
Our Wildfly 8.1 server needs to establish an outbound (!) LDAPS connection to a server within the organization's network. This connection is only used to sync various application data. Unfortunately, there's no documentation about Wildfly's outbound-only truststore. All the research I do just gives me results about enabling SSL for inbound connections.

How exactly can I add a certificate to Wildfly's truststore for outbound SSL connections? Is there any documentation about this? I'd be thankful for any help on this topic.

PeteSabacker
  • Do you plan on using some sort of Wildfly service to make the connection? – K.Nicholas Feb 10 '16 at 18:48
  • No, that's not necessary. A singleton bean is enough. – PeteSabacker Feb 10 '16 at 19:35
  • Perhaps put your certificate in a jar file or something? What I'm getting at is that I think that the Java SSL client just needs a property setting for where the file is. I don't think it needs to specifically interact with the container. I don't know whether the container has a "Trust Service' available to you, but I admit I never really played around with that stuff. files for you. – K.Nicholas Feb 10 '16 at 20:51
  • Thanks for your help. Found a solution; Take a look at my answer. – PeteSabacker Feb 10 '16 at 22:53
  • Looks about what I had in mind, the cert will be in your .war file somewhere and the classloader will find it. Mind you, it pays to understand when [getResourceAsStream returns null](http://stackoverflow.com/questions/16570523/getresourceasstream-returns-null?lq=1), just in case it comes up. – K.Nicholas Feb 10 '16 at 23:02
  • Sure, but thanks for the hint! – PeteSabacker Feb 11 '16 at 06:37

1 Answer

Found two possible solutions. First the one I would not use:

System.setProperty("javax.net.ssl.trustStore", path_to_your_cacerts_file);

The second one I'd prefer:

import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class LDAPSSocketFactory extends SSLSocketFactory {

    private SSLSocketFactory actualSocketFactory;

    public LDAPSSocketFactory() {
        // The truststore is packaged with the deployment (e.g. WEB-INF/classes) and found by the class loader
        try (InputStream certificateInputStream = getClass().getClassLoader().getResourceAsStream("yourcert.pfx")) {
            if (certificateInputStream == null) {
                throw new IllegalStateException("yourcert.pfx not found on the classpath");
            }
            KeyStore pkcs12 = KeyStore.getInstance("pkcs12");
            pkcs12.load(certificateInputStream, "".toCharArray());

            // Trust only the certificates in this store, not the JVM-wide cacerts
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(pkcs12);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            actualSocketFactory = ctx.getSocketFactory();
        } catch (GeneralSecurityException | IOException e) {
            // Fail loudly here; a factory with a null delegate would only fail later with an NPE
            throw new IllegalStateException("Could not initialise the LDAPS truststore", e);
        }
    }

    // The JNDI LDAP provider obtains the factory by calling this static method reflectively
    public static SocketFactory getDefault() {
        return new LDAPSSocketFactory();
    }

    // Override the abstract methods by simply delegating them to the actualSocketFactory
    @Override public String[] getDefaultCipherSuites() { return actualSocketFactory.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return actualSocketFactory.getSupportedCipherSuites(); }
    // Unconnected socket; used by the provider when com.sun.jndi.ldap.connect.timeout is set
    @Override public Socket createSocket() throws IOException { return actualSocketFactory.createSocket(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { return actualSocketFactory.createSocket(s, host, port, autoClose); }
    @Override public Socket createSocket(String host, int port) throws IOException { return actualSocketFactory.createSocket(host, port); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException { return actualSocketFactory.createSocket(host, port, localHost, localPort); }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException { return actualSocketFactory.createSocket(host, port); }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return actualSocketFactory.createSocket(address, port, localAddress, localPort); }
}

And pass this as a JNDI param for LDAP connections:

env.put("java.naming.ldap.factory.socket", LDAPSSocketFactory.class.getName()); // fully-qualified class name of the factory

Found all of this on StackOverflow, but I forgot where exactly, so I basically pasted their solution here.

PeteSabacker
  • Either of those should be a solution for you - WildFly is not involved in managing the outbound connections for you when you are invoking the APIs directly yourselves. – Darran L Feb 17 '16 at 17:36
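The answer only shows the single `java.naming.ldap.factory.socket` entry; the following is an added example (not from the original answer) of the complete JNDI environment a sync bean would use with that factory, plus a minimal search. The host, base DN, filter and the `LdapsSyncClient` class name are placeholders; it assumes the `LDAPSSocketFactory` class from the answer is on the deployment's classpath.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapsSyncClient {

    // Placeholder values: replace with the real directory host and base DN
    private static final String LDAPS_URL = "ldaps://ldap.example.internal:636";
    private static final String BASE_DN = "ou=people,dc=example,dc=internal";

    public static Hashtable<String, String> ldapsEnvironment(String bindDn, String bindPassword) {
        if (bindPassword == null || bindPassword.isEmpty()) {
            // JNDI turns empty credentials into an anonymous bind; refuse that rather than sync with no identity
            throw new IllegalArgumentException("bind password must not be empty");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        // "ssl" makes the provider wrap the connection in TLS; the factory supplies the trust store
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", LDAPSSocketFactory.class.getName());
        // Fail fast instead of hanging the sync if the directory is unreachable (milliseconds)
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "30000");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return env;
    }

    // Counts person entries below BASE_DN over the trusted LDAPS connection
    public static int countUsers(String bindDn, String bindPassword) throws NamingException {
        DirContext ctx = new InitialDirContext(ldapsEnvironment(bindDn, bindPassword));
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {"uid"}); // request only what the sync needs
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, "(objectClass=person)", controls);
            int count = 0;
            while (results.hasMore()) { results.next(); count++; }
            return count;
        } finally {
            ctx.close(); // always release the connection, also when the search throws
        }
    }
}
```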