
Java with SSL and CA

Asked by fyness | Medium Priority | 537 Views | Last Modified: 2012-06-22

Hi experts,

I'm trying to write a Java client that uses a CA from a server to trust any server signed by that CA. Does anyone know how to code it, or what API to use in a Java class, to trust a CA?

Thanks,
Suzy

Author

Commented:

Oh this is all over SSL too!

Thanks

Author

Commented:

Don't know if this helps, but when I try to connect to my server I'm getting the following error:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:836)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
      at org.objectweb.celtix.bus.transports.http.HTTPClientTransport$HTTPClientOutputStreamContext.flushHeaders(HTTPClientTransport.java:313)
      at org.objectweb.celtix.bus.transports.http.HTTPClientTransport.finalPrepareOutputStreamContext(HTTPClientTransport.java:88)
      at org.objectweb.celtix.bindings.AbstractClientBinding.finalPrepareOutputStreamContext(AbstractClientBinding.java:391)
      at org.objectweb.celtix.bindings.AbstractClientBinding.invoke(AbstractClientBinding.java:177)
      at org.objectweb.celtix.bus.jaxws.EndpointInvocationHandler.invokeSEIMethod(EndpointInvocationHandler.java:148)
      at org.objectweb.celtix.bus.jaxws.EndpointInvocationHandler.invoke(EndpointInvocationHandler.java:67)
      ... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
      at sun.security.validator.Validator.validate(Validator.java:203)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
      ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
      ... 23 more
This might help you if you are using J2EE.

http://java.sun.com/developer/technicalArticles/WebServices/appserv8-1.html

What does your server look like?

Another link for setting up a certificate for a J2EE server:

http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security10.html

Author

Commented:

The server is a web service server; for testing purposes both the client and server are running off my local machine. All I need to do is set my client to trust the server's CA (created using OpenSSL).

I've only set CAs in clients and servers using configuration files, so I'm not sure how to do it in a Java class.

Thanks!
So currently your server is using J2EE?

Author

Commented:

The server is just regular Java exposed via web services.
See if this tutorial helps you. It has a demo program on running a Java-based server, and demonstrates how to use a client to connect to it and verify the certificate.

http://www.devx.com/Java/Article/10185/1954?pf=true
Mayank S, Principal Technologist
CERTIFIED EXPERT

Commented:
"Web Services Over SSL - HOW TO" - http://www.pankaj-k.net/WSOverSSL/WSOverSSL-HOWTO.html
Suzy,

I have done something similar, and here are the steps to accept a CA over SSL:


NOTE: Create this file - DummyTrustManager.java

import java.security.cert.X509Certificate;
import com.sun.net.ssl.X509TrustManager;

// DUMMYTRUSTMANAGER CLASS - To override any trust cert request to be bypassed.
// Every certificate, client or server, is reported as trusted; no chain validation is performed.
public class DummyTrustManager implements X509TrustManager {

    public boolean isClientTrusted(X509Certificate[] cert) {
        return true;
    }

    public boolean isServerTrusted(X509Certificate[] cert) {
        return true;
    }

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}




NOTE: And this goes into your class where you are trying to access the HttpURLConnection:

import com.sun.net.ssl.*;

//////// ROUTINE TO TRUST NON-STANDARD SSL CERTIFICATE
System.setProperty(
        "java.protocol.handler.pkgs",
        "com.sun.net.ssl.internal.www.protocol");
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts =
        new TrustManager[] { new DummyTrustManager() };
// Install the all-trusting trust manager as the default for every HttpsURLConnection
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
//////// END SSL CERTIFICATE TRUST

NOTE: After the CA is accepted, you can create the HttpURLConnection and pass the data successfully.

~Hemanth


Author

Commented:

Hi Hemanth,

Just trying to implement your solution and I'm getting errors with the X509TrustManager implements clause; is there a jar I need for this?

Thanks,
Suzy

Author

Commented:
Hi Hemanth,

Got the JSSE jar and it's compiling now, but do I need to declare the CA from the server anywhere?

Thanks,
Suzy
Mayank S, Principal Technologist
CERTIFIED EXPERT

Commented:
Which version of Java do you use? Generally, it should be available in 1.4+.
This is just initializing/preparing the HttpURLConnection to accept any certificate that is presented while establishing a connection. So it all depends on your URL connection!
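To answer the "do I need to declare the CA anywhere?" question with the CA actually enforced rather than bypassed, here is an added example (not code from this thread) that loads the OpenSSL-generated CA certificate into an in-memory trust store and installs it through the standard javax.net.ssl API; the PEM path and target URL are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CaTrust {
    // Builds an SSLContext that trusts only certificates chaining to the given CA.
    // caPemPath is a hypothetical path to the CA certificate exported from OpenSSL in PEM form.
    public static SSLContext contextTrustingCa(String caPemPath) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // A fresh in-memory trust store holding only our CA; the JDK's default cacerts is not consulted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("my-ca", ca);

        // The default (PKIX) trust manager does full chain building and validity checks,
        // which is exactly what the "PKIX path building failed" error was asking for.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrustingCa(args[0]);
        // Applies to every HttpsURLConnection opened afterwards, including ones the web service stack creates.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays enabled: the server cert's name must match the URL host.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The no-code equivalent is to import the CA with `keytool -importcert` into a truststore file and start the client with `-Djavax.net.ssl.trustStore=<path>`; a server signed by any other CA is then rejected with the same PKIX error shown above, which is the intended outcome.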
