HTTPS REST ClientResponse

Question

I need to make a HTTPS call from client. I do not need to send certificates to the server, just need to validate the certificate from the server.

i researched this topic and this is my understanding. Can you please confirm? I do not have a test service yet, against which to verify my code... but still need to meet deadlines.. any advice/input will be helpful.

I added this to my class:

private static String appKeyFile = "/project/src/security/cert_file.jck";  
private static String key = "password";  
static {  
    System.setProperty("javax.net.ssl.keyStore", appKeyFile);  
    System.setProperty("javax.net.ssl.keyStorePassword",key);  
    System.setProperty("javax.net.ssl.keyStoreType","JCEKS");  
}

And am making the HTTPS call as follows:

config = new DefaultClientConfig();  
client = Client.create(config);  
service = client.resource(UriBuilder.fromUri("https://localhost:8081/TestService").build());  
clientResponse = service.path("rs").path("test").path("getCustomerDetail")  
        .accept(MediaType.APPLICATION_XML)  
        .post(ClientResponse.class, customerRequestType);  

if (clientResponse.getStatus() == Response.Status.OK.getStatusCode()) {   
    custResponseType = clientResponse.getEntity(CustResponseType.class);  
    System.out.println("First Name" + 
    custResponseType.getFirstName());  
}

Is this sufficient from SSL/HTTPS/certs etc point of view (other than debugging)? Is there anything else i need to do,like loading the keystore or initializing the SSLContext?

Which REST-oriented library are you using? – Bruno Nov 09 '10 at 11:10 — Bruno, Nov 09 '10 at 11:10

score 5 · Answer 1 · answered Nov 09 '10 at 11:23

The javax.net.ssl.keyStore* properties (the keystore) are for the keys and certificates of the party using it. That is, on the server, it should contain the server certificate and its private key; on the client, it should contain the client certificates and their private keys.

In contrast the truststore (javax.net.ssl.trustStore* properties) contains the trusted certificates used to validate the remote party's certificate. On the client, it's what's used to determine whether you trust the server certificate (normally, via a chain to a CA certificate trusted by the client); on the server, it's what's used to verify a client certificate.

Both truststore and keystore are keystore files/objects (the terminology doesn't really help).

If you set javax.net.ssl.keyStore* on the client side, it will be used by the client to present its certificate (which can only be requested by the server, and which you don't seem to be using anyway). It will still use the default truststore (shipped/configured with the JRE), and it's unlikely to contain the specific certificate in cert_file.jck (which is presumably a self-signed certificate you've generated for the server). Instead, set the javax.net.ssl.trustStore* properties to point to that file.

(If you want the default CA certificates to be available too, I'd suggest copying the certificates in the default truststore, usually from $JAVA_HOME/lib/security/jssecacerts or $JAVA_HOME/lib/security/cacerts into your own truststore.)

Thank you for your response! finally i properly understand the difference between the truststore and keystore. now am more confident of the solution ... — bad potato, Nov 09 '10 at 23:06

score 0 · Accepted Answer · edited May 23 '17 at 11:46

0

In case you are using self-signed certificate, you may face issues related to SSL Certificate validation. This link discusses this.

edited May 23 '17 at 11:46

Community

1
1

answered Nov 09 '10 at 04:26

Raghuram

51,854
11
110
122

yes, i went through that link, and made a note to import the certificate .. any other issues you forsee? – bad potato Nov 09 '10 at 05:04

HTTPS REST ClientResponse

2 Answers2

Linked