HTTP Post SSL certificates (Jakarta HTTP Commons)

I've inherited a legacy application and have to change from UsernamePasswordCredentials(username,password) to using SSL Certificates. (It's using the Jakarta Commons HTTPClient, and I've included the legacy code at the bottom of this post.)

I've done a lot of reading, and researching. Even picked up some Oreilly books specifically on Java Network Programming, and Web Services. I haven't seen any one specific solution, and I'm missing how I actually pass the certificate when I do the Post, but I beleive I'm going to have to use a Key/Truststore.

I don't know if I have to place the files in the right directories on the server and simply add to the cource code:
System.setProperty("javax.net.ssl.trustStore", "myTrustStore"); System.setProperty("javax.net.ssl.trustStorePassword", "somepassword"); System.setProperty("javax.net.ssl.keyStoreType", "pkcs12"); System.setProperty("javax.net.ssl.keyStore", "new.p12"); System.setProperty("javax.net.ssl.keyStorePassword", "anotherpassword");


Or am I going to have to rewrite the legacy code to include a TrustStore and KeyStore by adding something like:
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); FileInputStream instream = new FileInputStream(new File("/opt/s.../global_resources/my.keystore")); // Prepare HTTPS post SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault(); URL url = new URL(pURL); HttpsURLConnection conn = (HttpsURLConnection)url.openConnection(); conn.setSSLSocketFactory(sslsocketfactory); conn.setRequestMethod("POST"); conn.setUseCaches(false); conn.setDefaultUseCaches(false); conn.setRequestProperty("Content-type", "text/xml; charset=\"utf-8\"");


Here's the legacy source code:
public void doHTTPPOST(String pURL,String username,String password, InputStream pInputStream) throws Exception { if (log.isDebugEnabled()) { log.debug("Entry: doHTTPPOST(URL, InputStream) :" + pURL); } PostMethod post = null; int returnedHttpCode = -1; try { // Prepare HTTP post post = new PostMethod(pURL); post.setRequestEntity(new InputStreamRequestEntity(pInputStream)); post.setRequestHeader("UseCaches", "false"); post.setRequestHeader("DefaultUseCaches", "false"); post.setRequestHeader("Content-type", "text/xml; charset=\"utf-8\""); // Get HTTP client HttpClient httpclient = new HttpClient(); httpclient.getParams().setSoTimeout(S_HTTPTIMEOUT_LENGTH); GlobalPropertiesDAO gDAO = new GlobalPropertiesDAO(); GlobalPropertiesBO gBO = gDAO.getPropertyByName(GlobalProperitesConstant.HPSB_PASSWORD_PROTECTED_URL); int nValue = gBO.getIntValue(1); if(nValue==1){ httpclient.getParams().setAuthenticationPreemptive(true); Credentials defaultcreds = new UsernamePasswordCredentials(username,password); httpclient.getState().setCredentials(AuthScope.ANY, defaultcreds); } if ((returnedHttpCode = httpclient.executeMethod(post)) != HttpStatus.SC_OK) { throw new Exception("Failed to submit to the HTTP URL :" + pURL + ":" + " HTTP code is: " + returnedHttpCode); } } catch (Exception ex) { BillingServiceException bex = new BillingServiceException(BillingServiceException.S_OPERATION_TYPE_SAPRMCRONJOB, BillingServiceException.D_CONNECTION_ERROR, String.valueOf(returnedHttpCode),-1,ex.toString()); bex.setApplicationName(BillingServiceException.S_APPLICATION_HPSB_SAP_RM); throw bex; } finally { if (post != null) { post.releaseConnection(); } } }

Okay,

I've dug a little further, and am hopeful that either someone else can chime in, or perhaps if I solve this on my own, someone in the future can use this thread to assist them.

I came across another example, http://stilius.net/java/java_ssl.php, but it appears that the way the TrustStore/Keystores certificates are linked/passed is by the invocation command. In their example "java -Djavax.net.ssl.keyStore=mySrvKeystore -Djavax.net.ssl.keyStorePassword=123456 EchoServer" and "java -Djavax.net.ssl.trustStore=mySrvKeystore -Djavax.net.ssl.trustStorePassword=123456 EchoClient"

