Doorgaan naar hoofdcontent

Hermes ebXML SSL Configuration

Introduction

This blog item describes how I setup End-2-End security ebXML communication using the Hermes2 framework.
The ebMS client is on a Tomcat installation and it communicates with an Apache WebServer (running on Linux and redirecting ebms communication to Tomcat instance on the same server).


Prerequisite:
  • Hermes2 (client) and Tomcat installed
  • Hermes2 (server) and Tomcat installed
  • Server certificates generated (self signed)

Configuring Hermes2 (corvus webbapplication within Tomcat)


When you change the partner agreement to use the https:// protocol towards the receiver you will get the following error (look in the ebms.log of the ebMS sender).
hk.hku.cecid.ebms.spa.task.DeliveryException: Cannot send the message
    by hk.hku.cecid.piazza.commons.net.ConnectionException: Unable to send HTTP SOAP request
    by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    by sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at hk.hku.cecid.ebms.spa.task.OutboxTask.sendMsgByHttp(OutboxTask.java:578)
    at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:440)
    at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
    at java.lang.Thread.run(Unknown Source)

  1. You need to edit the <CorvusWebApp>/WEB-INF/classes/hk/hku/cecid/piazza/corvus/core/conf/corvus.module.xml
    <module id="piazza.corvus" name="Piazza Corvus" version="1.0">

        <component id="logger" name="System Logger">
            <class>hk.hku.cecid.piazza.commons.util.LoggerLog4j</class>
            <parameter name="config" value="hk/hku/cecid/piazza/corvus/core/conf/corvus.log.properties.xml" />      
            <parameter name="category" value="hk.hku.cecid.piazza" />
        </component>

        <component id="properties" name="System Properties">
            <class>hk.hku.cecid.piazza.commons.util.PropertyTree</class>
            <parameter name="config" value="hk/hku/cecid/piazza/corvus/core/conf/corvus.properties.xml" />
        </component>

        <component id="messages" name="System Messages">
            <class>hk.hku.cecid.piazza.commons.util.MessagesTree</class>
            <parameter name="config" value="hk/hku/cecid/piazza/corvus/core/conf/corvus.messages.xml" />
        </component>

        <!-- Set up a SSL Trust Manager for SSL connection -->
        <component id="ssl-trust-manager" name="SSL Trust Manager">
            <class>hk.hku.cecid.piazza.commons.security.KeyStoreTrustManager</class>
            <parameter name="keystore-location" value="c:/program files/java/jre1.5.0_22/lib/security/cacerts" />
            <parameter name="keystore-password" value="changeit" />
        </component>

        <!-- Set up a SSL Key Manager for SSL connection, it is configured in application server most case (e.g. Tomcat server.xml) -->
        <component id="ssl-key-manager" name="SSL Key Manager">
            <class>hk.hku.cecid.piazza.commons.security.KeyStoreKeyManager</class>
            <parameter name="keystore-location" value="d:/local/programs/hermes2/plugins/hk.hku.cecid.ebms/security/corvus.p12" />
            <parameter name="keystore-password" value="password" />
            <parameter name="key-alias" value="corvus2" />
            <parameter name="key-password" value="password" />
            <parameter name="keystore-type" value="PKCS12" />
            <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider" />
        </component>

    </module>

  2. Edit the <CorvusWebApp>/WEB-INF/classes/hk/hku/cecid/piazza/corvus/core/conf/corvus.properties.xml
    <?xml version="1.0" encoding="UTF-8"?><corvus>

        <!-- Home Directory -->
        <home>d:\local\programs\hermes2/</home>

        <!-- Plugin Registry -->
        <plugin>
            <registry>d:/local/programs/hermes2/plugins</registry>
            <descriptor>plugin.xml</descriptor>
        </plugin>

        <!-- Encoding settings -->
        <encoding>
            <servlet-request>UTF-8</servlet-request>
            <servlet-response>text/html;UTF-8</servlet-response>
        </encoding>
      
