• Status: Solved

Java with SSL and CA


Hi experts,

I'm trying to write a Java client that uses a CA from a server to trust any server signed by that CA. Does anyone know how to code this, or what API to use in a Java class to trust a CA?

Thanks,
Suzy
0
fyness
Asked:
1 Solution
 
fynessAuthor Commented:

Oh this is all over SSL too!

Thanks
0
 
fynessAuthor Commented:

Don't know if this helps, but when I try to connect to my server I'm getting the following error:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:836)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
      at org.objectweb.celtix.bus.transports.http.HTTPClientTransport$HTTPClientOutputStreamContext.flushHeaders(HTTPClientTransport.java:313)
      at org.objectweb.celtix.bus.transports.http.HTTPClientTransport.finalPrepareOutputStreamContext(HTTPClientTransport.java:88)
      at org.objectweb.celtix.bindings.AbstractClientBinding.finalPrepareOutputStreamContext(AbstractClientBinding.java:391)
      at org.objectweb.celtix.bindings.AbstractClientBinding.invoke(AbstractClientBinding.java:177)
      at org.objectweb.celtix.bus.jaxws.EndpointInvocationHandler.invokeSEIMethod(EndpointInvocationHandler.java:148)
      at org.objectweb.celtix.bus.jaxws.EndpointInvocationHandler.invoke(EndpointInvocationHandler.java:67)
      ... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
      at sun.security.validator.Validator.validate(Validator.java:203)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
      ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
      ... 23 more
0
 
Kelvin_KingCommented:
This might help you if you are using J2EE.

http://java.sun.com/developer/technicalArticles/WebServices/appserv8-1.html

What does your server look like?

0

 
Kelvin_KingCommented:
Another link for setting up a certificate for J2EE server

http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security10.html
0
 
fynessAuthor Commented:

The server is a web service server; for testing purposes both the client and server are running off my local machine. All I need to do is set my client to trust the server's CA (created using OpenSSL).

I've only set CAs in clients and servers using configuration files, so not sure how to do it in a Java class.

Thanks!
0
 
Kelvin_KingCommented:
So currently your server is using J2EE?
0
 
fynessAuthor Commented:


The server is just regular Java exposed via web services.
0
 
Kelvin_KingCommented:
See if this tutorial helps you. It has a demo program for running a Java-based server, and demonstrates how to use a client to connect to it and verify the certificate.

http://www.devx.com/Java/Article/10185/1954?pf=true
0
 
Mayank SAssociate Director - Product EngineeringCommented:
"Web Services Over SSL - HOW TO" - http://www.pankaj-k.net/WSOverSSL/WSOverSSL-HOWTO.html
0
 
HemanthaKumarCommented:
Suzy,

I have done something similar, and here are the steps to accept a CA over SSL.


NOTE: Create this file - DummyTrustManager.java

import java.security.cert.X509Certificate;
import com.sun.net.ssl.X509TrustManager;

// DummyTrustManager class - overrides every certificate trust check so that it is bypassed
public class DummyTrustManager implements X509TrustManager {

    // Always reports the client certificate chain as trusted
    public boolean isClientTrusted(X509Certificate[] cert) {
        return true;
    }

    // Always reports the server certificate chain as trusted
    public boolean isServerTrusted(X509Certificate[] cert) {
        return true;
    }

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}




NOTE: And this goes into your class where you are trying to access the httpconnection


import com.sun.net.ssl.*;

//////// ROUTINE TO TRUST NON-STANDARD SSL CERTIFICATE
System.setProperty(
        "java.protocol.handler.pkgs",
        "com.sun.net.ssl.internal.www.protocol");
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts =
        new TrustManager[] { new DummyTrustManager() };
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
//////// END SSL CERTIFICATE TRUST


NOTE: After the CA is accepted, then you can create HTTPURLConnection and pass the data successfully.

~Hemanth
0
 
fynessAuthor Commented:

Hi Hemanth,

Just trying to implement your solution and I'm getting errors with the X509TrustManager implements. Is there a jar I need for this?

Thanks,
Suzy
0
 
fynessAuthor Commented:
Hi Hemanth,

Got the jsse jar and it's compiling now, but do I need to declare the CA from the server anywhere?

Thanks,
suzy
0
 
Mayank SAssociate Director - Product EngineeringCommented:
Which version of Java do you use? Generally, it should be available in 1.4 +
0
 
HemanthaKumarCommented:
This is just initializing/preparing the HTTPURLConnection to accept any certificate that is raised during establishing a connection. So it all depends on your URL connection!

0
