
Can I get HttpClient to use Weblogic's custom keystore / truststore settings?

开发者 https://www.devze.com 2023-03-08 03:52 Source: web
My application is using Apache's HttpClient 3.1 deployed on Weblogic 10.3 to perform a POST using SSL mutual authentication. I can get this to work using the following system properties to configure the keystore & truststore:

-Djavax.net.ssl.keyStore=C:\Keystore\KEYSTORE.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=C:\Truststore\TRUSTSTORE.jks
-Djavax.net.ssl.trustStorePassword=changeit

Is there any way to get HttpClient to recognize and use the Weblogic custom keystore & truststore settings (as configured in the console / config.xml)? Amongst other things this would provide the ability to keep the passwords "hidden" and not visible as plain text in config files / console etc.

Can anyone enlighten me?


I have been able to get HttpClient to use the custom weblogic trust store certificates for SSL connections by implementing a custom TrustStrategy:

import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.apache.http.conn.ssl.TrustStrategy;
import weblogic.security.pk.CertPathValidatorParameters;

public class WeblogicSSLTrustStrategy implements TrustStrategy {

  @Override
  public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    // Build a CertPath from the server's chain with the standard X.509 factory
    // (instead of the internal sun.security.provider.certpath.X509CertPath class)
    CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));

    // supply here the weblogic realm name, configured in weblogic console
    // "myrealm" is the default one
    CertPathParameters params = new CertPathValidatorParameters("myrealm", null, null);
    try {
      // WebLogic's validator checks the chain against the trust store configured in the console
      CertPathValidator validator = CertPathValidator.getInstance("WLSCertPathValidator");
      validator.validate(certPath, params);
    } catch (NoSuchAlgorithmException e) {
      // the WebLogic provider is only present when running inside the server
      throw new CertificateException("WLSCertPathValidator not available", e);
    } catch (CertPathValidatorException e) {
      throw new CertificateException(e);
    } catch (InvalidAlgorithmParameterException e) {
      throw new CertificateException(e);
    }

    // validation passed: HttpClient accepts the chain without consulting the JSSE default trust manager
    return true;
  }
}

This code is based on Weblogic documentation. The strategy can be passed to HttpClient via SSLSocketFactory:

import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;

SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));

// server certificates are checked by WeblogicSSLTrustStrategy, i.e. by WebLogic's trust store
SSLSocketFactory sslSocketFactory = new SSLSocketFactory(new WeblogicSSLTrustStrategy());
schemeRegistry.register(new Scheme("https", 443, sslSocketFactory));

PoolingClientConnectionManager connectionManager = new PoolingClientConnectionManager(schemeRegistry);

DefaultHttpClient httpClient = new DefaultHttpClient(connectionManager);

The only unknown parameter is the Weblogic Realm name, which can be taken from the Weblogic JMX API, or simply preconfigured. This way it does not require instantiating the trust store or reconfiguring the Weblogic startup parameters.
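Added example (not from the question or either answer) that combines the two halves of the original problem: the client identity for mutual authentication is loaded from the keystore the question pointed javax.net.ssl.keyStore at, while server trust is delegated to WebLogic through the WeblogicSSLTrustStrategy class from the answer above. It assumes HttpClient 4.2 (the SSLSocketFactory constructor taking a TrustStrategy and hostname verifier); the class and method names MutualAuthClient, loadIdentity, buildClient and post are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;
import org.apache.http.util.EntityUtils;

public class MutualAuthClient {

  // Loads the client identity keystore (the file the question passed as
  // javax.net.ssl.keyStore); the password comes from the caller, not from a constant.
  static KeyStore loadIdentity(String path, char[] password) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream in = new FileInputStream(path);
    try {
      ks.load(in, password);
    } finally {
      in.close();
    }
    return ks;
  }

  static HttpClient buildClient(KeyStore identity, String keyPassword) throws Exception {
    // Client cert + key come from the identity keystore; server trust is delegated to
    // WebLogic's configured trust store through WeblogicSSLTrustStrategy. A TrustStrategy
    // that returns true bypasses the JSSE trust manager, so it must validate the chain
    // itself (as the WebLogic strategy does). Hostname verification is kept strict.
    SSLSocketFactory sf = new SSLSocketFactory(
        SSLSocketFactory.TLS, identity, keyPassword, null, null,
        new WeblogicSSLTrustStrategy(), SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
    SchemeRegistry registry = new SchemeRegistry();
    registry.register(new Scheme("https", 443, sf));
    return new DefaultHttpClient(new PoolingClientConnectionManager(registry));
  }

  static String post(HttpClient client, String url, String body) throws Exception {
    HttpPost post = new HttpPost(url);
    post.setEntity(new StringEntity(body, "UTF-8"));
    HttpResponse response = client.execute(post);
    return EntityUtils.toString(response.getEntity());
  }
}
```

The keystore passphrase still has to reach loadIdentity from somewhere; this only keeps it out of the startup command line and the system properties, which the question's -D flags expose to anyone who can list the server process.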


You might be able to obtain these values via JMX using the KeyStoreMBean. Be forewarned though, this might not be a trivial exercise due to the following:

  • This would require storing the keystore passwords in cleartext in your JMX client (now that you would be writing one in your application). This is insecure, and a security audit might fail due to this, depending on what the audit is meant to look for.
  • The MBeans might not be accessible at runtime, due to the JMX service configuration, or would have to be accessed differently in different scenarios. Assuming WebLogic 11g, the values might be made read-only, by setting the value of the EditMBeanServerEnabled attribute of the JMXMBean to false.
