
My need is to accept the SSL certificate enabled on a REST web service URL (https:/:/dctm-rest) from a standalone Java application (which will be bundled as a JAR).

To my knowledge the best way is to create a KeyStore/TrustStore using keytool, download the certificate from the browser/openssl and add it to the TrustStore. With this we are creating a dependency, and someone has to keep on updating the certificate for every renewal.

Can someone guide me on getting this implemented without the manual dependency?

Santhosh
  • 1. After debugging I found that the Documentum connection is successful using the "https" URL and without adding any TrustStore. 2. The exception is thrown while sending the request to the web service using "resttemplate.exchange()". 3. I tried adding the location of the TrustStore using "system.setproperty" properly, but I can see the error below: Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') – Santhosh Jun 28 '16 at 15:41
  • 1) If the certificate of the server is located in the JRE cacerts then it is not necessary to set a truststore. 2) I think that your server returns an XML or HTML response, not JSON. Ensure you have set the `application/json` content type in the `Accept` header and log the response to view its content – pedrofb Jun 28 '16 at 19:12

1 Answer


You have to include the server certificate at https://dctm-rest in the whitelist of your JRE (the truststore).

Options

1) Include the server certificate in the JRE truststore (jre/lib/security/cacerts) (Not recommended)

To download the server certificate, open the site with a browser, right-click on the green lock, select 'view certificate' and download it.

The simplest way to explore cacerts and import a trusted certificate is to use a GUI tool like portecle (http://portecle.sourceforge.net/). You can also use keytool:

keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts -alias mycert -noprompt -storepass changeit -file /tmp/examplecert.crt

See How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?

2) Use your own truststore and include the server certificate (recommended)

System.setProperty("javax.net.ssl.trustStore", path_to_your_truststore_jks_file);
System.setProperty("javax.net.ssl.trustStorePassword", "password");

You can also create an SSLSocketFactory and add it to your connection before connecting, or apply it to all connections using the static method

HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory);

This is an example of how to create the socket factory:

import java.io.*;
import java.security.KeyStore;
import javax.net.ssl.*;

// Load a JKS truststore that includes the server certificate or its root CA (path and password are placeholders)
KeyStore keyStore = KeyStore.getInstance("JKS");
try (InputStream in = new FileInputStream("/path/to/truststore.jks")) {
    keyStore.load(in, "password".toCharArray());
}
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null); // no client key manager, default SecureRandom
SSLSocketFactory sslFactory = ctx.getSocketFactory();

3) Do not use a truststore at all (Not recommended at all)

See Disable SSLHandshakeException for a single connection (I will not copy the solution)

pedrofb
  • Thanks pedrofb for the detailed options, even I'm inclined towards options 1/2. If I'm correct, someone has to keep on updating the TrustStore for every certificate renewal, else they will end up with an SSL handshake exception, which in turn is a manual activity. My component is a Jar file which will be consumed by other web applications hosted on different environments, and I don't want to make it complex/manually dependent on the certificate expiry date. – Santhosh Jun 23 '16 at 15:16
  • Really, you would only need to distribute the root certificate. Usually they are issued with a long expiration – pedrofb Jun 23 '16 at 17:00
  • Thanks again, I agree with you on consuming the root chain. Just want to know: can we programmatically extract a certificate from an https site and add it to my keystore? This way we can avoid the manual dependency? – Santhosh Jun 23 '16 at 19:21
  • It would be possible. Even just download a keystore renewal. But updating a file in an external system can become a headache. Consider using a trusted CA that is currently in the JDK cacerts – pedrofb Jun 23 '16 at 21:21
  • Hi @Santhosh, if this or any answer has solved your question please consider accepting it by clicking the check-mark. This indicates to the wider community that you've found a solution and gives some reputation to both the answerer and yourself. There is no obligation to do this. – pedrofb Jun 28 '16 at 05:58
  • Sure buddy, but I found a different issue and exception trace. Can you help? – Santhosh Jun 28 '16 at 15:44
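Putting option 2 and the comment thread together: the following is an added example (not code from the question or the answer) that bundles a truststore holding only the root CA inside the JAR, so leaf certificate renewals need no redistribution, and applies it to a single HttpsURLConnection together with the `Accept: application/json` header pedrofb mentioned. It assumes a classpath resource `/truststore.p12` with password `changeit`; the host and path in `main` are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class BundledTrustStoreClient {

    // Builds an SSLContext from a PKCS12 truststore shipped inside the JAR.
    // The truststore should contain the root CA that issued the server
    // certificate, not the leaf, so renewals of the leaf keep working.
    static SSLContext sslContextFromBundledTrustStore(String resource, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = BundledTrustStoreClient.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("truststore resource not found: " + resource);
            }
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: this client presents no client certificate;
        // hostname verification stays at HttpsURLConnection's default.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFromBundledTrustStore("/truststore.p12", "changeit".toCharArray());
        // placeholder host and path, replace with the real dctm-rest endpoint
        URL url = new URL("https://dctm-rest.example/dctm-rest/repositories");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // scope the custom trust to this connection rather than the process-wide default
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // ask for JSON explicitly; an HTML error page would otherwise trip the JSON parser
        conn.setRequestProperty("Accept", "application/json");
        System.out.println("HTTP " + conn.getResponseCode() + " " + conn.getContentType());
    }
}
```

Create the bundled truststore from the root CA file with `keytool -importcert -alias rootca -file root-ca.crt -keystore truststore.p12 -storetype PKCS12 -storepass changeit -noprompt` and place it under `src/main/resources` so it ends up on the classpath.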