JAVA + SSL Tutorial (server and client examples)
Certificate
First we need to make certificate, this is done by using keytool that is part of J2SE SDK (program will ask for certificate owner information and password, enter 123456 as password, or you can enter your password, but notice that you have to change it in other commands listen in this tutorial):

keytool -genkey -keystore mySrvKeystore -keyalg RSA

After this command you will have certificate file in working directory of issuing keytool command.
Server source code (EchoServer.java)

import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.SSLSocket; import java.io.BufferedReader; import java.io.InputStream; import java.io.InputStreamReader; public class EchoServer { public static void main(String[] arstring) { try { SSLServerSocketFactory sslserversocketfactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); SSLServerSocket sslserversocket = (SSLServerSocket) sslserversocketfactory.createServerSocket(9999); SSLSocket sslsocket = (SSLSocket) sslserversocket.accept(); InputStream inputstream = sslsocket.getInputStream(); InputStreamReader inputstreamreader = new InputStreamReader(inputstream); BufferedReader bufferedreader = new BufferedReader(inputstreamreader); String string = null; while ((string = bufferedreader.readLine()) != null) { System.out.println(string); System.out.flush(); } } catch (Exception exception) { exception.printStackTrace(); } } }

Compile it by using simple command:

javac EchoServer.java

Client source code (EchoClient.java)

import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import java.io.*; public class EchoClient { public static void main(String[] arstring) { try { SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault(); SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", 9999); InputStream inputstream = System.in; InputStreamReader inputstreamreader = new InputStreamReader(inputstream); BufferedReader bufferedreader = new BufferedReader(inputstreamreader); OutputStream outputstream = sslsocket.getOutputStream(); OutputStreamWriter outputstreamwriter = new OutputStreamWriter(outputstream); BufferedWriter bufferedwriter = new BufferedWriter(outputstreamwriter); String string = null; while ((string = bufferedreader.readLine()) != null) { bufferedwriter.write(string + '\n'); bufferedwriter.flush(); } } catch (Exception exception) { exception.printStackTrace(); } } }

Compile it by using simple command:

javac EchoClient.java

Running server and client using SSL
First copy certificate file that you created before into working directory and run server with these parameters (notice that you have to change keyStore name and/or trustStrorePassword if you specified different options creating certificate:

java -Djavax.net.ssl.keyStore=mySrvKeystore -Djavax.net.ssl.keyStorePassword=123456 EchoServer

And now again copy certificate file that you created before into working directory and run client with these parameters (notice that you have to change keyStore name and/or trustStrorePassword if you specified different options creating certificate:

java -Djavax.net.ssl.trustStore=mySrvKeystore -Djavax.net.ssl.trustStorePassword=123456 EchoClient

If you want SSL debug information just add these parameters when running server and/or client:

-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl

Playing with server and client
Now just type any string on client console and press return. The same string has to appear on server console.
Copyright
This document is copyrighted to Tomas Vilda. You can use it in all ways, but don't change this section and allways include it.

In my case, my application is running via WebLogic 10.

It appears that I need to modify my WebLogic Setup to use the appropriate KeyStore and/or Trust Store.

http://docs.oracle.com/cd/E11035_01/wls100/secmanage/identity_trust.html

How WebLogic Server Locates Trust
WebLogic Server uses the following algorithm when it loads its trusted CA certificates:

1.If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore command-line argument, load the trusted CA certificates from that keystore.
2.Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
3.Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
4.Else load trusted CA certificates from WL_HOME\server\lib\cacerts keystore.

I'm hopeful once I import the certificates into my stores, then modify the WebLogic Configuration that either the old POST method will simply work, passing the certificates. If not I will have to look and see if I need code changes "System.setProperty" or "KeyStore" and "SSLSocketFactory"

Further down the path I go...

In my /opt/.../config/config.xml there is a specific line:
<custom-trust-key-store-file-name>/opt/bea/security/trustedCAs.jks</custom-trust-key-store-file-name>

So I beleive my next step is to add my new certificate to that file with something like:
keytool -importcert -alias FriendlyName -file exportedClass2_2013.cer -trustcacerts -keystore cacerts -storepass boguspassword

Does anyone have any experience with this, and/or can you validate my assumptions before I go blindly adding an exported certificate into my development environment, and attempt to test?

Well, now I'm wondering if perhaps everything I need is solely in the WebLogic configuration.

http://docs.oracle.com/cd/E13222_01/wls/docs100/ConsoleHelp/pagehelp/Corecoreserverserverconfigssltitle.html

Use Server Certs:
Sets whether the client should use the server certificates/key as the client identity when initiating a connection over https.

MBean Attribute:
SSLMBean.UseServerCerts

Changes take effect after you redeploy the module or restart the server.

I reckon I'm off to either find a WebLogic Forum to post my question(s) in, or off to the bookstore to try and find a WebLogic 10 book because there has to be someone that has already solved this issue.

Moved to Security forum for a more specific audience.