Override SSL handling in WS7 - JSSE/SSLContext/SSLSocketFactory - possible?
Hi there,
I'm currently trying to get SSL working with pre-shared keys, which is (as far as I know) currently not possible with SunJSSE (using JDK6). However, OpenSSL supports PSKs and I already figured out that using OpenSSL for that purpose is possible - at least with Tomcat providing a custom libtcnative linked against a specific OpenSSL version. For additional options not covered by that solution it is even possible to specify one's own SSLImplementation in Tomcat's connector configuration.
Nevertheless, I would like to use WS7 for that purpose, but I did not find any documentation on replacing the current SSL handling with a custom implementation - besides implementing my own JSSE provider.
Is it possible to override the default SSL implementation used by WS7? And if not directly, are settings in java.security regarding the default SSLSocketFactory honored, or does WS7 have its own philosophy about socket handling?
Edit: Hmm, seems like pkcs11 functions from libnss are used for that purpose. Am I right? So no way to work around that issue in Java?
Thanks in advance :)
Kind Regards,
Max
Edited by: kazcor_ol on Jun 4, 2009 4:02 AM - libnss recognized
Similar Messages
-
How to Modify Override Handler class in jsse.jar
Hi,
Is there a way to change port number in Handler class in jsse.jar and recompile the Java file, or override the class?
The Handler class seems to be using port number 443, whereas the the Webserver of PS Application is using a different port number (7004).
Any ideas.
Thanks
Jay
You're over-thinking this. The Handler class uses whatever port it is told to use by the person that constructs it. 443 is just the default.
All you have to do is put the required port number into the https URL, e.g. https://www.myhost.com:7004. -
Using the default JSSE SSL handler
I currently have a client side application that posts XML messages to various web servers using HTTPS. The client application uses the default ssl handler that comes with JSSE.
System.setProperty( "java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol" );
Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider());
Should this be a security concern, that I am using the default keystore that comes with the JVM? Is my data still being encrypted?
> Should this be a security concern, that I am using the default keystore that comes with the JVM? Is my data still being encrypted?
When you say "default keystore", I assume that you mean the "cacerts" file. If so, you're OK. "cacerts" identifies root CAs that your client is willing to trust. Web sites whose site-certs are signed by one of the root CAs in cacerts (i.e., Verisign, Thawte, et al.) will be trusted by JSSE.
SSL generates shared-keys anew for each new session. The data used to generate this "shared secret" is protected; unless the Bad Boy between you and the server has access to the SERVER's private key, that info is safe. Your data is encrypted over the wire, and only the destination web-server will be able to decrypt it.
Grant -
CSS11500 SSL handling question for multiple url/FQDNs with the same ip address
I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url. For instance, I can set up www.cats.com and www.dogs.com at the same 192.168.35.12 address in DNS, and set up two different content rules:
content cats
vip address 192.168.35.12
port 80
url "//www.cats.com/*"
add server cats1
add server cats2
active
content dogs
vip 192.168.35.12
port 80
url "//www.dogs.com/*"
add server dogs1
add server dogs2
active
Easy and straightforward.
But what if I want to add SSL handling for https://www.cats.com and https://www.dogs.com?
I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
Can this be done? Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service? Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
Thanks in advance for any insights.
Hi Tim,
Unfortunately this is not possible; you can't associate multiple certificates with a single proxy list, because the SSL handshake is done first, with no visibility of the URL being requested, so the CSS won't know which public server to use in order to perform the traffic decryption.
But there are a couple of options that you may want to look at (depending on the URL string):
If your URLs are subdomains and you hold a wildcard SSL certificate to match multiple requests, i.e. your domain being "pets.com", you can have a certificate that will match requests for dogs.pets.com or cats.pets.com because the cert will be in the form *.pets.com.
The second option is SAN (Subject Alternative Name) certificates, which give you the option to include up to 4 flavors of the domain within the same file, such as pets.com, pets.net, www.1pets.com.
I hope this helps.
Pablo -
We must use JSSE because of SHA256RSA sign algorithm.
Business Service calls a remote webservice over two way ssl. Client-cert configured, Key Provider is correctly set, PKI Provider Mapping is fine. Everything is tested with SoapUI 2way SSL and worked like a charm.
But not with IIS 6.0. Renegotation is enabled (with parameter sun.security.ssl.allowUnsafeRenegotiation) and Chunked Streaming Mode is also set.
The invocation resulted in an error: [WliSbTransports:381304]Exception in HttpOutboundMessageContext.RetrieveHttpResponseWork.run: java.lang.NullPointerException
java.lang.NullPointerException
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:101)
at weblogic.socket.JSSEFilterImpl.handleResultsCommonly(JSSEFilterImpl.java:659)
at weblogic.socket.JSSEFilterImpl.handleUnwrapResults(JSSEFilterImpl.java:550)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:456)
at weblogic.socket.JSSEFilterImpl.read(JSSEFilterImpl.java:370)
at weblogic.socket.JSSESocket$JSSEInputStream.read(JSSESocket.java:58)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
at java.io.SequenceInputStream.read(SequenceInputStream.java:149)
at java.io.SequenceInputStream.read(SequenceInputStream.java:152)
at weblogic.net.http.MessageHeader.parseHeader(MessageHeader.java:151)
at weblogic.net.http.HttpClient.parseHTTP(HttpClient.java:468)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:401)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:1005)
at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.getResponse(HttpOutboundMessageContext.java:679)
at com.bea.wli.sb.transports.http.wls.HttpOutboundMessageContextWls.access$100(HttpOutboundMessageContextWls.java:26)
at com.bea.wli.sb.transports.http.wls.HttpOutboundMessageContextWls$RetrieveHttpResponseWork.handleResponse(HttpOutboundMessageContextWls.java:96)
at weblogic.net.http.AsyncResponseHandler$MuxableSocketHTTPAsyncResponse$RunnableCallback.run(AsyncResponseHandler.java:535)
at weblogic.work.ContextWrap.run(ContextWrap.java:41)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Hi, I have the same problem but with Weblogic 12.1.1 (12c):
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:114)
at weblogic.socket.JSSEFilterImpl.handleResultsCommonly(JSSEFilterImpl.java:739)
at weblogic.socket.JSSEFilterImpl.handleUnwrapResults(JSSEFilterImpl.java:630)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:498)
at weblogic.socket.JSSEFilterImpl.read(JSSEFilterImpl.java:414)
at weblogic.socket.JSSESocket$JSSEInputStream.read(JSSESocket.java:58)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at weblogic.net.http.MessageHeader.isHTTP(MessageHeader.java:224)
at weblogic.net.http.MessageHeader.parseHeader(MessageHeader.java:148)
at weblogic.net.http.HttpClient.parseHTTP(HttpClient.java:469)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:401)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37
Is there a patch for this version?
Thanks in advance -
Override event handler for document events in LiveCycle
I would like to have an email notification when a user opens a policy-protected DRM pdf. Is there a way to override the event handler for Document Open events?
Or perhaps there is a way to access the event database - where can I find this information?
Thank you so much for your reply. I have created an external authorization and am following the steps outlined here: http://help.adobe.com/en_US/livecycle/9.0/programLC/help/index.htm?content=001479.html
I have deployed my jar and restarted JBoss. However, now when I try to create a new policy using my external authorization, I do not see an option to add it on the create new policy page. I see only sections for Users and Groups, General Settings, Advanced Settings, and Unchangeable Advanced Settings. Could you please tell me how to add the external authorization?
Also, in the component.xml file, I followed the sample and kept this line: <component-id>com.adobe.livecycle.samples.externalauthorization</component-id>
Should that be changed? If so, to what?
Thanks. -
Thunderbird trying to override ssl certificate
When I try to send a email I get a error message, "Sending of message failed.
The message could not be sent using SMTP server smtpout.secureserver.net for an unknown reason. Please verify that your SMTP server settings are correct and try again, or contact your network administrator." Then another window pops up asking to override my SSL certificate. I am using Godaddy for email hosting and they are saying it might be a security flaw within Thunderbird. It is trying to override my godaddy SSL cert with a cert with the following info.
Issued To
Common Name (CN): Server
Organization (O):Sample, Inc.
Organization Unit (OU):IT Team
Serial Number:02
Issued By
Common Name (CN):CA
Organization (O):Sample, Inc.
Organization Unit (OU):IT Team
Validity
Issued on:11/18/2010
Expires On:11/15/2020
Fingerprints
SHA1 Fingerprint:12:52:B4:38:8C:74:A2:F1:13:1F:F3:46:EF:75:CE:9A:02:E9:28:91
MD5 Fingerprint:FA:A3:01:DD:E5:5D:20:60:F7:6C:24:DA:93:14:7F:30
I don't want to override my SSL cert and every email I try to send it wants me to. Is there a virus on my computer, or am I being hacked, or am I overreacting and should just accept it?
I've been having the same problem intermittently, for maybe a few weeks. The certificate is clearly self-signed, probably being served by just one of the SMTP pool servers behind the smtpout.secureserver.net VIP (or possibly on the load-balancer itself, if it's terminating the SSL). I've uploaded a screenshot, which appears to be identical to the one described above, as well as another screenshot of a valid GoDaddy SMTP certificate.
Unfortunately, I can't get GoDaddy support to consider this possibility, as they've responded that their servers aren't misconfigured, and that it's "being caused locally by the time and date on [my] computer." Apparently my time/date configuration, which is synchronized via NTP, is somehow causing a certificate to appear from the "IT Team" at "Sample, Inc." Right.
The other possibility I might be willing to consider is a man-in-the-middle attack from malware or a malicious actor at the ISP. The fact that the OP on this thread is having the same problem, and is getting the exact same certificate, makes the ISP theory pretty unlikely. I'm also experiencing this problem from both a Mac and a Windows box, so the malware option is unlikely as well.
I will post an update if I get a resolution through GoDaddy or other means. -
How to override or handle print from managed viewer control
i've recently switched from crystal XI to crystal XI R2.. in the process of doing this we've moved from the old activeX viewer to the manager viewer in crystaldecisions.windows.forms for our windows app.
With the old ActiveX viewer you could handle the PrintButton_Click event from the viewer and then do your own print with your own settings (we force duplex printing in some scenarios, and other things).
The managed viewer doesn't appear to expose this event. I have tried subclassing the viewer and overriding the PrintReport method but this doesn't appear to be called when you click on the Print button in the viewer (if you run viewer.PrintReport from code it does).
I've also tried subclassing the reportdocument itself and overriding the PrintToPrinter (sp?) method there but with the same results as above - clicking the Print button in the viewer doesn't run my override, but if i run reportdocument.PrintToPrinter from code it does.
If i can't find a way to do this i will end up adding my own print button to the form and hiding the print button on the viewer.. not my first choice though.
Is there any other way to override the Print button from the managed viewer?
thanks
Shawn
Hi, Shawn;
The .NET winform viewer does not have the option to override the print button. The only option is to hide the print button, and have your own button for your custom code.
Best Regards,
Jonathan -
2-way SSL when WL7 is client; get "Required peer certificates not supplied by peer"
Background: WL7 is properly configured to use 2-way SSL, and works fine whenever it's acting as the Server; i.e., I have 2-way SSL working between a Web Browser and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual authentication) working between a WL7 server acting as a client and another server such as Tomcat, acting as the server, I get a "Required peer certificates not supplied by peer" error. The initial ServerHello handshake is fine; the problem arises when the Tomcat server, for example, then requests WL7 to serve up its client certificate. It's as if WL7 does not know where to locate its "client" certificate.
I had the same problem with Tomcat initially, where it would also not know how to locate its "client" certificate. I resolved the problem by setting the following system properties:
javax.net.ssl.keyStore=...
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStorePassword=...
Are there analogous system properties I need to set on the WL7 side of things, as I noticed that WL7 seems to use its own proprietary version of the JSSE APIs?
How do I configure WL7 to locate its "client" certificate?
Thanks! Your help is greatly appreciated.
-Dan
Weblogic uses the Certicom SSL implementation, which has classes that conflict with JSSE classes. As a result, opening an SSL connection from WLS over JSSE or an API like SOAPConnection that uses JSSE does not work as expected. The javax.net.ssl properties are not supported and there is no replacement for the default identity keystore property.
The best workaround I can think of in this case is to pass as the second parameter to the SOAPConnection.call() method a URL instance created with a custom URLStreamHandler extending weblogic.net.http.Handler. This handler can override the Handler.openConnection(URL) method and use the HttpsURLConnection.loadLocalIdentity method to initialize the identity of the returned connection. For example:
public class MyHandler extends weblogic.net.http.Handler {
    // client certificate chain and private key, loaded earlier from your keystore
    private final java.security.cert.Certificate[] certChain;
    private final java.security.PrivateKey privateKey;

    public MyHandler(java.security.cert.Certificate[] certChain, java.security.PrivateKey privateKey) {
        this.certChain = certChain;
        this.privateKey = privateKey;
    }

    protected URLConnection openConnection(URL u) throws IOException {
        URLConnection c = super.openConnection(u);
        if (c instanceof weblogic.net.http.HttpsURLConnection) {
            // initialize ssl identity
            ((weblogic.net.http.HttpsURLConnection) c).loadLocalIdentity(certChain, privateKey);
        }
        return c;
    }
}
URL someHTTPSUrlEndpoint = new URL("https", "localhost", 7002, "myfile", new MyHandler(certChain, privateKey));
replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
Pavel.
"ddumitru" <[email protected]> wrote:
>
Thanks, Pavel, for replying,
I've been reading and re-reading that page for quite a while now. Unfortunately, the examples given are for when WL7 is acting as the "server" and not the "client"; i.e., when some other server, such as Tomcat, WebSphere, or Oracle 9iAS, reaches out to the WL7 instance first, or when one WL7 instance talks to another WL7 instance via JNDI.
In my case, my WL7 instance needs to initiate a Web Service call; i.e., needs to reach out to another server via a SAAJ (SOAP with Attachments) API call. My sending servlet uses the SAAJ (SOAP with Attachments) API to make a Web Service call to another server, as follows:
SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
SOAPConnection con = scf.createConnection();
SOAPMessage replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
With the SAAJ API, as illustrated above, I don't see a direct way of configuring (using URLConnection, SSLContext, SSLSocketFactory, etc.) the SSL connection prior to making a call, as suggested in the link you mentioned. Also, the receiving server may implement its Web Services using a non-BEA application server that may not even use the J2EE platform. As such, I don't believe I can use the JNDI solution provided in that same link.
Again, I was able to make 2-way SSL (Mutual Authentication) connections between Tomcat and WL7 instances using the SAAJ APIs when Tomcat was the client initiating the SAAJ call. In this scenario, Tomcat requested WL7 for its certificate, WL7 served it up, and Tomcat then verified it. Then, in turn, WL7 asked Tomcat for its certificate, Tomcat presented it, and WL7 was able to verify Tomcat's certificate.
I suppose I was able to make it all work under this scenario because I was able to configure Tomcat, which is using native JSSE APIs, to locate its "client" certificate by setting the following system properties, as mentioned previously:
javax.net.ssl.keyStore=...
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStorePassword=...
Based upon your feedback, I now understand that WL7 cannot be configured in a similar manner because WL7 uses its own version of the JSSE APIs. Any ideas on what I might try next?
Thanks!
-Dan
"Pavel" <[email protected]> wrote:
The WLS SSL API does not support any system properties for SSL identity. The client's identity has to be configured via methods of the SSL API. The trust configuration of an SSL client running on a WL server and using the WLS SSL API will be the same as that of the WL server.
See http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1019570 for more information on this. "Writing Applications that Use SSL" contains code examples that use different SSL APIs to connect over two-way SSL.
Pavel.
-
Several SSL Connections in one Application
Hi, I'm trying to write an application that connects to several SSL servers. When I'm writing an application with one connection I set the system properties javax.net.ssl.keyStore and password and use SSLSocketFactory.getDefault().
But now, this doesn't work; here's my test code:
System.setProperty("javax.net.ssl.keyStore", "c:/keystore1");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
System.setProperty("javax.net.ssl.trustStore", "c:/keystore1");
System.setProperty("javax.net.ssl.trustStorePassword", "123456");
SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket("server1", 1099);
s.startHandshake();
System.out.println("Handshake1 works");
System.setProperty("javax.net.ssl.keyStore", "c:/keystore2");
System.setProperty("javax.net.ssl.keyStorePassword", "tetappl");
System.setProperty("javax.net.ssl.trustStore", "c:/keystore2");
System.setProperty("javax.net.ssl.trustStorePassword", "tetappl");
s = (SSLSocket) SSLSocketFactory.getDefault().createSocket("server2", 636);
s.startHandshake();
System.out.println("Handshake2 works");
Of course, if this worked, I wouldn't be writing here. I think I have to create one SocketFactory for each connection, but I don't know how. Please help.
Bye Michael
SSLContext.getInstance().getSocketFactory(). You'll have to make other arrangements instead of the system properties. See SSLContext.init() and work your way down from there to creating your own trust managers. See also the Javadoc Guide to Features/Security/JSSE for how to create trust managers and keystore managers.
-
Hi!
I've been experimenting with SSL and weblogic. I run the following code to retrieve an HTML page.
import java.io.*;
import java.net.*;

public class myApp {
    public static void main(String[] args) throws Exception {
        java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        // truststore holding the imported weblogic demo certificate
        System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\tdevos\\.keystore");
        URL ssl = new URL(args[0]);
        BufferedReader in = new BufferedReader(new InputStreamReader(ssl.openStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);
        in.close();
    }
}
Everything goes fine over a non-HTTPS connection. E.g. when I type in
java myApp http://localhost:7001
everything goes fine. However, when I run
java myApp https://localhost:7002
I get the following error:
Exception in thread "main" java.io.IOException: HTTPS hostname wrong: should be <localhost>, but cert says <weblogic.bea.com>
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:798)
I imported the weblogic key in the correct way (I think ...):
keytool -import -trustcacerts -keystore "C:\Documents and Settings\tdevos\.keystore" -file democert.pem
I understand that it expects weblogic.bea.com instead of localhost, but what I don't understand is that the example works when I rewrite my code to the following:
import java.io.*;
import javax.net.ssl.*;

public class myApp {
    public static void main(String[] args) throws Exception {
        System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\tdevos\\.keystore");
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 7002);
        socket.startHandshake();
        PrintWriter out = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream())));
        out.println("GET http://localhost/ HTTP/1.1");
        out.println();
        out.flush();
        if (out.checkError())
            System.out.println("SSLSocketClient: java.io.PrintWriter error");
        /* read response */
        BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);
        in.close();
        out.close();
        socket.close();
    }
}
This is also NOT the way I want to write my code, because I'm planning to do SOAP calls over the SSL, so I can't simply use the GET method.
In my opinion I should tell weblogic to use another private key than the delivered one. But how can I make a private key on my own?
Is there a way to export a private key with the standard java keytool, and how can I tell weblogic to use it? If I can get rid of the error
Exception in thread "main" java.io.IOException: HTTPS hostname wrong: should be <localhost>, but cert says <weblogic.bea.com>
then everything is fine!
Thanks in advance for replying
Tim De Vos
You can try to abuse the attached code to get your stuff to work. Note: do not try HTTPS POST with Weblogic 6 now. The key point here is the DummyHostnameVerifier. You should not use such a method in your production code.
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.*;   // pre-1.4 JSSE API: SSLContext, KeyManagerFactory, HostnameVerifier, HttpsURLConnection

public class TestHttpsURL {
    public static void main(String[] args) {
        SSLContext ctx;
        KeyStore ks;
        try {
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
            // keystore holding the client identity and the trusted server certificates;
            // path and password are taken from the usual javax.net.ssl.* properties
            char[] password = System.getProperty("javax.net.ssl.keyStorePassword").toCharArray();
            ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(System.getProperty("javax.net.ssl.keyStore")), password);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
            kmf.init(ks, password);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
            tmf.init(ks);
            ctx = SSLContext.getInstance("SSL");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            SSLSocketFactory factory = ctx.getSocketFactory();
            String msg = "USERID=user&PASSWORD=password";
            HttpsURLConnection conn = (HttpsURLConnection) (new URL("https://localhost:7002/PostTest.jsp")).openConnection();
            HttpsURLConnection.setDefaultSSLSocketFactory(factory);
            conn.setSSLSocketFactory(factory);
            // accepts any certificate name: the localhost / weblogic.bea.com mismatch is no longer checked
            conn.setHostnameVerifier(new DummyHostnameVerifier());
            conn.setDoOutput(true);
            byte[] body = msg.getBytes("8859_1");
            conn.setRequestProperty("Content-Length", String.valueOf(body.length));
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.setRequestProperty("Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel");
            conn.setRequestProperty("Accept-Language", "en-us");
            conn.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
            conn.setRequestProperty("Host", "localhost:7002");
            OutputStream out = conn.getOutputStream();
            out.write(body);
            out.flush();
            byte[] resp = new byte[1024];
            int len;
            BufferedInputStream in = new BufferedInputStream(conn.getInputStream());
            while ((len = in.read(resp)) > 0) {
                System.out.print(new String(resp, 0, len, "8859_1"));
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}

class DummyHostnameVerifier implements HostnameVerifier {
    // always returns true, which disables hostname verification entirely
    public boolean verify(String urlHostname, String certHostname) {
        return true;
    }
}
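What the DummyHostnameVerifier above throws away is exactly the check that produced Tim's "HTTPS hostname wrong" error. The class below is an added example and not code from this thread: StrictHostnameVerifier is a name chosen here, written against the javax.net.ssl API of Java 7 and later. It matches the way RFC 6125 prescribes (dNSName SAN entries first, the subject CN only when the certificate carries no dNSName, a wildcard covering exactly one left-most label, which is also the *.pets.com rule from the CSS11500 thread on this page) and logs why a peer was rejected. HttpsURLConnection's built-in verifier already performs this check, so the production fix for the error is a certificate issued for the name the client connects to (or connecting by the name in the certificate); the class shows the logic the dummy skips and gives a place to audit rejections.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Added example: a HostnameVerifier that checks the peer name instead of returning true. */
public class StrictHostnameVerifier implements HostnameVerifier {

    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            if (matchesHost(leaf, hostname)) {
                return true;
            }
            // audit trail: which names the peer presented versus what we asked for
            System.err.println("hostname mismatch: wanted " + hostname
                    + ", certificate names " + presentedNames(leaf));
            return false;
        } catch (Exception e) {
            return false; // unverified peer or unparsable names: fail closed
        }
    }

    /** True when any name the certificate presents matches host. */
    public static boolean matchesHost(X509Certificate cert, String host) throws Exception {
        for (String name : presentedNames(cert)) {
            if (matchesPattern(name, host)) {
                return true;
            }
        }
        return false;
    }

    /** dNSName SANs if present, otherwise the subject CN (legacy fallback only). */
    static List<String> presentedNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == SAN_DNS_NAME) {
                    names.add((String) san.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    names.add(rdn.getValue().toString());
                }
            }
        }
        return names;
    }

    /**
     * Case-insensitive DNS match with single-label wildcard support:
     * "*.pets.com" covers "cats.pets.com" but neither "pets.com" nor "a.cats.pets.com",
     * and a wildcard directly under a bare TLD ("*.com") is never accepted.
     */
    public static boolean matchesPattern(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        String suffix = p.substring(1);          // ".pets.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                        // "*.com"
        }
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        // constructed sample names mirroring the threads on this page
        System.out.println(matchesPattern("*.pets.com", "cats.pets.com"));
        System.out.println(matchesPattern("*.pets.com", "pets.com"));
        System.out.println(matchesPattern("*.pets.com", "a.cats.pets.com"));
        System.out.println(matchesPattern("weblogic.bea.com", "localhost"));
        // install for every HttpsURLConnection in this JVM
        HttpsURLConnection.setDefaultHostnameVerifier(new StrictHostnameVerifier());
    }
}
```

Of the four constructed checks in main() only the first succeeds; the last one is Tim's case, where the certificate says weblogic.bea.com and the client asked for localhost. For a raw SSLSocket rather than HttpsURLConnection, the same check is switched on with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") instead of a HostnameVerifier.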
"Tim De Vos" <[email protected]> wrote:
Hi!
I1ve been experimenting with SSL and weblogic. I run the following code
to
retrieve an HTML page.
public static void main(String[] args) throws Exception {
java.security.Security.addProvider(new
com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.ww
w.protocol");
System.setProperty("javax.net.ssl.trustStore","C:\\Documents and
Settings\\tdevos\\.keystore");
URL ssl = new URL(args[0]);
BufferedReader in = new BufferedReader(
new InputStreamReader(
ssl.openStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
Everything goes fine over a non HTTPS connection. E.g. when I type in
java myApp http://localhost:7001
everything goes fine. However when I run
java myApp https://localhost:7002
I get the following error:
Exception in thread "main" java.io.IOException: HTTPS hostname wrong:
should be <localhost>, but cert says <weblogic.bea.com>
at
com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120
198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120
198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120
198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([Dash
oPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStrea
m([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:798)
I imported the weblogic key in the correct way (I think ...)
keytool -import -trustcacerts -keystore "C:\Documents and
Settings\tdevos\.keystore" -file democert.pem
I understand that he expects weblogic.bea.com instead of localhost but what
I don`t understand is that the example works when I rewrite my code to the
following:
System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and
Settings\\tdevos\\.keystore");
SSLSocketFactory factory =
(SSLSocketFactory)SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket)factory.createSocket("localhost", 7002);
socket.startHandshake();
PrintWriter out = new PrintWriter(
new BufferedWriter(
new OutputStreamWriter(
socket.getOutputStream())));
out.println("GET http://localhost/ HTTP/1.1");
out.println();
out.flush();
if (out.checkError())
System.out.println("SSLSocketClient: java.io.PrintWriter error");
/* read response */
BufferedReader in = new BufferedReader(
new InputStreamReader(
socket.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
out.close();
socket.close();
This is also NOT the way I want to write my code because I'm planning to do SOAP calls over the SSL, so I can't simply use the GET method.
In my opinion I should tell weblogic to use another private key than the one in the delivered. But how can I make a private key on my own?
Is there a way to export a private key with the standard java keytool and how can I tell weblogic to use it? If I can get rid of the error
Exception in thread "main" java.io.IOException: HTTPS hostname wrong: should be <localhost>, but cert says <weblogic.bea.com>
then everything is fine!
Thanks in advance for replying
Tim De Vos -
I am trying to write a client server app and i want my calls to be encrypted via SSL.
I am using IBM JDK as my runtime is WebSphere.
//For JSSEPrvider2 use:com.ibm.net.ssl.www2.protocol
//For JSSE Provider use: com.ibm.net.ssl.internal.www.protocol
System.setProperty("java.protocol.handler.pkgs", "com.ibm.net.ssl.www2.protocol");
I notice for https we have to use the packages mentioned above.
My server talks plain tcp/ip?
What should my package names be?
If somebody can point me on how to do it in Sun JDK I can do the necessary changes for the IBM JDK.
Appreciate any assistance
Warm Regards,
Manglu
-
Please examine http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html to see how to use SSL/TLS over TCP.
-
Hi,
If I want to make an SSL connection using JSSE from within WebLogic to another JSSE based Java application on a remote machine, how would I make this work without turning WebLogic's SSL property off?
It seems that WebLogic's SSL libraries get invoked whenever SSL connections from within WebLogic occur, which throws exceptions and prevents further communications with a remote JSSE based Java application.
Anyone know if this problem is resolved in service packs of v5.1 or the latest version (6.1)? Thanks!
-
Hi Solomon,
The property to turn off the weblogic's SSL Handler is
weblogic.security.SSLHandler.enable=false
-- SunnyNani
"Solomon" <[email protected]> wrote in message
news:[email protected]..
>
Hi Sunny,
I am also facing a similar problem. I want to enable SSL and use JSSE to connect to another SSL application.
As you mentioned, how can I disable Weblogic SSL Protocol Handler? Is it by making the property "weblogic.security.ssl.enable" false or is there some other way?
If I make this property false then I cannot use weblogic on SSL!
Please advise.
Thanks,
Solomon
"Sunnynani \([email protected]\)" <[email protected]> wrote:
Yang,
By default, weblogic's SSL handler is enabled and gets invoked. In order
to
use JSSE or any third-party package, you have to disable it.
-- SunnyNani.
"Yichong Yang" <[email protected]> wrote in message
news:[email protected]..
Hi,
If I want to make an SSL connection using JSSE from within WebLogic to another JSSE based Java application on a remote machine, how would I make this work without turning WebLogic's SSL property off?
It seems that WebLogic's SSL libraries get invoked whenever SSL connections from within WebLogic occur, which throws exceptions and prevents further communications with a remote JSSE based Java application.
Anyone know if this problem is resolved in service packs of v5.1 or the latest version (6.1)? Thanks! -
SOAP SSL error when connecting in with java
Hi,
We are trying to make a simple application that makes requests to the CCM via the AXL SOAP interface to get personal address book information. When we do the request it errors out with a SSL handshake problem, I have pasted some of the exact error output below: Any help or ideas would be appreciated !!!
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
Full logs attached, I have imported the CCM cert into the Java keystore and still no luck. The only way I can get this to work by testing is to have CCM in VM and web deployed on actual physical machine and that's only for a single user dev. environment.
Rob
-
By default, the ssl certificate from the ccm is untrusted - so you get a verification error. There are two ways to work around this.. one is importing the certificate to the trusted store (google it), the other is writing your code so that it automatically accepts untrusted certs.
For the latter, you could have a method like this (which I stole from the axlsql application)
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// MyTrustManager accepts every certificate chain, so the server is never authenticated
class MyTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

public void init() throws InitializationException {
    X509TrustManager xtm = new MyTrustManager();
    TrustManager[] mytm = { xtm };
    SSLContext ctx;
    try {
        ctx = SSLContext.getInstance("SSL");
        ctx.init(null, mytm, null);
        SSLSocketFactory sf = ctx.getSocketFactory();
        // installed JVM-wide: every HttpsURLConnection in the process stops validating certs
        HttpsURLConnection.setDefaultSSLSocketFactory(sf);
        // verifier that always returns true: hostname checking is disabled JVM-wide as well
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
    } catch (NoSuchAlgorithmException ex) {
        throw new InitializationException("SSL Algorithm not found: " + ex.getMessage());
    } catch (KeyManagementException ex) {
        throw new InitializationException("Key management exception: " + ex.getMessage());
    }
}
-
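The first of the two options in the reply above (trusting the imported certificate rather than every certificate) also answers Tim's question earlier in the thread about doing SOAP POSTs over HttpsURLConnection instead of a raw GET. This is an added example, not code from the thread or from the axlsql application: it loads the keystore that keytool -import produced, makes its entries the only trust anchors, keeps JSSE's default hostname verifier, and POSTs a SOAP envelope. The class name, the password "changeit" and the URL are assumptions; the keystore path and port 7002 are the ones posted in the thread.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Assumed class name. Trusts only the certificates in one keystore and keeps JSSE's default hostname check. */
public class PinnedSoapClient {
    /** Builds an SSLContext whose trust anchors are exactly the entries of the given JKS truststore. */
    public static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // null KeyManagers: no client certificate
        return ctx;
    }

    /** POSTs a SOAP envelope; the handshake fails unless the server cert chains to the truststore and names the URL host. */
    public static String post(SSLContext ctx, String url, String envelope) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // per connection, not setDefaultSSLSocketFactory
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", "\"\"");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(envelope.getBytes("UTF-8"));
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            for (String line; (line = in.readLine()) != null; ) body.append(line).append('\n');
        }
        return body.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed values: keystore path and port 7002 come from the thread; "changeit" is keytool's default password.
        SSLContext ctx = contextFor("C:\\Documents and Settings\\tdevos\\.keystore", "changeit".toCharArray());
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"><soapenv:Body/></soapenv:Envelope>";
        System.out.println(post(ctx, "https://localhost:7002/", envelope));
    }
}
```

With Tim's certificate this still fails with the "HTTPS hostname wrong" error until the server presents a certificate whose name matches the host it is reached as, which is the check doing its job rather than something to override.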
Getting standard Java SSL implementation to work with Weblogic
JDK 1.3.1
Weblogic 7.03
I need to allow for code within my WLS application to act as a SSL client to a remote Web service.
For standalone (non-WLS) code, I am using the standard Sun provided SSL implementation libraries (using jsse.jar, jcert.jar, and jnet.jar placed in JRE_HOME/lib/ext), along with the appropriate changes to the JRE_HOME/lib/security/java.security file (security.provider.3=com.sun.net.ssl.internal.ssl.Provider) and the -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol setting on the Java command line. That works fine.
However, if I attempt to provide the -D option on my Weblogic server Java command line, it gives me an out of memory error. My thinking was that the settings for the JRE would work but they don't seem to.
My question is how does one set up Weblogic server apps. to successfully act as SSL clients in a static way via configuration files? Can this only be done dynamically?
Thanks,
Wes