{"id":879,"date":"2011-05-02T17:03:38","date_gmt":"2011-05-02T15:03:38","guid":{"rendered":"http:\/\/mcl.jogger.pl\/2011\/05\/02\/jce-keystore-and-untrusted-sites\/"},"modified":"2012-08-14T08:38:49","modified_gmt":"2012-08-14T07:38:49","slug":"jce-keystore-and-untrusted-sites","status":"publish","type":"post","link":"https:\/\/touk.pl\/blog\/2011\/05\/02\/jce-keystore-and-untrusted-sites\/","title":{"rendered":"JCE keystore and untrusted sites"},"content":{"rendered":"

Recently at work I was in need of connecting to a web service exposed via HTTPS. I\u2019ve been doing this from inside\u00a0Servicemix 3.3.1<\/a>, which may seem a bit inhibiting, but that was a requirement. Nevertheless I\u2019ve been trying my luck with the included\u00a0servicemix-http-2008.01<\/em>\u00a0component. I\u2019ve created a simple\u00a0Service Unit<\/a>\u00a0using that component and made connection attempt. Unfortunately I\u2019ve encountered issues with the SSL conversation negotiation. I had to dig deeper into the\u00a0servicemix-http<\/em>\u00a0code to find out these had something to do with my\u00a0JCE<\/a>\u00a0keystore. Read more to find out what happened!<\/p>\n

Ok, so I had my\u00a0xbean.xml<\/em>\u00a0for http component looking like this:<\/p>\n

\u00a0<\/p>\n

As you can see this is a proxy adapter to some outside service exposed via secured HTTP protocol. Since it\u2019s\u00a0HTTPS<\/em>\u00a0I\u2019ve specified some SSL parameters. It was sufficient in my case to just pass the keystore file and it\u2019s password.<\/p>\n

I\u2019ve created my\u00a0keystore.jks<\/em>\u00a0file in\u00a0smx_home\/conf<\/em>\u00a0with password\u00a0servicemix<\/em>\u00a0in the following manner:<\/p>\n

\u00a0<\/p>\n

You can see what\u2019s in this file with this command:<\/p>\n

\u00a0<\/p>\n

At this point I thought, that having a configured keystore and my component would suffice. Wrong! As soon as I\u2019ve tried to connect to the external service I got an exception:<\/p>\n

\u00a0<\/p>\n

Hmmm.. this looks pretty nasty, but it\u2019s not that bad. As one can read\u00a0here<\/a>, it\u2019s associated with the other site\u2019s having an untrusted (unsigned) certificate. Assuming you actually trust the other end of the communication and this situation is ok for you, you should add the servers certificate to your keystore. The previously mentioned link contained a little java class that would do just that. You can find it here (original code)\u00a0InstallCert.java<\/a>\u00a0or you can look into my slightly changed version here\u00a0at github<\/a>.<\/p>\n

You should call it as follows, assuming that file\u00a0keystore.jks<\/em>\u00a0is in the current directory:<\/p>\n

\u00a0<\/p>\n

What you\u2019ll probably see, when you execute this app is this:<\/p>\n

\u00a0<\/p>\n

Please note that there is a prompt (Enter certificate to add to trusted keystore\u2026<\/em>) in which you can enter the certificate number you wish to add to your keystore.<\/p>\n

After all those steps my request got through and I could happily query HTTPS service as long as I wanted to! Great!<\/p>\n

Possible problems<\/h2>\n

In my search for this problem\u2019s solution I\u2019ve encountered this kind of exception:<\/p>\n

\u00a0<\/p>\n

A little googling led me to this\u00a0StackOverflow<\/a>\u00a0question<\/a>.<\/p>\n

It seems that you cannot have multiple keys with different passwords in the same keystore and use\u00a0KeyManagerFactory<\/a>\u00a0class. Oh well\u2026<\/p>\n

.<\/p>\n

Ending<\/h2>\n

To sum up, the solution given works, but in my opinion using the\u00a0InstallCert.java<\/em>\u00a0app is rather dirty. I\u2019ve been wondering, do you know other ways of doing that thing?<\/p>\n","protected":false},"excerpt":{"rendered":"Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside Servicemix 3.3.1, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included ser…Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside Servicemix 3.3.1, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included ser…\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[68,185,321],"class_list":{"0":"post-879","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-development-design","7":"tag-java","8":"tag-keystore","9":"tag-security"},"_links":{"self":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/comments?post=879"}],"version-history":[{"count":4,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/879\/revisions"}],"predecessor-version":[{"id":9377,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/879\/revisions\/9377"}],"wp:attachment":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/media?parent=879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/categories?post=879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/tags?post=879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}