
connect to a SOAP webservice using SSL

 
Ranch Hand
Posts: 510
Hi all,
I'm using a local Apache 2 web server to run SugarCRM Community Edition on a Linux machine. I use a Java client with the SugarCRM SOAP API to authenticate users. This works for HTTP connections. Now I want to be able to authenticate users through secure HTTPS connections.
I know that for this I'll need to tell my web server to enable SSL connections. A probable solution is to modify the .htaccess file in the Sugar system.
In case there is a user who hasn't configured his web server/Sugar system to accept HTTPS connections, can we enable him to connect by using SSL code logic in the client SOAP code? I mean, there are users of my Java application who are complaining that my application couldn't authenticate them through SSL, so I'm looking for a way to support SSL connections through the SugarCRM SOAP API (in Java).
What I need is that, even if the user didn't configure his web server/SugarCRM system for SSL connections, my Java client code will enable him to talk to the SugarCRM SOAP service through a secure connection. Is this possible? I mean, can I write Java code on the client side to enforce SSL communication with the SugarCRM SOAP service even if the user didn't enable SSL on the web server?

Any help is much appreciated.
 
Yahya Elyasse
Ranch Hand
Posts: 510
Hello,
I performed the necessary steps to install a self-signed certificate and configure my Apache 2 web server to enable SSL.
The configuration is now successful. When I type a URL like 'https://localhost' I get the famous Apache 2 message. I'm also able to connect to my Sugar installation through HTTPS from my web browser.

Now the problem:
When I try to connect from my Java application it throws a bad exception. I suppose this is caused by the key certificates being self-signed and not authenticated by a CA.
I investigated further the issue of the exception thrown when using SSL from a Java API with only a self-signed certificate.
This article, http://brian.pontarelli.com/2008/07/26/java-ssl-and-self-signed-certificates/, explains a workaround to solve this problem. It suggests that the exception occurs when the certificate is self-signed or signed by an authority that has not been verified by the JDK you are using, so the self-signed certificate has to be added to the JDK's keystore.

My question: if the user of my application didn't add his self-signed certificate to the JDK's keystore, is there a way I can automate this process? Is it possible to connect through SSL using only a self-signed certificate and force the JDK to accept this self-signed certificate?

Thanks.
 
Ranch Hand
Posts: 490

My question: if the user of my application didn't add his self-signed certificate to the JDK's keystore, is there a way I can automate this process? Is it possible to connect through SSL using only a self-signed certificate and force the JDK to accept this self-signed certificate?

I don't have a lot of experience, but you should be able to create a dialog to let the user choose to accept the certificate and then programmatically call keystore.

Do not accept it behind the scenes, and seriously consider a signed certificate if you are going to offer your program to others. IMO, self-signed certs are acceptable for testing and internal use, like inside a LAN, but nothing else.
 
Yahya Elyasse
Ranch Hand
Posts: 510

Rusty Shackleford wrote:

My question: if the user of my application didn't add his self-signed certificate to the JDK's keystore, is there a way I can automate this process? Is it possible to connect through SSL using only a self-signed certificate and force the JDK to accept this self-signed certificate?

I don't have a lot of experience, but you should be able to create a dialog to let the user choose to accept the certificate and then programmatically call keystore.

Do not accept it behind the scenes, and seriously consider a signed certificate if you are going to offer your program to others. IMO, self-signed certs are acceptable for testing and internal use, like inside a LAN, but nothing else.

Thank you,
If the user uses a signed certificate (CA), will it be automatically verified by the JDK? The user in this case doesn't have to add his CA to the JDK keystore, right?
 
Rusty Shackleford
Ranch Hand
Posts: 490
If the CA is recognized, I believe it should accept it.
 
Yahya Elyasse
Ranch Hand
Posts: 510

Rusty Shackleford wrote:
I don't have a lot of experience, but you should be able to create a dialog to let the user choose to accept the certificate and then programmatically call keystore.

Do not accept it behind the scenes, and seriously consider a signed certificate if you are going to offer your program to others. IMO, self-signed certs are acceptable for testing and internal use, like inside a LAN, but nothing else.

I want to be able to prompt the user to trust the self-signed (unknown) certificate. Then it is the user's responsibility to trust or reject the unknown/self-signed certificate.
Now I need to know which exception I should catch that indicates the certificate was not trusted. Is there an error number or specific exception that indicates the case of self-signed/untrusted certificates? In other words, I'm looking for a solution to detect when the CA is not trusted, and then I prompt the user whether to trust the certificate or not. Also, I'll need to get information about the untrusted certificate. How can I get this certificate information to display to the user?

Thanks for your further assistance on this issue.
 
Rusty Shackleford
Ranch Hand
Posts: 490
I believe a KeyStoreException is thrown if there is a certificate problem. Here is more information about handling certificates.

The problem with your viewpoint is that the vast majority of computer users don't have the required knowledge to be able to make an informed decision about self-signed certificates. Many security professionals wouldn't be able to tell if it is valid or not either, unless they had prior knowledge of the certificate and its fingerprints. The difference is security pros would likely not accept it but could at least make an informed decision and your "average" user has been conditioned to blindly accept everything. This is the big flaw of SSL, but nothing better has been developed yet, but at least signed certificates strengthen the system quite a bit. Self-signed certificates are a small step up from transmitting data in the clear.
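
Added example (not code from any poster in this thread) of the flow discussed above: detect that the JDK does not trust the server certificate, show its details and SHA-256 fingerprint so the user can compare it out of band, and on confirmation store it in an application-private truststore instead of the JDK keystore. In JSSE the failure reaches the client as javax.net.ssl.SSLHandshakeException caused by a java.security.cert.CertificateException. Assumptions: Java 17+, port 443, and the hypothetical names UntrustedCertPrompt and app-truststore.p12 with a placeholder password.

```java
import javax.net.ssl.*;
import java.io.FileOutputStream;
import java.security.*;
import java.security.cert.*;
import java.util.HexFormat;
import java.util.Scanner;

public class UntrustedCertPrompt {               // hypothetical class name
    // Delegates to the JDK's default trust manager but remembers the chain the server sent.
    static final class Recorder implements X509TrustManager {
        final X509TrustManager jdk; X509Certificate[] seen;
        Recorder(X509TrustManager jdk) { this.jdk = jdk; }
        public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
            seen = chain;                        // keep it for display
            jdk.checkServerTrusted(chain, auth); // normal validation still decides
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { jdk.checkClientTrusted(c, a); }
        public X509Certificate[] getAcceptedIssuers() { return jdk.getAcceptedIssuers(); }
    }
    static String sha256(X509Certificate cert) throws GeneralSecurityException {
        return HexFormat.ofDelimiter(":").withUpperCase().formatHex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
    }
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";  // assumed default host
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                               // null = JDK default trust store
        Recorder rec = new Recorder((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);
        // A raw SSLSocket checks the chain only; HttpsURLConnection also verifies the host name.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
            System.out.println("Chain validated against the JDK trust store.");
        } catch (SSLHandshakeException e) {
            if (rec.seen == null) throw e;       // failed before any certificate arrived
            X509Certificate leaf = rec.seen[0];
            System.out.printf("Not trusted: %s%nSubject: %s%nIssuer:  %s%nValid:   %s to %s%nSHA-256: %s%n", e.getMessage(),
                leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal(), leaf.getNotBefore(), leaf.getNotAfter(), sha256(leaf));
            System.out.print("Does the fingerprint match the one the server admin gave you? [y/N] ");
            if (!new Scanner(System.in).nextLine().trim().equalsIgnoreCase("y")) return;
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);                 // empty, application-private store
            ks.setCertificateEntry(host, leaf);  // pin this one certificate under the host alias
            try (FileOutputStream out = new FileOutputStream("app-truststore.p12")) {
                ks.store(out, "changeit".toCharArray()); // placeholder password
            }
        }
    }
}
```

On later runs, load app-truststore.p12 into a TrustManagerFactory and build the SSLContext for this one service from it, so the pinned certificate is trusted only by this application and only for this connection.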
 
Yahya Elyasse
Ranch Hand
Posts: 510

Rusty Shackleford wrote:
I believe a KeyStoreException is thrown if there is a certificate problem. Here is more information about handling certificates.

The problem with your viewpoint is that the vast majority of computer users don't have the required knowledge to be able to make an informed decision about self-signed certificates. Many security professionals wouldn't be able to tell if it is valid or not either, unless they had prior knowledge of the certificate and its fingerprints. The difference is security pros would likely not accept it but could at least make an informed decision and your "average" user has been conditioned to blindly accept everything. This is the big flaw of SSL, but nothing better has been developed yet, but at least signed certificates strengthen the system quite a bit. Self-signed certificates are a small step up from transmitting data in the clear.

Thank you for your reply.
In your opinion, should I try to handle the special case of an untrusted certificate for an SSL connection?
I have the impression I'm trying to make my application too smart. Probably I should only test whether the application can connect through HTTPS to the remote web service with a CA certificate, and if the certificate is not trusted by the server then I should merely display an error message to the user?
I'm trying to make the life of my application's users easy by offering them all possible options to connect to the SOAP service.
In your opinion, what are the best decisions and features I should implement to make the connection to the SOAP service robust and reliable? For example, should I consider proxy connections besides SSL? What are the other authentication options I should tackle besides SSL and plain HTTP connections?

Thanks.
 