I'm putting together a soap client to call a thirdparty soap service. I'm having issues connecting with Java. It works fine with SoapUI. This is the first time I've set up a keystore within the app. All the code I have found is the same and pretty simple but I can't figure out why the java version isn't working.. I'm using a TLS pfx file provided by the company whose service I'm trying to connect too.
I'm getting a 403 back from the server.. Here is the code
URL wsdlLocation = new URL(SECURE_INTEGRATION_WSDL);
ObjectFactory ofactory = new ObjectFactory();
HttpsURLConnection httpsConnection = (HttpsURLConnection)wsdlLocation.openConnection();
char[] password = CLIENT_KEYSTORE_PASSWORD.toCharArray();
//load keystore
FileInputStream is = new FileInputStream(new File(CLIENT_KEYSTORE_PATH));
final KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(is, password);
is.close();
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(keystore, password);
//set the ssl context
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), null,
new java.security.SecureRandom());
httpsConnection.setSSLSocketFactory(sc.getSocketFactory());
SecureIntegrationServicesImap client = new SecureIntegrationServicesImap(wsdlLocation);
SesMessage message = ofactory.createSesMessage();
ReceiveRequest r = ofactory.createReceiveRequest();
r.setEmail(ofactory.createReceiveRequestEmail("<email ommitted>"));
ArrayOfMessageSummary messages = client.getWSHttpBindingSecureIntegrationServiceImap().getMessageList(r);
log.info(messages.getMessageSummary().size());
Any help with what I'm wrong is greatly appreciated..
Not sure if it matters but the server is a .NET platform
Here is the stacktrace I'm getting
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://<host omitted>/TS?wsdl. It failed with:
Server returned HTTP response code: 403 for URL: https://<host omitted>/TS?wsdl.
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:265)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:246)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:209)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:178)
at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:363)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:321)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:230)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:211)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:207)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:114)
at javax.xml.ws.Service.<init>(Service.java:77)
at org.tempuri.SecureIntegrationServicesImap.<init>(SecureIntegrationServicesImap.java:50)
at com.wiredinformatics.utils.SecureExchange.main(SecureExchange.java:127) Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://host omitted/TS?wsdl
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1045)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:999)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:400)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:231)
... 11 more
It sounds like you're using TLS based client authentication. Based on the code you posted I suspect the issue is that you're not using httpsConnection anywhere after you initialize it. Therefore it's not trying to use your client certificate as you were expecting but is instead using the default request context settings.
Assuming you're using JAX-WS you should be able to use the solution outlined in this answer to bind your certificate to your request context (instead of initializing your own HttpsURLConnection):
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
Related
I know my way around Java but I'm fairly inexperienced when it comes to the topic of SSL certificates. So my whole approach may be complete and utter nonsense.
What I'm trying to achieve is the following: I have a webservice build with Apache CXF in a Spring Boot application. That webservice is called a x509 client certificate and I want to use that certificate to get a JWT from a Keycloak instance which I have already configured. Getting the token from keycloak works when I do it like this:
var keystore = KeyStore.getInstance("PKCS12");
keystore.load(new ClassPathResource("keystore.pfx").getInputStream(), "myPassphrase".toCharArray());
HttpClient client = HttpClients.custom().setSSLContext(new SSLContextBuilder()
.loadTrustMaterial(new ClassPathResource("truststore.jks").getFile(), "trustStorePW".toCharArray())
.loadKeyMaterial(keystore, "myPassphrase".toCharArray())
.build()
).setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();
var postRequest = new HttpPost("https://localhost:8443/realms/master/protocol/openid-connect/token");
postRequest.addHeader("Content-Type", "application/x-www-form-urlencoded");
var entity = new StringEntity("grant_type=password&client_id=my-client&client_secret=my-secret");
postRequest.setEntity(entity);
var response = client.execute(postRequest);
That's fine and tells me that my keycloak setup is correct. What I'm trying to do now is to extract the certificate from the SOAP request and forward it to the keycloak call. I've done this with an interceptor and pull the certificate from the request like this:
if (httpRequest instanceof HttpServletRequest request
&& request.getAttribute("javax.servlet.request.ssl_session_mgr") instanceof SSLSupport sslSupport
&& sslSupport.getLocalCertificateChain() != null
) {
for (var cert : sslSupport.getLocalCertificateChain()) {
var keystore = KeyStore.getInstance("PKCS12");
keystore.load(null, "passphrase".toCharArray());
keystore.setCertificateEntry("1", cert);
// then use the same code as before for calling keycloak
}
}
But now I get {"error_description":"X509 client certificate is missing.","error":"invalid_request"}. Looking into it I realize that the main difference between the two keystores is that the one created from the HttpRequest does not contain the private key, so I suspect that's the reasons it doesn't work. The keystore.pfx I used in the first example contains only the client certificate btw.
