Subject: Re: Reload keystore file
Date: Thu, 29 Jan 2009 10:59:58 +0100
Message-ID: <69d5ddf00901290159v30e1be6fx23c1303a3af22ed4@mail.gmail.com>
In-Reply-To: <9e2fff830901290044q6b91a73foe42b23212e6d358d@mail.gmail.com>
List: axis-user@ws.apache.org
From: Sebastian Van Sande
To: axis-user@ws.apache.org

Hi Nandana,

Thanks for your reply. If I use a custom SSL Socket Factory for my 'custom protocol' and use this as the SSL default protocol handler with this code:

    Protocol.registerProtocol("https", new Protocol("https", new MySSLSocketFactory(), 443));

... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?

I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket Factory to make use of my keystore and force reloading.

Thanks again for your help.

Kind regards,
Sebastian

On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <nandana.cse@gmail.com> wrote:
> I assume you use Axis2 as a web service client. I think a better solution for you would be to use a custom SSL Socket factory to handle your scenario. You can find more information on how to implement and use a custom SSL Socket factory here [1]. You can also raise the question in the commons http client list too.
>
> thanks,
> nandana
>
> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>
> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <sebastian@vansande.org> wrote:
>
>> Hi,
>>
>> Thanks for your reply, Yves Marie!
>>
>> Unfortunately, restarting the application is something we don't want since this application will run 24/7 in a production environment.
>>
>> I'm looking for a way to let Axis2 know to reload the keystore file at runtime without restarting my application.
>> I know *when* it has to reload the keystore file, I just don't know *how* to do this in code.
>>
>> If anyone knows how to let Axis2 reload the keystore file, let me know!
>>
>> Kind regards,
>> Sebastian
>>
>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <yves-marie.daniel@capgemini.com> wrote:
>>
>>> Hi !
>>>
>>> With a Jonas application server and mutual authentication with SSL, we found that we had to restart Jonas so it could see the changes of path or content for keystores. It seems to be the same with tomcat; don't know if it's Axis2 or the application server.
>>>
>>> Yves-Marie
>>>
>>> ------------------------------
>>> *From:* Sebastian Van Sande [mailto:sebastian@vansande.org]
>>> *Sent:* Thursday, 29 January 2009 08:07
>>> *To:* axis-user@ws.apache.org
>>> *Subject:* Re: Reload keystore file
>>>
>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>> Thank you.
>>>
>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <sebastian@vansande.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a problem with Axis2.
>>>>
>>>> At my project, we have a Microsoft Exchange 2007, and some other project has created an API to interact with this Exchange server with the help of Axis2.
>>>> This other project uses a Websphere server to manage a keystore to do basic authentication over SSL.
>>>> My application on the other hand runs as a standalone application, and I have to manage the keystore myself.
>>>>
>>>> Now, I managed to use this keystore to call the Exchange 2007 Web services over SSL, and it works great.
>>>> But, as you probably know, certificates expire ... and they have to get renewed.
>>>>
>>>> So, I managed to create something like a 'KeyStoreManager' that will fetch the new certificates from the Exchange server and put them in the keystore file.
>>>> And this works great as well .. *IF* I restart my application.
>>>>
>>>> When my application modifies the keystore file, it looks like Axis2 is using some caching mechanism. Because when I make the web service call again (after inserting the new certificate in my keystore), it can't authenticate because it cached the keystore file in memory.
>>>>
>>>> To specify the keystore to Axis2, I use this code:
>>>>
>>>>     System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
>>>>     System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");
>>>>
>>>> To extract the new certificate and add it to my keystore, I use code based on the one you can find at
>>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>>
>>>> The problem is: when the keystore file is updated with the new certificate, axis2 doesn't seem to know about it because it uses a cached version of the keystore file.
>>>>
>>>> So my question is: how can I clear this axis2 keystore cache in some way so axis2 will be forced to read the keystore file again?
>>>>
>>>> Thank you for your help,
>>>>
>>>> Kind regards,
>>>> Sebastian
>
> --
> Nandana Mihindukulasooriya
> WSO2 inc.
>
> http://nandana83.blogspot.com/
> http://www.wso2.org
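One way to implement what Nandana suggests, as an added example that is not from the thread, Axis2 or HttpClient: a trust manager that re-reads the keystore file whenever its modification time changes, wrapped in an SSLContext whose socket factory a custom protocol socket factory can use. It assumes Java 7 or later and a JKS trust store at a path the caller supplies; the class name ReloadingTrustManager and its methods are hypothetical.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

// Hypothetical class, not from the thread: trust anchors are re-read from the keystore file
// whenever its modification time changes, so a certificate renewed on disk is honoured without a restart.
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path storePath;
    private final char[] password;
    private volatile X509TrustManager delegate;
    private volatile FileTime loadedAt;

    public ReloadingTrustManager(Path storePath, char[] password) throws IOException, GeneralSecurityException {
        this.storePath = storePath;
        this.password = password;
        reload(); // fail at construction if the store cannot be read
    }

    private synchronized void reload() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storePath)) { ks.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        delegate = (X509TrustManager) tmf.getTrustManagers()[0]; // default PKIX factory yields an X509TrustManager
        loadedAt = Files.getLastModifiedTime(storePath);
    }

    // Reload only when the file changed; if the reload fails (e.g. a half-written file),
    // keep the last good anchors rather than trusting nothing or, worse, everything.
    private X509TrustManager current() {
        try {
            if (!Files.getLastModifiedTime(storePath).equals(loadedAt)) reload();
        } catch (IOException | GeneralSecurityException | RuntimeException e) { /* previous delegate stays */ }
        return delegate;
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { current().checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { current().checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return current().getAcceptedIssuers(); }
    // SSLSocketFactory for a SecureProtocolSocketFactory such as the thread's MySSLSocketFactory to wrap.
    public static SSLSocketFactory socketFactory(Path storePath, char[] password) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(storePath, password) }, null);
        return ctx.getSocketFactory();
    }
}
```

The JVM reads javax.net.ssl.trustStore once, when its default SSLContext is initialised, which is why editing the file has no effect until restart. A MySSLSocketFactory that wraps socketFactory(...) and is registered for "https" as in the message above sidesteps that cached default context.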