2

I use AdminClient for a secure connection to a local WebSphere server:

    // SOAP connector to the local server, with security enabled
    java.util.Properties props = new java.util.Properties();
    props.setProperty(AdminClient.CONNECTOR_TYPE, AdminClient.CONNECTOR_TYPE_SOAP);
    props.setProperty(AdminClient.CONNECTOR_HOST, "localhost");
    props.setProperty(AdminClient.CONNECTOR_PORT, "8880");
    props.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true");
    props.setProperty(AdminClient.USERNAME, "admin");
    props.setProperty(AdminClient.PASSWORD, "111111");

    // Trust store and key store of the local profile, used for the SSL handshake
    props.setProperty("javax.net.ssl.trustStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientTrustFile.jks");
    props.setProperty("javax.net.ssl.keyStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientKeyFile.jks");
    props.setProperty("javax.net.ssl.trustStorePassword", "WebAS");
    props.setProperty("javax.net.ssl.keyStorePassword", "WebAS");
    // Open the administrative connection
    client = AdminClientFactory.createAdminClient(props);

It works perfectly. But if I try to connect securely to a remote URL (IP or hostname), this code does not work, with SSL exceptions. I think the problem is in the cert files:

    props.setProperty("javax.net.ssl.trustStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientTrustFile.jks");
    props.setProperty("javax.net.ssl.keyStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientKeyFile.jks");

How can I retrieve these certificates from the remote server using Java and make a secure connection with AdminClient?

vicvtor

2 Answers

3

You will need to extract the remote signer certificate and import it into the local WebSphere trust keystore. To do this you can use the ikeyman utility to open the remote keystore and export the certificate, and then use the same utility to import the cert into the local WebSphere trust store.

The SSL exception should give a clue as to what signer certificate you need to extract from the remote server and import into the local trust store.

Have a look at http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm (Exporting Keys and Importing Keys section)

Also, a similar question has already been addressed here:

telling java to accept self-signed ssl certificate

Nick Vasic
  • I don't understand how I can integrate it in Java code. I think it's not for my situation. – vicvtor Jan 28 '15 at 12:45
  • 1
    I suggest you read up on how the SSL handshake works. You have a trust store that your AdminClient uses to determine whether to trust the remote certificate (in your case C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientTrustFile.jks). If your local trust store does not have the remote server's signer certificate installed, then your AdminClient will not be able to verify or 'trust' the identity of the remote server and will thus fail the SSL handshake. – Nick Vasic Jan 28 '15 at 22:02
  • @vicvtor You don't integrate it into your Java code. You do what this answer says. – user207421 Jan 29 '15 at 03:31
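
The import step described in the answer above, as an added Java example that is not part of the original posts: it reads an exported signer certificate, refuses it unless its SHA-256 fingerprint matches a value confirmed out of band, and adds it to a copy of a JKS trust store such as DummyClientTrustFile.jks. The class name `ImportSigner`, the argument order and the `.updated` output suffix are assumptions made for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example; ImportSigner is a hypothetical name. Usage:
//   java ImportSigner <signer.cer> <truststore.jks> <alias> <expected-sha256-hex>
public class ImportSigner {
    public static void main(String[] args) throws Exception {
        Path store = Paths.get(args[1]);
        String alias = args[2];
        // Fingerprint obtained out of band from the remote server's administrator.
        String expected = args[3].replace(":", "").toUpperCase();
        X509Certificate signer;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        signer.checkValidity(); // throws if expired or not yet valid
        // Refuse to trust a certificate whose fingerprint was not confirmed.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(signer.getEncoded());
        StringBuilder actual = new StringBuilder();
        for (byte b : digest) actual.append(String.format("%02X", b));
        if (!expected.contentEquals(actual)) {
            throw new SecurityException("Fingerprint mismatch: " + actual);
        }
        // Prompt for the store password instead of taking it on the command line.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("Run from an interactive terminal");
        char[] password = console.readPassword("Trust store password: ");
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            trust.load(in, password);
        }
        if (trust.getCertificateAlias(signer) != null) {
            System.out.println("Signer is already trusted; nothing to do.");
            return;
        }
        if (trust.containsAlias(alias)) throw new IllegalArgumentException("Alias in use: " + alias);
        trust.setCertificateEntry(alias, signer);

        // Write a new file and leave the original store untouched.
        Path updated = Paths.get(store + ".updated");
        try (OutputStream out = Files.newOutputStream(updated)) {
            trust.store(out, password);
        }
        System.out.println("Wrote " + updated + " containing " + signer.getSubjectX500Principal());
    }
}
```

Point `javax.net.ssl.trustStore` at the updated file only after reviewing it; the client code itself stays unchanged.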
1

I'd suggest not putting it in your code, but adding the WebSphere certificate to the Glassfish trusted certs. So you need to perform the following steps:

  • Extract the certificate from WebSphere - the easiest way is to access any application running on WAS via https using a browser and save the certificate to a file.
  • Import that certificate using keytool into the Glassfish trusted store. It should be domains/domain1/config/cacerts.jks (I'm not a Glassfish expert, so the path might be different).

Then you should no longer need to set all these javax.net.ssl.* properties.

Gas