[AG-DEV] Venue Server certificates problem

Rod Harris rod.harris at anu.edu.au
Wed Jul 12 23:33:08 CDT 2006


OK - got it

    What I had to do was extend the JSSESocketFactory from the AXIS 
library and override its method for creating SSLSockets (so I could 
actually create the socket myself - thanks for the code to do that, 
Andrew), then set the System property "axis.socketSecureFactory" to be 
the name of this class. I don't know why it has to be done this way, 
especially when there's a SocketFactoryFactory class, but it works.

    Thanks again, Rod


Rod Harris wrote:
> Thanks Andrew,
>
>    I've tried what you sent me, but I still have a problem.
>
> I don't create the SSLSocket in my code, the WSIF library does it when 
> I try to communicate with the server, and I'm guessing it has its own 
> SSLSocketFactory or it creates its SSLSockets via the SSLSocket 
> constructor because even when I use the static method 
> /HttpsURLConnection.setDefaultSSLSocketFactory( sslsocketfactory )/ it 
> still refuses to trust the server.
>
> Another thing I've tried is to use the method you posted and, via my 
> own socket, get the certificates from the server (which I can get to 
> work) then return them in the /getAcceptedIssuers()/ method. But again 
> when I try to communicate with the server via the WSIF library it 
> still won't trust it so it must be creating its own SSLSockets that 
> don't use the modified (AcceptAll)TrustManager.
>
> Unless you have another suggestion I think my next best bet is to try 
> to get hold of the javadoc for the AXIS library and see if I can set 
> its SSLSocketFactory (if it even has one).
>
>    Cheers, Rod
>
> Andrew A Rowley wrote:
>> Hi,
>>
>> Java by default will not accept a server certificate unless it, or 
>> its CA, is in the trusted store.  As you say, you can get round this 
>> with TrustManagers by doing the following:
>>
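>> import java.security.SecureRandom;
>> import javax.net.ssl.SSLContext;
>> import javax.net.ssl.SSLSocket;
>> import javax.net.ssl.SSLSocketFactory;
>> import javax.net.ssl.TrustManager;
>>
>> SSLContext sslContext = SSLContext.getInstance("SSL");
>> sslContext.init(null,
>>         new TrustManager[]{new AcceptAllTrustManager()},
>>         new SecureRandom());
>> SSLSocketFactory sslsocketfactory = sslContext.getSocketFactory();
>> SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(server, port);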
>>
>> You then need the code for the AcceptAllTrustManager, which is:
>>
>> import java.security.cert.X509Certificate;
>> import javax.net.ssl.X509TrustManager;
>>
>> public class AcceptAllTrustManager implements X509TrustManager {
>>     public void checkClientTrusted(X509Certificate[] chain,
>>             String authType) {
>>         // Do nothing just now (no check is made on the client chain)
>>     }
>>
>>     public void checkServerTrusted(X509Certificate[] chain,
>>             String authType) {
>>         // Do nothing just now (every server certificate is accepted)
>>     }
>>
>>     public X509Certificate[] getAcceptedIssuers() {
>>         return new X509Certificate[0];
>>     }
>> }
>>
>> You can make this all more secure by adding prompts to check that the 
>> server is trusted by the client, but this will get round the problems 
>> (it does for me anyway).
>>
>> Andrew :)
>>
>> ============================================
>> Access Grid Support Centre,
>> RSS Group,
>> Manchester Computing,
>> Kilburn Building,
>> University of Manchester,
>> Oxford Road,
>> Manchester, M13 9PL, UK
>> Tel: +44(0)161-275 0685
>> Email: Andrew.Rowley at manchester.ac.uk
>>  
>>> -----Original Message-----
>>> From: owner-ag-dev at mcs.anl.gov [mailto:owner-ag-dev at mcs.anl.gov] On 
>>> Behalf
>>> Of Rod Harris
>>> Sent: 12 July 2006 04:40
>>> To: ag-dev at mcs.anl.gov
>>> Subject: [AG-DEV] Venue Server certificates problem
>>>
>>> Hi All
>>>
>>>     I'm in the middle of trying to get VB running as a shared app with
>>> AG3.
>>>
>>> VB is a Java app and I'm using WSIF to connect to the Venue to get the
>>> streams.
>>>
>>> I've generated the Java code from the WSDL that's part of AG 3.0.1
>>>
>>> I get this error however when calling the GetStreams method:
>>>     PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find valid certification path to requested target
>>>
>>> After searching today I found a few explanations that reckon that it's
>>> that the certificate(s) obtained from the VenueServer are not trusted.
>>>
>>> I tried a few hacks to get around this (disabling or modifying
>>> TrustManagers) but nothing worked.
>>>
>>> I've used WSIF to successfully connect to another server that doesn't
>>> use SSL so I'm sure the problem is somewhere with the certificates.
>>>
>>> I've also tried to connect to both the APAG and ANL venue servers and
>>> had the same problem.
>>>
>>> So, I was wondering if anyone has used WSIF to connect to a secure AG3
>>> venue and if so what they did to get it to work.
>>>
>>>     Cheers, Rod
>
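
The thread notes that the accept-all TrustManager can be made more secure. As an added example (not code from this thread or from the AG, WSIF or Axis projects), the following builds an SSLSocketFactory that trusts only one CA certificate, which resolves the "PKIX path building failed" error while still validating the server; a custom socket factory like the one described at the top of the thread could create its sockets from it. The class name VenueTrust, the alias "venue-ca" and the command-line arguments (CA certificate file, host, port) are assumptions, and the code targets a current JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; not part of AG, WSIF or Axis.
public class VenueTrust {

    // Returns a factory whose sockets trust only chains ending at the CA in caPath
    // (a PEM or DER X.509 certificate exported from the venue server's CA).
    static SSLSocketFactory factoryFor(String caPath) throws Exception {
        Certificate ca;
        try (InputStream in = new FileInputStream(caPath)) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                    // empty in-memory store
        trustStore.setCertificateEntry("venue-ca", ca); // alias is arbitrary
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client cert, default RNG
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java VenueTrust <ca-cert-file> <host> <port>");
            System.exit(2);
        }
        SSLSocketFactory factory = factoryFor(args[0]);
        try (SSLSocket s = (SSLSocket) factory.createSocket(args[1], Integer.parseInt(args[2]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check the host name
            s.setSSLParameters(p);
            s.startHandshake(); // throws SSLHandshakeException if the chain is not trusted
            System.out.println("Trusted peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

A server whose chain does not end at the supplied CA, or whose certificate does not match the host name, fails at startHandshake() instead of being silently accepted.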


