Problem with keystore and ssl

PostPosted: Thu May 03, 2018 11:17 am
by swingman
Hi, I'm running

Code:
Server Information
Servoy version 8.2.2 -releaseNumber 3107
Port used by RMI Registry: 1099
Repository version 49

JVM Information
java.vm.name=Java HotSpot(TM) 64-Bit Server VM
java.version=9.0.1
java.vm.info=mixed mode
java.vm.vendor=Oracle Corporation

Operating System Information
os.name=Mac OS X
os.version=10.12.6
os.arch=x86_64


I have created a keystore inside

/application_server/server/conf

by running the following commands in the conf directory

Code:
keytool -import -alias root -keystore     servoy.keystore -trustcacerts -file gdroot-g2.crt
keytool -import -alias intermed -keystore servoy.keystore -trustcacerts -file gdig2.crt
keytool -import -alias servoy -keystore   servoy.keystore -trustcacerts -file <my_ssl_certificate_name_here>.crt


specifying a keystore password, let's call it <password>.

I have added an extra bit to server.xml

Code:
<Connector port="8084"
   maxThreads="500"
   connectionTimeout="60000"
   scheme="https"
   secure="true"
   SSLEnabled="true"
   keystoreFile="conf/servoy.keystore"
   keystorePass="<password>"
/>


and added the following

Code:
<security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SLL Forwarding</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>


to

/application_server/server/webapps/ROOT/WEB-INF/web.xml

then I go to the Network Settings in Servoy Server admin to try to set

SocketFactory.SSLKeystorePath = server/conf/servoy.keystore
SocketFactory.SSLKeystorePassphrase = <password>

Whatever I set them to I either get a message that
the keystore password was wrong or I get a green message that SSL initialised OK,
but when I look in the logs the keystore was not found and you can no longer launch Smart Clients; they fail to load with handshake errors.

I'm not trying to sign the code with a code-signing certificate, I just want to force all the traffic to servoy-admin and smart-clients over https.

Any ideas what I'm doing wrong?

Re: Problem with keystore and ssl

PostPosted: Fri May 04, 2018 10:28 am
by swingman
Hi,

I tried adding a new keystore with a self-signed certificate. I did this for my Servoy Developer, so my developer admin page is now working fine on https (after accepting the warning from the browser about the self-signed certificate).

Doing the same on the server, I had to add the keystore password on the Servoy admin page, edit the servoy.preferences file to make the keystore password clear text so it is re-encrypted using the new key. After restarting the server, I get a green message about "SSL initialised OK", no errors in the logs.

Then I edit server.xml (adding the https connector) and web.xml (redirect to https, which works fine). Restarted again.

But if I launch a client it gets stuck on launch:

Code:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440)
   at com.sebster.tunnel.impl.cb.a(cb.java:9)
   at com.sebster.tunnel.impl.bb.connect(bb.java:8)
   at com.sebster.tunnel.DelegatingTunnelClient.connect(DelegatingTunnelClient.java:2)
   at com.sebster.tunnel.impl.le.<init>(le.java:11)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider$1.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:2)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:11)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:10)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:325)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:323)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.createFactoryProvider(ClientTunnelRMISocketFactoryFactory.java:277)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.<init>(ClientTunnelRMISocketFactoryFactory.java:265)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
   at com.servoy.j2db.smart.J2DBClient.initRMISocketFactory(J2DBClient.java:850)
   at com.servoy.j2db.smart.J2DBClient.startupApplication(J2DBClient.java:786)
   at com.servoy.j2db.smart.J2DBClient$4.run(J2DBClient.java:698)
   at com.servoy.j2db.smart.J2DBClient.mainImpl(J2DBClient.java:722)
   at com.servoy.j2db.smart.J2DBClient.main(J2DBClient.java:685)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
   at com.sun.javaws.Launcher.executeApplication(Unknown Source)
   at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
   at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
   at com.sun.javaws.Launcher.run(Unknown Source)
   at java.lang.Thread.run(Thread.java:748)


Any ideas?
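Two checks a practitioner would run against the setup described in the first two posts, added here as an example and not code from the thread or from Servoy: whether the alias the connector uses is a PrivateKeyEntry (a keystore built only with `keytool -import` of .crt files holds trusted-certificate entries and no private key, which an HTTPS connector cannot serve from), and whether the chain the connector presents verifies (a Java client reports "peer not authenticated" when it cannot build a trust path to the server certificate). The alias `servoy`, the path `conf/servoy.keystore` and port 8084 are taken from the thread; `localhost` and the sample outputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Offline-testable checks for a
# Tomcat-style HTTPS connector backed by a JKS keystore. Alias, keystore
# path and port come from the thread; host and sample outputs are assumed.

# entry_type ALIAS LISTING: print the entry type for ALIAS from `keytool -list` text.
entry_type() {
  printf '%s\n' "$2" | sed -n 's/^'"$1"', .*, \([A-Za-z]*Entry\),*$/\1/p' | head -n 1
}

# has_private_key ALIAS LISTING: success only if ALIAS is a PrivateKeyEntry,
# which is what a connector's keystoreFile/keyAlias must point at.
has_private_key() {
  [ "$(entry_type "$1" "$2")" = "PrivateKeyEntry" ]
}

# verify_result S_CLIENT_OUTPUT: print the numeric "Verify return code"
# from `openssl s_client` output (0 means the chain verified).
verify_result() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of what `keytool -list -keystore servoy.keystore`
# prints after the three -import commands in the thread: no private key.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

root, May 3, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA
intermed, May 3, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB
servoy, May 3, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:CC:CC'

# Constructed sample tail of `openssl s_client -connect host:8084` for a
# self-signed certificate that the client's trust store does not contain.
SAMPLE_SCLIENT='    Verify return code: 18 (self signed certificate)'

# Live use (not run here): list the real keystore and probe the connector.
live_check() {
  listing=$(keytool -list -keystore conf/servoy.keystore -storepass "$1")
  has_private_key servoy "$listing" || echo "alias servoy has no private key"
  out=$(openssl s_client -connect localhost:8084 -servername localhost </dev/null 2>/dev/null)
  [ "$(verify_result "$out")" = "0" ] || echo "chain not verified by openssl"
}
```

Call `live_check "<password>"` from the application_server directory to run both checks against the real keystore and the running connector.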

Re: Problem with keystore and ssl

PostPosted: Fri May 04, 2018 10:57 am
by swingman
Do I need to add the certificate or the root and intermediate certificate to the cacerts inside of my java installation (Java 9.0.1)?

As mentioned here

https://davidjb.com/blog/2012/02/java-h ... enticated/

Re: Problem with keystore and ssl

PostPosted: Mon Jun 04, 2018 12:09 pm
by swingman
Has anybody done this successfully and can shed light on how this is done?