We had a webservice that is recently exposed over https.
When we try to connect to it over https using JAX-WS client, it throws following exception
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.ConnectException: Connection refused: connect
Which generally means that the there is some problem over socket connection.
It throws exception when we try to call some operation of webservice using webservice client.
The http call to the webservice is working fine.
The funny thing here is that this problem only happens when we have deployed the webservice and had made our first call to access operations using https protocol.
Now as soon as we make a http call, surprisingly after that even https also starts working.
Please give some advice if some one has faced this kind of issue before.
In general your java client should have ssl certificate in trusted key store.
Use keytool for certificate management:
keytool -import -trustcacerts -keystore trastedCert -storepass traustedCertPassword -noprompt -alias trastedCert -file trastedCert.cer
Your can add trusted cert to your JVM(cacerts):
keytool -import -trustcacerts -keystore cacerts -storepass traustedCertPassword -noprompt -alias trastedCert -file trastedCert.cer
or
For jBoss app server I'm using next JAVA_OPTS params:
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=%PATH_TO_CERT%\traustedCert -Djavax.net.ssl.trustStorePassword=traustedCertPassword
Related
I'm a beginner developer. I want to write a rest service call with "apache cxf jaxrs". To do that I create a web client. The sample code is below:
WebClient client = WebClient.create(url);
ClientConfiguration configuration = WebClient.getConfig(client);
MultivaluedHashMap headersMap = new
MultivaluedHashMap();
headersMap.add("key","value");
client.type("application/x-www-form-urlencoded").headers(headersMap);
Form form = new Form();
Response response = client.post(form);
The service which I'm going to call need a one way ssl authorization, so I get the server certificate and convert it to JKS to config the ssl handshake .after creating a socket how can i . combine the web client which i created ssl socket. I don’t want to use spring frame work. Can somebody help me with a simple java sample?
Thanks
The server certificate needs to be added to java CACERTS. That way your java cxf client will 'trust' the server and allow SSL.
You can do this with java keytool as follows:
(assuming your java is at D:\Java and your cert is in a file called server.cer
"D:\Java\bin\keytool.exe" -import -alias my_server -keystore "D:\Java\jre\lib\security\cacerts" -storepass changeit -file server.cer
Trust this certificate? [no]: answer is y
Success is indicated with: "Certificate was added to keystore"
I'm implementing a RESTful API in an existing Spring Boot v2.1.4 application. The application contains a Spring MVC layer that is secured using Spring Security. There are views built using JSP. Some of the JSPs are embedded with client-side scripts that invoke AJAX calls to retrieve information. These calls will execute against the API rather than the existing MVC endpoints.
The new service endpoints are protected using OAuth2, and an authorization server has been set up within the application and activated using the #EnableAuthorizationServer annotation. To enable SSL on these endpoints, I've generated a private/public key pair using keytool.
keytool -genkeypair -alias apitest -keyalg RSA -validity 365 -keysize 2048 -keystore apitest.jks
I then execute the following command to export the self-signed certificate.
keytool -export -alias apitest -keystore apitest.jks -rfc -file apitest.cer
I've added the certificate to a truststore file for which the path to the file and the password are loaded into system properties when the application starts.
System.setProperty("javax.net.ssl.trustStore", truststorePath);
System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);
Since the MVC layer is secured by Spring Security, I attempt to retrieve the OAuth2 token from the token endpoint when the user has successfully logged into the application. The token is returned in the response as a cookie (not shown here).
ResourceOwnerPasswordAccessTokenProvider provider = new ResourceOwnerPasswordAccessTokenProvider();
ResourceOwnerPasswordResourceDetails resource = new ResourceOwnerPasswordResourceDetails();
resource.setClientAuthenticationScheme(AuthenticationScheme.none);
UriComponents uriComponents = ServletUriComponentsBuilder.fromServletMapping(request).path("/oauth/token").build();
resource.setAccessTokenUri(uriComponents.toUriString());
resource.setScope(Arrays.asList("read", "write"));
resource.setClientId(oAuth2ClientDetails.getClientId());
resource.setClientSecret(oAuth2ClientDetails.getClientSecret());
resource.setGrantType("password");
resource.setUsername(userName);
resource.setPassword(userCredentials);
OAuth2AccessToken accessToken = provider.obtainAccessToken(resource, new DefaultAccessTokenRequest());
return accessToken.getValue();
When this logic fires off the call to the token endpoint, the following error is observed.
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://localhost:8443/testapp/oauth/token": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:579) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
Since both the API endpoint and the authorization server are both running on localhost, I thought that a self-signed cert in the truststore file would be sufficient. What am I missing to finish this setup?
I suspect your problem may be related to the certs not having a parent root authority. I usually recommend the approach of creating real world self signed certificates like this, with a trust chain:
First create the Root Certification Authority
Then use that to create Server SSL Certs
ROOT AUTHORITY
For local development with OAuth I create a root authority called mycompany.ca.crt, and then add Java trust like this, plus also distribute this cert to browsers:
keytool -keystore cacerts -storepass changeit -importcert -alias mycompanyca -file ~/Desktop/mycompany.ca.crt
CREATING SSL CERTS
I then use the root certificate to create SSL certs, and no extra trust configuration is needed.
