I want to make a HTTP call to server that uses TLS to authenticate. Moreover server needs my IP to be whitelisted, so with AWS Lambda I need to use proxy. What I want to achieve is HTTP POST request with TLS that goes through proxy.
To achieve TLS protocol I use KeyStore with loaded certs and private key.
Making a call without proxy (locally from whitelisted IP) works, so I assume keyStore is configured correctly.
Here is how I build httpClient (it's java.net.http.HttpClient):
var keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
keyManagerFactory.init(keyStore, null);
var trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
trustManagerFactory.init(keyStore, null);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
URI proxyUri = config.getProxyUri(); // this is injected object with preloaded config parameters
HttpClient httpClient = HttpClient.newBuilder()
.sslContext(sslContext)
.proxy(
ProxySelector.of(
InetSocketAddress.createUnresolved(proxyUri.getHost(), proxyUri.getPort())))
.build();
Now making a request:
String body = createRequestBody(); // creates string with JSON
HttpRequest request = HttpRequest.newBuilder()
.uri(config.getServiceUri()) // same config as in example above
.header("Content-Type", "application/json")
.POST(BodyPublishers.ofString(body))
.build();
HttpResponse<String> response = httpClient.send(request, BodyHandlers.ofString());
Calling .send(...) causes
java.io.IOException: Tunnel failed, got: 403
# java.net.http/jdk.internal.net.http.HttpClientImpl.send(Unknown Source)
# java.net.http/jdk.internal.net.http.HttpClientFacade.send(Unknown Source)
# (method we are in above example)
Proxy doesn't need any authentication and in other AWS Lambda I've seen this proxy working with builder using only .proxy(...) method just like in the example above. So the only thing that is different is this .sslContext(...).
Do I need some more sslContext configuration? I've been searching for some examples with TLS through proxy, but I've not managed to find anything.
HttpClient.Builder Docs doesn't say anything about proxy with sslContext either.
Thanks for help!
As daniel wrote in a comment
It would seem that you have insufficient permission to access the service you're trying to use
It turned out to be proxy config that was blocking traffic to that specific host and port.
There is nothing wrong with the code above. After a change in proxy settings to it works as expected.
Thanks for help!
I’m a newbie in ES and I have a task in my new job to upgrade from 6.4.2 to 7.4.1 – From TCP client to Rest High Level API.
Previously we built the client like this:
Settings settings = Settings.builder()
.put("xpack.security.user", String.format("%s:%s",esJavaUser,esJavaPassword))
.put("cluster.name", esClusterName)
.put("xpack.security.transport.ssl.enabled", xpackSecurityTransportSslEnabled)
.put("xpack.ssl.certificate_authorities", xpackSslCertificateAuthorities)
.build();
client = new PreBuiltXPackTransportClient(settings);
Now, in rest API, it’s changed to this:
final CredentialsProvider credentialsProvider =
new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
new UsernamePasswordCredentials(esJavaUser, esJavaPassword));
RestClientBuilder restClientBuilder = RestClient.builder(hosts)
.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
.setDefaultCredentialsProvider(credentialsProvider));
restHighLevelClient = new RestHighLevelClient(restClientBuilder);
With this build I set ES user and password by CredentialsProvider but what about ssl.enabled and certificate_authorities”? how should I provided them with rest API?
I got an answer from ES forum (didn't thought to ask there first..)
Because, as developer, I always looking for answer here, in stackoverflow, I decide to not delete this question and copy TimV answer:
The documentation you are looking for is here: https://www.elastic.co/guide/en/elasticsearch/client/java-rest/7.4/_encrypted_communication.html
SSL is automatically enabled (or not) based on the scheme (protocol) in the HttpHost objects you pass to the builder.
RestClient.builder(hosts)
If you are using SSL, you want to pass "https" as the scheme (3rd argument) when you construct the HttpHost objects (hosts).
Unfortunately there is no simple means to pass certificate_authorities to the Rest client, you need to turn those certificates into a standard Java truststore.