        <!-- Environment settings -->
        <environment>
            <properties>
                <http.proxyHost/>
                <http.proxyPort/>
                <https.proxyHost/>
                <https.proxyPort/>
                <sun.net.client.defaultConnectTimeout>30000</sun.net.client.defaultConnectTimeout>
                <sun.net.client.defaultReadTimeout>300000</sun.net.client.defaultReadTimeout>
                <file.encoding>UTF-8</file.encoding>
                <javax.net.ssl.keystore>d:/local/programs/hermes2/plugins/hk.hku.cecid.ebms/security/corvus.p12</javax.net.ssl.keystore>
                <javax.net.ssl.keyStorePassword>password</javax.net.ssl.keyStorePassword>
                <javax.net.ssl.keyStoreType>PKCS12</javax.net.ssl.keyStoreType>
                <javax.net.ssl.trustStore>c:/program files/java/jre1.5.0_22/lib/security/cacerts</javax.net.ssl.trustStore>
                <javax.net.ssl.trustStorePassword>changeit</javax.net.ssl.trustStorePassword>
                <javax.net.ssl.trustStoreType>PKCS12</javax.net.ssl.trustStoreType>
            </properties>
        </environment>
      
    </corvus>

    Notes:
    * Be sure to use absolute paths for the keystore locations
    * The Keymanager store is used to store the Certificate for this ebMS instance
    * The Trust Manager is used to upload the Certificates this ebMS instance can trust. When sender ebMS try to establish a secure connection, the receiver ebMS will provide a public certificate to sender ebMS to identify its identity. If this certificate is self-signed, it should be added to the truststore defined on the sender side.


When you send a message again now to the https endpoint I got the error:
hk.hku.cecid.ebms.spa.task.DeliveryException: Cannot send the message
    by hk.hku.cecid.piazza.commons.net.ConnectionException: Unable to send HTTP SOAP request
    by javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate chain not trusted
    by java.security.cert.CertificateException: Certificate chain not trusted
    at hk.hku.cecid.ebms.spa.task.OutboxTask.sendMsgByHttp(OutboxTask.java:578)
    at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:440)
    at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
    at java.lang.Thread.run(Unknown Source)

This is because I did not import the certificate of the Receiver yet into the Java TrustStore as defined above (In this case the server certificate was self signed).
  1. Import the server certificate in the trust store (be sure the certificate is X.501):
    keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

When I imported the server.crt and ca.crt (both generated on the Linux server with OpenSSL).

Reacties

Een reactie posten

Populaire posts van deze blog

Microservices mindmap

"The tree" - See also   my photo page When you are fairly new within the Microservices land, there are a lot of terms fired at you. So also for my own understanding i have made a mindmap. I think it has a good status now, so that i can share it with you. As always feedback is very welcome ! You can download the mindmap here .

OSB 10gR3 and SWA and MTOM

This blog is about using soap with attachments and the use of MTOM within the OSB (10gR3). A service is created that accepts a soap with attachment (DocumentService) and translates it to a service that accepts a binary element. MTOM is used for performance reasons for the second. Some notes: * For the use of attachments you need RPC-style document instead of the usual document-style. This due to the fact that the document-style limits a message to a single . * A service can not have both SWA and MTOM within OSB. First a WSDL is setup for the DocumentService: The $attachments variable holds the attachments and the body holds the attachment data. Also other data is stored within the attachment element (see h

Installing Oracle SOA Suite/JDeveloper 11g

This post guides you through the installation of the Oracle SOA Suite 11g with JDeveloper 11 with the use of Oracle XE database (for Windows). Note: It is assumed that Oracle XE database is already installed. Required downloads Oracle Weblogic Server 10.3.1   SOA Suite   Repository Creation Utility JDeveloper Studio The detailed steps are nicely described here . The next picture gives a nice overview of the directory structure created. Step1 -  Create Schemas for Oracle SOA Suite and Oracle BAM (RCU) Unzip the files Run bin/rcu.bat At the Database Connection Details fill in the XE details. If you encounter the next fault you have probably not started the XE database.   Ignore all warnings Click OK Select all components I ran into the following problem: When you click Ok you see the following error: And this is about the Processes DB Init parameter that is wrong. To fix this goto the Database Home page, Sql Editor and execute the following statements: a