SCRIPTS
If interested, take a look at these scripts of mine, which use the openssl tool:
makeCerts.ps1 script is for Windows
makeCerts.sh script is for MacOS or Linux
Other files are created when scripts are run
You would need to edit domain names to match the ones you are using
My examples use a wildcard domain that I use for local PC development, and I also add domains to my host file. In a browser client I then see this:
Further info in my blog post though I suspect you know most of this already, based on your question.
I need to implement the 2-Way Handshaking(mutual authentication) for SOAP request
2 - Way Handshaking is (mutual authentication),
In the request we need to send the SSL certificate to authenticate by server.
(Server will authenticate with pre-shared SSL certificate).
A-party - Server
B-party - Client (Me)
We have generated SSL certificate using,
openssl req -newkey rsa:2048 -nodes -keyout B-party.key -x509 -days 1000 -out B-party.cer
To import into trustStore
keytool -import -trustcacerts -file B-party.cer -alias server -keystore B-partyr.jks
To import into trustStore
keytool -import -trustcacerts -file A-party.cer -alias server -keystore A-party.jks
1) A-party shared my Selfsigned SSL certificate(.cer) with B-party.
2) B-party shared their SSL certificate with A-party.
3) B-party imported the client Shared SSL certificate in their truststore successfully using keytool
4) A-party also Added the the certificate at their END.
Now B party generated JKS from B-party SSL certificate(.cer) using keytool.
(JKS contains Certificate and Key)
Before calling the stub(WSDL shared by A-party) we need set the System property to send the SSL cert in request,
As i know this is to send ssl cert in request (if not, correct me).
System.setProperty("javax.net.ssl.keyStore", "B-party.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
System.setProperty("javax.net.ssl.trustStore", "A-party.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "password");
System.setProperty("javax.net.debug", "ssl");
Now we called the Stub Method to perform the operation but we are receiving "handshake_failure".
Why Handshake exception raised as we know the same ssl certificate was sent in the request.
Exception
HTTPSender - Unable to sendViaPost to url[]
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Now we are sending the ssl certificate in JKS format will it acceptable by all servers , is server is cable of reading certificate from request.
Is self signed certificate is send TLS Certificate Request ?
If TLS Certificate Request is send by server, how to check whether that list has my self-signed certificate.
Is there any way to establish an HTTPS connection without importing the certificate to keyStore?
Currently , I am importing the certificate to myKeyStore
keytool -import -alias aliasOfCertifiate -file myCertificateFile.cer -keystore myKeystore
using a javax.net.ssl.HttpsURLConnection object to establish the HTTPS connection. But, as per a new requirement, my HTTPS client may need to communicate with thousands of web servers. So, I believe, importing the certificate might not be a good idea.
Any ideas?
I'm attempting an SSL connection from a ColdFusion 8 Enterprise client to a Redhat 5 Postgres server. Another party set up Postgres and sent me the certificates.
I imported root.crt into E:\JRun4\jre\lib\security\cacerts successfully and restarted the service.
The Postgres pg_hba.conf file has the client IP, and connects fine without SSL
Postgresql.conf has ssl=on
The server-side certs were created according to http://www.postgresql.org/docs/8.2/static/ssl-tcp.html and presumingly done correct.
With SSL enabled, I get org.postgresql.util.PSQLException: The connection attempt failed. which produces little helpful information from the searches I've done.
JDBC URL: jdbc:postgresql://x.x.x.x/main?ssl=true
Class: org.postgresql.Driver
What can be done to see/test if the error source is on my end or the server end?
Obvious questions to start with in troubleshooting something like this are:
Can you connect with SSL enabled using psql?
Is there anything of interest in the postgresql logs?
If that doesn't work, is there a way you can test the certificate against the root ca's signature?
If that fails, the only thing I can think of is tracing the client side and seeing exactly where in the SSL libraries it fails.
For certificate problems add &sslfactory=org.postgresql.ssl.NonValidatingFactory to your jdbc url. See https://jdbc.postgresql.org/documentation/91/ssl-client.html for more information.
I found the notes I took for solving this. Note that the drive and folder paths may be different for your setup.
Copy server.crt.der your destination server
Open a command window in your destination server and go to E:\Jrun4\jre\bin\
Type in the following command: keytool -importcert -alias postgres -keystore e:\jrun4\jre\lib\security\cacerts -file c:\location\of\server.crt -storepass changeit
It will prompt you whether you should trust this certificate; answer yes
To verify it successfully installed, type: keytool -list -alias postgres -keystore e:\jrun4\jre\lib\security\cacerts -storepass changeit. If successful you'll see a single listing return by that alias, otherwise it will say none found
After the certificate has been stored you may delete the actual certificate file from the server
Restart ColdFusion services on the client machine