1 Reply Latest reply on Aug 31, 2005 3:47 AM by Taner dursun

    Switching keystores

    Vaughn T. Combs Newbie

      I am trying to interract with an external UDDI server for discovery (with its own keystore) and then, subsequently, with the JBoss server (using its keystore). The interraction with the UDDI server comes off without a hitch. When I try creating and using an InitialContext (using the second JBoss keystore) is where the problem comes in. Simply changing the "javax.net.ssl.trustStore" property back and forth does not help.

      Finally I tried this route:

      private SSLContext getSSLContext(String keyStoreName, String password) throws Exception
      {
      InputStream in = new FileInputStream(keyStoreName);
      char[] passwordChars = password.toCharArray();
      KeyStore ks = KeyStore.getInstance("JKS");
      ks.load(in, passwordChars);
      KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
      kmf.init(ks, passwordChars);
      SSLContext context = SSLContext.getInstance("TLS");
      context.init(kmf.getKeyManagers(), null, null);
      Arrays.fill(passwordChars, (char)'x');
      return context;
      }

      and added this:


      sslContext = this.getSSLContext(myProp, "mycrypticpassword");
      ...

      to my context settings:

      contextSettings.put(Context.SECURITY_CREDENTIALS, sslContext);
      ...

      initial = new InitialContext(contextSettings);

      I read that this would then cause the truststore specified for the ssl context to be used when I interracted with the server.

      This did not work.

      I printed out the verbose SSL logging and the frustrating part is that all seems well:

      Keystore type: JKS Keystore size: 1 Keystore provider: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
      Alias: tomcat
      Cert type: X.509
      adding as trusted cert:
      Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US
      Issuer: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US
      Algorithm: RSA; Serial number: 0x3eb01348
      Valid from Wed Apr 30 14:17:44 EDT 2003 until Thu Jun 23 10:57:12 EDT 2044

      NUM TRUST MANAGERS: 1
      trigger seeding of SecureRandom
      done seeding SecureRandom
      SSLContext: Protocol: TLS Protocol: TLS Provider Info: Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)



      %% No cached client session
      *** ClientHello, TLSv1
      RandomCookie: GMT: 1103215747 bytes = { 216, 101, 177, 237, 63, 248, 63, 18, 173, 3, 20, 150, 223, 12, 76, 27, 114, 118, 226, 131, 8, 12, 162, 170, 126, 214, 190, 35 }
      Session ID: {}
      Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
      Compression Methods: { 0 }
      ***
      main, WRITE: TLSv1 Handshake, length = 73
      main, WRITE: SSLv2 client hello message, length = 98
      main, READ: TLSv1 Handshake, length = 769
      *** ServerHello, TLSv1
      RandomCookie: GMT: 1103215747 bytes = { 242, 209, 236, 103, 8, 124, 51, 48, 247, 70, 162, 215, 101, 49, 191, 107, 61, 85, 61, 35, 83, 34, 41, 100, 21, 252, 112, 9 }
      Session ID: {66, 194, 189, 131, 216, 45, 94, 131, 31, 112, 29, 145, 89, 252, 233, 34, 55, 191, 86, 206, 129, 38, 10, 145, 212, 18, 132, 193, 5, 106, 121, 158}
      Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
      Compression Method: 0
      ***
      %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
      ** SSL_RSA_WITH_RC4_128_MD5
      *** Certificate chain
      chain [0] = [
      [
      Version: V1
      Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

      Key: SunJSSE RSA public key:
      public exponent:
      010001
      modulus:
      ... 061
      Validity: [From: Wed Apr 30 14:17:44 EDT 2003,
      To: Thu Jun 23 10:57:12 EDT 2044]
      Issuer: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US
      SerialNumber: [ 3eb01348]

      ]
      Algorithm: [MD5withRSA]
      Signature:
      ... .h

      ]
      ***


      UNTIL:

      main, SEND TLSv1 ALERT: fatal, description = certificate_unknown


      When I use the server keystore that we created for our JBoss server to interract with native JUDDI and to interract with our sessions all is well AND the SSL logging is identical other than RandomCookie and SessionID:


      %% No cached client session
      *** ClientHello, TLSv1
      RandomCookie: GMT: 1103208181 bytes = { 112, 147, 246, 112, 216, 61, 15, 64, 204, 84, 246, 7, 194, 171, 46, 211, 114, 209, 75, 3, 64, 154, 195, 176, 53, 100, 85, 209 }
      Session ID: {}
      Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
      Compression Methods: { 0 }
      ***
      main, WRITE: TLSv1 Handshake, length = 73
      main, WRITE: SSLv2 client hello message, length = 98
      main, READ: TLSv1 Handshake, length = 769
      *** ServerHello, TLSv1
      RandomCookie: GMT: 1103208181 bytes = { 113, 249, 157, 217, 154, 121, 144, 35, 243, 195, 93, 80, 221, 4, 101, 94, 120, 104, 250, 250, 52, 248, 138, 10, 252, 147, 192, 222 }
      Session ID: {66, 194, 159, 245, 33, 16, 83, 46, 222, 109, 149, 222, 143, 139, 8, 210, 7, 245, 21, 211, 62, 89, 46, 102, 63, 60, 135, 136, 27, 193, 48, 196}
      Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
      Compression Method: 0
      ***
      %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
      ** SSL_RSA_WITH_RC4_128_MD5
      *** Certificate chain
      chain [0] = [
      [
      Version: V1
      Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

      Key: SunJSSE RSA public key:
      public exponent:
      010001
      modulus:
      ... 9b7177b4 60f72061
      Validity: [From: Wed Apr 30 14:17:44 EDT 2003,
      To: Thu Jun 23 10:57:12 EDT 2044]
      Issuer: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US
      SerialNumber: [ 3eb01348]

      ]
      Algorithm: [MD5withRSA]
      Signature:
      ... A.c"8.h

      ]
      ***



      With the obvious exception that it works ;-) :

      Found trusted certificate:
      [
      [
      Version: V1
      Subject: CN=JBI Crew, OU=Generic JBI Platform SSL Key, O=Any JBI Platform, C=US
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4



      Any ideas as to what I am missing?

      Many Thanks in advance,
      Vaughn