Friday, December 12, 2008

How to set up a Tomcat SSL client

1. Retrieve the server certificate (which carries the server's public key)

openssl s_client -connect server_host_name:8443

The output looks like this:
--------------------------------------------------------------
CONNECTED(00000003)
depth=0 /C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
verify return:1
---
Certificate chain
0 s:/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
i:/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICKzCCAZSgAwIBAgIESUKsLDANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCR0ExEDAOBgNVBAcTB0F0bGFudGExDDAKBgNVBAoTA2NkYzEM
MAoGA1UECxMDY2RjMRAwDgYDVQQDEwdDaGFybGllMB4XDTA4MTIxMjE4MjM0MFoX
DTA5MDMxMjE4MjM0MFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkdBMRAwDgYD
VQQHEwdBdGxhbnRhMQwwCgYDVQQKEwNjZGMxDDAKBgNVBAsTA2NkYzEQMA4GA1UE
AxMHQ2hhcmxpZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnee+j8Fj5TTC
BQMVRLRWnv9zTPhJYaMYFDkZqu3PmqIdv3Nc6aNsSKwqcJG5TaM9dFhiZdhF5Glk
XaEx9ERU4fNh7NLxBHBl0g7CsjssDnLJBB/CzrDkqYUKy3+yE+cSyiOznpkYsOmH
SZYRaDNVJ7MsLQM7Tyyvks911E8ULwUCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBb
7txpYmEzQxYUX9RrckDcbcznMjao2ND89P+Ifs/3g4mWxvQz6bTBFngjihfaayzK
Zr6kYQDzgHWYa4TaRLGWL17FTrgk8obZuY84+TMCsQPOi4bim26sGDk6Kzkj1pmG
F7NBC/FSKiJDsH7M5uJLYeFNYDulP5GvfHBS//OpAg==
-----END CERTIFICATE-----
subject=/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
issuer=/C=US/ST=GA/L=Atlanta/O=cdc/OU=cdc/CN=Charlie
---
----------------------------------------------------
Save the text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (both lines included) into a file, e.g. named pubkey.pem.

2. Import the server certificate into the JDK default cacerts file
In JDK 1.6 the cacerts file is at $JAVA_HOME/jre/lib/security/cacerts
----------------------------------------------------------------------------------
$JAVA_HOME/bin/keytool -import -alias tomcat -keystore $JAVA_HOME/jre/lib/security/cacerts -file pubkey.pem
--------------------------------------------------------------
3. In development only, add the following code to your main Java client program to get past the error
javax.xml.ws.WebServiceException: java.io.IOException: HTTPS hostname wrong: should be
(thrown because the name in the certificate, CN=Charlie above, does not match the host you connect to):
--------------------------------------------------------------
static {
    // WORKAROUND. TO BE REMOVED before production: this replaces the default
    // hostname check with one that accepts only the expected host name.
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
        new javax.net.ssl.HostnameVerifier() {
            public boolean verify(String hostname,
                                  javax.net.ssl.SSLSession sslSession) {
                // Accept the mismatched certificate only for this one host.
                if (hostname.equals("mytargethostname")) {
                    return true;
                }
                return false;
            }
        });
}
--------------------------------------------------------------

4. Restart the app server
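As an added example (not code from the original post), here is a Java client that covers steps 2 and 3 without modifying the JDK-wide cacerts file or replacing the hostname verifier: it loads the pubkey.pem saved in step 1 into a private in-memory truststore and connects with the default HostnameVerifier left in force. It assumes the host and port from step 1 (server_host_name:8443) and the file name pubkey.pem; the class name PinnedTrustClient is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrustClient {
    // Builds an SSLContext that trusts only the certificate saved in step 1
    // (pubkey.pem). The JDK-wide cacerts file from step 2 is left untouched.
    static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(pemPath);
        X509Certificate serverCert;
        try {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
        // Fresh in-memory keystore holding just this one trusted certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("tomcat", serverCert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "pubkey.pem";
        String url = args.length > 1 ? args[1] : "https://server_host_name:8443/";
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(pem).getSocketFactory());
        // No custom HostnameVerifier: the default check stays on, so the
        // certificate's CN/SAN must match the host named in the URL.
        try {
            System.out.println("HTTP status: " + conn.getResponseCode());
            X509Certificate peer = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("Peer subject: " + peer.getSubjectX500Principal());
        } catch (SSLException e) {
            // Non-pinned certificate, or a CN/SAN mismatch (the step 3 error).
            System.out.println("TLS failure: " + e.getMessage());
        }
    }
}
```

With a certificate like the one shown above (CN=Charlie), the default check still fails until the server is given a certificate issued for its real hostname, which is the fix the step 3 workaround is standing in for.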
