Https with JSSE

Hi,
I am trying to write a simple client to connect to a https server.
I have a .crt and a .key files generated with openssl for the server.
As I understand I need to use those somehow to make a connection to the server. Otherwise I will always get "unable to find valid certification path to requested target".
How can I do that?
PS: If that's not the problem, please tell me what is then.
Thank you.

hi,
use URL("https", "www.verisign.com", 443, "", new
com.sun.net.ssl.internal.www.protocol.https.Handler()); to create url.
thanks
kiran
"Junaid" <[email protected]> wrote in message
news:3cc84396$[email protected]..
> I'm writing an Https client, running within WebLogic. Can I use Sun's JSSE implementation
> instead of WebLogic's? I set the Sun JSSE provider at position 1, as well as setting
> the protocol handler to Sun's implementation. However my client program (running
> within WebLogic) still seems to be using WebLogic's SSL (and https) implementations.
> Is there a way to NOT use WebLogic's SSL implementation?
> Thanks!

Similar Messages

  • How to use HTTPS with JSSE URLConnection in servlet

    Hi, I have a servlet that calls another servlet using the URLConnection class. This seems to work very well if I am using http. However when trying to call it using https using JSSE I get the following error:
    "javax.net.ssl.SSLHandshakeException: untrusted server cert chain."
    The following is the code that I am using in the servlet:
              java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
              System.getProperties().put("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
              this.servlet = new URL(servletURL);
              URLConnection conServlet = servlet.openConnection();
    Both of these servlets are under IIS on my machine. I am able to execute each of the servlets from the browser using https directly. Does this sound like an SSL certificate problem or is that something in the Java code? Any ideas greatly appreciated.

    Hi,
    Perhaps you can create your own trust manager. I've found this example in another newsgroup: (please note that this example trusts everyone, but you can modify the trust manager as you wish)
    if (putUrl.startsWith("https")) {
      //set up to handle SSL if necessary
      System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
      System.setProperty("javax.net.debug", "ssl,handshake,data,trustmanager");
      Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
      //use our own trust manager so we can always trust
      //the URL entered in the configuration.
      X509TrustManager tm = new MyX509TrustManager();
      KeyManager[] km = null;
      TrustManager[] tma = {tm};
      SSLContext sc = SSLContext.getInstance("ssl");
      sc.init(km, tma, new java.security.SecureRandom());
      SSLSocketFactory sf1 = sc.getSocketFactory();
      //applies to every HttpsURLConnection created afterwards
      HttpsURLConnection.setDefaultSSLSocketFactory(sf1);
    }
    m_url = new URL(putUrl);

    //JSSE 1.0.x (com.sun.net.ssl) trust manager interface;
    //returning true accepts any certificate chain without checking it
    class MyX509TrustManager implements X509TrustManager {
      public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
      }
      public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
      }
      public X509Certificate[] getAcceptedIssuers() {
        return null;
      }
    }
    Hope this helps,
    Kurt.

  • SSL/HTTPS with JSSE

    I'm writing an Https client, running within WebLogic. Can I use Sun's JSSE implementation
    instead of WebLogic's? I set the Sun JSSE provider at position 1, as well as setting
    the protocol handler to Sun's implementation. However my client program (running
    within WebLogic) still seems to be using WebLogic's SSL (and https) implementations.
    Is there a way to NOT use WebLogic's SSL implementation?
    Thanks!

    hi,
    use URL("https", "www.verisign.com", 443, "", new
    com.sun.net.ssl.internal.www.protocol.https.Handler()); to create url.
    thanks
    kiran
    "Junaid" <[email protected]> wrote in message
    news:3cc84396$[email protected]..
    > I'm writing an Https client, running within WebLogic. Can I use Sun's JSSE implementation
    > instead of WebLogic's? I set the Sun JSSE provider at position 1, as well as setting
    > the protocol handler to Sun's implementation. However my client program (running
    > within WebLogic) still seems to be using WebLogic's SSL (and https) implementations.
    > Is there a way to NOT use WebLogic's SSL implementation?
    > Thanks!

  • Connecting to https with jdk1.5 throwing InvalidAlgorithmParameterException

    Hi,
    My current system has jdk1.3, weblogic7.1 and axis1.1.
    I have a simple class in java which I use to connect to https://*.jsp.
    Here is the sample code.
    System.setProperty("javax.net.ssl.trustStore", "/usr/local/client.keystore");
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    System.setProperty("java.security.egd", "file:/dev/urandom");
    URL url = new URL("https://xyz.com/index.jsp");
    InputStreamReader isr = new InputStreamReader(url.openStream());
    // copy the response to stdout
    char[] buf = new char[1024];
    int nread;
    while ((nread = isr.read(buf, 0, buf.length)) > 0)
      System.out.print(new String(buf, 0, nread));
    System.out.flush();
    This code works well in jdk1.3 with jsse.jar, jnet.jar, jcert.jar in the classpath and a keystore which has a trusted entry for https://xyz.com/
    I use the first 4 lines of the code in an Axis Client to transfer SOAP msgs in https protocol.
    Now I am migrating to JDK1.5, WebLogic9.1 and Axis1.3.
    I have the same keystore. I do not have jsse.jar, jnet.jar, jcert.jar because jdk1.5 has JSSE.
    This same set of code is giving exception in JDK1.5.
    Any Solution?
    Thanks
    Senthil
    Here is the exception from the stack trace
    Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1426)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at java.net.URL.openStream(URL.java:1007)
    at axistest.URLReader.main(URLReader.java:24)
    Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:56)
    at sun.security.validator.Validator.getInstance(Validator.java:146)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:105)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:167)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)

    I have the same problem.
    I do a System.setProperty("javax.net.ssl.trustStore", <path_filetruststore>)
    and I have the same error.
    Can you tell me if you resolve this problem? How?
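
The `trustAnchors parameter must be non-empty` error in the trace above is raised when PKIX validation is set up with no trust anchors, which happens when the configured trust store cannot be read or contains no entries. An added example (not from the thread; the class name is hypothetical, the three system properties are the standard JSSE ones) that runs those checks on the file named by `javax.net.ssl.trustStore`:

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example: class name is hypothetical.
public class TrustStoreCheck {

    // Load the keystore file and return how many entries it holds,
    // printing each alias with its entry kind.
    static int inspect(String path, String type, char[] password) throws Exception {
        File f = new File(path);
        if (!f.isFile() || !f.canRead()) {
            throw new IllegalStateException("not a readable file: " + f.getAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(f)) {
            ks.load(in, password); // a wrong store type or password fails here
        }
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isCertificateEntry(alias) ? "trusted certificate"
                        : ks.isKeyEntry(alias) ? "key entry" : "other";
            System.out.println(alias + ": " + kind);
        }
        return ks.size();
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            System.err.println("javax.net.ssl.trustStore is not set");
            System.exit(2);
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType",
                KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        int entries = inspect(path, type, pw == null ? null : pw.toCharArray());
        if (entries == 0) {
            System.err.println("trust store is empty: PKIX has no trust anchors");
            System.exit(1);
        }
        System.out.println(entries + " entries in " + path);
    }
}
```

Run it with the same setting the failing client uses, for example `java -Djavax.net.ssl.trustStore=/usr/local/client.keystore TrustStoreCheck`, under the JDK that shows the error.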

  • How to use HTTPS with sender SOAP Adapter

    Hi,
    I am implementing a synchronous SOAP- proxy scenario and on the sender communication channel I have to use the Http Security Level as "HTTPS with client Authentication".
    Where from I get the certificates to be used in sender Agreement.
    Please give me a step by step approach to achieve this.
    Regards,
    Nitin

    Nitin,
    Kindly go through the below links ...
    http://help.sap.com/saphelp_nw04/helpdata/en/1f/7e2441509fa831e10000000a1550b0/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    Also, make a search on the SDN as this question has been answered many a times on the forum.
    Regards,
    Neetesh

  • Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

    Hello All,
    We are currently building up a HTTPS message exchange with an external client.
    Our PI 7.1 received over HTTPS messages on an already configured Sender SOAP Adapter.
    The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
    Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
    Now we have to configure the additional Client Authentication.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    But what are the next steps to get this scenario successfully in place?
    Many thanks in advance!
    Jochen

    Hi Colleagues,
    following Steps still have to be done:
    - Mapping public key to technical user at Java Stack
      As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for respective technical user the public key certificate
    - Be sure CA root certificate at Database under STRUSTSSO2
    - Import intermediate Certificate under Certificate List at Trust Manager for the Respective Server Note
    - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
    Many thanks to all for support!
    Regards,
    Jochen

  • HTTPS with Client Authentication not available in EHP1?

    Hi Guys,
    I am not seeing this option in PI 7.1 EHP1.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    any help would be appreciated
    Thanks,
    Srini

    Hi Srinivas,
    I did not use it personally. But when I see on SAP help I don't see that option anywhere. Please see this sap help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
    But you have an option sender agreement for security. Please see this help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
    Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
    Regards,
    ---Satish

  • Error in scenario "FILE to HTTP(with SSL)" - HTTP client code 110 reason.

    Hi friends,
    Our scenario is as follows:
    We are trying to send XML file from our SAP-XI to external tool "COMMunix XC" (a multi-protocol EDI platform tool).
    We have configured " FILE TO HTTP(with SSL)" scenario (trying to connect HTTPS/port)
    1. We have created RFC destination of type G and refered the same RFC in Communication channel (Adapter type: HTTP)
    2. We have sent the SSL Server certificate to other party and ensure that they have imported at their end.
    3. We have included the certificates from other party in our SAP XI STRUST under SSL Client (Standard) node.
    4. We have tried " CONNECTION TEST " in the RFC destination created in type G (in STEP 1) and it shows the GREEN TICK at bottom, no other message nor any error message
    When we trigger the communication we receive the error: HTTP client code 110 reason in SXMB_MONI.
    Please let us know if we have missed out some step.
    What does error message indicate?
    Regards,
    Rehan

    Hi Rehan,
    I see that the PROCTIMEOUT was already at a very high value.
    Does this occur for messages of a particularly large size?  If yes, you could increase the parameter
       icm/HTTP/max_request_size_KB = 2097152
    This would need to be done in the sender/receiver system as well as XI.
    Otherwise you could try reproducing the issue and checking the dev_icm log in the work directory, or go to SMICM -> Goto -> Display trace file
    check for errors like NIECONN_REFUSED or "no service for protocol HTTPS" which can often be related to this type of issue.
    Kind regards,
    Sarah

  • HTTPS with Client Authentication in SOAP sender Adapter

    Hi All,
    In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XI webservice.
    But when I tried with “HTTPS with Client Authentication” option it's giving error
    “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
    Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
    Regards

    Rohan,
    With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
    You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
    So the answer to your question is yes, after importing the certificate with sender and third party receiver a test would reveal the complete scenario along with any issues that you could encounter.
    Regards
    Ravi Raman

  • HTTPS with null cipher

    Hi,
    I have two OSB's communicating over SSL.
    How do I configure Weblogic to use a particular cipher during communication.
    I want the communication to use TLS_RSA_WITH_NULL_SHA, or any null cipher, so that
    the content can be scanned as it passed through a firewall.

    Hi Rana da,
    If you want to use Https, make sure Https service must be activated in the system. Check Tcode: SMICM for HTTPS status.
    Have a look at below link
    Sender SOAP Adapter: HTTPS with Client Authentication

  • Https with SCEP?

    Has anyone been able to get https to work with SCEP?
    Right now I'm just trying to authenticate a trustpoint and it does work if I use http as my enrollment URL but as soon as I change it https I get the following: Unable to locate cert record by issuername in my debug.
    The router is communicating with the server (over https) because I can see it reading the subject of the certificates in the chain but it keeps erroring out, I get: Cert record not found, returning E_NOT_FOUND for each certificate in the chain until ultimately it dies and gives the Unable to locate cert record by issuername.
    Thanks!!


  • Https with client authentication handshake_failure

    Hi everyone. I hope anyone could help me. I have a client class 1 certificate from verisign (digital id) which is needed for https service request. I have installed it on Internet Explorer and it works fine:
    1) Internet Explorer asks me to trust in https server certificate.
    2) I accept the server certificate
    3) Internet Explorer asks me to select which client certificate to send to server.
    4) I select my verisign client certificate
    5) Https server returns an xml with the response of the service.
    Now I have to implement this behaviour in Java. I have exported the client certificate to a .pfx file from Internet Explorer. Now I use this file directly as my key store. Then I used Internet Explorer to export server certificate as a .cer file and imported it into cacerts. The fact is that no matter what kind of transformation on the client certificate nor what validations I disable: I always get "Received fatal alert: handshake_failure" exception when trying to do in.readLine() (where in comes from BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));).
    I couldn't guess that connecting to a https server with client certificate was so difficult. I have read lots of examples and documentation, that always drive me to implement the same code.
    Sincerely, I don't use to ask in forums when having the first problems, but this time I'm really frustrated.
    Thanks in advance for any answer.


  • HTTPS With Client Authentication

    Hi,
    I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
    java.security.AccessControlException: client certificate required
    In the the transaction scim the following can be seen:
    [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
    [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
    [Thr 5061]     out: sssl_hdl = 1117534b0
    [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]      in: sssl_hdl = 1117534b0
    [Thr 5061]      in: cred_hdl = 116cfc110
    [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
    [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
    [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
    [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]          status = "resumed SSL session, NO client cert"
    The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
    Sender Communication Channel, 
    Transport Protocol: HTTP,
    Message Protocol: Soap 1.1,
    Adapter Engine: Central Adapter Engine,
    HTTPS with Client Authentication,
    Keep Headers
    Any ideas?
    Kind regards,
    John

    Hi Peter,
    If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
    It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
    All the best,
    John

  • HTTPS with client auth

    Hello, I am working on a scenario to implement Client Authentication with HTTPS, I got to a blog where it's mentioned of steps of implementing HTTPS with Client auth on XI system, in order to test it I would also require a webservice client that works for this purpose. I got to SAP Soap client, but what's the way to generate the certificate request so that I can send it to CA and get it signed, any ideas please?

    Hi together,
    I have the same problem. Is anybody out there who could give us some hints?
    many thanks
    alex schramm

  • HTTPS with load balancing

    Hi guys,
    We have a portal system with instance 08, so we typically connect to the portal using port 50800 for HTTP, and 50801 for HTTPS.
    We have just created a second server node for this portal (in the config tool).
    When we connect to 50800, does this automatically load balance the user to the better server? From some reading on these forums, it seemed to indicate that load balancing will only occur if I connect using port 8109. (where 09 is the instance number for the SCS of our portal)
    When connecting to port 8109, we are redirected to port 50800, as I'd expect.
    Question 1 - do we need to use 8109 for load balancing, or can we still use 50800?
    Question 2 - If we need to use 8109, which is a HTTP port, how can we achieve load balancing with HTTPS. Is there a different port we need to use to have HTTPS with load balancing?
    Question 3 - Is the creation of a second server node the best way to accommodate additional users and load on the portal system, or is there a better way to do things?
    Thanks,
    Michael.

    Better late than never.
    The load balancing you describe through the message server has its limitation. It redirects you to one of the dialog server hosts which means that any bookmarks will always point directly to a dialog server which may be down at that moment.
    Access directly to a dialog server on port 50800 will sort of load balance on the java server instances that are on that server but not on other servers.
    The general recommendation is to setup an external loadbalancer and SAP Web dispatcher is a good match if the load is not very high. SAP webdispatcher will then bind up the cluster address and act as a proxy towards the dialog servers of the portal. The user will therefore only see one address. This will also work for HTTPS.
    Regards
    Dagfinn
