Several client toolkits, including Apache SOAP, enforce strict checking when validating server certificates during SSL-based connections. This article describes how to configure the client environment so that it can communicate with servers that use self-signed server certificates, by adding the server certificate to the client's trust store rather than by disabling certificate validation.

Language: Java

Contents

Introduction
Diagnosing the problem
Resolving the problem
Related Links
Introduction
By default, F5 Networks controllers embed the hostname of the machine as the name in the server security certificate. This name must match the hostname in the URL used to connect to the server. For example, if the server certificate was created with a hostname of server.company.com, then the URL for the SOAP request must be http[s]://server.company.com/....

There might also be problems because the F5 Networks controllers self-sign their own certificates. This means that your browser will issue a warning that the certificate was issued by an authority you have not chosen to trust. For the Apache SOAP Toolkit, you must import the server certificate into the local keystore so that the client recognizes it.

Refer to the keytool documentation for help on importing the server certificate into your local keystore for Apache SOAP/Java: keytool - Key and Certificate Management Tool

Diagnosing the problem

When attempting communication over SSL, an IllegalArgumentException such as the one below is most likely caused by the self-signed server certificate not being present in the local trust store.

'./run.sh SystemInfo 192.168.1.1 443 user_name user_password'
[SOAPException: faultCode=SOAP-ENV:Client;
    msg=Error opening socket: null;
    targetException=java.lang.IllegalArgumentException: Error opening socket: null]
        at org.apache.soap.transport.http.SOAPHTTPConnection.send(SOAPHTTPConnection.java:324)
        at org.apache.soap.rpc.Call.invoke(Call.java:205)
        at support.SOAP.java.System.SystemInfo.getSystemInfo(SystemInfo.java:112)
        at support.SOAP.java.System.SystemInfo.main(SystemInfo.java:203)

Setting the javax.net.debug system property (passed to the JVM through the SSL_DEBUG variable in the run below) turns on SSL tracing, which shows the client sending a fatal "certificate_unknown" alert because it cannot verify the server certificate.

set SSL_DEBUG=-Djavax.net.debug=ssl
./run.sh SystemInfo 192.168.1.1 443 user_name user_password
...
main, SEND SSL v3.1 ALERT:  fatal, description = certificate_unknown
main, WRITE:  SSL v3.1 Alert, length = 2
[SOAPException: faultCode=SOAP-ENV:Client;
    msg=Error opening socket: null;
    targetException=java.lang.IllegalArgumentException: Error opening socket: null]
        at org.apache.soap.transport.http.SOAPHTTPConnection.send(SOAPHTTPConnection.java:324)
        at org.apache.soap.rpc.Call.invoke(Call.java:205)
        at support.SOAP.java.System.SystemInfo.getSystemInfo(SystemInfo.java:112)
        at support.SOAP.java.System.SystemInfo.main(SystemInfo.java:203)

Resolving the problem

The first step is to make sure that the client application is using the correct trust store, URL handler, and SSL provider. The following code fragment shows the required settings.

import java.security.Security;

// Location of the client trust store (the keystore the server certificate is imported into below).
System.setProperty("javax.net.ssl.trustStore", "path_to_trust_store/.keystore");
// Use Sun's reference implementation of a URL handler for the "https" URL protocol type.
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
// Dynamically register Sun's SSL provider so that "https" connections can be opened.
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

Next, the server certificate must be stored in the local trust store. On the F5 controllers, this file is located in the /config/bigconfig/ssl.crt directory and is named "server_fully_qualified_host_name.crt". Download it to the client with the secure copy command (scp):

scp server_host_name:/config/bigconfig/ssl.crt/server_fully_qualified_host_name.crt .

Then the JDK's keytool command is used to import the certificate into the local trust store. Enter the keystore password when prompted, and answer [yes] when asked whether to trust the certificate.

keytool -import \
        -alias hostname \
        -keystore path_to_trust_store/.keystore \
        -file server_fully_qualified_host_name.crt
Enter keystore password: Keystore password
Owner: ...
Issuer: ...
Serial number: ...
Valid from: ...
Certificate fingerprints:
    MD5:  ...
    SHA1: ...
Trust this certificate? [no]: yes
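As an added example that is not part of the original article or of the iControl SDK, the following Java program checks the result of the three steps above: it opens the trust store, confirms the alias was imported, prints the certificate fingerprints so they can be compared with the values keytool displayed before you answered "yes", checks that the certificate's name matches the host in the request URL (the requirement described in the Introduction), and finally opens an HTTPS connection that trusts only that store, with hostname verification left on. The class name TrustStoreCheck, its command-line arguments, and the use of the standard javax.net.ssl API with HttpsURLConnection are assumptions of this example; the article's own client uses the Apache SOAP transport and the older com.sun.net.ssl provider.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Verifies that a server certificate was imported into the client trust store
 * and that its name matches the host the SOAP client will connect to, then
 * opens an HTTPS connection that trusts only that store.
 *
 * Usage (argument names are placeholders chosen for this example):
 *   java TrustStoreCheck path_to_trust_store/.keystore keystore_password hostname https://server.company.com/
 */
public class TrustStoreCheck {

    /** Colon-separated hex digest of the DER encoding, in the form keytool prints. */
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** True if host appears as a dNSName SAN, or as the subject CN for older certificates without SANs. */
    static boolean nameMatches(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName.
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true;
                }
            }
        }
        // Self-signed controller certificates carry the hostname in the subject CN.
        String dn = cert.getSubjectX500Principal().getName();
        for (String rdn : dn.split(",")) {
            String[] kv = rdn.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equalsIgnoreCase("CN") && kv[1].equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String storePath = args[0], storePass = args[1], alias = args[2], url = args[3];

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass.toCharArray());
        }

        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            System.err.println("alias '" + alias + "' not found; the keytool -import step did not succeed");
            System.exit(1);
        }
        // Compare these with the fingerprints keytool showed at the "Trust this certificate?" prompt.
        System.out.println("SHA1:   " + fingerprint(cert, "SHA-1"));
        System.out.println("SHA256: " + fingerprint(cert, "SHA-256"));

        String host = new URL(url).getHost();
        if (!nameMatches((X509Certificate) cert, host)) {
            System.err.println("certificate name does not match URL host " + host + "; the handshake will fail");
            System.exit(1);
        }

        // Trust only this store for the connection, instead of relying on the global
        // javax.net.ssl.trustStore property. Hostname verification stays enabled.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        System.out.println("HTTP " + conn.getResponseCode() + " from " + host);
    }
}
```

If the fingerprints printed here differ from those shown on the controller, the wrong certificate was imported and should be removed with keytool before repeating the import. Passing a per-connection SSLContext is preferable to the global property in the earlier fragment when the same JVM also talks to servers with publicly trusted certificates, because it keeps the self-signed trust limited to the connection that needs it.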

Related Links

iControl Developer
keytool - Key and Certificate Management Tool
http://xml.apache.org/soap