Forum Discussion

boo_radley_1114
Sep 23, 2013

Handling self-signed certs with java and iControl

Hi folks -- I'd like to write a couple of simple Java classes to automate some tasks in our F5 LTM (such as enabling/disabling certain nodes).

To get started I downloaded iControlAssembly_11_3_0-Java.zip, extracted it, added iControl.jar and the 3rd-party jars (axis.jar, etc.) to my development environment, and wrote a simple Java program based on one of the examples, to get system info.

The problem I'm hitting is this: we are using a self-signed cert with our F5 LTM, as it's used in a test environment. When I run the Java program I get this exception:

AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: javax.net.ssl.SSLException: hostname in certificate didn't match: < myf5hostname> !=
 faultActor:
 faultNode:
 faultDetail:
	{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLException: hostname in certificate didn't match: !=
	at org.apache.axis.components.net.JSSESocketFactory.verifyHostName(JSSESocketFactory.java:351)
	at org.apache.axis.components.net.JSSESocketFactory.verifyHostName(JSSESocketFactory.java:287)
	at org.apache.axis.components.net.JSSESocketFactory.verifyHostName(JSSESocketFactory.java:270)
	at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:216)

Any thoughts on how I can easily handle this? I'm not sure how to override the Apache SSL verification process, or where to get started, even. :(

Thx!

6 Replies

  • You can download the certificate file off the F5 device and then import it into your test environment's keystore. I believe the command used to do this is 'keystore'.

  • Another hack is to override the https implementation to not check the cert. Some of these functions are deprecated...

        import java.io.IOException;
        import java.security.GeneralSecurityException;
        import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
        import org.apache.commons.httpclient.protocol.Protocol;

        // EasySSLProtocolSocketFactory (commons-httpclient "contrib" package) accepts any
        // server certificate, so the connection is no longer authenticated to the F5.
        Protocol easyhttps = null;
        try {
            easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
        }
        catch (GeneralSecurityException e1) {
            throw new AsmAccessException(e1.getMessage(), e1);   // AsmAccessException: the caller's own exception type
        }
        catch (IOException e1) {
            throw new AsmAccessException(e1.getMessage(), e1);
        }
        // Replace the default "https" protocol handler with the permissive one.
        Protocol.registerProtocol("https", easyhttps);
    
  • That specific error was something we put in due to an open vulnerability in Apache Axis:

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784

    We had many customers report this to us, and they were unable to deploy any iControl applications unless we patched this.

    The workaround is to create a local hosts entry to give the server a hostname, so the URL you requested in the connection matches what's in the certificate.

    You can also attempt to find an older build of Apache Axis (or download one of the older iControl libraries for Java) and use that version of axis.jar if you are willing to accept this vulnerability in the Apache code.

    -Joe

  • Thanks Joe -- I spent a couple of hours down a nasty rat hole of SSL certificate importing into the Eclipse client, etc.

    So I have to edit my 'hosts' file on the client with this line: my f5's ip address localhost.localdomain

    And then in the Java code, the string for the F5 hostname is literally "localhost.localdomain". That does work, but looks odd.

  • If only NIST hadn't been so lame in reporting that vuln, we could have all lived in peaceful existence with mismatched hostnames...

    Pre-11.3, the iControl library distribution included an unpatched version of axis.jar if you want to live on the wild side. I can get you a link if you can't find it on the site.

    -Joe

  • Hi,

    Simply renew your certificate on the load balancer itself:

    System ›› Device Certificates : Device Certificate ›› Device Certificate

    And specify the hostname or IP which does not match in your case in the "Common Name" field.

    That should do the job.

    /Hermann
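Before choosing between the hosts-file workaround and reissuing the device certificate, it helps to know which names the certificate actually carries. The following is an added example, not code from this thread or from F5's iControl library: it loads the certificate exported from the device (PEM) and reports whether the hostname you intend to put in the iControl URL would pass the CN/SAN comparison that Axis's verifyHostName enforces. The class name and command-line arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class F5CertHostnameCheck {
    // Names the TLS hostname check will accept: DNS SANs if present, otherwise the subject CN.
    static List<String> acceptedNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {                 // each entry = [GeneralName type, value]
                if (((Integer) san.get(0)) == 2) names.add(((String) san.get(1)).toLowerCase()); // 2 = dNSName
            }
        }
        if (names.isEmpty()) {                         // no DNS SAN: fall back to the CN
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString().toLowerCase());
            }
        }
        return names;
    }
    // Exact match, or a single-label wildcard such as *.example.com.
    static boolean matches(String host, String pattern) {
        host = host.toLowerCase();
        if (pattern.startsWith("*.")) {
            String suffix = pattern.substring(1);      // ".example.com"
            return host.endsWith(suffix) && host.indexOf('.') == host.length() - suffix.length();
        }
        return host.equals(pattern);
    }
    public static boolean hostnameMatches(X509Certificate cert, String host) throws Exception {
        for (String name : acceptedNames(cert)) if (matches(host, name)) return true;
        return false;
    }
    // Usage (assumed): java F5CertHostnameCheck <device-cert.pem> <hostname used in the iControl URL>
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(hostnameMatches(cert, args[1]) ? args[1] + " matches: the Axis hostname check will pass"
                : args[1] + " does not match " + acceptedNames(cert) + ": add a hosts entry for one of those names or reissue the certificate");
    }
}
```

If the only name in the certificate is something like localhost.localdomain, the output tells you directly why the hosts-file entry from the thread is needed, and which Common Name to use when renewing the device certificate instead.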