Hello everyone. I'm creating a Java client program that will be sending sensitive information to a Tomcat server. So I need to use an SSL connection so the information will be encrypted.

I need to use a self-signed untrusted certificate but am having problems making a connection from the Java client.

I have successfully set up Tomcat 5.5 to use SSL and tested it through Firefox, which displays a warning about the self-signed certificate.

I followed the Tomcat 5.5 SSL setup and they mentioned to create a keystore:

keytool -genkey -alias tomcat -keyalg RSA

Then I did an export of the above:

keytool -export -keystore .keystore -alias tomcat -file localhost.cer

Then I did an import of the above certificate into client machine:

keytool -import -alias tomcat -file localhost.cer -keystore "C:\Program Files\Java\jdk1.6.0_17\jre\lib\security\cacerts"

But when running client I get:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is the client code:

URL url = new URL("https://localhost:8443");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
InputStream inputstream = conn.getInputStream();

Now I just started playing with these certificates today and I'm new to keystores, so please be patient.

Can someone please explain how to export and import the certificate created in Tomcat to client machine?

Thank you.

+1  A: 

Atlassian has good instructions on how to fix this.

http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services

Another approach is to install less unforgiving certificate validators, but that should only be done as a last resort.

Thorbjørn Ravn Andersen
The problem is it appears he has done those steps.
GregS
If I disable SSL certification validation altogether will the data sent to server still be encrypted? I found an example that does not validate SSL certs but want to make sure if the transmission of data will still be encrypted.
Marquinio
If you disable SSL validation the SSL tunnel will still exist and the data will still be encrypted. **BUT** you will no longer know where that tunnel is terminated! An attacker could do something like this to break your security: poison your DNS with an arbitrary IP address, generate a self-signed SSL cert for the FQDN you are connecting, listen for SSL on poison IP address and respond with fake SSL cert. Without validation your SSL client will trust the server's SSL cert, regardless of the CA it came from.
Ryan Fisher
A: 

Use Apache HTTP Client jar and follow this SSL Guide.

EasySSLProtocolSocketFactory can be used to create SSL connections that allow the target server to authenticate with a self-signed certificate.

Gladwin Burboz
Can the person who marked negative explain why so? I have used this solution and it works very fine.
Gladwin Burboz
+1  A: 

Owner: CN=localhost,.....
Issuer: CN=localhost,....
Serial number: 4b736566
Valid from: Wed Feb 10 21:03:18 EST 2010 until: Tue May 11 22:03:18 EDT 2010
Certificate fingerprints:
    MD5: 8E:56:AF:94:2E:C7:14:35:F4:6A:8D:05:EF:77:B9:17
    SHA1: 2C:E9:88:32:D8:05:3D:50:57:B3:C1:A7:0C:A7:41:21:17:52:E3:E3
    Signature algorithm name: SHA1withRSA
    Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

The keystore is located at - C:\Program Files\Java\jdk1.6.0_17\jre\lib\security\cacerts

When I run the client once again I still get: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So I added this to my code:

System.setProperty("javax.net.ssl.trustStore","C:\\Program Files\\Java\\jdk1.6.0_17\\jre\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStore","changeit");

And now I get this error:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:57)

Any clues by anyone would be greatly appreciated.

Marquinio