Showing posts with label Certificate. Show all posts
Showing posts with label Certificate. Show all posts

Monday, April 28, 2014

Disabling certificate validation in Java

In case you need to disable validation of certificate here is Java snippet.
 import javax.net.ssl.*;  
 import java.security.SecureRandom;  
 import java.security.cert.X509Certificate;  
 public static void disableCertificateValidation() {  
  // Create a trust manager that does not validate certificate chains  
  TrustManager[] trustAllCerts = new TrustManager[] {   
  new X509TrustManager() {  
   public X509Certificate[] getAcceptedIssuers() {   
   return new X509Certificate[0];   
   }  
   public void checkClientTrusted(X509Certificate[] certs, String authType) {}  
   public void checkServerTrusted(X509Certificate[] certs, String authType) {}  
  }};  
  // Ignore differences between given hostname and certificate hostname  
  HostnameVerifier hv = new HostnameVerifier() {  
  public boolean verify(String hostname, SSLSession session) { return true; }  
  };  
  // Install the all-trusting trust manager  
  try {  
  SSLContext sc = SSLContext.getInstance("SSL");  
  sc.init(null, trustAllCerts, new SecureRandom());  
  HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());  
  HttpsURLConnection.setDefaultHostnameVerifier(hv);  
  } catch (Exception e) {}  
 }  
I took code from here: Java client certificates over HTTPS/SSL

Related topics:
IBM Domino Java: No trusted certificate found. Fail?
Domino and No trusted certificate found
Disabling certificate validation in Java

Tuesday, January 28, 2014

Domino and No trusted certificate found

We have few agents that communicate with other systems via and today at 13:00 we got such answer from Domino when we tried to set connection with external system. That was a huge problem for us since it affect our business.
 javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: No trusted certificate found  
  at com.ibm.jsse2.o.a(o.java:8)  
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549)  
  at com.ibm.jsse2.kb.a(kb.java:355)  
  at com.ibm.jsse2.kb.a(kb.java:130)  
  at com.ibm.jsse2.lb.a(lb.java:135)  
  at com.ibm.jsse2.lb.a(lb.java:368)  
  at com.ibm.jsse2.kb.s(kb.java:442)  
  at com.ibm.jsse2.kb.a(kb.java:136)  
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495)  
  at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223)  
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724)  
  at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81)  
  at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8)  
  at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20)  
It took some time to fix it, but here is a solution

Problem

A Java application running on a Domino server connecting over SSL to another server may require having the SSL certificate authority of the other server imported into its JVM.

Symptom

When a Java application running on a Domino server connects over SSL to another server, but does not have that server's trusted root certificates, an error may occur. One example of such an error is: HTTP JVM: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: No trusted certificate found.

Cause

The trusted root certificates that signed the remote server's SSL certificate must be also be trusted by the Domino server's JVM if a Java application is making an SSL connection.

Resolving the problem

To add the trusted root certificates to a Domino server JVM follow these steps:

A. Obtain the Certificate to be Imported

Each browser displays certificates in different ways, but they are usually quite similar. On the browser's URL bar, there is usually a zone that you can click on to display SSL certificate information. For example, you may see a padlock in the status bar, and clicking on the padlock opens the certificate information. Once the certificate information is open, click on the "Certification Path" informatino. There normally will be a way to export each of the signing certificates (trusted roots). Export the certifiers in the "Base-64 encoded X.509 (.CER)" format. The exported file in this format will be an ASCII text file that has "BEGIN CERTIFICATE" and "END CERTIFICATE" lines at the top and bottom. Once you have exported the certificates that signed the remote server's SSL certificate you can then import them into the JVM.

B. Import the SSL certifier into the JVM.

If Domino is on a UNIX server, perform these steps on a Windows workstation, and then move the cacerts to the server after the import is completed.
Import the SSL Certificate into the JVM using these steps:
  • Open a command line and change directory to C:\Lotus\Domino\jvm\bin.
  • Run the batch file "IKEYMAN.exe" (a Java application will load).
  • Click "Key Database File" then "Open".
  • Browse to C:\Lotus\Domino\jvm\lib\security\cacerts. Note, you will have to view "All Files" to locate cacerts.
  • Supply the default password of "changeit". Note, consult your administrator if you receive an error pertaining to the password.
  • Select "Signer Certificates" in the drop-down menu.
  • Click "Add"
  • Select "Browse" and locate the .CER file you copied.
  • Click "OK" and enter a descriptive label.
  • On the Domino console issue the command "restart task http".
Original link I found on IBM Importing an SSL Certificate Authority into the JVM

Related topics:
IBM Domino Java: No trusted certificate found. Fail?
Domino and No trusted certificate found
Disabling certificate validation in Java

Monday, June 27, 2011

IBM Domino Java: No trusted certificate found. Fail?

I've faced with quite major problem when use IBM Java (the one from Domino 8.5.2 FP2). Our Domino grabs data from some webservices via 'https' (webservice does not have authentication, its free to everybody). Using simple Java Agent in Domino we grabbed data and was very happy :), here is few lines what we do
 URL url = new URL("https://here url");  
 URLConnection connection = url.openConnection();  
 HttpsURLConnection httpConn = (HttpsURLConnection) connection;  
 httpConn.setRequestMethod("POST");  
 httpConn.setDoOutput(true);  
 httpConn.setDoInput(true);  
 byte[] bytes = msg.getBytes("UTF-8");  
 httpConn.setRequestProperty("Content-length", String.valueOf(bytes.length));  
 OutputStream out = httpConn.getOutputStream(); // and on this line we now have an error: "no trusted certificate found"  
It worked fine for years but their (webservice provide) certificate has expired and they generate new one using same official CA. After they did it, Domino refuse to use new certificate and we can't grab data anymore from Domino.

We did some tests and noticed that non Domino JVM works just fine (we did tests in Eclipse with Oracles JVM) with exactly same code and it worked fine.

Of course we tried much more thing i.e.: we tried to add new certificate to cacerts storage in Domino and it did not work, we also tried to replace cacerts on Domino and use the one from Oracle JVM and lot of more things without any luck. Also when we tried to add new cert to cacerts in Domino it started to report about another issue: certificate chaining error.

Maybe Domino or Domino's JVM has problem/issue or we need to do something we just do not know. Would be nice to get more details about it because we are stacked now, does anybody know why we get this problem and if it is really problem in IBM Java?
There is also post on IBM with exactly same problem with not trusted certificates.
Would be nice if somebody share his suggestions/opinions.

Related topics:
IBM Domino Java: No trusted certificate found. Fail?
Domino and No trusted certificate found
Disabling certificate validation in Java