axis-java-user mailing list archives

From Sebastian Van Sande <sebast...@vansande.org>
Subject Re: Reload keystore file
Date Fri, 30 Jan 2009 09:01:17 GMT
Nandana,

Thanks again for your reply. How can I do trust validation? Can you give me
some code example to make it more clear?

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 3:04 PM, Nandana Mihindukulasooriya <nandana.cse@gmail.com> wrote:

> I just looked at the javadocs of the AuthSSLProtocolSocketFactory and it's
> default implementation doing the correct thing.
>
> "AuthSSLProtocolSocketFactory will enable server authentication when
> supplied with KeyStore truststore file containing one or several trusted
> certificates. The client secure socket will reject the connection during the
> SSL session handshake if the target HTTPS server attempts to authenticate
> itself with a non-trusted certificate.
> AuthSSLProtocolSocketFactory will enable client authentication when
> supplied with KeyStore keystore file containing a private key/public
> certificate pair. The client secure socket will use the private key to
> authenticate itself to the target HTTPS server during the SSL session
> handshake if requested to do so by the server. The target HTTPS server will
> in its turn verify the certificate presented by the client in order to
> establish client's authenticity."
>
> What I meant by a trust validation is we should check whether the
> certificate we received was signed with a certificate which is in our trust
> chain. Else how can you be sure that you got the legitimate certificate?
> Living in the intranet may make you a little safer, but still I think it is
> better to do a trust validation.
>
> thanks,
> nandana
>
> On Thu, Jan 29, 2009 at 6:52 PM, Sebastian Van Sande <sebastian@vansande.org> wrote:
>
>> I don't think so, I iterate over the certificate chain of the trustManager
>> and put each certificate in the keystore.
>>
>> How do I do a trust validation? And why should I need it? This is an
>> intranet application and the service url (which also provides the
>> certificates) basically stays the same.
>>
>> Kind regards,
>> Sebastian
>> coul
>>
>>
>> On Thu, Jan 29, 2009 at 2:16 PM, Nandana Mihindukulasooriya <nandana.cse@gmail.com> wrote:
>>
>>> Great. BTW, do you do a trust validation on the received certificate ?
>>>
>>> thanks,
>>> nandana
>>>
>>>
>>> On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande <sebastian@vansande.org> wrote:
>>>
>>>> Thanks a lot, Nandana, injecting a custom socket factory to axis2 did
>>>> the job!
>>>>
>>>> This is what I did:
>>>> - I created a custom socket factory, based on the one you can find at
>>>> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
>>>> - I added a method in this custom socket factory to reset the
>>>> sslContext. This will result in reloading the keystore.
>>>>
>>>> The whole flow works now as following when a certificate should get
>>>> renewed in the keystore:
>>>> - The application calls a method which will call a method on a stub
>>>> - The stub method throws an exception which is caught ...
>>>> - In this catch block I try to do an SSL handshake with the keystore.
>>>> - If the SSL handshake fails, I start an update method on a keystore
>>>> manager ..
>>>> - this update method will extract all the certificates from the service
>>>> and put them in the keystore file
>>>> - then, it will re-init the sslcontext in the custom socket factory
>>>> - the flow returns to the catch block in the original called method
>>>> which will call the method on the stub one more time with the same parameters.
>>>> If it fails again, it will throw an exception to the caller ...
>>>>
>>>> The result is that no operator action is needed to update the keystore
>>>> manually with new certificates and/or restart the application. Everything
>>>> goes automatically!
>>>>
>>>> Thanks again!
>>>>
>>>> Kind regards,
>>>> Sebastian
>>>>
>>>>
>>>> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya <nandana.cse@gmail.com> wrote:
>>>>
>>>>>
>>>>>> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>>>>>>
>>>>>
>>>>> You need to set a property in the options [1].
>>>>>
>>>>> thanks,
>>>>> nandana
>>>>>
>>>>> [1] - http://wso2.org/library/1646
>>>>>
>>>>>
>>>>>
>>>>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL
>>>>>> Socket Factory to make use of my keystore and force reloading.
>>>>>>
>>>>>> Thanks again for your help.
>>>>>>
>>>>>> Kind regards,
>>>>>> Sebastian
>>>>>>
>>>>>>
>>>>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <nandana.cse@gmail.com> wrote:
>>>>>>
>>>>>>> I assume you use Axis2 as a web service client. I think a better
>>>>>>> solution for you would be to use a custom SSL Socket factory to handle your
>>>>>>> scenario. You can find more information on how to implement and use a custom
>>>>>>> SSL Socket factory here [1]. You can also raise the question in the commons http
>>>>>>> client list too.
>>>>>>>
>>>>>>> thanks,
>>>>>>> nandana
>>>>>>>
>>>>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>>>>>>
>>>>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <sebastian@vansande.org> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Thanks for your reply, Yves Marie!
>>>>>>>>
>>>>>>>> Unfortunately, restarting the application is something we don't want
>>>>>>>> since this application will run 24/7 in a production environment.
>>>>>>>>
>>>>>>>> I'm looking for a way to let Axis2 know to reload the keystore file,
>>>>>>>> at runtime without restarting my application.
>>>>>>>> I know *when* it has to reload the keystore file, I just don't know
>>>>>>>> *how* to do this in code.
>>>>>>>>
>>>>>>>> If anyone knows how to let Axis2 reload the keystore file, let me
>>>>>>>> know!
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>> Sebastian
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <yves-marie.daniel@capgemini.com> wrote:
>>>>>>>>
>>>>>>>>> Hi!
>>>>>>>>>
>>>>>>>>> With a Jonas application server and a mutual authentication with
>>>>>>>>> SSL, we found that we had to restart Jonas so it could see the changes
>>>>>>>>> of path or content for keystores. It seems to be the same with Tomcat, don't
>>>>>>>>> know if it is Axis2 or the application server.
>>>>>>>>>
>>>>>>>>> Yves-Marie
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Sebastian Van Sande [mailto:sebastian@vansande.org]
>>>>>>>>> *Sent:* Thursday, 29 January 2009 08:07
>>>>>>>>> *To:* axis-user@ws.apache.org
>>>>>>>>> *Subject:* Re: Reload keystore file
>>>>>>>>>
>>>>>>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <sebastian@vansande.org> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have a problem with Axis2.
>>>>>>>>>>
>>>>>>>>>> At my project, we have a Microsoft Exchange 2007, and some other
>>>>>>>>>> project has created an API to interact with this Exchange server with the
>>>>>>>>>> help of Axis2.
>>>>>>>>>> This other project uses a Websphere server to manage a keystore to
>>>>>>>>>> do basic authentication over SSL.
>>>>>>>>>> My application on the other hand runs as a standalone application,
>>>>>>>>>> and I have to manage the keystore myself.
>>>>>>>>>>
>>>>>>>>>> Now, I managed to use this keystore to call the Exchange 2007
>>>>>>>>>> Web services over SSL, and it works great.
>>>>>>>>>> But, as you probably know, certificates expire ... and they have
>>>>>>>>>> to get renewed.
>>>>>>>>>>
>>>>>>>>>> So, I managed to create something, a 'KeyStoreManager', that will
>>>>>>>>>> fetch the new certificates from the Exchange server and put them in the
>>>>>>>>>> keystore file.
>>>>>>>>>> And this works great as well .. *IF* I restart my application.
>>>>>>>>>>
>>>>>>>>>> When my application modifies the keystore file, it looks like
>>>>>>>>>> Axis2 is using some caching mechanism. Because when I make the web service
>>>>>>>>>> call again (after inserting the new certificate in my keystore), it can't
>>>>>>>>>> authenticate because it cached the keystore file in memory.
>>>>>>>>>>
>>>>>>>>>> To specify the keystore to Axis2, I use this code:
>>>>>>>>>>
>>>>>>>>>> System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
>>>>>>>>>> System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");
>>>>>>>>>>
>>>>>>>>>> To extract the new certificate and add it to my keystore, I use
>>>>>>>>>> code based on the one you can find at
>>>>>>>>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>>>>>>>>
>>>>>>>>>> The problem is: when the keystore file is updated with the new
>>>>>>>>>> certificate, axis2 doesn't seem to know about it because it uses a cached
>>>>>>>>>> version of the keystore file.
>>>>>>>>>>
>>>>>>>>>> So my question is: how can I clear this axis2 keystore cache in
>>>>>>>>>> some way so axis2 will be forced to read the keystore file again?
>>>>>>>>>>
>>>>>>>>>> Thank you for your help,
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Sebastian
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is
>>>>>>>>> intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to
>>>>>>>>> read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message
>>>>>>>>> in error, please notify the sender immediately and delete all copies of this message.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Nandana Mihindukulasooriya
>>>>>>> WSO2 inc.
>>>>>>>
>>>>>>> http://nandana83.blogspot.com/
>>>>>>> http://www.wso2.org
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Nandana Mihindukulasooriya
>>> WSO2 inc.
>>>
>>> http://nandana83.blogspot.com/
>>> http://www.wso2.org
>>>
>>
>>
>
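The two pieces the thread circles around, reloading a trust store at runtime without restarting the client and checking that a server's chain is actually anchored in that store (Nandana's "trust validation"), fit in one class. The following is an added example written for this archive page in plain JSSE; it is not code from the thread, from Axis2, or from the HttpClient AuthSSLProtocolSocketFactory it links to. The trust store path and password are placeholders the caller supplies, the class name ReloadableTrustManager is assumed, and revocation checking is switched off on the assumption that no CRL or OCSP responder is reachable from the intranet host. Note that, unlike the flow described in the thread, this class never imports certificates presented by the server: a chain received over a not-yet-authenticated connection is only accepted when PKIX validation finds a trusted entry for it in the store already on disk, so renewed certificates have to be placed in the file by an out-of-band process and then picked up with reload().

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * X509TrustManager backed by a trust store file that can be re-read at runtime.
 * A custom socket factory keeps one instance, calls reload() when the file on
 * disk changes, and builds a fresh SSLContext via newSslContext().
 * Path and password are placeholders supplied by the caller (assumption).
 */
public final class ReloadableTrustManager implements X509TrustManager {

    private final String trustStorePath;
    private final char[] trustStorePassword;
    private volatile KeyStore trustStore;
    private volatile X509TrustManager delegate;

    public ReloadableTrustManager(String trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword.clone();
        reload();
    }

    /** Re-reads the trust store from disk and swaps in a freshly initialised delegate. */
    public synchronized void reload() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager fresh = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                fresh = (X509TrustManager) tm;
                break;
            }
        }
        if (fresh == null) {
            throw new GeneralSecurityException("no X509TrustManager from " + tmf.getAlgorithm());
        }
        trustStore = ks;
        delegate = fresh; // handshakes started from now on see the new store
    }

    /** SSLContext whose server-trust decisions follow whatever store was loaded last. */
    public SSLContext newSslContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }

    /**
     * Trust validation as discussed in the thread: PKIX path validation that
     * succeeds only if the presented chain is signed, end to end, by a
     * certificate held as a trusted entry in the trust store. Any other chain
     * makes validate() throw CertPathValidatorException.
     */
    public void validateChain(X509Certificate[] chain) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(trustStore);
        // Assumption: no CRL/OCSP responder reachable from the intranet host.
        // Re-enable revocation checking wherever one is reachable.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX")
                .validate(cf.generateCertPath(Arrays.asList(chain)), params);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}
```

checkServerTrusted delegates to the JSSE default trust manager, which already performs the chain check Nandana describes; validateChain makes the same check explicit so it can be run on a chain obtained from SSLSession.getPeerCertificates() and logged or reported separately from the handshake. Because the trust manager instance is what the SSLContext references, existing sockets are untouched by reload(); the next handshake simply validates against the newly loaded store.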
