
Definition :
@Retention(RetentionPolicy.RUNTIME)
@interface Test { }
Declaration :
@Test public class TimeTravel { ... }
>> Single member annotation :
Definition :
@Retention(RetentionPolicy.RUNTIME)
@interface Copyright {
int value(); // this variable name must be value
}
Declaration :
@Copyright("My Copyright")public class MyClass{...}
>> Custom annotation :
Definition :
@Retention(RetentionPolicy.RUNTIME)
@interface RequestForEnhancement {
int id();
String synopsis();
String engineer() default "[unassigned]";
String date(); default "[unimplemented]";
}
Declaration :
@RequestForEnhancement(id = 2868724,synopsis = "Manage Entitlements", engineer = "Mr. X", date = "4/1/3007" )
public static void manage() { ... }
Note that the annotation type declaration is itself annotated. Such annotations are called meta-annotations. The first (@Retention(RetentionPolicy.RUNTIME)) indicates that annotations with this type are to be retained by the VM so they can be read reflectively at run-time. The second (@Target(ElementType.METHOD)) indicates that this annotation type can be used to annotate only method declarations.
The defined annotations can be read, processed through the api (for simple processing) or by APT.
Possible usages for annotations :
>> Generate config files from annotated data in the code , so as to keep data at one place and avoid maitainence hassles.
>> Generate XML representation of data objects
>> Generate automatic boilerplate code using annotations.
Boilerplate - In information technology, a boilerplate is a unit of writing that can be reused over and over without change.
By extension, the idea is sometimes applied to reusable programming as in "boilerplate code." .. like a text template.
Useful Links :
http://java.sun.com/j2se/1.5.0/docs/guide/language/annotations.html
http://www.java2s.com/ExampleCode/Language-Basics/Annotation.htm
http://www.javaspecialists.co.za/archive/Issue097.html
http://javaboutique.internet.com/tutorials/annotation/index-2.html
Dips at 3:30 PM