
WebSphere and SSL


junk...@gmail.com

Oct 18, 2006, 9:58:59 PM10/18/06
hi,

There is Java code running in WebSphere that opens a URL stream over SSL to another web server. During this process, I get an unknown certificate error. Thanks in advance.
Here is the stack trace....

javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.bg.a(Unknown Source)
at com.ibm.jsse.bg.startHandshake(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.n(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.bw.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(URL.java:495)


Paul Ilechko

Oct 19, 2006, 8:08:42 AM10/19/06

junk...@gmail.com

Oct 19, 2006, 2:33:30 PM10/19/06
Hi,

I tried that, but I am still getting this error. Thanks.

java.net.SocketException: Invalid keystore format
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.b(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.cb.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.cb.p(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.<init>(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.q.c(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.q.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.ci.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(URL.java:942)

Paul Ilechko

Oct 19, 2006, 3:14:48 PM10/19/06

you tried what, exactly ?

junk...@gmail.com

Oct 19, 2006, 3:56:16 PM10/19/06
This is what I did.

I got a free certificate from VeriSign. I placed it on one server and I am able to connect correctly through a web browser. On the WebSphere box I saved the original certificate along with the signed certificate. In WebSphere Admin I tried to set up the keystore and trusted store along with the Java protocol handler. In short, I have two boxes: one server running HTTPS, and WebSphere (not SSL) trying to make calls to the other server.

Thanks

Sunit Patke

Oct 19, 2006, 5:01:45 PM10/19/06
You are trying to call a web service (URL) on one box from another box that
is running WebSphere. i.e. WebSphere application is service consumer and the
remote box is service provider.

1. Are you able to access the service from the WebSphere box using web
browser with SSL (HTTPS)? If yes then the service is set up correctly for
SSL.

2. Install the SSL certificate used by the web service provider (you can get
it from the browser in step 1) in the $WASHOME/java/jre/security/cacerts
file. cacerts is a jks type certificate store and you should be able to
open it using ikeyman. The default password for cacerts is changeit.

Sunit

<junk...@gmail.com> wrote in message
news:371051855.1161287807...@ltsgwas010.sby.ibm.com...

Paul Ilechko

Oct 19, 2006, 5:20:31 PM10/19/06

I hate to disillusion you, but I am not a mind reader. Now, you can
either try being *exact* about what you did (e.g. which certificate did
you put in which keystore) or we can just forget the whole thing. You
obviously did something wrong, but as of now, I have no idea what.

Did you read the paper that I gave you the link to? That is very clear
on what needs to be done for JSSE.

Paul Ilechko

Oct 19, 2006, 5:22:26 PM10/19/06
Sunit Patke wrote:
> You are trying to call a web service (URL) on one box from another box that
> is running WebSphere. i.e. WebSphere application is service consumer and the
> remote box is service provider.

He never mentioned web services. As far as I know he's doing straight
HTTP(s).


>
> 1. Are you able to access the service from the WebSphere box using web
> browser with SSL (HTTPS)? If yes then the service is set up correctly for
> SSL.
>
> 2. Install the SSL certificate used by the web service provider (you can get
> it from the browser in step 1) in the $WASHOME/java/jre/security/cacerts
> files. cacerts is a jks type certificate store and you should be able to
> open it using ikeyman. The default password for cacerts is changeit.

No !!!! You do *not* touch cacerts in WAS. If you do, you may break WAS
internals.
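
The approach the thread converges on, as an added example that is not code from either poster: give the client its own JKS truststore and build an SSLContext from it, rather than importing into the JRE's cacerts. The truststore path, alias, file names and password below are assumptions for illustration; the point is that a truststore populated with the remote server's signer certificate resolves the "unknown certificate" handshake failure, and that pointing the loader at a file that is not actually a JKS (for example a PEM-encoded certificate saved from the browser) is exactly what produces "Invalid keystore format". Inside WAS itself the truststore is the one selected in the WAS SSL configuration; this standalone client shows the JSSE mechanics that configuration drives.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Open an HTTPS URL trusting only the certificates in a dedicated JKS truststore.
 * Assumed setup (not from the thread): the remote server's signer (CA) certificate
 * was exported from the browser as server-ca.cer and imported with
 *   keytool -import -alias remote-ca -file server-ca.cer -keystore app-trust.jks -storepass changeme
 * The JRE's cacerts is left untouched.
 */
public class TrustStoreClient {

    /** Load the truststore and list what it trusts; fail fast if the file is not a JKS. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        } catch (IOException e) {
            // "Invalid keystore format" here means the file is not a JKS at all, typically a
            // PEM/DER certificate handed over as if it were a keystore. A wrong store password
            // also surfaces as an IOException from load().
            throw new IllegalStateException(path + " is not a readable JKS truststore: " + e.getMessage(), e);
        }
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            System.out.println("trusted alias " + alias + ": " + (c == null ? "(no certificate)" : c.getType()));
        }
        return ts;
    }

    /** Build an SSLContext whose trust decisions come only from the given truststore. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreClient https://host/path app-trust.jks storepass");
            System.exit(2);
        }
        SSLContext ctx = contextFor(loadTrustStore(args[1], args[2].toCharArray()));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        // Per-connection socket factory: this does not alter the process-wide default that
        // URL.openStream() and the rest of the JVM use.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            byte[] buf = new byte[4096];
            int n, total = 0;
            while ((n = in.read(buf)) > 0) total += n;
            System.out.println("HTTP " + conn.getResponseCode() + ", " + total + " bytes over " + conn.getCipherSuite());
        }
    }
}
```

Two caveats. Import the signer (CA) certificate rather than the server's leaf certificate where you can, so a routine renewal of the leaf does not break the client. And the fix for "unknown certificate" is never a TrustManager that accepts everything or a HostnameVerifier that always returns true; either one turns the handshake into an unauthenticated connection, which is worse than the error you started with.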

junk...@gmail.com

Oct 19, 2006, 9:26:10 PM10/19/06
Thanks for your help... I figured out what my problem was: the trust store was not set up correctly.

Paul Ilechko

Oct 20, 2006, 10:37:41 AM10/20/06
Sunit Patke wrote:
> cacerts is a jks that contains root CA certificates and trusted certificates
> as provided by Sun. Last year some of the Verisign certificates expired and
> IBM refused to issue a patch for SDK to fix the issue. Instead we were
> pointed to Sun advisory on how to import new certificates into cacerts.

Yes, but WAS has its own keystores and truststores to provide the
ability to manage multiple SSL configurations. Changing cacerts is not
the appropriate way to set up application level trust in WAS, at least
when you have global security enabled. You should read the JSSE paper on
websphere developer domain that I referenced earlier, and you should not
be telling people to blindly add certificates to cacerts, as that will
usually be the wrong approach.

Sunit Patke

Oct 20, 2006, 10:30:21 AM10/20/06
cacerts is a jks that contains root CA certificates and trusted certificates
as provided by Sun. Last year some of the Verisign certificates expired and
IBM refused to issue a patch for SDK to fix the issue. Instead we were
pointed to Sun advisory on how to import new certificates into cacerts.

My observation so far has been that there is nothing WAS specific in cacerts
itself. IBM does modify the security providers list for WAS but again that's
not cacerts. But this could have changed with WAS 6.x

Sunit

"Paul Ilechko" <paul.i...@us.ibm.com> wrote in message
news:eh8qag$13k54$2...@news.boulder.ibm.com...
