HTTPS Client Connection to Tomcat

Hi Guys,

I'm trying to implement a simple HTTPS command-line client and rapidly realize I don't fully understand the whole SSL mechanism and how it interacts with the underlying OS.

I am using JSDK 1.5 so have jsse.jar installed. This is really more a question about using keytool and certificates so please bear with me.

In order to enable HTTPS on tomcat, I did this:

keytool -genkey -alias tomcat -keyalg RSA

My understanding is that this generates a self-signed certificate in the .keystore file in my home directory. Tomcat is using the default passwords so after enabling the SSL connector and restarting Tomcat, it comes up ok.

So the default tomcat implementation uses the certificate in the .keystore file in the home directory under which the tomcat user has been installed.

If I point a web browser at a servlet I have running on tomcat (using https on default port 8443), I get prompted whether I want to accept the certificate and then can access the servlet ok. So I believe tomcat is set up ok.

The client I am using uses an HttpsURLConnection but I found it uses a different keystore, one in ${JAVA_HOME}/jre/lib/security/cacerts.

So am I right in thinking I need to put the certificate in this file ? If so, I used:

keytool -export -alias tomcat -file tomcat.cert

To export the certificate from my default .keystore file. Then I need to import it into the cacerts file:

keytool -import -alias tomcat -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file tomcat.cert

Could someone confirm that this is the correct procedure, or am I talking out of my hat here?

Thanks,
Clive
Can people talk out of their hat?

Yes, using HttpsURLConnection you will probably use the cacerts keystore. This is because, by default, a Java SSL client will attempt to verify the identity of the server, i.e. check that it trusts the server's certificate. In this specific instance, you have a self-signed cert, so you have to physically import that cert into cacerts. If you got your certificate signed by Verisign or another CA, then you wouldn't need to do this.

Alternatively, as we know HttpsURLConnection probably uses the SSLSession/SSLContext, you could bypass this by writing your own TrustManager implementation and doing SSLContext.getInstance("TLS").init(null, mytrustmanager, null).

Your trust manager implementation could just return true for every method.
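An added example, not code from this thread: a TrustManager that accepts everything switches off server authentication, so anyone who can intercept the connection can present any certificate. The safer way to trust a self-signed Tomcat cert without touching the JDK's cacerts is to give the client its own truststore that contains only the exported tomcat.cert. This assumes Java 7 or newer, a truststore file tomcat-truststore.jks (hypothetical name) built with keytool -import -alias tomcat -keystore tomcat-truststore.jks -file tomcat.cert, and that the cert's CN matches the host name used in the URL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TomcatHttpsClient {
    public static void main(String[] args) throws Exception {
        // Hypothetical truststore holding only the exported self-signed Tomcat cert:
        //   keytool -import -alias tomcat -keystore tomcat-truststore.jks -file tomcat.cert
        String trustStorePath = args.length > 0 ? args[0] : "tomcat-truststore.jks";
        char[] trustStorePassword = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String url = args.length > 2 ? args[2] : "https://localhost:8443/";

        // Load the dedicated truststore; the JDK's cacerts file is left untouched.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }

        // Build real X.509 trust managers from it: the server cert must chain to
        // (or be) an entry in this store, or the handshake fails.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Apply the context to this connection only; the default hostname verifier
        // stays in place, so the cert's CN/SAN still has to match the URL's host.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        int status = conn.getResponseCode();
        System.out.println("HTTP status: " + status);
        System.out.println("Negotiated cipher suite: " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

If the truststore password or path is wrong, or the server presents a cert that is not in the store, the program ends with an SSLHandshakeException instead of silently trusting the peer.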
 
clive jordan
Thanks very much for the reply, I just wanted to check I understood things correctly. I have looked at some examples of using TrustManagers to accept everything, but although I could have cut and pasted the code, I frankly did not understand it. I may revisit that when I have a better understanding of things :-)

Thanks again,
Clive