HTTP Post SSL certificates (Jakarta HTTP Commons)

Todd Reser
Greenhorn

Joined: Mar 20, 2012
Posts: 7
I've inherited a legacy application and have to change from UsernamePasswordCredentials(username,password) to using SSL Certificates. (It's using the Jakarta Commons HTTPClient, and I've included the legacy code at the bottom of this post.)

I've done a lot of reading and researching. Even picked up some O'Reilly books specifically on Java Network Programming and Web Services. I haven't seen any one specific solution, and I'm missing how I actually pass the certificate when I do the Post, but I believe I'm going to have to use a Key/Truststore.

I don't know if I have to place the files in the right directories on the server and simply add to the source code:



Or am I going to have to rewrite the legacy code to include a TrustStore and KeyStore by adding something like:



Here's the legacy source code:


Todd Reser
Greenhorn

Joined: Mar 20, 2012
Posts: 7
Okay,

I've dug a little further, and am hopeful that either someone else can chime in, or perhaps if I solve this on my own, someone in the future can use this thread to assist them.

I came across another example, http://stilius.net/java/java_ssl.php, but it appears that the way the TrustStore/Keystores certificates are linked/passed is by the invocation command. In their example "java -Djavax.net.ssl.keyStore=mySrvKeystore -Djavax.net.ssl.keyStorePassword=123456 EchoServer" and "java -Djavax.net.ssl.trustStore=mySrvKeystore -Djavax.net.ssl.trustStorePassword=123456 EchoClient"


JAVA + SSL Tutorial (server and client examples)
Certificate
First we need to make certificate, this is done by using keytool that is part of J2SE SDK (program will ask for certificate owner information and password, enter 123456 as password, or you can enter your password, but notice that you have to change it in other commands listed in this tutorial):


After this command you will have certificate file in working directory of issuing keytool command.
Server source code (EchoServer.java)



Compile it by using simple command:


Client source code (EchoClient.java)



Compile it by using simple command:


Running server and client using SSL
First copy certificate file that you created before into working directory and run server with these parameters (notice that you have to change keyStore name and/or trustStorePassword if you specified different options creating certificate):


And now again copy certificate file that you created before into working directory and run client with these parameters (notice that you have to change keyStore name and/or trustStorePassword if you specified different options creating certificate):

If you want SSL debug information just add these parameters when running server and/or client:


Playing with server and client
Now just type any string on client console and press return. The same string has to appear on server console.
Copyright
This document is copyrighted to Tomas Vilda. You can use it in all ways, but don't change this section and allways include it.
Todd Reser
Greenhorn

Joined: Mar 20, 2012
Posts: 7
In my case, my application is running via WebLogic 10.

It appears that I need to modify my WebLogic Setup to use the appropriate KeyStore and/or Trust Store.

http://docs.oracle.com/cd/E11035_01/wls100/secmanage/identity_trust.html

How WebLogic Server Locates Trust
WebLogic Server uses the following algorithm when it loads its trusted CA certificates:

1. If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore command-line argument, load the trusted CA certificates from that keystore.
2. Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
3. Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
4. Else load trusted CA certificates from WL_HOME\server\lib\cacerts keystore.


I'm hopeful that once I import the certificates into my stores and then modify the WebLogic configuration, the old POST method will simply work, passing the certificates. If not, I will have to look and see if I need code changes: "System.setProperty" or "KeyStore" and "SSLSocketFactory".
Todd Reser
Greenhorn

Joined: Mar 20, 2012
Posts: 7
Further down the path I go...

In my /opt/.../config/config.xml there is a specific line:


So I believe my next step is to add my new certificate to that file with something like:


Does anyone have any experience with this, and/or can you validate my assumptions before I go blindly adding an exported certificate into my development environment, and attempt to test?
Todd Reser
Greenhorn

Joined: Mar 20, 2012
Posts: 7
Well, now I'm wondering if perhaps everything I need is solely in the WebLogic configuration.

http://docs.oracle.com/cd/E13222_01/wls/docs100/ConsoleHelp/pagehelp/Corecoreserverserverconfigssltitle.html

Use Server Certs:
Sets whether the client should use the server certificates/key as the client identity when initiating a connection over https.

MBean Attribute:
SSLMBean.UseServerCerts

Changes take effect after you redeploy the module or restart the server.


I reckon I'm off to either find a WebLogic Forum to post my question(s) in, or off to the bookstore to try and find a WebLogic 10 book because there has to be someone that has already solved this issue.
Vijitha Kumara
Bartender

Joined: Mar 24, 2008
Posts: 3816

Moved to Security forum for a more specific audience.

