Java REST Client to access Puppet API


Naveen Desu

Nov 27, 2013, 7:47:41 AM11/27/13
to puppet...@googlegroups.com
Hi,

I am building a Java RESTful Client to connect & access Puppet Master services. While attempting this, I am unable to get SSLHandshake through. Can you pls let me know where I am going wrong:


Obtained required signed certificates from puppetmaster.domain.com using:
a. Run command "puppet cert --generate javaclient.domain.com"

b. Obtained:
   - Signed certificate from {ssldir}/certs/javaclient.domain.com.pem & renamed it to javaclient.domain.com-cert.pem
   - Private key from {ssldir}/private_keys/javaclient.domain.com.pem & renamed it to javaclient.domain.com-key.pem

c. Created PKCS12 keystore using "openssl pkcs12 -export -name myservercert -in javaclient.domain.com-cert.pem -inkey javaclient.domain.com-key.pem -out javaclient.domain.com.p12"

d. Convert PKCS12 keystore into a JKS keystore using "keytool -importkeystore -destkeystore javaclient.domain.com.jks -srckeystore javaclient.domain.com.p12 -srcstoretype pkcs12 -alias myservercert"

Now the keystore javaclient.domain.com.jks is used in the java application using the snippet

KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream({javaclient.domain.com.jks path}), "{Password}".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(trustStore);

ctx = SSLContext.getInstance("SSL");
ctx.init(null, tmf.getTrustManagers(), null);
ClientConfig config = new DefaultClientConfig(); // Jersey API
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hostnameVerifier, ctx));

The Java client fails to run with exception "No trusted certificate found":
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:151)
at com.sun.jersey.api.client.Client.handle(Client.java:648)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:680)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
at test.JerseyRestAPI.executeRestAPI(JerseyRestAPI.java:105)
at test.JerseyRestAPI.main(JerseyRestAPI.java:37)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:249)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)

Can you suggest where I am going wrong - in creating Signed certificate on Puppet Master (or) creation of Keystore from the obtained certificate & private-key?

Thanks,
Naveen.

Felix Frank

Nov 28, 2013, 5:01:35 AM11/28/13
to puppet...@googlegroups.com
Hi,

good thinking, but you do want to add the CA certificate of your master
to your keystore. On the agent node, it can be found in
{ssldir}/certs/ca.pem.

There should be a keytool -importcert or similar option.

HTH,
Felix

On 11/27/2013 01:47 PM, Naveen Desu wrote:
> b. Obtained
> Signed Certificate from {ssldir}/certs/javaclient.domain.com.pem &
> renamed it to javaclient.domain.com-cert.pem
> Private key from {ssldir}/private_keys/javaclient.domain.com.pem &
> renamed it to javaclient.domain.com-key.pem
>
> c. Created PKCS12 keystore using "*/openssl pkcs12 -export -name
> myservercert
> -in javaclient.domain.com-cert.pem -inkey javaclient.domain.com-key.pem -out javaclient.domain.com.p12/*"
>
> d. Convert PKCS12 keystore into a JKS keystore using "*/keytool
> -importkeystore
> -destkeystore javaclient.domain.com.jks -srckeystore javaclient.domain.com.p12 -srcstoretype
> pkcs12 -alias myservercert/*"

Bertrand Thomas

Feb 5, 2018, 10:34:34 AM2/5/18
to Puppet Users
Hi, were you able to have it working?
I would like to do the same.

Thank you,
Bertrand