You can probably find some sample code on the web ("convert PEM certificates to Java truststore"), but the gist of it is:
Open the certificate authority files as an InputStream
Create a X.509 certificate factory: java.security.cert.CertificateFactory.getInstance("X.509")
Call generateCertificates on the certificate factory to read those certificate files into java Certificate objects
Construct an empty KeyStore object
Add the loaded certificates as trusted entries
Pass that to SSLContextBuilder.loadTrustMaterial
Link: https://discuss.elastic.co/t/es-7-4-1-authentication-rest-api/211969
I'm putting together a soap client to call a thirdparty soap service. I'm having issues connecting with Java. It works fine with SoapUI. This is the first time I've set up a keystore within the app. All the code I have found is the same and pretty simple but I can't figure out why the java version isn't working.. I'm using a TLS pfx file provided by the company whose service I'm trying to connect too.
I'm getting a 403 back from the server.. Here is the code
URL wsdlLocation = new URL(SECURE_INTEGRATION_WSDL);
ObjectFactory ofactory = new ObjectFactory();
HttpsURLConnection httpsConnection = (HttpsURLConnection)wsdlLocation.openConnection();
char[] password = CLIENT_KEYSTORE_PASSWORD.toCharArray();
//load keystore
FileInputStream is = new FileInputStream(new File(CLIENT_KEYSTORE_PATH));
final KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(is, password);
is.close();
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(keystore, password);
//set the ssl context
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), null,
new java.security.SecureRandom());
httpsConnection.setSSLSocketFactory(sc.getSocketFactory());
SecureIntegrationServicesImap client = new SecureIntegrationServicesImap(wsdlLocation);
SesMessage message = ofactory.createSesMessage();
ReceiveRequest r = ofactory.createReceiveRequest();
r.setEmail(ofactory.createReceiveRequestEmail("<email ommitted>"));
ArrayOfMessageSummary messages = client.getWSHttpBindingSecureIntegrationServiceImap().getMessageList(r);
log.info(messages.getMessageSummary().size());
Any help with what I'm wrong is greatly appreciated..
Not sure if it matters but the server is a .NET platform
Here is the stacktrace I'm getting
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://<host omitted>/TS?wsdl. It failed with:
Server returned HTTP response code: 403 for URL: https://<host omitted>/TS?wsdl.
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:265)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:246)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:209)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:178)
at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:363)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:321)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:230)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:211)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:207)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:114)
at javax.xml.ws.Service.<init>(Service.java:77)
at org.tempuri.SecureIntegrationServicesImap.<init>(SecureIntegrationServicesImap.java:50)
at com.wiredinformatics.utils.SecureExchange.main(SecureExchange.java:127) Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://host omitted/TS?wsdl
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1045)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:999)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:400)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:231)
... 11 more
It sounds like you're using TLS based client authentication. Based on the code you posted I suspect the issue is that you're not using httpsConnection anywhere after you initialize it. Therefore it's not trying to use your client certificate as you were expecting but is instead using the default request context settings.
Assuming you're using JAX-WS you should be able to use the solution outlined in this answer to bind your certificate to your request context (instead of initializing your own HttpsURLConnection):
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
How can I make a GET call using Rest-Assured in java to a endpoint which requires certificate. I have certificate as .pem format. In PEM file there is certificate and private key.
