[MOBY-dev] Java tools and BioMOBY over HTTPS?
Pieter Neerincx
Pieter.Neerincx at wur.nl
Thu Jul 14 14:02:34 UTC 2005
Hi Tom,
Thanks for the reply. Now I at least knew it should be possible :).
After googling for days I finally got it to work. Maybe you can add
a small addition for HTTPS to the configuration part of the Taverna
manual. If anyone else ever runs into the same problem, here is how I
got it to work:
I did find a lot of posts mentioning compatibility problems when
importing openssl generated certificates in a java keystore with
keytool. So I was converting my certificates in probably every
certificate format known to man, but that was not the solution. In
order to make the Java client accept a self-signed certificate from
your webserver, this is what needs to be done.
Generate a self-signed certificate. If you use openssl this step is
pretty well documented. The default output will be a certificate in
pem format. The default extension for such a certificate is *.crt.
This file can contain both a human readable form of the certificate
and an encoded one. So it might look something like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=NL, ST=Gelderland, L=Wageningen, O=WUR,
OU=Bioinformatics, CN=dev.bioinformatics.nl/
emailAddress=jack.leunissen at wur.nl
Validity
Not Before: Jul 8 16:27:14 2005 GMT
Not After : Aug 7 16:27:14 2005 GMT
Subject: C=NL, ST=Gelderland, L=Wageningen, O=WUR,
OU=Bioinformatics, CN=dev.bioinformatics.nl/
emailAddress=jack.leunissen at wur.nl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a1:e2:f2:20:3c:17:da:c1:2c:d9:89:4b:9d:16:
....<snip>....
80:a9:e4:02:72:3c:1f:b3:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
87:F7:8D:B6:63:C1:F9:4D:
X509v3 Authority Key Identifier:
keyid:87:F7:8D:B6:63:C1:F9:
DirName:/C=NL/ST=Gelderland/L=Wageningen/O=WUR/
OU=Bioinformatics/CN=dev.bioinformatics.nl/
emailAddress=jack.leunissen at wur.nl
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
6e:5c:27:f4:b4:bd:1e:32:c0:ee:03:ce:76:43:c3:e8:3a:50:
....<snip>....
0c:e8:f6:98:10:2d:ac:ff:99:3a:5c:f5:f8:66:27:a5:53:c6:
5a:0b
-----BEGIN CERTIFICATE-----
MIIDxzCCAzCgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpDELMAkGA1UEBhMCTkwx
EzARBgNVBAgTCkdlbGRlcmxhbmQxEzARBgNVBAcTCldhZ2VuaW5nZW4xDDAKBgNV
BAoTA1dVUjEXMBUGA1UECxMOQmlvaW5mb3JtYXRpY3MxHjAcBgNVBAMTFWRldi5i
....<snip>....
bDEkMCIGCSqGSIb3DQEJARYVamFjay5sZXVuaXNzZW5Ad3VyLm5sggEAMAwGA1Ud
EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAblwn9LS9HjLA7gPOdkPD6DpQUBHF
L/4Ihx+J6Y1PVr5NSgWLz5emr0wSqV+adjfYm/+OMV0AkYVQptlm2N61xX7YDbkL
mEBS8n22L43f2WU4SP7J24kmhllet56QaS3ImfECP40RwvC+I+26DOj2mBAtrP+Z
Olz1+GYnpVPGWgs=
-----END CERTIFICATE-----
The human readable part is a problem for keytool which you use to
import the certificate in your Java keystore. You can convert the
certificate in another format that is keytool compatible, but the
easiest solution is to strip the human readable part from the
certificate. Hence, simply copy -----BEGIN CERTIFICATE-----[encoded
certificate]-----END CERTIFICATE----- to a new file. Make sure there
are no blank lines left before -----BEGIN CERTIFICATE----- or after
-----END CERTIFICATE-----.
Now import the certificate in your keystore:
keytool -import -trustcacerts -v -alias [some name for your cert.] -file [the cert. without the human readable part]
I figured that since the certificate is self-signed, I wouldn't need
another certificate authority to make Java apps validate the
certificate, but that was wrong. You need to import the same
self-signed certificate into your cacerts keystore as well:
as root: keytool -import -v -storetype jks -keystore $JAVA_HOME/lib/security/cacerts -file [the cert. without the human readable part]
Now it should work.
Cheers,
Pieter
On 13-Jul-2005, at 6:05 PM, Tom Oinn wrote:
> Hi all,
>
> We've had Taverna working for HTTPS web services so it should be
> fine for the MOBY operations. You need to check that the
> certificate has a valid signature chain and that the name of the
> entity in the certificate matches the hostname - we had issues with
> a certificate from a server in china that the java security
> framework rejected because the (I think) CN part of the DN in the
> cert wasn't the same as the hostname of the endpoint.
>
> Tom
>
> Pieter Neerincx wrote:
>
>> Hi all,
>> Is there anyone out there that was able to make BioMOBY
>> (related) Java tools like Yan's Moby Object Browser or Taverna
>> work with MOBY Centrals and/or services over HTTPS? I'm having
>> trouble with the server's certificate. I used keytool to import
>> the server's certificate client-side, but the Java tools keep on
>> complaining: "unknown certificate"...
>> Cheers,
>> Pieter
>> _______________________________________________
>> MOBY-dev mailing list
>> MOBY-dev at biomoby.org
>> http://www.biomoby.org/mailman/listinfo/moby-dev
>>
>
Wageningen University and Research centre (WUR)
Laboratory of Bioinformatics
Transitorium (building 312) room 1038
Dreijenlaan 3
6703 HA Wageningen
phone: 0317-484 706
fax: 0317-483 584
mobile: 06-143 66 783
pieter.neerincx at wur.nl
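The stripping step from Pieter's mail (keep only the BEGIN/END CERTIFICATE block, no blank lines around it) is easy to get subtly wrong by hand. Below is an added POSIX sh example, not code from the original mail or from the Taverna or BioMOBY projects, that does that step with sed, checks the result has the bare shape keytool accepts, and wraps the two keytool invocations from the mail in functions. The function names and the sample .crt file are constructed for this example; the sample's base64 body is truncated text copied from the mail's own dump, so it is not a decodable certificate. The keytool wrappers are only shown, not run, because they need a JDK and prompt for the keystore password.

```shell
#!/bin/sh
# Added example (not from the original mail). Keeps only the
# -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block from a
# .crt that also carries the human-readable "openssl x509 -text" dump,
# verifies the result, and wraps the keytool imports from the mail.

# extract_pem IN OUT: copy the single PEM certificate block from IN to OUT.
# Fails when IN holds no block or more than one.
extract_pem() {
    in="$1"; out="$2"
    # grep -c prints 0 but exits 1 when nothing matches, so keep going
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$in" || true)
    if [ "$n" -ne 1 ]; then
        echo "extract_pem: expected one certificate block in $in, found $n" >&2
        return 1
    fi
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$in" > "$out"
    pem_is_clean "$out"
}

# pem_is_clean FILE: true when FILE is exactly one PEM block: BEGIN on the
# first line, END on the last, only base64 in between, no blank lines.
pem_is_clean() {
    f="$1"
    [ "$(head -n 1 "$f")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$f")" = "-----END CERTIFICATE-----" ] || return 1
    # every body line must be non-empty base64 (PEM wraps at 64, allow up to 76)
    if sed '1d;$d' "$f" | grep -qv '^[A-Za-z0-9+/=]\{1,76\}$'; then
        return 1
    fi
    return 0
}

# import_client_trust CERT ALIAS [KEYSTORE]: the first keytool command from
# the mail; imports the stripped cert as a trusted entry into the user's
# keystore (keytool's default store is $HOME/.keystore).
import_client_trust() {
    keytool -import -trustcacerts -v -alias "$2" -file "$1" \
        -keystore "${3:-$HOME/.keystore}"
}

# import_cacerts CERT ALIAS: the second keytool command from the mail, run as
# root, adding the same self-signed cert to the JVM-wide cacerts store so it
# is accepted as its own CA. The stock cacerts password is "changeit" and
# keytool prompts for it. Path is the one the mail gives.
import_cacerts() {
    keytool -import -v -storetype jks -alias "$2" \
        -keystore "$JAVA_HOME/lib/security/cacerts" -file "$1"
}

# write_sample_cert FILE: constructed stand-in for a .crt written with
# "openssl x509 -text": dump first, then the PEM block, then a stray blank
# line. The base64 is truncated text from the mail, not a real certificate.
write_sample_cert() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
-----BEGIN CERTIFICATE-----
MIIDxzCCAzCgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpDELMAkGA1UEBhMCTkwx
EzARBgNVBAgTCkdlbGRlcmxhbmQxEzARBgNVBAcTCldhZ2VuaW5nZW4xDDAKBgNV
Olz1+GYnpVPGWgs=
-----END CERTIFICATE-----

EOF
}

# Stand-alone run: strip the sample and show what keytool would be given.
tmp=$(mktemp -d)
write_sample_cert "$tmp/server.crt"
if extract_pem "$tmp/server.crt" "$tmp/server.pem"; then
    echo "stripped certificate written to $tmp/server.pem:"
    cat "$tmp/server.pem"
    echo "next step (needs a JDK): import_client_trust $tmp/server.pem dev-moby"
fi
```

`pem_is_clean` rejects the original file because of the dump before BEGIN and the blank line after END, which is exactly what makes keytool refuse it; after `extract_pem` the same content passes. The two `import_*` functions take the stripped file plus an alias, so the client keystore and the cacerts store end up with the same certificate under a name you can later find with `keytool -list`.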