Is there a way to make it work like this or is my whole approach completely wrong? Because that's what I'm starting to suspect. And if so, how could I solve this?
I want to make a HTTP call to server that uses TLS to authenticate. Moreover server needs my IP to be whitelisted, so with AWS Lambda I need to use proxy. What I want to achieve is HTTP POST request with TLS that goes through proxy.
To achieve TLS protocol I use KeyStore with loaded certs and private key.
Making a call without proxy (locally from whitelisted IP) works, so I assume keyStore is configured correctly.
Here is how I build httpClient (it's java.net.http.HttpClient):
var keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
keyManagerFactory.init(keyStore, null);
var trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
trustManagerFactory.init(keyStore, null);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
URI proxyUri = config.getProxyUri(); // this is injected object with preloaded config parameters
HttpClient httpClient = HttpClient.newBuilder()
.sslContext(sslContext)
.proxy(
ProxySelector.of(
InetSocketAddress.createUnresolved(proxyUri.getHost(), proxyUri.getPort())))
.build();
Now making a request:
String body = createRequestBody(); // creates string with JSON
HttpRequest request = HttpRequest.newBuilder()
.uri(config.getServiceUri()) // same config as in example above
.header("Content-Type", "application/json")
.POST(BodyPublishers.ofString(body))
.build();
HttpResponse<String> response = httpClient.send(request, BodyHandlers.ofString());
Calling .send(...) causes
java.io.IOException: Tunnel failed, got: 403
# java.net.http/jdk.internal.net.http.HttpClientImpl.send(Unknown Source)
# java.net.http/jdk.internal.net.http.HttpClientFacade.send(Unknown Source)
# (method we are in above example)
Proxy doesn't need any authentication and in other AWS Lambda I've seen this proxy working with builder using only .proxy(...) method just like in the example above. So the only thing that is different is this .sslContext(...).
Do I need some more sslContext configuration? I've been searching for some examples with TLS through proxy, but I've not managed to find anything.
HttpClient.Builder Docs doesn't say anything about proxy with sslContext either.
Thanks for help!
As daniel wrote in a comment
It would seem that you have insufficient permission to access the service you're trying to use
It turned out to be proxy config that was blocking traffic to that specific host and port.
There is nothing wrong with the code above. After a change in proxy settings to it works as expected.
Thanks for help!
I have been trying to connect to a service endpoint which is 2 way SSL enabled. I am using Spring resttemplate. I have added the certificate in keystore, but I am getting the below mentioned error:
>org.springframework.web.client.ResourceAccessException: I/O error on POST request for "path":Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLException: Received fatal alert: handshake_failure
I enabled the SSL debus logs and in the logs I can see the warning as well:
<BEA-000000> <Warning: no suitable certificate found - continuing without client authentication>
Same code is working fine with same implementation on my DEV server, but not working on UAT server, but on UAT server REST call on same endpoint is working fine(which is also 2 way SSL enabled). Below is the code that I am using for SOAP and REST call:
REST:
ObjectMapper mapper = new ObjectMapper();
ServReqRespLogMgr reqRespLogMgr = (ServReqRespLogMgr)UtilityMgr.getBean("servReqRespLogMgr");
SSLContext sc = SSLContext.getInstance(StringUtils.trimToEmpty(PropertyUtil.getProperty("SSL_CONTEXT")));
PasswordEncryptor pe = new PasswordEncryptor();
KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(new FileInputStream(PropertyUtil.getProperty("JKS_LOC_VALUE")), pe.decrypt(PropertyUtil.getProperty(IConstants.JKS_PWD_VALUE)).toCharArray());
factory.init(keyStore, pe.decrypt(PropertyUtil.getProperty(IConstants.JKS_PWD_VALUE)).toCharArray());
sc.init(factory.getKeyManagers(), null, null);
CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sc).build();
ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
RestTemplate restTemplate = new RestTemplate(requestFactory);
HttpHeaders headers = new HttpHeaders();
SOAP:
BindingProvider bindingProvider = (BindingProvider) services;
bindingProvider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, filenetWsUrl);
Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("X-APPCERT", Arrays.asList(StringUtils.trimToEmpty(PropertyUtil.getProperty("FILENET_APP_CERT"))));
bindingProvider.getRequestContext().put(MessageContext.HTTP_REQUEST_HEADERS,headers);
bindingProvider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, filenetWsUrl);
SSLContext sc = SSLContext.getInstance(StringUtils.trimToEmpty(PropertyUtil.getProperty("SSL_CONTEXT")));
KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(new FileInputStream(PropertyUtil.getProperty("JKS_LOC_VALUE")), jksPwd);
factory.init(keyStore, jksPwd);
sc.init(factory.getKeyManagers(), null, null);
//sc.init(factory.getKeyManagers(), null, null);
//End Trust Store
((BindingProvider) services).getRequestContext().put(JAXWSProperties.SSL_SOCKET_FACTORY, sc.getSocketFactory());
I checked the permission on keystore file which looks good. If I switch to one way SSL endpoint then also its working fine. My Java run time is 1.8.0_144 and my app server is WebLogic 12.2.1.3.
