CertificateException: Certificate chain not trusted


Ye

Feb 25, 2009, 6:56:05 AM
to Hermes 2.0 Discussion List
Hi,

I am using Hermes ebMS and am connected to a priority ebMS server (let's call it OtherEBMS). I have successfully tested self-loopback and loopback to the OtherEBMS server. Now I am trying to test loopbackSSL, and the message from Hermes won't reach OtherEBMS at all when I switch from http to https and the port to the SSL port. The ebms log shows the following:

2009-02-25 18:28:49 [Thread-1504 ] <ERROR> <cecid.ebms.spa> <Cannot get the reply message>
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate chain not trusted

I only have the OtherEBMS SSL public key. Will it be enough? Where do I set it to trust their SSL certificate?

Any comments are appreciated.

Ye

pape...@gmail.com

Mar 3, 2009, 10:40:32 PM
to Hermes 2.0 Discussion List
Hello,

You will need to configure two things.

1. Specify the location of your SSL TrustManager. You can define this in "corvus.module.xml", which you can find inside /webapps/corvus/WEB-INF/classes/hk....(all the way down)/conf/. Uncomment the section about SSL Trust Manager and provide the details accordingly (i.e. keystore location and password of the keystore).
2. Get the SSL public certificate from the OtherEBMS and import it into your TrustManager. You can do this with the Java keytool command.

After the steps above, restart H2O and the message exchange should work. Also, if you want to receive messages via HTTPS, the OtherEBMS will also need to do a similar procedure.

Hope this helps.

Regards,
ronnie

Ye

Mar 9, 2009, 4:09:15 AM
to Hermes 2.0 Discussion List
OK. Now I can add the OtherEBMS public key into my .keystore and all. But now the error message I get when I restart Tomcat is:

Caused by: hk.hku.cecid.piazza.commons.security.KeyStoreManagementException: Unable to initialize the key store
by java.io.IOException: Invalid keystore format
at hk.hku.cecid.piazza.commons.security.KeyStoreComponent.load(KeyStoreComponent.java:175)
at hk.hku.cecid.piazza.commons.security.KeyStoreComponent.init(KeyStoreComponent.java:140)
at hk.hku.cecid.piazza.commons.security.KeyStoreComponent.init(KeyStoreComponent.java:94)
at hk.hku.cecid.piazza.commons.module.Module.initComponents(Module.java:182)
... 34 more


So my question now is: what format does the .keystore file need to be in? And if I need X.509 format, is there any tool that can convert? The keytool GUI I have (v. 1.7) doesn't have X.509 format.

Regards,

Ye

Torsten Kirschner

Mar 9, 2009, 4:39:45 AM
to cecid-...@googlegroups.com


On Mar 9, 2009 9:09am, Ye <MrY...@gmail.com> wrote:
> ok.  Now, I can add OtherEBMS public key into my .keystore and all.
> And if i need X.509 format, is there any tool that can
> convert?  keytool GUI I have (v. 1.7) doesn't have X.509 format.

I'd recommend OpenSSL (http://www.openssl.org/). It can do that and everything else certificate-related.


Martin Kalén

Mar 9, 2009, 5:54:51 AM
to Hermes 2.0 Discussion List

On 9 Mar, 09:09, Ye <MrYe...@gmail.com> wrote:
> so, my question now is... what format does it need to be for .keystore
> file?   And if i need X.509 format, is there any tool that can
> convert?  keytool GUI I have (v. 1.7) doesn't have X.509 format.

The default Java runtime keystore format, if you use a Sun JRE, is a
proprietary format called JKS and defined by Sun. Normally you don't
need knowledge about the format if you use keytool to manage the
certificates in the keystore.

X.509 is a complete PKI standard and does not specify a single
certificate format. There are several possible formats. Read a bit
more on e.g. Wikipedia: http://en.wikipedia.org/wiki/X.509

I would listen to T. Kirschner's advice and use OpenSSL for
conversion. If you have a public certificate in PEM format (Base64-
encoded DER certificate, ASCII readable) you can convert it to DER
(binary format) with:

openssl x509 -in [your_public_cert.pem] -out new_public_cert.der -outform DER

After this, use keytool to import:

keytool -import -alias [your_certificate_alias] -file new_public_cert.der -keystore [your_jks_keystore] -storepass [your_jks_keystore_password]

Read more about Sun's keytool at http://java.sun.com/j2se/1.5.0/docs/tooldocs/#security

Regards,
Martin

P.S. Hint: the certificate part is not Hermes-specific, but rather a
generic Java Cryptography Architecture (JCA) problem - this means you
can search for answers using more generic terms than Hermes, H2O etc.
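The procedure from ronnie's reply (import the OtherEBMS certificate into the truststore with keytool) and Martin's reply (convert PEM to DER with OpenSSL first, then import), as an added example that is not part of the thread and not code from the Hermes/H2O project. It assumes openssl and keytool are on PATH for the conversion and import functions; the format check and the demo at the bottom use only POSIX head, grep and od, and the demo files are constructed placeholders, not real certificates. The alias, file names and store password (changeit, as in Ye's config) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Hermes/H2O project or from the thread.
# Automates the conversion-and-import steps described above: tell PEM from
# DER, convert PEM to DER with OpenSSL, import into a JKS truststore with
# keytool and confirm the alias is there.
# Assumptions: openssl and keytool on PATH for pem_to_der / import_cert;
# cert_format and demo need only POSIX head, grep and od.

# Print "pem", "der" or "unknown" for the file named in $1.
# PEM is Base64 text between "-----BEGIN CERTIFICATE-----" markers; DER is
# binary ASN.1 whose first byte is the SEQUENCE tag 0x30 of the outer
# Certificate structure.
cert_format() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "unknown"
        return 1
    fi
    if head -n 5 "$f" | grep -q -e '-----BEGIN .*CERTIFICATE-----'; then
        echo "pem"
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
        echo "der"
    else
        echo "unknown"
    fi
}

# Convert PEM ($1) to DER ($2): Martin's openssl command, with the input
# format made explicit.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER
}

# Import certificate $1 into JKS truststore $2 under alias $3, store
# password $4, then list the alias to confirm the import.
# keytool reads both PEM and DER, so pem_to_der is only needed for tools
# that insist on DER. -storetype JKS is explicit because JDK 9 and later
# default to PKCS12, while Ye's JDK 1.5 keystore is JKS. -noprompt skips
# the "Trust this certificate?" question, so compare the fingerprint first
# (openssl x509 -noout -fingerprint -sha256 -in "$1") with what the
# OtherEBMS operator gave you out of band; whatever you import here is
# trusted for every HTTPS connection Hermes makes through this truststore.
import_cert() {
    keytool -import -noprompt -alias "$3" -file "$1" \
        -keystore "$2" -storetype JKS -storepass "$4" \
    && keytool -list -alias "$3" -keystore "$2" -storetype JKS -storepass "$4"
}

# Demo on constructed files (not real certificates): a PEM wrapper with a
# placeholder body, a DER-looking header and a plain text file.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' \
        '-----END CERTIFICATE-----' > "$d/other.pem"
    printf '\060\202\002\134' > "$d/other.der"
    printf 'not a certificate\n' > "$d/notes.txt"
    for f in other.pem other.der notes.txt; do
        echo "$f: $(cert_format "$d/$f")"
    done
    rm -rf "$d"
}
demo
# Real run, once you have the OtherEBMS certificate file:
#   pem_to_der otherebms.pem otherebms.der
#   import_cert otherebms.der /path/to/.keystore otherebms changeit
```

If the OtherEBMS certificate is issued by a CA rather than self-signed, importing the issuing CA certificate instead of the leaf keeps the truststore valid when the server renews its certificate under the same CA.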

Ye

Mar 9, 2009, 6:26:17 AM
to Hermes 2.0 Discussion List
Dear Martin,

The public key I extracted from the CPA is in X509 format. I can import it into .keystore, but I can't really restart Tomcat, as it has an exception error on Invalid Keystore Format. I tried to import using the command-line keytool but always get an io.EOFException error, and when I use the Keytool GUI I can import, but I get the error mentioned above.

Now the question is back to what format Tomcat can understand. Probably any format that keytool generates. But why is my Tomcat getting errors and not starting? Converting to X509 is my desperate attempt, which might not solve my problem.

My Tomcat version is 5.5 and my JDK is 1.5.0_15, if that is of any relevance.

corvus.module.xml contains

<component id="ssl-trust-manager" name="SSL Trust Manager">
<class>hk.hku.cecid.piazza.commons.security.KeyStoreTrustManager</class>
<parameter name="keystore-location" value="c:\certs" />
<parameter name="keystore-password" value="changeit" />
</component>

and my .keystore file is in c:\certs. And yes, I am still using the default .keystore, just importing the public key using the keytool GUI.

corvus.properties.xml contains

<environment>
<properties>
<http.proxyHost/>
<http.proxyPort/>
<https.proxyHost/>
<https.proxyPort/>
<sun.net.client.defaultConnectTimeout>30000</sun.net.client.defaultConnectTimeout>
<sun.net.client.defaultReadTimeout>300000</sun.net.client.defaultReadTimeout>
<!--javax.net.ssl.trustStore>/jdk1.5.0_15/jre/lib/security/cacerts</javax.net.ssl.trustStore-->
<!-- javax.net.ssl.trustStore>/j2sdk1.4.2_04/jre/lib/security/cacerts</javax.net.ssl.trustStore -->
<!-- javax.net.ssl.trustStorePassword>password</javax.net.ssl.trustStorePassword -->
<file.encoding>UTF-8</file.encoding>
</properties>
</environment>


Not sure if those above are of any relevance. Any suggestion?

Regards,

Ye


Martin Kalén

Mar 9, 2009, 9:47:51 PM
to Hermes 2.0 Discussion List
Greetings,

On 9 Mar, 11:26, Ye <MrYe...@gmail.com> wrote:
> corvus.module.xml contains
>
>         <component id="ssl-trust-manager" name="SSL Trust Manager">
>                         <class>hk.hku.cecid.piazza.commons.security.KeyStoreTrustManager</class>
>                         <parameter name="keystore-location" value="c:\certs" />
>                         <parameter name="keystore-password" value="changeit" />
>         </component>
> and my .keystore file is in c:\certs

Change keystore-location to the full path, ie:
<parameter name="keystore-location" value="c:\certs\.keystore" />

Also, if it's a JKS keystore and still does not work you can try to
add (since I don't know the default choice of
hk.hku.cecid.piazza.commons.security.KeyStoreKeyManager):
<parameter name="keystore-type" value="JKS" />

> corvus.properties.xml contains
>
>         <environment>
>                 <properties>
>                         <!--javax.net.ssl.trustStore>/jdk1.5.0_15/jre/lib/security/cacerts</
> javax.net.ssl.trustStore-->
>                         <!-- javax.net.ssl.trustStorePassword>password</
> javax.net.ssl.trustStorePassword -->
> Not sure if those above are of any relevance. Any suggestion?

These parameters are only used if you comment out the activation of
the CECID classes for SSL key and trust managers above (in
corvus.module.xml) and return to the shipped defaults. In the default
configuration, the JRE standard implementations of SSL key and trust
managers will be used (i.e. Sun-supplied implementations for a Sun JRE).
The H2O web GUI can then be used to change the values of
corvus.properties.xml if you don't want to edit it by hand. Note that
changes still require a restart of the application server to take
effect.

These two configuration scenarios are mutually exclusive. When you
select the CECID classes with ssl-[key|trust]-manager in
corvus.module.xml, setting javax.net.ssl parameters in
corvus.properties.xml has no effect in H2O.

Good luck,
Martin
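The two checks Martin's reply above asks for, as an added example that is not part of the thread and not code from the Hermes/H2O project: keystore-location in the ssl-trust-manager component must name the keystore file itself rather than the directory holding it, and that file must be in the format the trust manager is configured for (JKS unless a keystore-type parameter, whose name is Martin's guess and assumed here, says otherwise). The magic numbers are those of the Sun formats (JKS files start with 0xFEEDFEED, JCEKS with 0xCECECECE); a PKCS#12 store and a bare DER certificate both start with the ASN.1 SEQUENCE tag 0x30, and PEM text starts with "-----". How KeyStoreTrustManager validates the file internally is not shown in the thread; the script only reproduces checks you can run before restarting Tomcat. It assumes POSIX sh, sed and od and the XML layout of the fragment Ye posted; the demo writes a constructed copy of that fragment into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the Hermes/H2O project or from the thread.
# Checks the ssl-trust-manager entry of corvus.module.xml before a restart:
# does keystore-location name a file (not a directory), and is that file in
# the keystore format the trust manager is configured for?
# Assumptions: POSIX sh, sed, od; the parameter layout of the posted fragment;
# "keystore-type" as the optional type parameter (Martin's guess).

# Print the value of <parameter name="$2" value="..."/> from file $1.
module_param() {
    sed -n "s/.*<parameter name=\"$2\" value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Classify the path in $1 by its first bytes:
# missing, directory, jks (FEEDFEED), jceks (CECECECE), pem ("-----"),
# asn1 (0x30: PKCS#12 store or a bare DER certificate) or unknown.
keystore_kind() {
    f=$1
    if [ ! -e "$f" ]; then echo "missing"; return 0; fi
    if [ -d "$f" ]; then echo "directory"; return 0; fi
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo "jks" ;;
        cececece) echo "jceks" ;;
        2d2d2d2d) echo "pem" ;;
        30*)      echo "asn1" ;;
        *)        echo "unknown" ;;
    esac
}

# Diagnose the trust manager configured in corvus.module.xml ($1).
# Returns 0 only when keystore-location is a keystore of the expected type.
check_trust_manager() {
    cfg=$1
    loc=$(module_param "$cfg" keystore-location)
    want=$(module_param "$cfg" keystore-type)
    [ -n "$want" ] || want=JKS          # Martin's hint: JKS when unspecified
    want=$(echo "$want" | tr '[:upper:]' '[:lower:]')
    kind=$(keystore_kind "$loc")
    case "$kind" in
        missing)   echo "keystore-location '$loc' does not exist"; return 1 ;;
        directory) echo "keystore-location '$loc' is a directory; name the keystore file, e.g. '$loc/.keystore'"; return 1 ;;
        pem)       echo "'$loc' is a PEM certificate, not a keystore; import it into the keystore with keytool instead"; return 1 ;;
        asn1)      if [ "$want" = pkcs12 ]; then echo "ok: '$loc' is DER/ASN.1, consistent with keystore-type PKCS12"; return 0; fi
                   echo "'$loc' is DER/ASN.1 (a PKCS#12 store or a bare certificate), not $want"; return 1 ;;
        jks|jceks) if [ "$kind" = "$want" ]; then echo "ok: '$loc' is a $kind keystore"; return 0; fi
                   echo "'$loc' is $kind but keystore-type expects $want"; return 1 ;;
        *)         echo "'$loc' is not a recognised keystore format"; return 1 ;;
    esac
}

# Write a constructed copy of the posted component into $1 with
# keystore-location set to $2 (the password is the thread's placeholder).
write_cfg() {
    cat > "$1" <<EOF
<component id="ssl-trust-manager" name="SSL Trust Manager">
<class>hk.hku.cecid.piazza.commons.security.KeyStoreTrustManager</class>
<parameter name="keystore-location" value="$2" />
<parameter name="keystore-password" value="changeit" />
</component>
EOF
}

# Demo: first the misconfiguration from the thread (location is the
# directory), then a file carrying only the JKS magic (not a real store).
demo() {
    d=$(mktemp -d) || return 1
    cfg="$d/corvus.module.xml"
    write_cfg "$cfg" "$d"
    check_trust_manager "$cfg" || true
    printf '\376\355\376\355' > "$d/.keystore"
    write_cfg "$cfg" "$d/.keystore"
    check_trust_manager "$cfg" || true
    rm -rf "$d"
}
demo
```

For a real installation point check_trust_manager at the corvus.module.xml under WEB-INF/classes and, if it reports "ok", run keytool -list -keystore on the same path with the configured password: that is the call that fails with "Invalid keystore format" when the file is not what the trust manager expects, and it fails before Tomcat has to be restarted.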