SSL and Java (ciak 2)

credits: Vagamundos (from flickr)

credits: Vagamundos (from flickr)

Last time we spoke about accessing a site via HTTPS using the pure Sun way.

Today, we see the same problem, solved with the apache HttpClient libraries. This library require a keystore specified in the code. In order to generate a keystore, you will have to download a certification file as described in the previous post and then create a keystore using the keytool program. I don’t remember well how to create a new keystore with the required certificate via keytool (I did’t write it down), but reading the help of the program it should be something like:

keytool -importcert -alias <my_alias_certificate> -file <path_to_the_cer_file> -keystore myKeystore.ks

where myKeystore.ks is the name of the file containing the keystore. The pros of using this approach is that you can provide a .ks file among with the program, in a location desired and the program will use it, avoiding post-installation procedures to register the certificate on each jvm.

So, assuming to have our keystore into a sub-directory certs the code for using the site is in the pdf as usual.

Advertisements

SSL and java

credits: ph0t0 (from flickr)

credits: ph0t0 (from flickr)

Sooner or later it happens that you have to access an https via Java. Accessing a generic http (non ssl) site is quite easy using the URL and URLConnection objects.

When you try to access a site through SSL the main problem is that most sites does not have a registration in the java’s Certificate Autorithy (CA), causing the framework to refuse connection to that site. So the main solution is to register the certificate of that site in the java’s CA.

So, the things to do are:

  1. download the site certificate
  2. register it in the java’s CA
  3. accessing the site

Downloading the certificate

In order to download the certificate we are gonna use Firefox. With firefox navigate to the site and if required accept the certificate. Double click on the icon of the certificate (1), in the screen that appear choose view certificate (2), on details tab (3) use the export button (4) and save it wherever you want (5).

screen

Register the certificate

Once downloaded the .cer file (X 509 Certificate DER), you can import it into the CA using the a command line program deployed with the j2se installation: keytool.

Java’s CA and keytool are available in the $JAVA_HOME/lib/security/ and an example of using the keytool (under windows) is the following

C:\Program Files\Java\jre6\lib\security>keytool -import -trustcacerts -alias fonsai -keystore cacerts -file fonsai.cer

where fonsai.cer the file name of the certificate just downloaded.

Maybe if you are using eclipse, you will have to restart the workbench in order to make the registration visible to the jvm.

The main counterpart of using this approach is that you have to register the certificate for each jvm running the program and since certificate can expire you should have to do this operation more than one time. I advise to automate the registration operation with a shell script to be distributed among with the program.

Accessing the site

Once registered the site’s certificate, you can access it as usual using the URL and URLConnection objects. It should be enough to tell (via System.properties) an SSL provider. Here is a PDF with the code.