In my case using "relaxed HTTPs validation" fixed my problem:
given().relaxedHTTPSValidation().when().post("https://my_server.com")
Got it working with following code -
KeyStore keyStore = null;
SSLConfig config = null;
try {
keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(
new FileInputStream("certs/client_cert_and_private.p12"),
password.toCharArray());
} catch (Exception ex) {
System.out.println("Error while loading keystore >>>>>>>>>");
ex.printStackTrace();
}
if (keyStore != null) {
org.apache.http.conn.ssl.SSLSocketFactory clientAuthFactory = new org.apache.http.conn.ssl.SSLSocketFactory(keyStore, password);
// set the config in rest assured
config = new SSLConfig().with().sslSocketFactory(clientAuthFactory).and().allowAllHostnames();
RestAssured.config = RestAssured.config().sslConfig(config);
RestAssured.given().when().get("/path").then();
I am new to rest-assured but I know this kind of problems using digital certificates for client authentication
In rest-assured doc is only an option to configure certificate: JKS
RestAssured.config = RestAssured.newConfig().sslConfig(new SSLConfig("/truststore_javanet.jks", "test1234");
Convert your PEM to JKS. Open it with portecle and ensure that the password is right and you have the certificate loaded and all the certification chain to CA root. Portecle simplify the command-line using a GUI and also allows you to create the JKS
http://portecle.sourceforge.net/
This error occurs ALWAYS when your java client do not trust in server certificate
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The easiest way to fix this is include the server certificate chain in your jdk keystore.
First, download the server certificates opening an https connection with your browser, for example with chrome. It does not matter it fails. Click on the green lock in the toolbar>Detail>See server certicate and download as PEM. It is best to download it yourself to make sure you are using the correct. Download all certificates of certification chain
Then, open jdk cacerts at JDK_HOME/jre/lib/security with portecle. Password will be 'changeit'. Add the server certificates as 'trusted'
Now, PKIX path building failed will dissapear. If not, check the certificates and the JDK you are using
Using RestAssured 3.0 I took #rohitkadam19's code and got it working so:
#Before
public void setUp() throws Exception {
try {
RestAssured.port = port;
RestAssured.useRelaxedHTTPSValidation();
RestAssured.config().getSSLConfig().with().keyStore("classpath:keystore.p12", "password");
} catch (Exception ex) {
System.out.println("Error while loading keystore >>>>>>>>>");
ex.printStackTrace();
}
}
The method using org.apache.http.conn.ssl.SSLSocketFactory is now deprecated. If you are using the latest version of RestAssured from io then the best method is to set your authentication using:
RestAssured.authentication =
RestAssured.certificate(
"/path/to/truststore",
"trust store password",
"/path/to/p12",
"p12 password",
CertificateAuthSettings.certAuthSettings());
Note, CertificateAuthSettings.certAuthSettings() uses default KeyStore settings, so be aware of this.
The code mentioned below just works,
public static void getArtifactsHttps(String args) {
String username = "username";
String password1 = "password";
StringBuilder authorization = new StringBuilder();
authorization.append(username).append(":").append(password);
String authHeader = "Basic " + Base64.getEncoder().encodeToString(authorization.toString().getBytes());
String response = RestAssured
.given()
.trustStore("D:\\workspace\\DemoTrust.jks", "DemoTrustKeyStorePassPhrase")
.when()
.contentType(MediaType.APPLICATION_JSON)
.accept(MediaType.APPLICATION_JSON)
.header("Authorization", authHeader)
.baseUri("https://server.us.oracle.com:55898")
.queryParam("name", args)
.get("/validendpoint").prettyPrint();
System.out.println("RESPONSE" + response);
}
You need to allow self-signed certificate for RestAssured client. To do so, you need to place your certificate (public key) to the truststore (not keystore).
RestAssured
.config()
.sslConfig(
sslConfig().with().trustStoreType("PKCS12").and()
.trustStore(ResourceUtils.getFile("classpath:keystore/keystore.p12"), "password"));
//headerMap is map of header
Get
Response response = given().headers(headerMap)
.config(RestAssuredConfig.config().decoderConfig(DecoderConfig.decoderConfig().defaultContentCharset("UTF-8")).and().sslConfig(new SSLConfig().relaxedHTTPSValidation())) .contentType(ContentType.JSON).when().get(url).then().extract().response();
Post
response = given().headers(headerMap) .config(RestAssuredConfig.config().decoderConfig(DecoderConfig.decoderConfig().defaultContentCharset("UTF-8")).and().sslConfig(new SSLConfig().relaxedHTTPSValidation()))
.contentType(ContentType.JSON).body(body).when().post(url).then().extract().response();
This worked for me, thank you everyone. I am using RestAssured v 3.0, this is for Post but we can just change that to .get() and removed .body(...)
