Java with SSL and CA


Hi experts,

I'm trying to write a java client that uses a CA from a server to trust any server signed by that CA. Does anyone know how to code or what api to use in a java class to trust a CA?

Thanks,
Suzy
fyness Asked:

fyness (Author) Commented:

Oh this is all over SSL too!

Thanks
0
fyness (Author) Commented:

Don't know if this helps, but when I try to connect to my server I'm getting the following error:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:836)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
      at org.objectweb.celtix.bus.transports.http.HTTPClientTransport$HTTPClientOutputStreamContext.flushHeaders(HTTPClientTransport.java:313)
      at org.objectweb.celtix.bus.transports.http.HTTPClientTransport.finalPrepareOutputStreamContext(HTTPClientTransport.java:88)
      at org.objectweb.celtix.bindings.AbstractClientBinding.finalPrepareOutputStreamContext(AbstractClientBinding.java:391)
      at org.objectweb.celtix.bindings.AbstractClientBinding.invoke(AbstractClientBinding.java:177)
      at org.objectweb.celtix.bus.jaxws.EndpointInvocationHandler.invokeSEIMethod(EndpointInvocationHandler.java:148)
      at org.objectweb.celtix.bus.jaxws.EndpointInvocationHandler.invoke(EndpointInvocationHandler.java:67)
      ... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
      at sun.security.validator.Validator.validate(Validator.java:203)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
      ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
      ... 23 more
0
Kelvin_King Commented:
This might help you if you are using J2EE.

http://java.sun.com/developer/technicalArticles/WebServices/appserv8-1.html

What does your server look like?

0

Kelvin_King Commented:
Another link for setting up a certificate for a J2EE server:

http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security10.html
0
fyness (Author) Commented:

The server is a web service server; for testing purposes both the client and server are running off my local machine. All I need to do is set my client to trust the server's CA (created using OpenSSL).

I've only set CAs in clients and servers using configuration files, so I'm not sure how to do it in a Java class.

Thanks!
0
Kelvin_King Commented:
So currently your server is using J2EE?
0
fyness (Author) Commented:

The server is just regular Java exposed via web services.
0
Kelvin_King Commented:
See if this tutorial helps you. It has a demo program for running a Java-based server, and demonstrates how to use a client to connect to it and verify the certificate.

http://www.devx.com/Java/Article/10185/1954?pf=true
0
Mayank S (Associate Director - Product Engineering) Commented:
"Web Services Over SSL - HOW TO" - http://www.pankaj-k.net/WSOverSSL/WSOverSSL-HOWTO.html
0
HemanthaKumar Commented:
Suzy,

I have done something similar, and here are the steps to accept a CA over SSL.


NOTE: Create this File - DummyTrustManager.java  *********

import java.security.cert.X509Certificate;
import com.sun.net.ssl.X509TrustManager;

//DUMMYTRUSTMANAGER CLASS - To override any trust cert request to be bypassed
public class DummyTrustManager implements X509TrustManager {

       public boolean isClientTrusted( X509Certificate[] cert) {
         return true;
       }

       public boolean isServerTrusted( X509Certificate[] cert) {
         return true;
       }

       public X509Certificate[] getAcceptedIssuers() {
         return new X509Certificate[0];
       }
   }




NOTE: And this goes into your class where you are trying to access the HttpURLConnection


import com.sun.net.ssl.*;

////////ROUTINE TO TRUST NON-STANDARD SSL CERTIFICATE
            System.setProperty(
                  "java.protocol.handler.pkgs",
                  "com.sun.net.ssl.internal.www.protocol");
            //Create a trust manager that does not validate certificate chains
            TrustManager[] trustAllCerts =
                  new TrustManager[] { new DummyTrustManager()};
            // Install the all-trusting trust manager
            SSLContext sc = SSLContext.getInstance("SSL");            
            sc.init(null, trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
////////END SSL CERTIFICATE TRUST


NOTE: After the CA is accepted, you can create the HttpURLConnection and pass the data successfully.

~Hemanth
0
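Editor's note on the accepted answer: DummyTrustManager returns true for every certificate, so the client will accept any server certificate at all, including one presented by a man-in-the-middle; the PKIX error in the stack trace goes away only because validation has been switched off. What the question actually asks for (trust servers signed by one specific CA) is done by loading that CA certificate into a trust store and handing it to the standard PKIX trust manager. The following is an added example written for this page; it is not Hemanth's code. It assumes Java 7 or later with the standard javax.net.ssl package (which replaced the com.sun.net.ssl classes used above), a PEM- or DER-encoded CA certificate file (the ca.crt path and the https://localhost:8443/ URL are placeholders), and a server whose certificate chains to that CA and whose hostname matches the URL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: build an SSLSocketFactory that trusts exactly one CA,
 * leaving chain validation, expiry checks and hostname verification intact.
 */
public final class CaTrustingClient {

    private CaTrustingClient() {}

    /** Parse a PEM- or DER-encoded X.509 certificate (e.g. the ca.crt OpenSSL produced). */
    public static X509Certificate loadCaCertificate(InputStream pemOrDer) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(pemOrDer);
        ca.checkValidity(); // fail early if the CA cert itself is expired or not yet valid
        return ca;
    }

    /** In-memory trust store containing only the supplied CA; nothing from cacerts. */
    public static KeyStore trustStoreFor(X509Certificate ca) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                 // create an empty store, no file on disk
        ts.setCertificateEntry("my-ca", ca); // alias is arbitrary
        return ts;
    }

    /** The JDK's own PKIX trust manager, initialised from that trust store. */
    public static X509TrustManager trustManagerFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext wired to the CA-only trust manager; null key managers = no client cert. */
    public static SSLSocketFactory socketFactoryFor(X509Certificate ca) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerFor(trustStoreFor(ca)) }, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: path to the CA certificate and the service URL (assumptions).
        String caPath = args.length > 0 ? args[0] : "ca.crt";
        String url = args.length > 1 ? args[1] : "https://localhost:8443/";

        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPath)) {
            ca = loadCaCertificate(in);
        }
        System.out.println("Trusting certificates issued by: " + ca.getSubjectX500Principal());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Per-connection factory; the JVM-wide default and its hostname verifier stay untouched.
        conn.setSSLSocketFactory(socketFactoryFor(ca));
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

With this in place a server signed by a different CA, a self-signed server certificate, or a certificate whose name does not match the URL still fails the handshake, which is the behaviour you want; only the "unable to find valid certification path" error for your own CA disappears. The equivalent without code is to import the CA once with keytool (`keytool -importcert -trustcacerts -alias my-ca -file ca.crt -keystore truststore.jks`) and start the client with `-Djavax.net.ssl.trustStore=truststore.jks`, which the configuration-file approach mentioned earlier in the thread relies on.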
fyness (Author) Commented:

Hi Hemanth,

Just trying to implement your solution and I'm getting errors with the X509TrustManager implementation; is there a jar I need for this?

Thanks,
Suzy
0
fyness (Author) Commented:
Hi Hemanth,

Got the JSSE jar and it's compiling now, but do I need to declare the CA from the server anywhere?

Thanks,
suzy
0
Mayank S (Associate Director - Product Engineering) Commented:
Which version of Java do you use? Generally, it should be available in 1.4+.
0
HemanthaKumar Commented:
This is just initializing/preparing the HttpURLConnection to accept any certificate that is presented while establishing a connection. So it all depends on your URL connection!

0