
How reference PKI enabled endpoints in the Admin console


When referencing a PKI enabled published WSDL via the Source URL I get the same exception as http://wso2.org/forum/thread/3377.  From the research I’ve done and read it appears to do this because the Admin console is using the default KeyStore that comes with the JRE and it does a simple URLConnection.

 

    URLConnection conn = url.openConnection();
    conn.setReadTimeout(getReadTimeout());
    conn.setConnectTimeout(getConnectionTimeout());
    conn.setRequestProperty("Connection", "close"); // if http is being used


It fails on this line ==> InputStream urlInStream = conn.getInputStream();

 

Is there a way to enable different KeyStores per WSDL reference?

 

Thanks,

J


Class file location

Sorry i forgot to add the class file location.

Its in synapse-core

Package: org.apache.synapse.config

Class: SynapseConfigUtils.java

 

Thanks,

J

>Is there a way to enable

>Is there a way to enable different KeyStores per WSDL reference?

Not yet.. currently it uses the JRE cacerts JKS... we could prioritize for the next release, if an enhancement JIRA is raised on this..

asankha

Working Implementation

I actually have methods that implement PKCS12, PKCS8 and JKS certificates because I’m using Apache HTTPD as our frontend server. I’ve connected the ESB Admin via AJP (I have this mod also if you want it) and reuse the same certificate throughout the ESB.

With that said, I’ve actually just finished implementing this. It’s rough, with no exception handling and hard-coded values, but it shows a working version of how this can be done from the code. In summary, I created a custom HTTPSSocketFactory that allows me to reference/connect to the external PKI-enabled WSDL with the Admin application.

I’ve also created a new transport that allows me to reuse all the certificates mentioned above; this way I’m not generating certificates all over the place.
 
Package: org.apache.synapse
Class: SynapseConfigUtils.java
Method: public static OMElement getOMElementFromURL(String urlStr)

    import java.io.IOException;
    import java.io.InputStream;
    import java.net.URL;
    import java.net.URLConnection;
    import java.security.KeyStore;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.TrustManagerFactory;

    public static OMElement getOMElementFromURL(String urlStr) throws IOException {
        URL url = getURLFromPath(urlStr);
        if (url == null) {
            return null;
        }

        // My Code: build a KeyManagerFactory/TrustManagerFactory from the same key and
        // CA material the Apache HTTPD front end uses. IKeyStoreLoader, PKCS8KeyStoreLoader,
        // ICACertsLoader, CACertsLoader and HTTPSSocketFactory are my own classes, not Synapse's.
        KeyStore keyStore = null;
        KeyStore trustStore = null;
        KeyManagerFactory kmfactory = null;
        TrustManagerFactory trustManagerfactory = null;

        try {
            // KeyStore (hard-coded for now)
            String location = "c:/Apache2.2/conf/serverKey.pkcs8";
            String certificateFilePath = "c:/Apache2.2/conf/serverCert.pem";
            String storePassword = "12345678";
            String keyPassword = "12345678";
            String alias = "eTest";

            IKeyStoreLoader pkcs8KeyStoreLoader =
                new PKCS8KeyStoreLoader(location, certificateFilePath, storePassword, alias);
            keyStore = pkcs8KeyStoreLoader.getKeyStore();

            kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmfactory.init(keyStore, keyPassword.toCharArray());

            // Trust Store: every CA certificate in this directory becomes a trust anchor
            String trustLocation = "c:/Apache2.2/conf/CAs";

            ICACertsLoader caCertsLoader = new CACertsLoader();
            trustStore = caCertsLoader.loadTrustStore(trustLocation);

            trustManagerfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerfactory.init(trustStore);
        } catch (Exception ex) {
            // No exception handling yet: the message is captured but nothing is done with it
            String exception = ex.getMessage();
        }

        InputStream urlInStream = null;
        if (url.getProtocol().equalsIgnoreCase("http")) {
            URLConnection conn = url.openConnection();
            conn.setReadTimeout(getReadTimeout());
            conn.setConnectTimeout(getConnectionTimeout());
            conn.setRequestProperty("Connection", "close"); // if http is being used

            urlInStream = conn.getInputStream();
        } else {
            // Cast to the public javax.net.ssl.HttpsURLConnection rather than the JRE-internal
            // HttpsURLConnectionImpl, so this compiles against any JRE
            HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
            // Per-connection socket factory built from the stores above, instead of the
            // JRE default cacerts that the plain URLConnection would use
            urlConnection.setSSLSocketFactory(
                new HTTPSSocketFactory(kmfactory, trustManagerfactory).getSSLContext().getSocketFactory());

            urlConnection.setReadTimeout(getReadTimeout());
            urlConnection.setConnectTimeout(getConnectionTimeout());
            urlConnection.setRequestProperty("Connection", "close"); // if http is being used
            urlInStream = urlConnection.getInputStream();
        }

        // ... the remainder of the method (parsing urlInStream into an OMElement) is unchanged
    }

Thanks,

J
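The following is an added example, not code from this thread and not part of Synapse or WSO2 ESB. It generalises the approach in J's post and answers the original question (different KeyStores per WSDL reference): each registered URL prefix gets its own SSLContext built from standard JKS/PKCS12 stores via java.security.KeyStore, and that context is applied per connection with HttpsURLConnection.setSSLSocketFactory rather than through the JVM-wide javax.net.ssl.* system properties, so one endpoint's trust settings never leak into another's. The class name PerWsdlSslFetcher, the Material holder, and all paths and passwords are assumptions chosen for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not Synapse/WSO2 code): one SSLContext per WSDL URL prefix, applied per connection. */
public final class PerWsdlSslFetcher {

    /** Key/trust material for one endpoint; keyStorePath may be null when no client certificate is needed. */
    public static final class Material {
        final String keyStorePath, keyStoreType, keyStorePassword, keyPassword;
        final String trustStorePath, trustStoreType, trustStorePassword;

        public Material(String keyStorePath, String keyStoreType, String keyStorePassword, String keyPassword,
                        String trustStorePath, String trustStoreType, String trustStorePassword) {
            this.keyStorePath = keyStorePath;       this.keyStoreType = keyStoreType;
            this.keyStorePassword = keyStorePassword; this.keyPassword = keyPassword;
            this.trustStorePath = trustStorePath;   this.trustStoreType = trustStoreType;
            this.trustStorePassword = trustStorePassword;
        }
    }

    private final Map<String, SSLContext> contextsByPrefix = new LinkedHashMap<String, SSLContext>();

    /** Registers material for every URL starting with urlPrefix, e.g. "https://partner.example.com/". */
    public void register(String urlPrefix, Material m) throws GeneralSecurityException, IOException {
        contextsByPrefix.put(urlPrefix, buildContext(m));
    }

    /** Builds an SSLContext from the endpoint's stores; client auth only when a key store is given. */
    static SSLContext buildContext(Material m) throws GeneralSecurityException, IOException {
        KeyManagerFactory kmf = null;
        if (m.keyStorePath != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(m.keyStoreType, m.keyStorePath, m.keyStorePassword), m.keyPassword.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(m.trustStoreType, m.trustStorePath, m.trustStorePassword));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore load(String type, String path, String password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);   // "JKS" or "PKCS12"
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /** Longest registered prefix wins, so a specific path can override a host-wide entry. */
    SSLContext contextFor(String urlStr) {
        String best = null;
        for (String prefix : contextsByPrefix.keySet()) {
            if (urlStr.startsWith(prefix) && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : contextsByPrefix.get(best);
    }

    /** Opens the WSDL URL; https connections get their endpoint's factory, other schemes are untouched. */
    public InputStream open(String urlStr, int connectTimeoutMs, int readTimeoutMs) throws IOException {
        URLConnection conn = new URL(urlStr).openConnection();
        if (conn instanceof HttpsURLConnection) {
            SSLContext ctx = contextFor(urlStr);
            if (ctx != null) {
                // Per-connection factory: the JVM default SSLContext and javax.net.ssl.* properties
                // are left alone, so other WSDL references keep their own (or the default) trust.
                ((HttpsURLConnection) conn).setSSLSocketFactory(ctx.getSocketFactory());
            }
            // The default HostnameVerifier stays in place: the server cert must match the URL host.
        }
        conn.setConnectTimeout(connectTimeoutMs);
        conn.setReadTimeout(readTimeoutMs);
        conn.setRequestProperty("Connection", "close");
        return conn.getInputStream();
    }

    // Usage; paths and passwords are constructed placeholders, not values from the thread.
    public static void main(String[] args) throws Exception {
        PerWsdlSslFetcher fetcher = new PerWsdlSslFetcher();
        fetcher.register("https://partner.example.com/",
            new Material("c:/Apache2.2/conf/client.p12", "PKCS12", "changeit", "changeit",
                         "c:/Apache2.2/conf/partner-ca.jks", "JKS", "changeit"));
        InputStream wsdl = fetcher.open("https://partner.example.com/svc?wsdl", 10000, 30000);
        wsdl.close();
    }
}
```

The registry is deliberately keyed by URL prefix rather than by host alone, so two services on the same host that are issued by different CAs can still be kept apart; an endpoint without a registered prefix falls through to the JRE's default trust store, which is exactly the behaviour the Admin console has today.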

Hi, If you would like to

Hi,

If you would like to contribute this work either to apache-synapse or to wso2-esb you could create a JIRA for this and attach the code there granting the license as ASL V2.0.

Thanks

Ruwan Linton
