[AG-DEV] Venue Server certificates problem
Rod Harris
rod.harris at anu.edu.au
Wed Jul 12 23:33:08 CDT 2006
OK - got it.
What I had to do was extend the JSSESocketFactory from the AXIS
library and override its method for creating SSLSockets (so I could
actually create the socket myself - thanks for the code to do that,
Andrew), then set the System property "axis.socketSecureFactory" to be
the name of this class. I don't know why it has to be done this way,
especially when there's a SocketFactoryFactory class, but it works.
Thanks again, Rod
Rod Harris wrote:
> Thanks Andrew,
>
> I've tried what you sent me, but I still have a problem.
>
> I don't create the SSLSocket in my code, the WSIF library does it when
> I try to communicate with the server, and I'm guessing it has its own
> SSLSocketFactory or it creates its SSLSockets via the SSLSocket
> constructor because even when I use the static method
> /HttpsURLConnection.setDefaultSSLSocketFactory( sslsocketfactory )/ it
> still refuses to trust the server.
>
> Another thing I've tried is to use the method you posted and, via my
> own socket, get the certificates from the server (which I can get to
> work) then return them in the /getAcceptedIssuers()/ method. But again
> when I try to communicate with the server via the WSIF library it
> still won't trust it so it must be creating its own SSLSockets that
> don't use the modified (AcceptAll)TrustManager.
>
> Unless you have another suggestion I think my next best bet is to try
> to get hold of the javadoc for the AXIS library and see if I can set
> its SSLSocketFactory (if it even has one).
>
> Cheers, Rod
>
> Andrew A Rowley wrote:
>> Hi,
>>
>> Java by default will not accept a server certificate unless it, or
>> its CA is in the trusted store. As you say, you can get round this
>> with TrustManagers by doing the following:
>>
>>     // Needs: import javax.net.ssl.*; import java.security.SecureRandom;
>>     SSLContext sslContext = SSLContext.getInstance("SSL");
>>     sslContext.init(null,
>>             new TrustManager[]{new AcceptAllTrustManager()},
>>             new SecureRandom());
>>     SSLSocketFactory sslsocketfactory = sslContext.getSocketFactory();
>>     SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(server, port);
>>
>> You then need the code for the AcceptAllTrustManager, which is:
>>
>>     import java.security.cert.X509Certificate;
>>     import javax.net.ssl.X509TrustManager;
>>
>>     // Accepts every certificate chain: no validation is performed.
>>     public class AcceptAllTrustManager implements X509TrustManager {
>>         public void checkClientTrusted(X509Certificate[] chain,
>>                 String authType) {
>>             // Do Nothing just now
>>         }
>>
>>         public void checkServerTrusted(X509Certificate[] chain,
>>                 String authType) {
>>             // Do nothing just now
>>         }
>>
>>         public X509Certificate[] getAcceptedIssuers() {
>>             return new X509Certificate[0];
>>         }
>>     }
>>
>> You can make this all more secure by adding prompts to check that the
>> server is trusted by the client, but this will get round the problems
>> (it does for me anyway).
>>
>> Andrew :)
>>
>> ============================================
>> Access Grid Support Centre,
>> RSS Group,
>> Manchester Computing,
>> Kilburn Building,
>> University of Manchester,
>> Oxford Road,
>> Manchester, M13 9PL, UK
>> Tel: +44(0)161-275 0685
>> Email: Andrew.Rowley at manchester.ac.uk
>>
>>> -----Original Message-----
>>> From: owner-ag-dev at mcs.anl.gov [mailto:owner-ag-dev at mcs.anl.gov] On Behalf Of Rod Harris
>>> Sent: 12 July 2006 04:40
>>> To: ag-dev at mcs.anl.gov
>>> Subject: [AG-DEV] Venue Server certificates problem
>>>
>>> Hi All
>>>
>>> I'm in the middle of trying to get VB running as a shared app with
>>> AG3.
>>>
>>> VB is a Java app and I'm using WSIF to connect to the Venue to get the
>>> streams.
>>>
>>> I've generated the Java code from the WSDL that's part of AG 3.0.1
>>>
>>> I get this error however when calling the GetStreams method:
>>> PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find valid certification path to requested target
>>>
>>> After searching today I found a few explanations that reckon that it's
>>> that the certificate(s) obtained from the VenueServer are not trusted.
>>>
>>> I tried a few hacks to get around this (disabling or modifying
>>> TrustManagers) but nothing worked.
>>>
>>> I've used WSIF to successfully connect to another server that doesn't
>>> use SSL so I'm sure the problem is somewhere with the certificates.
>>>
>>> I've also tried to connect to both the APAG and ANL venue servers and
>>> had the same problem.
>>>
>>> So, I was wondering if anyone has used WSIF to connect to a secure AG3
>>> venue and if so what they did to get it to work.
>>>
>>> Cheers, Rod
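Andrew's remark about checking that the server is trusted, as an added example (not code from this thread, from Axis or from WSIF): a trust manager that accepts only a server certificate whose SHA-256 fingerprint was recorded in advance, usable in place of `AcceptAllTrustManager`. The class name `PinnedTrustManager` and the `socketFactory` helper are assumptions, and `main` uses certificates from the JDK default trust store as constructed stand-ins for a venue server certificate.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical class: accepts only the server whose leaf certificate has the pinned SHA-256 digest.
public class PinnedTrustManager implements X509TrustManager {
    private final byte[] pin;

    public PinnedTrustManager(byte[] pinnedSha256) { this.pin = pinnedSha256.clone(); }

    static byte[] sha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted");
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        // chain[0] is the server's own certificate; MessageDigest.isEqual compares in constant time
        if (!MessageDigest.isEqual(pin, sha256(chain[0])))
            throw new CertificateException("certificate does not match pinned fingerprint");
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    // Socket factory that can stand in for the one built from the accept-all manager.
    public static SSLSocketFactory socketFactory(byte[] pinnedSha256) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{new PinnedTrustManager(pinnedSha256)}, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: certificates from the JDK default trust store stand in for server certs.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate[] certs = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
        PinnedTrustManager tm = new PinnedTrustManager(sha256(certs[0]));  // pin the first one
        int accepted = 0, rejected = 0;
        for (X509Certificate c : certs) {
            try { tm.checkServerTrusted(new X509Certificate[]{c}, "RSA"); accepted++; }
            catch (CertificateException e) { rejected++; }
        }
        System.out.println("accepted=" + accepted + " rejected=" + rejected);
    }
}
```

The pinned digest has to come from a copy of the server certificate obtained over a channel you already trust, not from the same connection being verified.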