Here a nutshell How-To about SSL certificate.
In development phase of a project often happen that certificate is auto-generated (self signed) by developer. In this case the CA of certificate is (obviously) untrusted (and certificate itself is untrusted).
In order to trust the certificate this has to be added as exception in "trusted certificate store" of Java (of course if you are using java). Java uses keytool as certificate management utility : with this utility you can add exception in order to make certificate trusted.
Steps to import
Steps for project example with SOAP over https.
#1 Reap the certificate
Two alternatives ...
#1.1 Get certificate using "shell"
if you are using a shell prompt (you can't use firefox in order to download certificate) then you can run :
openssl s_client -showcerts -connect <ip>:<port>
This command displays on screen some information and the certificate itself. You have to save (in a file) what is present between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
In this file you have to include also the two strings "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
#1.2 Get certificate using Browser
- Use Firefox (for example) in order to get certificate : type https URL in browser
- example : write SOAP URL in the URL field -> https://<ip>:<port>/SOAPService?wsdl
- browser advises you about not trusted site (so it asks you to accept certificate)
- show certificate following steps : 1) press add exception 2) press view
- select Details (is not showed in above image)
- save certificate following steps : 3) press export... 4) press save (x.509 PEM)
Get certificate
Now that you have saved locally your certificate (let me say : example.com) you have to use keytool.
Just try : /usr/java1.6/bin/keytool -printcert -file example.com
#2 Create truststore
/usr/java1.6/bin/keytool -import -v -noprompt -trustcacerts -alias soapexample -file example.com -keystore example-ks
example.com is file containing the dumped certificate as above described
example-ks is keystore (could be created if isn't present)
Just to check result :
/usr/java1.6/bin/keytool -list -v -keystore example-ks -storepass password Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: soapexample Creation date: Apr 7, 2011 Entry type: trustedCertEntry Owner: CN=....
3# Import keystore into Eclipse
Now you have to set configuration in eclipse :
From menu : [run][run configurations ...]
in pop-up window select "(x)=Arguments" tab and in "VM arguments" type :
-Djavax.net.ssl.trustStore=/Users/Giovanni/Desktop/TMP/example-ks -Djavax.net.ssl.trustStorePassword=password
(Please check path in according to your OS and don't use absolute path 🙂 )
Bonus
if your SOAP server requires "http authentication" (authentication at transport level) with user and password you can use:
https://<username>:<password>@<ip>:<port>/SOAPService?wsdl
-Djavax.net.ssl.trustStore=/Users/Giovanni/Desktop/TMP/example-ks -Djavax.net.ssl.trustStorePassword=password
then you are forcing to use example-ks (keystore) at java level : this means that all https connection uses this (your) keystore which doesn't have "official" certificates/CA.
Official JAVA keystore with all certificate is : /usr/java1.6/jre/lib/security/cacerts
In this case the best way is to keep separate the two keystore and select programmatically your "example-ks" ...
... or merge keystore (not recommended)
/usr/java1.6/bin/keytool -importkeystore -srckeystore /usr/java1.6/jre/lib/security/cacerts -destkeystore /Users/Giovanni/Desktop/TMP/example-ks
where : cacerts is java keystore which is imported to example-ksCheck :
/usr/java1.6/bin/keytool -list -v -keystore /Users/Giovanni/Desktop/TMP/example-ks -storepass password
Add Comment