Monday, July 27, 2009

Howto: Import Certificates into a Keystore

One night, our Java application, which connects to a webservice, started failing with the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
This error meant that our application did not have a valid certificate, but since our application had been working fine for the past few months, the only plausible explanation was that the webservice that we were trying to connect to had changed its certificate without telling us!

I then had to go about getting hold of the new certificate and importing it into my truststore, in order to get my application up and running again. This is how:

1) Save the SSL Certificate to a File
In Firefox 3.5 (it's easier):

  • Open the webservice url
  • Double-click the padlock icon (or right-click on page and select Page Info)
  • Click on the Security tab (the padlock icon)
  • Press View Certificate
  • Click on the Details tab
  • Press Export...
  • Choose a file to save to - I like to save as type: X.509 Certificate (DER)
In Internet Explorer (IE 8):
  • Open the webservice url
  • Click the padlock icon and then on View Certificates
  • Click on Install Certificate, click Next
  • Choose Place all certificates in the following store and Browse to Personal
  • Click Next and run through the rest of the screens
  • Go to Start > Run > certmgr.msc
  • Select Personal
  • Right click on certificate, go to All Tasks > Export...
Once saved, you can view the certificate using Java Keytool as follows:
keytool -printcert -file mycert.cer

2) Import Certificate to Keystore
Now that we have saved the website certificate to a local file, we can use Java Keytool to import it into our keystore using the following command:

keytool -import -alias myalias -file mycert.cer \
        -keystore mytruststore
You can also display the contents of the keystore using the following command:
keytool -list -v -keystore mytruststore
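
A certificate saved from the browser is whatever the server presented at that moment, so it helps to confirm its fingerprint with the webservice operator through a separate channel before trusting it. The script below is an added example, not part of the original post: it compares the saved file's SHA-256 fingerprint with the confirmed value and only then runs the same keytool import. The function names are hypothetical, and it assumes GNU sha256sum and base64 are installed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes GNU coreutils (sha256sum, base64) and keytool on PATH.
# A certificate fingerprint is the digest of its DER encoding; current JDKs
# print it as "SHA256:" in `keytool -printcert` output.

# Print the lowercase hex SHA-256 of a certificate file (DER, or single PEM).
cert_sha256() {
    [ -r "$1" ] || return 2
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        # PEM: take the first certificate's base64 body and decode it to DER.
        awk '/-----BEGIN CERTIFICATE-----/{f=1;next}
             /-----END CERTIFICATE-----/{exit}
             f' "$1" |
            tr -d '\r\n' | base64 -d | sha256sum | cut -d' ' -f1
    else
        sha256sum < "$1" | cut -d' ' -f1
    fi
}

# Normalise a pasted fingerprint: drop colons and spaces, lowercase the hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only if the file's fingerprint equals the expected SHA-256 value.
fingerprint_matches() {
    actual=$(cert_sha256 "$1") || return 2
    expected=$(normalise_fp "$2")
    [ "${#expected}" -eq 64 ] || return 2   # reject truncated or SHA-1 values
    [ "$actual" = "$expected" ]
}

# Run the page's keytool import only after the fingerprint check passes.
# Usage: import_verified mycert.cer myalias mytruststore "AB:CD:...:EF"
import_verified() {
    if fingerprint_matches "$1" "$4"; then
        keytool -import -alias "$2" -file "$1" -keystore "$3"
    else
        echo "fingerprint check failed for $1: not importing" >&2
        return 1
    fi
}
```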

Thursday, July 16, 2009

Enabling Desktop SSO in Firefox

This is how you can configure Firefox to use Desktop Single Sign On (SSO) / Kerberos authentication:
  • Go to about:config
  • Change your preference network.negotiate-auth.delegation-uris to the domain you want to authenticate against, for example ".domain.com".
  • Change your preference network.negotiate-auth.trusted-uris to the domain as above.
Now try going to a URL and you should be able to log in automatically. This has been tried and tested with Firefox 3.5.