This post is meant to remind me how to implement SSL certificates within Java. It was definitely a learning experience digging into trust stores and keystores.
Installation of client certificates in a Java client environment
This section describes the steps required to install the provided certificates in a Java client environment. In general you will create a new Java keystore and truststore using the files and password we have provided. Here are the steps to follow:
1. Make sure you have access to a Java 6 installation. You only need this for the keytool utility. The files you create with Java 6 are fully compatible with Java 5 but the keytool utility in Java 5 does not support importing PKCS #12 files.
2. Import the PKCS #12 file provided into a new keystore by issuing the following command: (Use the CLEAR Administrator provided password for all password prompts)
keytool -importkeystore -v -srckeystore clientcert.p12 -srcstoretype PKCS12 -destkeystore newstore.ks
3. Next, create a truststore that includes the CA certificate: (You can select your own password)
keytool -import -v -keystore newtrust.ks -file cacertfile.pem
4. Finally, use the Java system properties when running your client to ensure that the proper certificate is selected during SSL negotiation. The properties are:
-Djavax.net.ssl.keyStore=newstore.ks \
-Djavax.net.ssl.keyStorePassword= \
-Djavax.net.ssl.trustStore=newtrust.ks \
-Djavax.net.ssl.trustStorePassword=
For keytool commands, I referred to this site: http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
A good site for troubleshooting is: http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
I ended up using the SSLPoke.java file on the Atlassian site to help troubleshoot the SSL connection. This really helped me understand connection issues.
Sample code within Palantir
Within Palantir, I was able to use the following code to successfully connect to the SSL endpoint. As I mentioned earlier, this is mostly for my own usage in future deployments. If someone else finds it useful, I'm glad it helped.
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// The method name and signature are assumed: the post shows only the body, which reads the target from strURL.
public String fetchOverSsl(String strURL) {
    StringBuilder sb = new StringBuilder();
    String strGetURL = strURL;
    try {
        // Client identity: the keystore built in step 2 (newstore.ks), loaded from the classpath.
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream keyInput = this.getClass().getResourceAsStream("/newstore.ks")) {
            keyStore.load(keyInput, "certificatepwd".toCharArray());
        }
        keyManagerFactory.init(keyStore, "certificatepwd".toCharArray());

        // Server trust: the truststore built in step 3 (newtrust.ks), holding the CA certificate.
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream trustInput = this.getClass().getResourceAsStream("/newtrust.ks")) {
            trustStore.load(trustInput, "certificatepwd".toCharArray());
        }
        trustManagerFactory.init(trustStore);

        // "TLS" rather than "SSL": the "SSL" context also admits SSLv3, while "TLS" negotiates the
        // highest protocol version both ends support.
        SSLContext sct = SSLContext.getInstance("TLS");
        sct.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
        // Process-wide default; the per-connection setSSLSocketFactory below is sufficient on its own.
        SSLContext.setDefault(sct);
        SSLSocketFactory sslsocketfactory = sct.getSocketFactory();

        // HTTP Basic credentials. java.util.Base64 (Java 8+) replaces the internal sun.misc.BASE64Encoder,
        // which is not a supported API and was removed in later JDKs.
        String username = "username:password";
        String encoding = Base64.getEncoder().encodeToString(username.getBytes(StandardCharsets.UTF_8));

        URL url = new URL(strGetURL);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslsocketfactory);
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Basic " + encoding);
        conn.setRequestProperty("Content-Type", "application/xml");
        // setDoOutput(true) is only needed when a request body is written; a GET has none.

        // HttpsURLConnection verifies the server hostname against the certificate by default.
        try (BufferedReader bufferedreader = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = bufferedreader.readLine()) != null) {
                sb.append(line);
            }
        }
    } catch (Exception exception) {
        exception.printStackTrace();
    }
    return sb.toString();
}
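To check the handshake itself the way SSLPoke does, rather than a full HTTP request, here is an added diagnostic (not from the original post or from Palantir) that builds the same key and trust managers from newstore.ks and newtrust.ks and prints what was negotiated. The class name, argument order and the assumption that both stores sit in the working directory are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Handshake-only check in the spirit of SSLPoke: loads the newstore.ks / newtrust.ks
// built in steps 2 and 3 and reports what the server and client actually negotiated.
public class SslHandshakeCheck {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Usage (argument layout is assumed): java SslHandshakeCheck host port keystorePwd truststorePwd
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] keyPwd = args[2].toCharArray();
        char[] trustPwd = args[3].toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("newstore.ks", keyPwd), keyPwd);      // client certificate + private key
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("newtrust.ks", trustPwd));            // CA that must have signed the server cert
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // A raw SSLSocket does not match the hostname against the certificate unless asked;
            // HttpsURLConnection does this for you, so mirror it here to test the same thing.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // a trust or client-auth problem surfaces here as an SSLHandshakeException
            SSLSession session = socket.getSession();
            System.out.println("protocol: " + session.getProtocol() + ", cipher: " + session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {
                System.out.println("server chain: " + ((X509Certificate) c).getSubjectX500Principal());
            }
            Certificate[] local = session.getLocalCertificates(); // null when no client certificate was sent
            System.out.println("client cert sent: "
                + (local == null ? "none" : ((X509Certificate) local[0]).getSubjectX500Principal()));
        }
    }
}
```

If "client cert sent" reports none while the server demands client authentication, the keystore is being loaded but holds no usable private-key entry, which is the keystore-versus-truststore mix-up this post is about.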
Thank you, it is very helpful!
Thank you. This solved my issue between using a trust store vs. local keystore.