I am running JBoss with SSL, the certificate is generated with openssl:

      <Connector protocol="HTTP/1.1" SSLEnabled="true" 
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false" 
       keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
       keystorePass="password" sslProtocol = "TLS" />

My client is an AIR application which interacts with the Java EE Server through GraniteDS. On the Flex/AIR side, I updated the channel to a SecureAMFChannel in services-config.xml:

    <channel-definition id="myApp-graniteamf" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint uri="https://localhost:8443/myApp/graniteamf/amf"
                  class="flex.messaging.endpoints.SecureAMFEndpoint" />
    </channel-definition>

Now, when I connect from my client, AIR asks me if I want to go ahead with the connection (view certificate, etc.).

I'm new to the whole SSL/HTTPS concept, but I've read some docs. What I'm trying to figure out now is how to make my app know that a server is safe (localhost in this case). From what I got so far, the client application should "trust the server as a CA", or just trust the certificates from a certain server.

Can you give me some clues as to where to start to implement this on my AIR client side application?

+1  A: 

If I understand correctly, you are using a self-signed certificate. Going on that assumption, you can't force a user to accept the certificate through your AIR app; that would be a security hole. To get a call from your AIR app to be trusted, the user would need to import your certificate (or the untrusted CA you signed your certificate with) into their own keystore.

The way you do this is different for each OS, but an example of how to do it in Windows is to browse to your server in IE, get the cert warning, view the cert details and then export the cert to file (X509 iirc). Then you can right-click the cert file and choose to install the certificate.

All subsequent calls to that secured server should then be trusted.

David Collie
Yes, we are using a self-signed certificate. We're supposed to get a real certificate when the app goes into production, but in the meantime, we get asked for the certificate each time. So now I should look for a way to import the certificate through AIR, right?
Fernando
Sounds like you just have a development problem the now, as when you get your real certificate it will be signed by one of the trusted CAs. For now you will need to go through the manual steps for each machine you are testing on to allow the call to work without getting the warning. You can't get AIR to import the cert into the user's system for you, unfortunately.
David Collie
Thanks! I've documented the whole process, and we're keeping the connection via HTTP as long as the app is in development. We'll switch it when the real certificate is bought. I've learnt a lot about SSL, HTTPS and certificates in the process. Thanks again!
Fernando
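
An added example (not part of the original answer or comments) of a check to run before the manual import described in the answer: confirm that the exported certificate's SHA-256 fingerprint matches the one read directly from the server's keystore (for instance from `keytool -list -v`), then produce the per-user import command. The function names and `server.cer` are hypothetical, the sample PEM is constructed placeholder bytes rather than a real certificate, and it assumes the client trusts the OS certificate store, as the answer describes.

```python
import hashlib
import hmac
import os
import platform
import ssl

# Constructed sample: placeholder bytes in PEM armour, not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-placeholder-der-bytes")


def normalize(fp):
    """Accept 'AA:BB:...' or plain hex; return lowercase hex digits only."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def sha256_fingerprint(pem):
    """SHA-256 over the DER bytes, the value keytool and openssl report."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def matches_expected(pem, expected_fp):
    """True only if the exported cert is the one the server's keystore holds."""
    expected = normalize(expected_fp)
    if len(expected) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hmac.compare_digest(sha256_fingerprint(pem), expected)


def import_command(cert_path, system=None):
    """Per-user trust-store import command for the current (or named) OS."""
    system = system or platform.system()
    if system == "Windows":
        return ["certutil", "-addstore", "-user", "Root", cert_path]
    if system == "Darwin":
        keychain = os.path.expanduser("~/Library/Keychains/login.keychain-db")
        return ["security", "add-trusted-cert", "-r", "trustRoot",
                "-k", keychain, cert_path]
    raise NotImplementedError("no import recipe for " + system)


if __name__ == "__main__":
    # Constructed stand-in for the value read from the server's keystore.
    expected = sha256_fingerprint(SAMPLE_PEM).upper()
    if matches_expected(SAMPLE_PEM, expected):
        print(" ".join(import_command("server.cer", "Windows")))
```

A mismatch means the certificate that was exported is not the one in the server's keystore, so it should not be added to the trust store.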