Problem with keystore and ssl

Hi, I’m running

Server Information
Servoy version 8.2.2 -releaseNumber 3107
Port used by RMI Registry: 1099
Repository version 49 

JVM Information
java.vm.name=Java HotSpot(TM) 64-Bit Server VM
java.version=9.0.1
java.vm.info=mixed mode
java.vm.vendor=Oracle Corporation 

Operating System Information
os.name=Mac OS X
os.version=10.12.6
os.arch=x86_64

I have created a keystore inside

/application_server/server/conf

by running the following commands in the conf directory

keytool -import -alias root -keystore     servoy.keystore -trustcacerts -file gdroot-g2.crt
keytool -import -alias intermed -keystore servoy.keystore -trustcacerts -file gdig2.crt
keytool -import -alias servoy -keystore   servoy.keystore -trustcacerts -file <my_ssl_certificate_name_here>.crt

specifying a keystore password, let's call it <password>.

I have added an extra bit to server.xml

<Connector port="8084"
   maxThreads="500" 
   connectionTimeout="60000"
   scheme="https" 
   secure="true" 
   SSLEnabled="true"
   keystoreFile="conf/servoy.keystore" 
   keystorePass="<password>"
/>

and added the following

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic SLL Forwarding</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

to

/application_server/server/webapps/ROOT/WEB-INF/web.xml

then I go to the Network Settings in Servoy Server admin to try to set

SocketFactory.SSLKeystorePath = server/conf/servoy.keystore
SocketFactory.SSLKeystorePassphrase =

Whatever I set them to, I either get a message that the keystore password was wrong, or I get a green message that SSL initialised OK, but when I look in the logs the keystore was not found and you can no longer launch Smart Clients; they fail to load with handshake errors.

I’m not trying to sign the code with a code-signing certificate, I just want to force all the traffic to servoy-admin and smart-clients over https.

Any ideas what I’m doing wrong?
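
Added example, not part of the original post: a check of whether the alias a TLS connector would serve actually holds a private key. When an alias has no key pair beforehand, `keytool -import` stores the certificate as a `trustedCertEntry`, which a server cannot present as its own certificate; the sample listings and the `STOREPASS` variable below are constructed.

```shell
#!/bin/sh
# Added example: classify keystore entries from `keytool -list` output.
# Real use (path and alias as on this page; STOREPASS is an assumed variable):
#   keytool -list -keystore conf/servoy.keystore -storepass "$STOREPASS" | check_server_alias servoy

# Print the entry type keytool reports for alias $1, or "missing".
entry_type() {
  awk -v a="$1" '
    /Entry, *$/ {                      # e.g. "servoy, Jan 5, 2018, trustedCertEntry,"
      line = $0
      sub(/, *$/, "", line)            # drop the trailing comma
      n = split(line, f, /, */)        # first field = alias, last field = entry type
      if (f[1] == a) { print f[n]; found = 1; exit }
    }
    END { if (!found) print "missing" }'
}

# Succeed only if the alias can back a TLS server (certificate plus private key).
check_server_alias() {
  t=$(entry_type "$1")
  case "$t" in
    PrivateKeyEntry)  echo "OK: '$1' has a private key"; return 0 ;;
    trustedCertEntry) echo "FAIL: '$1' is a certificate only, no private key"; return 1 ;;
    missing)          echo "FAIL: alias '$1' not in keystore"; return 1 ;;
    *)                echo "FAIL: '$1' has unexpected type $t"; return 1 ;;
  esac
}

# Constructed sample listings (dates and fingerprints are placeholders).
IMPORTED_ONLY='Your keystore contains 3 entries

intermed, Jan 5, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): (omitted)
root, Jan 5, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): (omitted)
servoy, Jan 5, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): (omitted)'

WITH_KEY='Your keystore contains 1 entry

servoy, Jan 5, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (omitted)'

printf '%s\n' "$IMPORTED_ONLY" | check_server_alias servoy || true
printf '%s\n' "$WITH_KEY" | check_server_alias servoy
```

The parser reads only the first and last comma-separated fields of each entry line, so it does not depend on how the locale formats the date in between.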

Hi,

I tried adding a new keystore with a self-signed certificate. I did this for my Servoy Developer, so my developer admin page is now working fine on https (after accepting the warning from the browser about the self-signed certificate).

Doing the same on the server, I had to add the keystore password on the Servoy admin page, edit the servoy.preferences file to make the keystore password clear text so it is re-encrypted using the new key. After restarting the server, I get a green message about “SSL initialised OK”, no errors in the logs.

Then I edit server.xml (adding the https connector) and web.xml (redirect to https, which works fine). Restarted again.

But if I launch a client it gets stuck on launch:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440)
	at com.sebster.tunnel.impl.cb.a(cb.java:9)
	at com.sebster.tunnel.impl.bb.connect(bb.java:8)
	at com.sebster.tunnel.DelegatingTunnelClient.connect(DelegatingTunnelClient.java:2)
	at com.sebster.tunnel.impl.le.<init>(le.java:11)
	at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider$1.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:2)
	at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:11)
	at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:10)
	at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:325)
	at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:323)
	at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.createFactoryProvider(ClientTunnelRMISocketFactoryFactory.java:277)
	at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.<init>(ClientTunnelRMISocketFactoryFactory.java:265)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at com.servoy.j2db.smart.J2DBClient.initRMISocketFactory(J2DBClient.java:850)
	at com.servoy.j2db.smart.J2DBClient.startupApplication(J2DBClient.java:786)
	at com.servoy.j2db.smart.J2DBClient$4.run(J2DBClient.java:698)
	at com.servoy.j2db.smart.J2DBClient.mainImpl(J2DBClient.java:722)
	at com.servoy.j2db.smart.J2DBClient.main(J2DBClient.java:685)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.javaws.Launcher.executeApplication(Unknown Source)
	at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
	at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
	at com.sun.javaws.Launcher.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:748)

Any ideas?

Do I need to add the certificate or the root and intermediate certificate to the cacerts inside of my java installation (Java 9.0.1)?

As mentioned here

https://davidjb.com/blog/2012/02/java-h … enticated/

Has anybody done this successfully and can shed light on how this is done?