
In the company where I work I'm developing a web app on a WebSphere 6.1 server. The web application I'm writing has to connect to an external company using an SSL connection with mutual authentication.

First thing to say: I'm kind of a noob with such things, so sorry if I say something stupid :)

I have both the public and the private certificate. I've added the private certificate to the NodeDefaultKeyStore and the public certificate chain to the NodeDefaultTrustStore. Then I saw that the server has an SSL configuration that encapsulates both the KS and the TS, and this configuration is linked to the node I'm running my application on.

As the client library, I'm using HttpClient 4.2.3. I created the HttpClient like this:

    import java.security.Security;

    import org.apache.http.HttpHost;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.HttpClient;
    import org.apache.http.conn.params.ConnRoutePNames;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.PoolingClientConnectionManager;

    // Use the IBM JSSE2 provider for the JVM-wide default socket factories
    Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
    Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");

    // e) SET UP SSL
    // getSystemSocketFactory() wraps the JVM default SSLSocketFactory, i.e. whatever
    // the javax.net.ssl.* system properties (or their absence) produce
    SSLSocketFactory sslSocketFactory = SSLSocketFactory.getSystemSocketFactory();

    Scheme httpsScheme = new Scheme("https", HTTPS_PORT, sslSocketFactory);
    Scheme httpScheme = new Scheme("http", HTTP_PORT, PlainSocketFactory.getSocketFactory());

    final SchemeRegistry schemeRegistry = new SchemeRegistry();
    schemeRegistry.register(httpScheme);
    schemeRegistry.register(httpsScheme);

    PoolingClientConnectionManager connManager = new PoolingClientConnectionManager(schemeRegistry);


    // f) CREATE THE HTTP CLIENT
    // DefaultHttpClient takes a ClientConnectionManager, not a socket factory;
    // the registry (and thus sslSocketFactory) reaches the client through connManager
    HttpClient httpClient = new DefaultHttpClient(connManager);


    // g) CREATE THE PROXY (it may be disabled)
    Resources res = new Resources();
    String proxyHost = res.get(PROXY_HOST);
    int proxyPort = Integer.parseInt(res.get(PROXY_PORT));

    HttpHost proxy = new HttpHost(proxyHost, proxyPort);

    httpClient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
    System.setProperty("java.net.useSystemProxies", "false");

    // ######################## ==> CALL TO INPS
    HttpResponse resp = httpClient.execute(httpPost);

I've looked at the SSLSocketFactory and it doesn't contain the certificates I specified. I've seen that SSLSocketFactory.getSystemSocketFactory() just reads the javax.net.ssl.* properties to initialize the KS and TS to be used for the SSL connection.

So... I have to link the server configuration to my application, but I'm not sure how to do it in a "proper" way: I could set such properties at runtime with System.setProperty, but I don't think that's a good way to do this kind of work. Is there any way to refer to the SSL config (maybe via JNDI) from the application? Or is the best way to configure two URLs pointing to the KS and TS files and configure the SSLSocketFactory manually?

Thanks in advance for the reply! Lorenzo

CodingMonkey

1 Answer

Since you've added the certificates to the NodeDefault stores, I don't think you need to do any manual SSL setup in your code at all. The only additional thing you might need to do is add your destination host to SSL certificate and key management > Dynamic outbound endpoint SSL configurations and select the client certificate alias you want to use for that destination.

dbreaux
  • Probably that kind of configuration is somehow connected to incoming calls... I've tried to debug the application and the SSLSocketFactory.getSystemSocketFactory() call gives an empty socket factory. At the moment I'm loading the KS and TS from file and manually building the SSLSocketFactory. – CodingMonkey Aug 26 '13 at 07:38
  • The configuration I described is for both incoming and outgoing calls. The `Dynamic outbound endpoint SSL configurations` is specifically for indicating which certificates you want to present when initiating outgoing connections. Again, I believe that if you configure WebSphere correctly, you don't need to add any SSL-aware code in your application at all. We make outbound https connections without any of that code. We haven't used client certs, but I'm pretty sure that is also handled by the steps I describe. – dbreaux Aug 26 '13 at 15:32
  • It just didn't work; it was probably due to some missing configuration. If I had time to investigate I'd do it, but right now I'm just trying to make it work in some way :) Now I load the KS and TS from file and build my own SSLSocketFactory that I use only for that connection. – CodingMonkey Aug 27 '13 at 09:27
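The "load the KS and TS from file and build my own SSLSocketFactory" route that the question raises as an alternative and that the asker ends up using is shown below as an added example; it is not the asker's code nor anything from the answer. It assumes HttpClient 4.2.x, JKS-format stores, and that store paths, passwords and the partner's HTTPS port are supplied by the caller (all hypothetical names). The security-relevant point is scope: the SSLContext is built from an explicit key store and a trust store that holds only the partner's CA chain, and it is handed to one client through its own SchemeRegistry. Nothing is written to the `javax.net.ssl.*` system properties, because those redefine the JVM-wide default SSLContext and would silently change which key and which trust anchors every other TLS client in the application server uses.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;

/**
 * Added example (not from the original post): an HttpClient 4.2.x whose HTTPS
 * scheme presents our client certificate and trusts only the partner's CA chain.
 * No System properties are touched, so the app server's own TLS setup is unaffected.
 * Written against Java 5 language level (no try-with-resources) to match WebSphere 6.1.
 */
public final class MutualTlsClientFactory {

    private MutualTlsClientFactory() {}

    /** Loads a JKS or PKCS12 store from disk and always closes the stream. */
    static KeyStore loadStore(String type, String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        return store;
    }

    /**
     * @param keyStorePath   store holding our private key and certificate chain (assumed JKS)
     * @param keyStorePass   password protecting the store file
     * @param keyPass        password protecting the private-key entry (often the same)
     * @param trustStorePath store holding ONLY the partner's CA chain (assumed JKS)
     * @param httpsPort      the partner's HTTPS port
     */
    public static HttpClient build(String keyStorePath, char[] keyStorePass, char[] keyPass,
                                   String trustStorePath, char[] trustStorePass, int httpsPort)
            throws GeneralSecurityException, IOException {

        KeyStore ks = loadStore("JKS", keyStorePath, keyStorePass);
        KeyStore ts = loadStore("JKS", trustStorePath, trustStorePass);

        // Key managers: the certificate we present when the server requests client auth.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);

        // Trust managers: limited to the partner's chain, not the JVM's cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // STRICT verifier: the server certificate must match the host we dialled,
        // otherwise a valid-but-wrong certificate from the same CA would be accepted.
        SSLSocketFactory sf = new SSLSocketFactory(ctx, SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        // Register https only: this client exists for the one partner endpoint.
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", httpsPort, sf));

        PoolingClientConnectionManager cm = new PoolingClientConnectionManager(registry);
        return new DefaultHttpClient(cm);
    }

    /** Issues a POST; the proxy (if any) is set on this client only, not JVM-wide. */
    public static HttpResponse post(HttpClient client, String url, HttpHost proxyOrNull)
            throws IOException {
        if (proxyOrNull != null) {
            client.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxyOrNull);
        }
        return client.execute(new HttpPost(url));
    }
}
```

A typical call is `build("/etc/app/client.jks", storePw, keyPw, "/etc/app/partner-ca.jks", trustPw, 443)` followed by `post(client, "https://partner.example/endpoint", proxy)`; the passwords should come from the server's configured credentials rather than source code. Keeping the trust store down to the partner's chain is what makes a mistaken or compromised public CA irrelevant to this link, and keeping the context off the system properties is what stops this application's client key from being offered on every other outbound TLS connection the JVM makes.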