{"id":879,"date":"2011-05-02T17:03:38","date_gmt":"2011-05-02T15:03:38","guid":{"rendered":"http:\/\/mcl.jogger.pl\/2011\/05\/02\/jce-keystore-and-untrusted-sites\/"},"modified":"2012-08-14T08:38:49","modified_gmt":"2012-08-14T07:38:49","slug":"jce-keystore-and-untrusted-sites","status":"publish","type":"post","link":"https:\/\/touk.pl\/blog\/2011\/05\/02\/jce-keystore-and-untrusted-sites\/","title":{"rendered":"JCE keystore and untrusted sites"},"content":{"rendered":"

Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside\u00a0Servicemix 3.3.1<\/a>, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included\u00a0servicemix-http-2008.01<\/em>\u00a0component. I’ve created a simple\u00a0Service Unit<\/a>\u00a0using that component and made connection attempt. Unfortunately I’ve encountered issues with the SSL conversation negotiation. I had to dig deeper into the\u00a0servicemix-http<\/em>\u00a0code to find out these had something to do with my\u00a0JCE<\/a>\u00a0keystore. Read more to find out what happened!<\/p>\n

Ok, so I had my\u00a0xbean.xml<\/em>\u00a0for http component looking like this:<\/p>\n

 <\/p>\n

As you can see this is a proxy adapter to some outside service exposed via secured HTTP protocol. Since it’s\u00a0HTTPS<\/em>\u00a0I’ve specified some SSL parameters. It was sufficient in my case to just pass the keystore file and it’s password.<\/p>\n

I’ve created my\u00a0keystore.jks<\/em>\u00a0file in\u00a0smx_home\/conf<\/em>\u00a0with password\u00a0servicemix<\/em>\u00a0in the following manner:<\/p>\n

 <\/p>\n

You can see what’s in this file with this command:<\/p>\n

 <\/p>\n

At this point I thought, that having a configured keystore and my component would suffice. Wrong! As soon as I’ve tried to connect to the external service I got an exception:<\/p>\n

 <\/p>\n

Hmmm.. this looks pretty nasty, but it’s not that bad. As one can read\u00a0here<\/a>, it’s associated with the other site’s having an untrusted (unsigned) certificate. Assuming you actually trust the other end of the communication and this situation is ok for you, you should add the servers certificate to your keystore. The previously mentioned link contained a little java class that would do just that. You can find it here (original code)\u00a0InstallCert.java<\/a>\u00a0or you can look into my slightly changed version here\u00a0at github<\/a>.<\/p>\n

You should call it as follows, assuming that file\u00a0keystore.jks<\/em>\u00a0is in the current directory:<\/p>\n

 <\/p>\n

What you’ll probably see, when you execute this app is this:<\/p>\n

 <\/p>\n

Please note that there is a prompt (Enter certificate to add to trusted keystore…<\/em>) in which you can enter the certificate number you wish to add to your keystore.<\/p>\n

After all those steps my request got through and I could happily query HTTPS service as long as I wanted to! Great!<\/p>\n

Possible problems<\/h2>\n

In my search for this problem’s solution I’ve encountered this kind of exception:<\/p>\n

 <\/p>\n

A little googling led me to this\u00a0StackOverflow<\/a>\u00a0question<\/a>.<\/p>\n

It seems that you cannot have multiple keys with different passwords in the same keystore and use\u00a0KeyManagerFactory<\/a>\u00a0class. Oh well…<\/p>\n

.<\/p>\n

Ending<\/h2>\n

To sum up, the solution given works, but in my opinion using the\u00a0InstallCert.java<\/em>\u00a0app is rather dirty. I’ve been wondering, do you know other ways of doing that thing?<\/p>\n","protected":false},"excerpt":{"rendered":"Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside Servicemix 3.3.1, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included ser…Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside Servicemix 3.3.1, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included ser…\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[68,185,321],"class_list":{"0":"post-879","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-development-design","7":"tag-java","8":"tag-keystore","9":"tag-security"},"_links":{"self":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/comments?post=879"}],"version-history":[{"count":4,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/879\/revisions"}],"predecessor-version":[{"id":9377,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/879\/revisions\/9377"}],"wp:attachment":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/media?parent=879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/categories?post=879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/tags?post=879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}