I developed an application that uses the Apache XML Security library for XML encryption and signing. It runs on Sun's JDK without any problems; however, the IBM JDK gives me tons of problems.
It doesn't sign correctly (validation fails), and the PKCS11 provider fails to encrypt.
It seems that the problem is that IBM provides their own security providers.
I tried to comment out those providers (namely FIPS), and I almost managed to get the same behaviour as on Sun's JDK, except for the PKCS11 provider, which always fails.
Any suggestions?
Does this thread help? http://www.ibm.com/developerworks/forums/message.jspa?messageID=1315965
I had trouble in the past with an SSL enabled web application in Apache Tomcat because Tomcat defaults to using algorithm=SunX509 when you define a secure Connector. When using the IBM JDK, you must override by explicitly using algorithm=Ibmx509.
I'm guessing there's a similar issue at the root of your problem.
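The answer above boils down to "don't hard-code provider-specific algorithm names". The following diagnostic is an added example, not code from the question or the answer: run it once on the Sun/Oracle JDK and once on the IBM JDK and compare the output. It lists the installed providers in preference order, shows the portable way to obtain a KeyManagerFactory (ask the JSSE for its default algorithm instead of writing "SunX509"), checks which provider actually serves a given JCA service such as Signature.SHA256withRSA or KeyStore.PKCS11, and reports which provider backs the JDK's own XMLSignatureFactory. The class name ProviderDiagnostics and the algorithm names probed in main are my choices.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.crypto.dsig.XMLSignatureFactory;

/**
 * Added diagnostic (not from the original post). Provider and algorithm names differ
 * between Sun/Oracle and IBM JDKs; code that hard-codes one of them fails on the other.
 */
public class ProviderDiagnostics {

    /** Prints every installed provider in preference order: the first match wins. */
    public static void listProviders() {
        int i = 1;
        for (Provider p : Security.getProviders()) {
            System.out.printf("%2d  %-14s %s%n", i++, p.getName(), p.getInfo());
        }
    }

    /**
     * Portable KeyManagerFactory lookup: the default algorithm is "SunX509" on
     * Sun/Oracle and "IbmX509" on IBM, so let the JSSE tell you which one it has.
     */
    public static KeyManagerFactory defaultKeyManagerFactory() throws NoSuchAlgorithmException {
        return KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    }

    /** The failure mode: a hard-coded algorithm name the running JDK may not provide. */
    public static boolean hasKeyManagerAlgorithm(String algorithm) {
        try {
            KeyManagerFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Name of the provider that would serve "service.algorithm", or "(none)". */
    public static String providerFor(String service, String algorithm) {
        Provider[] ps = Security.getProviders(service + "." + algorithm);
        return ps == null ? "(none)" : ps[0].getName();
    }

    public static void main(String[] args) throws Exception {
        listProviders();
        System.out.println("default KeyManagerFactory algorithm:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("default TrustManagerFactory algorithm: " + TrustManagerFactory.getDefaultAlgorithm());
        System.out.println("SunX509 available: " + hasKeyManagerAlgorithm("SunX509"));
        System.out.println("IbmX509 available: " + hasKeyManagerAlgorithm("IbmX509"));
        System.out.println("Signature.SHA256withRSA served by: " + providerFor("Signature", "SHA256withRSA"));
        System.out.println("KeyStore.PKCS11 served by:         " + providerFor("KeyStore", "PKCS11"));
        // The JDK's XML-DSig factory is resolved the same way; report which provider you got.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        System.out.println("XMLSignatureFactory(DOM) provider: " + fac.getProvider().getName());
    }
}
```

If Signature.SHA256withRSA or KeyStore.PKCS11 resolves to a different provider on the two JDKs, that is where to start looking: Apache XML Security delegates the actual signing and key handling to whichever JCA provider wins the lookup, and a provider order that works on Sun's JDK is not guaranteed to exist on IBM's.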
I've started getting javax.net.ssl.SSLPeerUnverifiedException when making an HTTPS request to a Spring Boot based Java application from another Spring Boot based Java application (a test suite for the former) after upgrading Spring Boot from version 2.1.0 to 2.2.0.M3 in both applications. I can confirm that the SSL certificate for the site is shown as valid in a browser (Google Chrome), the host name in it matches the one in the HTTPS URL, and by just downgrading Spring Boot back to 2.1.0 I can access the URL without the exception again. Oracle JDK 11.0.1 is used. The SSL certificate is issued by Let's Encrypt, if this makes a difference. How to fix this?
Upgrading to Oracle JDK 11.0.4 solved the problem. I saw similar advice for OpenJDK in another SO question, but decided not to mix things up for the two JDKs.
In my current project, I have an Oracle Database 11g. Java 1.6 is installed on the database.
My task is to connect over HTTPS to a web service provider from a database procedure (PL/SQL). For this task I have used a Java stored procedure (rather than the HTTP_UTIL PL/SQL package) because I also need to sign the XML with a certificate before sending it. The whole process worked well until now (picture A).
Nowadays the web service provider has disabled TLS 1.0 and only TLS 1.1 and TLS 1.2 are supported. This causes me problems because Java 1.6 does not support TLS 1.1 and TLS 1.2, and it's impossible to upgrade Java on the database side.
The idea is to write some kind of web service proxy (picture B):
My idea is to make some kind of web service proxy (web service to web service communication over SSL), but I don't know if this is the right approach to take. Another question is what the best (simplest) way to do that is. For web service deployment I have an Oracle WebLogic or Tomcat container.
Thank you for any info. I can't get any support from Oracle about this scenario (consuming a web service from Oracle 11g over TLS 1.1/TLS 1.2).
You could use Bouncy Castle as a JCE provider, if it is possible to load additional libs into the JVM.
Then you would have to use Bouncy Castle in your SSL connection as described here.
Otherwise you could upgrade your database if you can somehow sign your XML in PL/SQL.
Else you can also go for the other alternative you mentioned; as long as it is in a secured environment it should not be a problem. Maybe this can also simplify your setup, since you do not have to sign your XML in the database but can rather do it in the Oracle/Tomcat container.
Solved with:
SSLContext sslcontext = SSLContext.getInstance("TLS",new BouncyCastleJsseProvider());
Now I have to upload the libraries with loadjava to the Oracle database.
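The one-liner above is the core of the fix, but on its own it still lets the JSSE negotiate whatever it likes and leaves trust handling implicit. The following is an added example (not code from the question, the answer, or Bouncy Castle's own documentation) of the complete client side: register the BC JCE provider (BCJSSE does the TLS protocol and delegates the crypto to "BC"), build a TLSv1.2 SSLContext from BCJSSE with a PKIX trust manager, wrap the socket factory so that only TLSv1.2 is ever enabled, and POST an already-signed XML document through HttpsURLConnection. It is written against the Java 6 language level because that is what the database JVM runs. Assumptions, in both the lead-in and the code: the bcprov and bctls jars are on the classpath (or loaded with loadjava as the poster does); initialising BCJSSE's TrustManagerFactory with a null KeyStore loads the JVM's default trust store; the class name BcTls12Client and method names are mine.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/** Added example: TLS 1.2 from a Java 6 JVM through BCJSSE. Assumes bcprov + bctls jars are loaded. */
public class BcTls12Client {

    /** SSLContext whose TLS engine is BCJSSE, trusting the JVM's default trust store. */
    public static SSLContext tls12Context() throws Exception {
        // BCJSSE delegates all crypto to the "BC" JCE provider, so that one must exist first.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        BouncyCastleJsseProvider jsse = new BouncyCastleJsseProvider();
        if (Security.getProvider(jsse.getName()) == null) {
            Security.addProvider(jsse);
        }
        // Take the trust manager from BCJSSE too, so chain validation does not fall back to
        // SunJSSE. Null KeyStore = default trust store (assumed BCJSSE behaviour).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", jsse);
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2", jsse);
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Socket factory wrapper that pins the enabled protocol list on every socket it hands out. */
    static final class ProtocolPinningFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final String[] protocols;

        ProtocolPinningFactory(SSLSocketFactory delegate, String[] protocols) {
            this.delegate = delegate;
            this.protocols = protocols.clone();
        }
        private Socket pin(Socket s) {
            if (s instanceof SSLSocket) {
                ((SSLSocket) s).setEnabledProtocols(protocols); // e.g. only "TLSv1.2"
            }
            return s;
        }
        public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return pin(delegate.createSocket(s, host, port, autoClose));
        }
        public Socket createSocket(String host, int port) throws IOException {
            return pin(delegate.createSocket(host, port));
        }
        public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
            return pin(delegate.createSocket(host, port, localHost, localPort));
        }
        public Socket createSocket(InetAddress host, int port) throws IOException {
            return pin(delegate.createSocket(host, port));
        }
        public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
            return pin(delegate.createSocket(addr, port, localAddr, localPort));
        }
    }

    /** POSTs an already-signed XML document over TLS 1.2 only and returns the response body. */
    public static String postSignedXml(String endpoint, byte[] signedXml) throws Exception {
        SSLContext ctx = tls12Context();
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setSSLSocketFactory(new ProtocolPinningFactory(ctx.getSocketFactory(), new String[] {"TLSv1.2"}));
        // Deliberately keep the default HostnameVerifier; never replace it with one that returns true.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=UTF-8");
        conn.setConnectTimeout(10000);
        conn.setReadTimeout(30000);
        OutputStream out = conn.getOutputStream();
        try { out.write(signedXml); } finally { out.close(); }
        InputStream in = conn.getInputStream();
        try {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] b = new byte[8192];
            for (int n; (n = in.read(b)) != -1; ) buf.write(b, 0, n);
            return buf.toString("UTF-8");
        } finally { in.close(); }
    }
}
```

Two practical notes. The protocol pinning matters because an SSLContext named "TLSv1.2" only guarantees that 1.2 is supported, not that older versions are disabled; setting the enabled protocols on each socket is what actually refuses a downgrade. And inside the Oracle JVM, loading the jars is usually not enough on its own: the schema that owns the stored procedure typically also needs a java.net.SocketPermission grant (dbms_java.grant_permission) for the target host and port before the outbound connection is allowed.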
We still have an implementation of this running on an old Tomcat Java 1.5 box. It's used for SSO for our own domain email via Google.
https://developers.google.com/google-apps/sso/saml_reference_implementation_web#file-and-directory-structure-for-saml-reference-code
I noticed there is a warning that this is old and no longer compatible. Is there an updated how-to or sample that we can implement into an EAR file for WebSphere with Java 1.6? I haven't been able to find anything yet. Thanks.
I am working on creating a CAM (custom authentication module/provider) for Cognos 10.
Various encrypted information is passed into the provider from the query string. The Namespace's authentication process is then designed to talk to a web service in order to validate the encrypted information wasn't tampered with and to make sure the user's "session" in the authenticating application hasn't expired.
The authenticating application uses .NET and has the web service exposed for use with SOAP requests (1.1 and 1.2, I believe). I pointed wsimport at the WSDL and generated a set of classes that works when I build a standard Java console app and pass along debug values.
When I add this code into my Namespace class and attempt the request to the web service, I get this error from Cognos:
com.sun.xml.internal.ws.spi.ProviderImpl (initialization failure)
I thought Cognos 10 was using JDK 1.6. I am developing my CAM code in 1.6 (64bit JDK). I should have 64bit Cognos running but I do not know if it is using a 32bit JDK. Could a possible disparity in 32bit vs. 64bit be causing the issue?
Any clue as to why the generated classes from wsimport (JAX-WS) won't work in Cognos? Is there a way around this?
I'm going to mark this as answered but I'll put the caveat that I haven't tested this.
After dealing with trying to get 3rd-party libraries to work with my CAP/CAM, I figured that the reason JAX-WS was not working correctly was that Cognos didn't have it included in its Java distribution.
I got a similar error to the above when trying to use Microsoft's JDBC implementation to talk to a SQL Server for namespace searches. This leads me to believe that the same situation exists with JAX-WS.
I looked around for the jar file that should contain the classes that would need to be there. I didn't see any jar file named the same as what I have for 1.6. Unless it truly isn't supported in Cognos, I think including the jar file for JAX-WS in the WEB-INF/lib folder will allow web service communication using JAX-WS.
I'd like to test whether my Geneva-based federated security services can be consumed with NetBeans/WSIT. Is there something like a step-by-step guide? The server side uses the 'message credentials over HTTPS' security mode, while all the examples I've seen rely on message-level encryption and focus on consuming a .NET STS from a Java RP service.
Here are some links.
mszCool: Identity Interoperability - Geneva Beta 1 STS with .NET Client and Netbeans 6.5 / Metro 1.3 / WSIT / Java client working..
The WSIT Tutorial.
WSIT Documentation: Security Mechanisms:
"However, the message security mechanisms require a newer version of certificates than is available with GlassFish. You can download valid keystore and truststore files for the client and server as described in To Manually Update GlassFish Certificates.
To use this mechanism, follow the steps in Configuring SSL For Your Applications.
See Also: Example: Transport Security (SSL)."