How to use SSL with accesspoint.atmosonline.com
(port 80 is at accesspoint.emccis.com )
1. Download InstallCert.java
2. Ensure you have a Java compiler (JDK) installed and on your PATH
3. javac InstallCert.java (creates InstallCert.class)
4. java InstallCert accesspoint.atmosonline.com:443 changeit (changeit is the default password of the JRE security keystore)
If you attempt to connect to the Atmos REST services via Java using SSL (to accesspoint.atmosonline.com), you will likely see the following error:
{{{
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:182)
... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 15 more
}}}
This happens because the root certificate of the chain is an old ValiCert CA that is not in the JRE's default trust store. Sun has stated that they will not ship this certificate by default because RSA has not asked them to:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6717199
To work around this, you will need to install the certificate yourself. You can download the following utility to load the certificates:
http://blogs.sun.com/andreas/resource/InstallCert.java
Compile it with
{{{ javac InstallCert.java }}}
and run with
{{{java InstallCert accesspoint.atmosonline.com}}}
After running, you'll see the same PKIX path building failed stack trace shown above, followed by the list of certificates in the chain:
{{{
Server sent 5 certificate(s):
1 Subject CN=accesspoint.atmosonline.com, OU=Cloud Infrastructure Group, O=EMC Corporation, L=Cambridge, ST=Massachusetts, C=US
Issuer C=US, ST=Massachusetts, L=Bedford, CN=RSA Corporate Server CA, OU=KCA Services, O=RSA Security Inc.
sha1 44 e3 bc 67 84 95 d6 38 c3 e9 4e 4a 60 4a fb 67 a3 4c 9e 5c
md5 ba af 0f 35 66 ec 81 d9 88 1c 27 de ab 52 31 b1
2 Subject C=US, ST=Massachusetts, L=Bedford, CN=RSA Corporate Server CA, OU=KCA Services, O=RSA Security Inc.
Issuer C=US, ST=Massachusetts, L=Bedford, CN=RSA Corporate, OU=KCA Services, O=RSA Security Inc.
sha1 f7 19 e9 6b db 62 ed 9f 98 36 65 e7 c8 e7 ee d5 64 39 e5 3d
md5 9c d5 4d 2e b7 f5 1f 73 86 56 5b 20 94 77 12 0a
3 Subject C=US, ST=Massachusetts, L=Bedford, CN=RSA Corporate, OU=KCA Services, O=RSA Security Inc.
Issuer EMAILADDRESS=rsakeonrootsign@rsasecurity.com, CN=RSA Public Root CA v1, O=RSA Security Inc.
sha1 1d 81 33 35 cc c3 02 2e 23 85 30 18 11 6a 24 5e 0c f2 6b b2
md5 14 c7 8f 64 cc 02 6b 55 46 15 01 66 31 86 ad 53
4 Subject EMAILADDRESS=rsakeonrootsign@rsasecurity.com, CN=RSA Public Root CA v1, O=RSA Security Inc.
Issuer EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 3 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
sha1 81 62 07 5b cd 8e 91 02 fd 66 57 80 f4 ad 36 33 5d dc cf 2a
md5 9a 02 90 26 7b f0 6e 88 4b ee 9f dc 01 04 16 da
5 Subject EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 3 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Issuer EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 3 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
sha1 69 bd 8c f4 9c d3 00 fb 59 2e 17 93 ca 55 6a f3 ec aa 35 fb
md5 a2 6f 53 b7 ee 40 db 4a 68 e7 fa 18 d9 10 4b 72
Enter certificate to add to trusted keystore or 'q' to quit: [1]
}}}
You'll need to install certificate 2 (RSA Corporate Server CA) to complete the chain. Answer 2 at the prompt. Note that importing this intermediate CA makes the keystore trust every certificate issued by RSA Corporate Server CA, not only the accesspoint.atmosonline.com certificate.
If you run the program again, you should see the following message:
{{{
Loading KeyStore jssecacerts...
Opening connection to accesspoint.atmosonline.com:443...
Starting SSL handshake...
No errors, certificate is already trusted
}}}
Answer "q" at the prompt since you don't need to install any more certificates.
After this, you will have a file named 'jssecacerts' in your current directory. Copy it into your {{{$JRE_HOME/lib/security}}} directory so that JSSE picks it up for all applications running on that JRE, e.g.:
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/lib/security/jssecacerts
...unfortunately nothing really seems to use jssecacerts, instead they use cacerts...
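To make sure an application actually uses the jssecacerts file InstallCert produced, rather than whichever cacerts its JRE happens to consult, the application can load that trust store explicitly and build its own SSLContext from it. This is an added example, not code from the original page or from InstallCert; it assumes Java 7 or later, the jssecacerts file in the working directory with the default password changeit, and the host name used on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class AtmosTrustStoreCheck {
    // Assumption: the jssecacerts written by InstallCert sits in the working directory
    private static final String TRUST_STORE = "jssecacerts";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    /** Builds an SSLContext whose trust anchors are only the entries of the given keystore file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                       // PKIX trust manager backed by jssecacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTrustStore(TRUST_STORE, TRUST_STORE_PASSWORD);
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://accesspoint.atmosonline.com/").openConnection();
        // Use our trust store for this connection instead of the JRE-wide cacerts
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The TLS handshake happens here; an untrusted chain throws SSLHandshakeException
        conn.connect();
        System.out.println("Handshake OK, cipher suite: " + conn.getCipherSuite());
        // Print the chain the server presented, leaf first, as validated against jssecacerts
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        }
        conn.disconnect();
    }
}
```

If the handshake still fails with the PKIX error, the file being loaded is not the one that certificate 2 was added to; `keytool -list -v -keystore jssecacerts -storepass changeit` shows what it contains.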
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
keytool -list -v -keystore /usr/lib/jvm/java-6-sun-1.6.0.24/jre/lib/security/jssecacerts -storepass changeit
keytool -list -v -keystore /etc/java-6-sun/security/cacerts -storepass changeit
(USE A BROWSER TO VISIT accesspoint.atmosonline.com AND SAVE/EXPORT THE CERTIFICATE)
keytool -printcert -v -file mydomain.crt
LINUX:
keytool -import -trustcacerts -alias accesspoint.atmosonline.com -file accesspoint.atmosonline.com.crt -keystore /etc/java-6-sun/security/cacerts -storepass changeit
WINDOWS (run cmd.exe as Administrator):
keytool -import -trustcacerts -alias accesspoint.atmosonline.com -file accesspoint.atmosonline.com.crt -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -storepass changeit
keytool -list -v -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -storepass changeit > c:\Users\username\Desktop\cacertlisting.txt
IF USING ECLIPSE, ENSURE THAT THE cacerts OF THE JRE ECLIPSE IS ACTUALLY RUNNING WITH IS THE ONE UPDATED, e.g.:
C:\Program Files\Java\jdk1.7.0\jre\lib\security