ResponseSpecification responseSpec = null;
Response response123 = null;
RestAssured.config = RestAssured.config().sslConfig(
new SSLConfig().keystore("app trust.jks", password)
.keystore("key trust.jks", password));
responseSpec = given()
.urlEncodingEnabled(Encode url = true or false)
.body(BodyToPOST)
.config(RestAssured.config())
.contentType("application/json")
.headers(appropriate headers)
.expect()
.statusCode(200);
response123 = responseSpec.when()
.post(url)
.then()
.extract()
.response();
I had no luck with pretty much any of these answers on 4.3.3 version of RestAssured.
I finally discovered this: RestAssured.trustStore(truststoreFilePath, password)
Usage:
String truststore = Props.getStringProperty("truststore", ""); // truststore in jks format
if (StringUtils.isNotBlank(truststore)) {
File truststoreFile = new File(truststore);
if (!truststoreFile .exists()) {
throw new RuntimeException("Could not initialize the truststore
because file specified does not exist: " + truststore);
}
String password = Props.getStringProperty("truststorePassword", "changeit");
RestAssured.trustStore(truststoreFile.getAbsolutePath(), password);
}
Now
RestAssured.given()
.auth().basic(Props.getStringProperty("user"), Props.getStringProperty("authToken"))
.with().config(RestAssured.config().connectionConfig(new ConnectionConfig())).when().get("/my-service")
Has no more SSL handshake issues.
To understand the scenario, you must be looking into this answer if the server, which you are making a request to, is configured with a self-signed SSL certificate. Trust SSL certificates are automatically validated by the browser with the help of CA(Certificate Authorities), but if it is a self-signed SSL we must configure truststore to the rest client(rest assured in this case).
What is the truststore?
Truststore is kind of vault in which you place certificates which you believe are valid, to explain further, the process involved in https validation is similar to the following steps,
You make request to the server
Server sends a certificate
Now it is clients responsibility to validate the certificate, if it was trust SSL, then browser/ http client approaches CA to validate certificate's authenticity, but since it is self signed SSL, we have to configure the http client that whom it should approach for validating certificate and that configuration is truststore's configuration
Now to complete the configuration and make the http call, follow these steps
Create a truststore file with extension "jks" in your project, have to configure the password while creating the jks file.
Download the certificate from the browser or use the created certificate(both are same), certificate extension is usually "pem" or "crt"
Now we need to import the certificate into the truststore(*.jks file), run the below command in the terminal
keytool -importcert -alias "[[alias for certificate]]" -file
[[Certificate name]].pem -keystore [[truststore name]].jks -storepass
[[truststore password]]
Now we need to configure Rest assured that it should use this truststore for https validation
given().config(newConfig().sslConfig(new SSLConfig("/truststore.jks", "truststorepassword")))
We could use the above instance to perform http get request,
given().config(newConfig().sslConfig(new SSLConfig("/truststore.jks", "truststorepassword"))).get("URL")
I'm developing a java web service, with client certificate security enabled.
I don't want to add a parameter to each method with a user ID. Since the user is already authenticating through the soap header with his client certificate, is it possible to fetch the user data (common name, email, etc) from his certificate?
Thanks!
This is how you can retrieve DN from the request,
Object certChain = request.getAttribute(
"javax.servlet.request.X509Certificate");
if (certChain != null) {
X509Certificate certs[] = (X509Certificate[])certChain;
X509Certificate cert = certs[0];
String n = cert.getSubjectDN().getName();
}
For this to work, you have to configure the HTTPS connector properly. If AJP is used, you have to configure the AJP connector so the certificate is passed from Apache to Tomcat.
Cast your java.security.cert.Certificate to java.security.cert.X509Certificate and check the methods you have available on it - like getSubjectDN()