Can anyone help me with this please?
Here are few things you have to check.
Check if your Cert chain is properly created.
Add your certs to CACERTS file and configure weblogic to point to the CACERTS file.
This should most definitely resolve your problem.
I have been attempting to have my jersey client do a ssl client authentication with my Jersey/Grizzly Rest api. Other clients are successful handshaking with this server, but I am having trouble with my java client using Jersey client. When I run the code below, the keystore is successfully loaded and when the SslConfigurator's createSSLContext() is called, the ssl debug output shows this keystore properly being accessed and my private keys found.
However, when the Client's WebTarget is used, the ssl debug output shows the handshake is happening with the default keystore JKS. Why isn't the ClientBuilder using this keystore from the SSLContext?
File tmpConfigFile = File.createTempFile("pkcs11-", "conf");
tmpConfigFile.deleteOnExit();
PrintWriter configWriter = new PrintWriter(new FileOutputStream(tmpConfigFile), true);
configWriter.println("name=ActiveClient");
configWriter.println("library=\"C:\\\\Program Files\\\\ActivIdentity\\\\ActivClient\\\\acpkcs211.dll\"");
configWriter.println("slotListIndex=0");
SunPKCS11 provider = new SunPKCS11(tmpConfigFile.getAbsolutePath());
Security.addProvider(provider);
// KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
KeyStore keyStore = KeyStore.getInstance("PKCS11");
keyStore.load(null, null);
ClientConfig config = new ClientConfig();
SslConfigurator sslConfig = SslConfigurator.newInstance()
.keyStore(keyStore)
.keyStorePassword("mypin")
.keyStoreType("PKCS11")
.trustStoreFile(TRUSTORE_CLIENT_FILE)
.trustStorePassword(TRUSTSTORE_CLIENT_PWD)
.securityProtocol("TLS");
final SSLContext sslContext = sslConfig.createSSLContext();
Client client = ClientBuilder
.newBuilder().hostnameVerifier(new MyHostnNameVerifier())
.sslContext(sslContext)
.build();
WebTarget target = client.target("https://localhost:8443/appname/resources/employees?qparam=something");
Response res = target.request().accept(MediaType.APPLICATION_JSON).get();
This code actually worked. The problem was that my server's trust certificate wasn't available for the smart card cert that it needed to trust. I added the correct certs to the truststore on the server and then it worked. The ssl debug messages weren't very clear.
I've run into many issues this time and I found a way to achieve my goals. In your example I can not see any use of ClientConfig config instance. This worked for me:
ClientConfig config = new ClientConfig();
config.connectorProvider(new ApacheConnectorProvider());
Client client = ClientBuilder.newBuilder().hostnameVerifier(new MyHostnNameVerifier())
.sslContext(sslContext).withConfig(config).build();
I found ApacheConnectorProvider more suitable for connections using secure layers or proxies (witch was another huge problem I solved).
I have to access the webservice with 2 way authentication. Below is my approach.
Created MyCustomSSLSocketFactory class.
Loaded TrustManagers
Loaded Keystore Managers
Created SSL Context and SSL socket factory as below.
I call this class method just before calling webservice method.
Then i have done as below:-
AxisProperties.setProperty("axis.socketSecureFactory",
"com.elipva.zephyr.twofa.util.MyCustomSSLSocketFactory");
Security.setProperty("ssl.SocketFactory.provider",
"com.elipva.zephyr.twofa.util.MyCustomSSLSocketFactory");
SSLContext context = SSLContext.getInstance(protocolVersion);
context.init(keyManagers, trustManagers, null);
SSLSocketFactory socketFactory = context.getSocketFactory();
URL url = new URL(urlString);
URLConnection connection = url.openConnection();
if (connection instanceof HttpsURLConnection) {
((HttpsURLConnection) connection)
.setSSLSocketFactory(sslSocketFactory);
connection.connect();
}
when i access the webservice it gives me below error.
org.apache.axis2.AxisFault: Unconnected sockets not implemented
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:203)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:76)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:400)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:225)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:435)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:402)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
Please let me know if i am missing anything.
Issue got resolved, simply imported certificates in cacerts file.
I think it could be this Java bug - http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6771432
Note that this is supposedly fixed in java 1.6.0_u14