UnboundId use the SSL KeyStore from Websphere

Question

I'm working on a legacy application that always used UnboundId over a none SSL connection. Our infrastructure has changed and I need to rework it to SSL. So I changed the code to the following

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null);
        FileInputStream fin1 = new FileInputStream("D:/mycert.cer");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0;
        Certificate cert = cf.generateCertificate(fin1);
        trustStore.setCertificateEntry("cert " + i++, cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustStore.load(null);
        tmf.init(trustStore);
        TrustManager[] trustManagers = tmf.getTrustManagers();

        SSLUtil sslUtil = new SSLUtil(trustManagers);
        sslUtil.setDefaultSSLProtocol("TLSv1");
        SSLSocketFactory sslServerSocketFactory = sslUtil.createSSLSocketFactory();
        LDAPConnection connection = new LDAPConnection(sslServerSocketFactory, server, port, user, password);

This code works. However we are running on a Websphere and all the certificates are located in the Websphere keystore. In this case I downloaded the cert and I'm loading it in from filesystem or resources. This is not what we want. We want to use the keystore of Websphere.

I tried this without defining thrustmanagers and keystores manually, but then I get certificate chaining errors all over the place.

Is there any way to configure UnboundId to use the websphere keystore ?

score 0 · Accepted Answer · answered Jul 24 '18 at 06:04

We had to settle in the end on a semi clean solution. We use the keystore files stored by the websphere server as input to the code.

        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        File file = new File(keystoreLocation);
        if(file.exists()){
            FileInputStream keystoreFile = new FileInputStream(keystoreLocation);
            trustStore.load(keystoreFile, keystorePassword.toCharArray());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            TrustManager[] trustManagers = tmf.getTrustManagers();

            SSLUtil sslUtil = new SSLUtil(trustManagers);
            sslUtil.setDefaultSSLProtocol(sslProtocol);
            SSLSocketFactory sslServerSocketFactory = sslUtil.createSSLSocketFactory();
            LDAPConnection connection = new LDAPConnection(sslServerSocketFactory, server, port, user, password);
            return connection;
        } else {
            throw new TechnicalException("Keystore not found");
        }

notice keystoreLocation this basically is the keystore file from websphere and kesystorePassword.toCharArray() is the websphere password for that particular keystore. It's not the cleanest of solutions but it got us going again. Maybe this helps others in the future

UnboundId use the SSL KeyStore from Websphere

1 Answers1