tags:

views:

184

answers:

1
+1  Q: 

Flex/AIR + GraniteDS through SSL

I am running JBoss with SSL, the certificate is generated with openssl:

      <Connector protocol="HTTP/1.1" SSLEnabled="true" 
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false" 
       keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
       keystorePass="password" sslProtocol = "TLS" />

My client is an AIR application which interacts with the Java EE Server through GraniteDS. On the Flex/AIR side, I updated the channel to a SecureAMFChannel on services-config.xml:

<channel-definition id="myApp-graniteamf" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint uri="https://localhost:8443/myApp/graniteamf/amf"
        class="flex.messaging.endpoints.SecureAMFEndpoint" />
    </channel-definition>

Now, when I connect from my client, AIR asks me if I want to go ahead with the connection (view certificate, etc.).

I'm new to the whole SSL/HTTPS concept, but I've read some docs. What I'm trying to figure out now, is how to make my App know that a server is safe (localhost in this case). From what I got so far, the client application should "trust the server as a CA", or just trust the certificates from a certain server.

Can you give me some clues as to where to start to implement this on my AIR client side application?

+1  A: 

If I understand correctly, you are using a self signed certificate. Going on that assumption you can't force a user to accept the certificate through your AIR app, that would be a security hole. To get a call from your AIR app to be trusted the user would need to import your certificate (or the untrusted CA you signed your certificate with) into their own keystore.

The way you do this is different for each OS, but an example of how to do it in Windows is to browse your server in IE, Get the cert warning, view the cert details and then export the cert to file (X509 iirc). Then you can right click the cert file and chose to install the certificate.

All subsequent calls to that secured server should then be trusted.

David Collie  2010-06-02 21:27:46
Yes, we are using a self signed certificated. We're supposed to get a real certificate when the app goes on production, but in the meantime, we get asked for the certificate each time. So now I should look for a way to import the certificate through air, right?
Fernando  2010-06-02 22:19:10
Sounds like you just have development problem the now, as when you get your real certificate it will be signed by one of the trusted CAs. For now you will need to go through the manual steps for each machine you are testing on to allow the call to work without getting the warning. You can't get AIR to import the cert into the users system for you unfortunately.
David Collie  2010-06-02 22:32:32
Thanks! I've documented the whole process, and we're keeping the connection via HTTP as long as the app is on development. We'll switch it when the real certificate is bought. I've learnt a lot on SSL, HTTPS and certificates in the process. Thanks again!
Fernando  2010-06-03 16:59:10

related questions

Silverlight vs Flex
Executing JavaScript from Flex: Is this javascript function dangerous?
How To Get Label Of Combobox to Fade In Flex
How do I change the title bar icon in Adobe AIR?
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Flex: does painless programmatic data binding exist?
SoapException: Root element is missing occurs when .NET web service called from Flex
Any recommendations for in-depth Flex training?
How do I restyle an Adobe Flex Accordion to include a button in each canvas header?
Deleting / Replacing A Node in E4X (AS3 - Flex)
How can I "unaccept" a drag in Flex?
Printing Flex components in FireFox 3
Is it possible to add behavior to a non-dynamic ActionScript 3 class without inheriting the class?
How do I get rid of the "multiple describeType entries" warning?
Open local file with AIR / Flex
Flex / Air obfuscation
Adobe Flex component events
Can you access the windows registry from Adobe Air?
Actionscript 3 - Fastest way to parse yyyy-mm-dd hh:mm:ss to a Date object?
Adobe Air - Using multiple SQLite databases at once
How can I unit test Flex applications from within the IDE or a build script?
Best way to learn Flash?
Get the current logged in OS user in Adobe Air
Adobe air - SQLStatement.execute() - Multiple queries in one statement
Unloading a ByteArray in Actionscript 3.