[AG-DEV] Venue Server certificates problem

Rod Harris rod.harris at anu.edu.au
Wed Jul 12 21:09:31 CDT 2006


Thanks Andrew,

    I've tried what you sent me, but I still have a problem.

I don't create the SSLSocket in my code; the WSIF library does it when I 
try to communicate with the server, and I'm guessing it has its own 
SSLSocketFactory or it creates its SSLSockets via the SSLSocket 
constructor, because even when I use the static method 
HttpsURLConnection.setDefaultSSLSocketFactory(sslsocketfactory) it 
still refuses to trust the server.

Another thing I've tried is to use the method you posted and, via my own 
socket, get the certificates from the server (which I can get to work), 
then return them in the getAcceptedIssuers() method. But again, when I 
try to communicate with the server via the WSIF library it still won't 
trust it, so it must be creating its own SSLSockets that don't use the 
modified (AcceptAll) TrustManager.

Unless you have another suggestion I think my next best bet is to try to 
get hold of the javadoc for the AXIS library and see if I can set its 
SSLSocketFactory (if it even has one).

    Cheers, Rod

Andrew A Rowley wrote:
> Hi,
>
> Java by default will not accept a server certificate unless it, or its CA, is in the trust store.  As you say, you can get round this with TrustManagers by doing the following:
>
> import java.security.SecureRandom;
> import javax.net.ssl.SSLContext;
> import javax.net.ssl.SSLSocket;
> import javax.net.ssl.SSLSocketFactory;
> import javax.net.ssl.TrustManager;
>
> // Build an SSLContext whose only trust manager is the accept-all one below,
> // then open a socket to the venue server through it (server/port as in your code).
> SSLContext sslContext = SSLContext.getInstance("SSL");
> sslContext.init(null, new TrustManager[]{new AcceptAllTrustManager()}, 
>                 new SecureRandom());
> SSLSocketFactory sslsocketfactory = sslContext.getSocketFactory();
> SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(server, 
>                                                                 port);
>
> You then need the code for the AcceptAllTrustManager, which is:
>
> import java.security.cert.X509Certificate;
> import javax.net.ssl.X509TrustManager;
>
> // Trust manager that never rejects a chain: both check methods return
> // without throwing, so no server (or client) certificate is ever validated.
> public class AcceptAllTrustManager implements X509TrustManager {
>     
>     public void checkClientTrusted(X509Certificate[] chain, 
>         String authType) {
>         // Do nothing just now
>     }
>
>     public void checkServerTrusted(X509Certificate[] chain, 
>         String authType) {
>         // Do nothing just now
>     }
>
>     public X509Certificate[] getAcceptedIssuers() {
>         // No issuers advertised; an empty array is fine for a client-side manager.
>         return new X509Certificate[0];
>     }
> }
>
> You can make this all more secure by adding prompts to check that the server is trusted by the client, but this will get round the problems (it does for me anyway).
>
> Andrew :)
>
> ============================================
> Access Grid Support Centre,
> RSS Group,
> Manchester Computing,
> Kilburn Building,
> University of Manchester,
> Oxford Road,
> Manchester, 
> M13 9PL, 
> UK
> Tel: +44(0)161-275 0685
> Email: Andrew.Rowley at manchester.ac.uk 
>
>   
>> -----Original Message-----
>> From: owner-ag-dev at mcs.anl.gov [mailto:owner-ag-dev at mcs.anl.gov] On Behalf
>> Of Rod Harris
>> Sent: 12 July 2006 04:40
>> To: ag-dev at mcs.anl.gov
>> Subject: [AG-DEV] Venue Server certificates problem
>>
>> Hi All
>>
>>     I'm in the middle of trying to get VB running as a shared app with
>> AG3.
>>
>> VB is a Java app and I'm using WSIF to connect to the Venue to get the
>> streams.
>>
>> I've generated the Java code from the WSDL that's part of AG 3.0.1
>>
>> I get this error however when calling the GetStreams method:
>>     PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>> After searching today I found a few explanations that reckon it's
>> because the certificate(s) obtained from the VenueServer are not trusted.
>>
>> I tried a few hacks to get around this (disabling or modifying
>> TrustManagers) but nothing worked.
>>
>> I've used WSIF to successfully connect to another server that doesn't
>> use SSL so I'm sure the problem is somewhere with the certificates.
>>
>> I've also tried to connect to both the APAG and ANL venue servers and
>> had the same problem.
>>
>> So, I was wondering if anyone has used WSIF to connect to a secure AG3
>> venue and if so what they did to get it to work.
>>
>>     Cheers, Rod
>>
>>
>>
>>
>> --
>> No virus found in this outgoing message.
>> Checked by AVG Free Edition.
>> Version: 7.1.394 / Virus Database: 268.9.10/385 - Release Date: 11/07/2006
>>



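Editor's note, added example (not code from this thread or from the Access Grid project): the AcceptAllTrustManager quoted above makes checkServerTrusted a no-op, so the TLS handshake no longer authenticates the Venue Server at all and any host that can get onto the path can answer in its place. The usual fix for a PKIX "unable to find valid certification path" error is to trust the specific certificate (or issuing CA) the server actually presents, not everything. The class below loads that certificate from a PEM/DER file into an in-memory truststore, hands it to the JDK's own PKIX trust manager, and installs the resulting SSLContext as the JVM-wide default so that libraries which obtain sockets through SSLSocketFactory.getDefault() rather than through HttpsURLConnection also pick it up. The file name venue-ca.pem, the alias, and the host/port are placeholders; the certificate file is something you would save from the server yourself (for example from the output of openssl s_client -showcerts), and it is assumed here to be the venue server's issuing CA or its self-signed certificate. The code uses Java 7+ syntax; SSLContext.setDefault needs Java 6 or later, and on an older JVM the equivalent is to pass -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=... on the command line, which the JSSE default factory honours.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not from the thread or the AG project: trust exactly one
 * certificate (the venue server's CA or its self-signed cert) instead of
 * accepting every chain.  File name, alias, host and port are placeholders.
 */
public final class VenueTrust {

    /** Build an in-memory truststore containing just the certificate in certPath. */
    public static KeyStore trustStoreFromCert(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);   // PEM or DER
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // fresh, empty store
        ks.setCertificateEntry("venue-ca", cert); // alias is a placeholder
        return ks;
    }

    /** The JDK's PKIX trust manager, initialised from that truststore only. */
    public static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** An SSLContext whose server trust is restricted to the given truststore. */
    public static SSLContext contextFor(KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerFor(trustStore) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(trustStoreFromCert("venue-ca.pem"));

        // Install it before the first TLS connection is made.  setDefault (Java 6+)
        // is what SSLSocketFactory.getDefault() hands back, which is the path a
        // library that builds its own sockets will typically use; the
        // HttpsURLConnection setter only covers code going through that class.
        SSLContext.setDefault(ctx);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // Sanity check: one handshake through the new context, printing the
        // chain PKIX accepted.  Host and port are placeholders.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                 .createSocket("venues.example.org", 8000)) {
            // A raw SSLSocket does not check the hostname against the
            // certificate; ask JSSE to do so (Java 7+).
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            for (Certificate c : s.getSession().getPeerCertificates()) {
                System.out.println(((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }
}
```

If the handshake still fails with the PKIX error after this, the library is not going through the JSSE default at all; that is the point to look at how WSIF's transport (Axis, in the poster's case) creates its secure sockets and whether it lets you substitute a socket factory, which is what the Axis javadoc should settle. Whatever factory ends up being used, the check to keep is the one above: a trust manager that validates the chain against a store you control, plus hostname verification, rather than one that returns without looking.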