SSL : Java, Keytool, SOAP and Eclipse

Here is a how-to, in a nutshell, about SSL certificates.

In the development phase of a project it often happens that the certificate is auto-generated (self-signed) by a developer. In this case the certificate's CA is (obviously) untrusted, and so is the certificate itself.
To trust the certificate, it has to be added as an exception to Java's "trusted certificate store" (if you are using Java, of course). Java uses keytool as its certificate management utility: with this utility you can add the exception that makes the certificate trusted.

Steps to import

Steps for an example project using SOAP over HTTPS.

#1 Get the certificate

Two alternatives ...

#1.1 Get certificate using "shell"

If you are using a shell prompt (and can't use Firefox to download the certificate), you can run:

openssl s_client -showcerts -connect <ip>:<port>

This command prints some information and the certificate itself. You have to save to a file everything between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
The file must also include the two marker lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

#1.2 Get certificate using Browser

  • Use Firefox (for example) to get the certificate : type the https URL in the browser
    • example : write the SOAP URL in the URL field -> https://<ip>:<port>/SOAPService?wsdl
  • the browser warns you that the site is not trusted (and asks you to accept the certificate)
  • show the certificate with these steps : 1) press add exception 2) press view
  • select Details (not shown in the image above)
  • save the certificate with these steps : 3) press export...  4) press save (x.509 PEM)

Now that you have saved your certificate locally (let me say : in <certificate-file>), you have to use keytool.
Just try : /usr/java1.6/bin/keytool -printcert -file <certificate-file>

#2 Create truststore

/usr/java1.6/bin/keytool -import -v -noprompt -trustcacerts -alias soapexample -file <certificate-file> -keystore example-ks

<certificate-file> is the file containing the dumped certificate, as described above
example-ks is the keystore (it is created if it isn't present)

To check the result :

/usr/java1.6/bin/keytool -list -v -keystore example-ks -storepass password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: soapexample
Creation date: Apr 7, 2011
Entry type: trustedCertEntry
Owner: CN=.... 

#3 Import keystore into Eclipse

Now you have to set the configuration in Eclipse :
From the menu : [run][run configurations ...], in the pop-up window select the "(x)=Arguments" tab and in "VM arguments" type :

(Please check the path according to your OS and don't use an absolute path 🙂 )


If your SOAP server requires "HTTP authentication" (authentication at transport level) with user and password, you can use:


 --------------------- UPDATE  ---------------------
If you use :

then you are forcing the use of example-ks (keystore) at the Java level : this means that all HTTPS connections use this (your) keystore, which doesn't have the "official" certificates/CAs.

The official Java keystore with all certificates is : /usr/java1.6/jre/lib/security/cacerts
In this case the best way is to keep the two keystores separate and select your "example-ks" programmatically ...
... or merge the keystores (not recommended)

/usr/java1.6/bin/keytool -importkeystore -srckeystore /usr/java1.6/jre/lib/security/cacerts  -destkeystore /Users/Giovanni/Desktop/TMP/example-ks

where : cacerts is the Java keystore which is imported into example-ks
Check :

/usr/java1.6/bin/keytool -list -v -keystore /Users/Giovanni/Desktop/TMP/example-ks -storepass password
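
The recommended alternative above (keep the two keystores separate and select "example-ks" programmatically), sketched as an added example that is not code from the original post. The class name and the three command-line arguments are assumptions; the keystore type JKS is taken from the keytool output shown earlier.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: the class name and argument layout are hypothetical.
public class ExampleTrustStoreClient {

    // Build an SSLContext that trusts only the entries of the given JKS file.
    static SSLContext contextFor(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key managers, trust managers from example-ks, default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to example-ks, args[1]: store password,
        // args[2]: service URL, e.g. https://<ip>:<port>/SOAPService?wsdl
        SSLContext ctx = contextFor(args[0], args[1].toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        // Applied to this connection only: every other HTTPS connection in the JVM
        // keeps using the default socket factory and therefore cacerts.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Hostname verification stays enabled with this approach, so the self-signed certificate must still match the host name or IP used in the URL.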

