Problem with keystore and ssl


Post by swingman » Thu May 03, 2018 11:17 am

Hi, I'm running

Code:
Server Information
Servoy version 8.2.2 -releaseNumber 3107
Port used by RMI Registry: 1099
Repository version 49

JVM Information
java.vm.name=Java HotSpot(TM) 64-Bit Server VM
java.version=9.0.1
java.vm.info=mixed mode
java.vm.vendor=Oracle Corporation

Operating System Information
os.name=Mac OS X
os.version=10.12.6
os.arch=x86_64


I have created a keystore inside

/application_server/server/conf

by running the following commands in the conf directory

Code:
keytool -import -alias root -keystore     servoy.keystore -trustcacerts -file gdroot-g2.crt
keytool -import -alias intermed -keystore servoy.keystore -trustcacerts -file gdig2.crt
keytool -import -alias servoy -keystore   servoy.keystore -trustcacerts -file <my_ssl_certificate_name_here>.crt


specifying a keystore password, let's call it <password>.

I have added an extra bit to server.xml

Code:
<Connector port="8084"
   maxThreads="500"
   connectionTimeout="60000"
   scheme="https"
   secure="true"
   SSLEnabled="true"
   keystoreFile="conf/servoy.keystore"
   keystorePass="<password>"
/>


and added the following

Code:
<security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SLL Forwarding</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>


to

/application_server/server/webapps/ROOT/WEB-INF/web.xml

then I go to the Network Settings in Servoy Server admin to try to set

SocketFactory.SSLKeystorePath = server/conf/servoy.keystore
SocketFactory.SSLKeystorePassphrase = <password>

Whatever I set them to, I either get a message that the keystore password was wrong or I get a green message that SSL initialised OK, but when I look in the logs the keystore was not found and you can no longer launch Smart Clients; they fail to load with handshake errors.

I'm not trying to sign the code with a code-signing certificate, I just want to force all the traffic to servoy-admin and smart-clients over https.

Any ideas what I'm doing wrong?
Christian Batchelor
Certified Servoy Developer
Batchelor Associates Ltd, London, UK
http://www.batchelorassociates.co.uk

http://www.postgresql.org - The world's most advanced open source database.
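
An added example, not part of the original post and not Servoy tooling: `keytool -import` of a certificate under an alias that has no key pair stores it as a `trustedCertEntry`, while a TLS connector needs a `PrivateKeyEntry` (private key plus chain) to present. The sketch below reads `keytool -list -v` output and reports which kind the `servoy` alias holds; both listings are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Real use (keytool prompts for the store password):
#   keytool -list -v -keystore servoy.keystore | entry_type servoy

# entry_type ALIAS: print the "Entry type" recorded for ALIAS, or "missing".
entry_type() {
    awk -v want="$1" '
        { sub(/[ \r]+$/, "") }                      # tolerate CRLF / padding
        /^Alias name: / { alias = tolower(substr($0, 13)) }
        /^Entry type: / && alias == tolower(want) {
            print substr($0, 13); found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# can_serve_tls ALIAS: succeed only if ALIAS holds a private key plus chain.
can_serve_tls() {
    [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

# Constructed listing: three certificate imports into a fresh keystore.
sample_as_posted() {
    cat <<'EOF'
Alias name: root
Creation date: May 3, 2018
Entry type: trustedCertEntry
Alias name: intermed
Creation date: May 3, 2018
Entry type: trustedCertEntry
Alias name: servoy
Creation date: May 3, 2018
Entry type: trustedCertEntry
EOF
}

# Constructed listing: key pair generated under "servoy", CA reply imported.
sample_with_keypair() {
    cat <<'EOF'
Alias name: servoy
Creation date: May 3, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

for ks in as_posted with_keypair; do
    printf '%s: servoy is %s\n' "$ks" "$("sample_$ks" | entry_type servoy)"
done
```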

Re: Problem with keystore and ssl

Post by swingman » Fri May 04, 2018 10:28 am

Hi,

I tried adding a new keystore with a self-signed certificate. I did this for my Servoy Developer, so my developer admin page is now working fine on https (after accepting the warning from the browser about the self-signed certificate).

Doing the same on the server, I had to add the keystore password on the Servoy admin page, edit the servoy.preferences file to make the keystore password clear text so it is re-encrypted using the new key. After restarting the server, I get a green message about "SSL initialised OK", no errors in the logs.

Then I edit server.xml (adding the https connector) and web.xml (redirect to https, which works fine). Restarted again.

But if I launch a client it gets stuck on launch:

Code:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440)
   at com.sebster.tunnel.impl.cb.a(cb.java:9)
   at com.sebster.tunnel.impl.bb.connect(bb.java:8)
   at com.sebster.tunnel.DelegatingTunnelClient.connect(DelegatingTunnelClient.java:2)
   at com.sebster.tunnel.impl.le.<init>(le.java:11)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider$1.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:2)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:11)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:10)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:325)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:323)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.createFactoryProvider(ClientTunnelRMISocketFactoryFactory.java:277)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.<init>(ClientTunnelRMISocketFactoryFactory.java:265)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
   at com.servoy.j2db.smart.J2DBClient.initRMISocketFactory(J2DBClient.java:850)
   at com.servoy.j2db.smart.J2DBClient.startupApplication(J2DBClient.java:786)
   at com.servoy.j2db.smart.J2DBClient$4.run(J2DBClient.java:698)
   at com.servoy.j2db.smart.J2DBClient.mainImpl(J2DBClient.java:722)
   at com.servoy.j2db.smart.J2DBClient.main(J2DBClient.java:685)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
   at com.sun.javaws.Launcher.executeApplication(Unknown Source)
   at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
   at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
   at com.sun.javaws.Launcher.run(Unknown Source)
   at java.lang.Thread.run(Thread.java:748)


Any ideas?

Re: Problem with keystore and ssl

Post by swingman » Fri May 04, 2018 10:57 am

Do I need to add the certificate or the root and intermediate certificate to the cacerts inside of my java installation (Java 9.0.1)?

As mentioned here

https://davidjb.com/blog/2012/02/java-h ... enticated/

Re: Problem with keystore and ssl

Post by swingman » Mon Jun 04, 2018 12:09 pm

Has anybody done this successfully and can shed light on how this is done?

