
Hitting Tomcat HTTPS URL with a Java Client

I have configured my Tomcat instance to use SSL on port 8443. I've verified it's working by hitting the main Tomcat page through https:8443 in my browser.

Now I'm trying to understand what I need to do to get a Java program to read from an HTTPS URL on that tomcat server. I followed the instructions here:

Java SSL Tutorial

I just copied the .keystore file down to my client that I generated with Java's keytool on my web server. It is self-signed, just for dev work. This seemed a little weird to me since that also has the private key, right? I thought I would do something to export the public key and put that on my client, but I can't find a good guide on what steps I need to take for that.

Anyway, when I tried using the .keystore generated on my server in my client, I get this error:

***
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)

I've set my client up to run with these JVM args:

-Djavax.net.ssl.keyStore=.keystore  -Djavax.net.ssl.keyStorePassword=changeit -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl

It does print out a bunch of stuff in that .keystore, so I'm sure it is reading it. But the server doesn't seem to like it when it tries to handshake.

What do I need to do to get that SSL Java client reading data from my webserver?

------- edit

Oops, I just noticed I was using the wrong JVM args for the client. I changed to this and now it seems to get further.

-Djavax.net.ssl.trustStore=.keystore -Djavax.net.ssl.trustStorePassword=changeit

I still haven't gotten it to read URL data yet. And I'm still wondering how to just give the client the public key so it can do its decryption instead of the entire server keystore.

---------- edit #2

Finally got it working. Had a couple of roadblocks along the way:

For some reason I had to make my URLs like this in Eclipse:

URL myurl = new URL("https", host, port, "/docs/setup.html", new sun.net.www.protocol.https.Handler());
HttpsURLConnection con = (HttpsURLConnection)myurl.openConnection();

Otherwise I'd get a class cast exception on the second line.

And I had to regenerate my server .keystore file and copy it to my client with an alternate name like this:

keytool -genkey -alias tomcat -keyalg RSA -ext san=ip:<my server ip>

I'd still like to gain a better understanding of what's needed on the client rather than the whole keystore, but at least I can play around with it now.

Java "keystore" files are used to serve two conceptually different purposes. One purpose is to serve as a key store, which is where one stores key pairs used to prove the machine's own identity. The other purpose is to serve as a trust store, which is used to store information used to identify other machines that one trusts.

You shouldn't copy the server's keystore file onto a client, since as you say it contains the private key of the server, which it contains because the file is a key store for the server. Rather, you want to create your own keystore file that serves as a trust store for the client, in which you want to import the server's certificate so your client will know to trust the server. To do that, you export a certificate from the server's keystore, and then import that certificate into the client's keystore file.

Some more detailed information appears in my related answer to this question:

Secret Key SSL Socket connections in Java
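As a worked illustration of the answer above (and of the SAN issue from edit #2), here is an added example client that is not part of the original question or answer. It assumes the server key alias "tomcat" and the password "changeit" from the question, and the hypothetical file names tomcat.cer and client-truststore.jks for the exported certificate and the client-side trust store. The keytool steps in the leading comment are the export/import procedure the answer describes; the Java code then loads that trust store programmatically instead of relying on -Djavax.net.ssl.trustStore, checks that no private key accidentally ended up in it, and fetches the page with default hostname verification left intact.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not code from the original post.
 * Assumed file names: tomcat.cer and client-truststore.jks.
 *
 * Step 1 (on the server): export only the certificate, never the private key.
 *   keytool -exportcert -alias tomcat -keystore .keystore -file tomcat.cer
 * Step 2 (on the client): import it into a separate trust store.
 *   keytool -importcert -alias tomcat -file tomcat.cer \
 *           -keystore client-truststore.jks -noprompt
 */
public class TrustStoreClient {

    /** Loads a JKS trust store from disk. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Sanity check before shipping a trust store to a client: it must hold
     * trusted-certificate entries only. A key entry means a private key
     * (the server's identity) has leaked into the file.
     */
    static boolean containsOnlyTrustedCerts(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return false;
            }
        }
        return ks.size() > 0;
    }

    /** Builds an SSLContext that trusts exactly the certificates in ks. */
    static SSLContext buildContext(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key manager: the client only verifies the server, it does not present a key.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fetches a URL over HTTPS, validating the server against ks only. */
    static String fetch(String url, KeyStore ks) throws Exception {
        HttpsURLConnection con = (HttpsURLConnection) new URL(url).openConnection();
        con.setSSLSocketFactory(buildContext(ks).getSocketFactory());
        // Hostname verification stays at the default: the host in the URL must
        // match a SAN in the server certificate, which is why the question's
        // keytool command adds -ext san=ip:<my server ip>.
        try (InputStream in = con.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore("client-truststore.jks", "changeit".toCharArray());
        if (!containsOnlyTrustedCerts(ts)) {
            throw new IllegalStateException("trust store must contain certificates only");
        }
        System.out.println(fetch("https://localhost:8443/docs/setup.html", ts));
    }
}
```

Because the trust store built this way contains only the server's self-signed certificate, the PKIX path from the error message resolves directly to that certificate; if the URL's host does not match the certificate's SAN, the connection fails at hostname verification instead, which is the right outcome rather than something to bypass.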
