Great. BTW, do you do a trust validation on the received certificate?

thanks,
nandana
On Thu, Jan 29, 2009 at 6:29 PM, Sebastian Van Sande <[email protected]> wrote:
> Thanks a lot, Nandana, injecting a custom socket factory into axis2 did the job!
>
> This is what I did:
> - I created a custom socket factory, based on the one you can find at
> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
> - I added a method in this custom socket factory to reset the sslContext.
> This will result in reloading the keystore.
>
> The whole flow now works as follows when a certificate should get renewed in the keystore:
> - The application calls a method which will call a method on a stub
> - The stub method throws an exception which is caught ...
> - In this catch block I try to do an SSL handshake with the keystore.
> - If the SSL handshake fails, I start an update method on a keystore manager ..
> - this update method will extract all the certificates from the service and put them in the keystore file
> - then, it will re-init the sslcontext in the custom socket factory
> - the flow returns to the catch block in the original called method, which will call the method on the stub one more time with the same parameters. If it fails again, it will throw an exception to the caller ...
>
> The result is that no operator action is needed to update the keystore manually with new certificates and/or restart the application. Everything goes automatically!
>
> Thanks again!
>
> Kind regards,
> Sebastian
>
>
> On Thu, Jan 29, 2009 at 11:57 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>
>>
>>> ... will Axis2 detect this and use my custom Protocol and MySSLSocketFactory?
>>>
>>>
>> You need to set a property in the options [1].
>>
>> thanks,
>> nandana
>>
>> [1] - http://wso2.org/library/1646
>>
>>
>>> I see that I can use AuthSSLProtocolSocketFactory as my custom SSL Socket Factory to make use of my keystore and force reloading.
>>>
>>> Thanks again for your help.
>>>
>>> Kind regards,
>>> Sebastian
>>>
>>>
>>> On Thu, Jan 29, 2009 at 9:44 AM, Nandana Mihindukulasooriya <[email protected]> wrote:
>>>
>>>> I assume you use Axis2 as a web service client. I think a better solution for you would be to use a custom SSL Socket factory to handle your scenario.
>>>> You can find more information on how to implement and use a custom SSL Socket factory here [1]. You can also raise the question on the commons http client list too.
>>>>
>>>> thanks,
>>>> nandana
>>>>
>>>> [1] - http://hc.apache.org/httpclient-3.x/sslguide.html
>>>>
>>>> On Thu, Jan 29, 2009 at 1:56 PM, Sebastian Van Sande <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for your reply, Yves Marie!
>>>>>
>>>>> Unfortunately, restarting the application is something we don't want since this application will run 24/7 in a production environment.
>>>>>
>>>>> I'm looking for a way to let Axis2 know to reload the keystore file at runtime, without restarting my application.
>>>>> I know *when* it has to reload the keystore file, I just don't know *how* to do this in code.
>>>>>
>>>>> If anyone knows how to let Axis2 reload the keystore file, let me know!
>>>>>
>>>>> Kind regards,
>>>>> Sebastian
>>>>>
>>>>>
>>>>> On Thu, Jan 29, 2009 at 9:11 AM, DANIEL, Yves Marie <[email protected]> wrote:
>>>>>
>>>>>> Hi !
>>>>>>
>>>>>> With a Jonas application server and mutual authentication with SSL, we found that we had to restart Jonas so it could see the changes of path or content for keystores. It seems to be the same with tomcat; don't know if it is Axis2 or the application server.
>>>>>>
>>>>>> Yves-Marie
>>>>>>
>>>>>> ------------------------------
>>>>>> *From:* Sebastian Van Sande [mailto:[email protected]]
>>>>>> *Sent:* Thursday 29 January 2009 08:07
>>>>>> *To:* [email protected]
>>>>>> *Subject:* Re: Reload keystore file
>>>>>>
>>>>>> Does anyone have a clue how I can refresh the keystore in axis2?
>>>>>> Thank you.
>>>>>>
>>>>>> On Wed, Jan 28, 2009 at 10:56 AM, Sebastian Van Sande <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a problem with Axis2.
>>>>>>>
>>>>>>> At my project, we have a Microsoft Exchange 2007, and some other project has created an API to interact with this Exchange server with the help of Axis2.
>>>>>>> This other project uses a Websphere server to manage a keystore to do basic authentication over SSL.
>>>>>>> My application, on the other hand, runs as a standalone application, and I have to manage the keystore myself.
>>>>>>>
>>>>>>> Now, I managed to use this keystore to call the Exchange 2007 Web services over SSL, and it works great.
>>>>>>> But, as you probably know, certificates expire ... and they have to get renewed.
>>>>>>>
>>>>>>> So, I managed to create something, a 'KeyStoreManager', that will fetch the new certificates from the Exchange server and put them in the keystore file.
>>>>>>> And this works great as well .. *IF* I restart my application.
>>>>>>>
>>>>>>> When my application modifies the keystore file, it looks like Axis2 is using some caching mechanism. Because when I make the web service call again (after inserting the new certificate in my keystore), it can't authenticate because it cached the keystore file in memory.
>>>>>>>
>>>>>>> To specify the keystore to Axis2, I use this code:
>>>>>>>
>>>>>>> System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore.jks");
>>>>>>> System.setProperty("javax.net.ssl.trustStorePassword", "thisisnottherealpassword");
>>>>>>>
>>>>>>> To extract the new certificate and add it to my keystore, I use code based on the one you can find at
>>>>>>> http://helpdesk.objects.com.au/java/how-do-i-programatically-extract-a-certificate-from-a-site-and-add-it-to-my-keystore
>>>>>>>
>>>>>>> The problem is: when the keystore file is updated with the new certificate, axis2 doesn't seem to know about it because it uses a cached version of the keystore file.
>>>>>>>
>>>>>>> So my question is: how can I clear this axis2 keystore cache in some way so axis2 will be forced to read the keystore file again?
>>>>>>>
>>>>>>> Thank you for your help,
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Sebastian
>>>>>>
>>>>>>
>>>>>> This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Nandana Mihindukulasooriya
>>>> WSO2 inc.
>>>>
>>>> http://nandana83.blogspot.com/
>>>> http://www.wso2.org
>>>
>>>
>>
>

--
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org
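Added example (not code from the thread, Axis2 or HttpClient): the "cache" Sebastian ran into is the default JSSE SSLContext, which reads javax.net.ssl.trustStore once when it is first initialised and never looks at the file again. The class below avoids that by routing trust decisions through an X509TrustManager that can re-read the store on demand, so a single SSLContext stays valid across renewals. It also shows the check Nandana's question points at: a renewed certificate is imported only if the chain captured from the failed handshake validates (PKIX) against a pinned CA certificate; importing whatever the server presented on a failed handshake would otherwise also accept a certificate from an interposed host. Assumptions, all hypothetical: the store is a JKS file at a path you supply, the pinned anchor is the CA you already expect to have issued the Exchange certificate, and revocation checking is left to deployment policy.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Trust manager that re-reads its JKS trust store on demand (example code, hypothetical names). */
public final class ReloadableTrustManager implements X509TrustManager {
    private final String storePath;       // assumption: e.g. /path/to/keystore.jks
    private final char[] storePassword;
    private volatile X509TrustManager delegate;

    public ReloadableTrustManager(String storePath, char[] storePassword)
            throws GeneralSecurityException, IOException {
        this.storePath = storePath;
        this.storePassword = storePassword.clone();
        reload();
    }

    private KeyStore loadStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** Re-read the file and swap the delegate; the next handshake sees the new trust set. */
    public synchronized void reload() throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore());
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager for " + storePath);
    }

    /** SSLSocketFactory whose trust decisions go through this manager; never needs recreating. */
    public SSLSocketFactory socketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx.getSocketFactory();
    }

    /**
     * Import the renewed server certificate (chain captured from the failed
     * handshake, leaf first) only if it validates against the pinned CA anchor.
     */
    public synchronized void importIfIssuedBy(X509Certificate[] chain, X509Certificate anchor,
                                              String alias)
            throws GeneralSecurityException, IOException {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!c.equals(anchor)) {   // the anchor itself is not part of the validated path
                path.add(c);
            }
        }
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false); // assumption: revocation handled elsewhere
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Throws CertPathValidatorException on a chain that does not lead to the anchor,
        // is expired, or carries a bad signature; nothing is written in that case.
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);

        KeyStore ks = loadStore();
        ks.setCertificateEntry(alias, path.get(0));
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, storePassword);
        }
        reload();   // make the new entry visible to the SSLContext already in use
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}
```

To use it with Axis2 as in the thread, wrap `socketFactory()` in an HttpClient 3.x SecureProtocolSocketFactory (the AuthSSLProtocolSocketFactory linked above is the template) and register the resulting https Protocol through the client Options property described in the WSO2 article Nandana linked; the catch-block retry then calls `importIfIssuedBy(...)` instead of an unconditional import. If the Exchange certificate is self-signed there is no chain to validate, and the equivalent check is to compare the fetched certificate's fingerprint against a value obtained out of band before storing it.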
