2 Replies Latest reply on Jan 31, 2007 5:44 AM by stone_42

    HTTPS Client auth from within JBoss

      Hello,

      I need to call an https-secured web application from within JBoss. Establishing an https connection is no problem, but the web application I call requires client authentication and I did not manage to specify a certificate.
      My code is as follows:

      SSLContext context;
      KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
      KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
      char[] password = "secret".toCharArray();
      String keyStoreLocation = "META-INF/keystore";
      String trustStoreLocation = "META-INF/truststore";
      // getResourceAsStream() returns null when the resource is not on the classpath
      InputStream is = getClass().getResourceAsStream(keyStoreLocation);
      keystore.load(is, password);
      is = getClass().getResourceAsStream(trustStoreLocation);
      truststore.load(is, password); // password is already a char[]
      // key managers supply the client certificate, trust managers validate the server's chain
      KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
      kmf.init(keystore, password);
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
      tmf.init(truststore);

      context = SSLContext.getInstance("TLS");
      context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
      // installs the factory JVM-wide for all HttpsURLConnections
      HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

      HttpsURLConnection conn = (HttpsURLConnection) new URL("https://...").openConnection();
      conn.connect();
      // the certificate chain this client presented to the server (null if none was sent)
      Certificate[] clientCerts = conn.getLocalCertificates();
      [...]


      If I understand things right, the clientCerts array in my code should contain at least one element, but it is always empty.
      Can anybody help me configure the certificates correctly?

      Regards,
      Martin

        • 1. Re: HTTPS Client auth from within JBoss

          Hello again,

          I simplified my example and tried to run a scenario similar to scenario 2 from http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup, but with my own client implementation.
          My code is:

          SSLContext context;
          KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
          KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
          char[] password = "123456".toCharArray();
          String keyStoreLocation = "META-INF/client.keystore";
          String trustStoreLocation = "META-INF/client.truststore";
          // Class.getResourceAsStream() resolves a path without a leading "/" relative to
          // this class's package and returns null when nothing is found there
          InputStream is = getClass().getResourceAsStream(keyStoreLocation);
          keystore.load(is, password);
          is = getClass().getResourceAsStream(trustStoreLocation);
          truststore.load(is, password);
          KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
          kmf.init(keystore, password);
          TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
          tmf.init(truststore);

          context = SSLContext.getInstance("SSL");
          context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
          HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
          // verifier that always returns true disables hostname checking for every
          // HttpsURLConnection in the JVM; the test certificate's CN does not match the host
          HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
              public boolean verify(String arg0, SSLSession arg1) {
                  return true;
              }
          });
          URL url = new URL("https://node3058.it.de:8443");
          URLConnection uc = url.openConnection();
          uc.connect();


          I use certificates created as described on the wiki page. I run my code once from a standalone Java client and once from within an EJB running in JBoss. From the standalone client, everything runs fine; from within JBoss, I get the exception
          javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
           at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
           at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
           at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
           at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
           at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
           at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
           at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
           at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
           ... 84 more
          Caused by: sun.security.validator.ValidatorException: No trusted certificate found
           at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
           at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
           at sun.security.validator.Validator.validate(Validator.java:203)
           at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
           at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
           at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
           ... 94 more


          Can anyone tell me where the difference is between an SSL client in a standalone Java application and an SSL client running in JBoss?

          Regards,
          Martin

          • 2. Re: HTTPS Client auth from within JBoss

            Hello again,

            I found my problem, very stupid.
            My keystore and truststore files were not at the requested location in the classpath, and the KeyStore implementation accepts null as the InputStream parameter in the load() method.
            Now, everything is running fine.

            Regards,
            Martin
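The silent failure described in this thread (a missing classpath resource, `getResourceAsStream()` returning null, and `KeyStore.load(null, pw)` quietly producing an empty store) is easy to guard against. The following is an added example, not code from the thread or from JBoss: it loads both stores through the ClassLoader so that `META-INF/...` resolves from the classpath root, refuses to continue when a store is absent or has no usable entries, and installs the socket factory per connection rather than JVM-wide. The store paths, password and host are the thread's own test values and are placeholders here; the stores must exist on the classpath for `build()` to succeed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.util.Collections;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLContext for HTTPS client authentication and fails loudly on empty stores. */
public final class ClientAuthSslContext {

    private ClientAuthSslContext() {}

    /** Loads a keystore from the classpath; a missing resource is an error, not an empty store. */
    static KeyStore loadClasspathKeyStore(ClassLoader loader, String path, char[] pw)
            throws IOException, GeneralSecurityException {
        // ClassLoader.getResourceAsStream resolves from the classpath root, so
        // "META-INF/client.keystore" is looked up as an absolute entry. Class.getResourceAsStream
        // with the same string would look relative to the calling class's package.
        InputStream in = loader.getResourceAsStream(path);
        if (in == null) {
            // KeyStore.load(null, pw) would succeed and yield an EMPTY store.
            throw new IOException("keystore resource not found on classpath: " + path);
        }
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, pw);
            return ks;
        } finally {
            in.close();
        }
    }

    /** Number of private-key entries; a client-auth keystore needs at least one. */
    static int countKeyEntries(KeyStore ks) throws GeneralSecurityException {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) n++;
        }
        return n;
    }

    /** Number of trusted-certificate entries; an empty truststore rejects every server. */
    static int countTrustedCerts(KeyStore ts) throws GeneralSecurityException {
        int n = 0;
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    public static SSLContext build(ClassLoader loader, String keyStorePath, char[] keyPw,
                                   String trustStorePath, char[] trustPw)
            throws IOException, GeneralSecurityException {
        KeyStore keystore = loadClasspathKeyStore(loader, keyStorePath, keyPw);
        if (countKeyEntries(keystore) == 0) {
            throw new GeneralSecurityException("no private key entry in " + keyStorePath
                    + "; no client certificate could be presented");
        }
        KeyStore truststore = loadClasspathKeyStore(loader, trustStorePath, trustPw);
        if (countTrustedCerts(truststore) == 0) {
            throw new GeneralSecurityException("no trusted certificate in " + trustStorePath
                    + "; every server chain would fail with 'No trusted certificate found'");
        }
        // Default algorithms (PKIX trust manager) rather than the vendor-specific "SunX509" name.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The pitfall itself: load(null, pw) does not throw, it just leaves the store empty.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, "123456".toCharArray());
        System.out.println("entries after load(null, pw): " + empty.size()); // 0

        // Placeholder paths/password/host taken from the thread; adjust to the real deployment.
        SSLContext ctx = build(ClientAuthSslContext.class.getClassLoader(),
                "META-INF/client.keystore", "123456".toCharArray(),
                "META-INF/client.truststore", "123456".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://node3058.it.de:8443").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per connection, not the JVM default
        conn.connect();
        Certificate[] sent = conn.getLocalCertificates(); // null if no client cert was sent
        System.out.println("client certs presented: " + (sent == null ? 0 : sent.length));
    }
}
```

Two choices differ from the thread's code on purpose: the default hostname verifier is left in place, so a certificate whose name does not match the host fails the handshake instead of being waved through, and the socket factory is set on the single connection, so other HTTPS clients in the same JBoss JVM keep their own trust configuration.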