Axon.ivy 7.0 - the Digital Business Platform - is out now...

In my project I am forced to use a third party REST service which is only accessible over HTTPS. Unfortunately the certificate is self signed. What can I do to accept untrusted certifticates?

asked 29.08.2017 at 07:54

SupportIvyTeam's gravatar image

SupportIvyTeam ♦♦
975527084
accept rate: 75%


Ivy Version 7.0.2 and later

The REST Client respects the well-known ivy ssl settings. Enable your custom truststore and import the self signed certificat:

https://developer.axonivy.com/doc/latest/DesignerGuideHtml/ivy.introduction.html#ivy-introduction-preferences-sslclient

Ivy Version 7.0.1 and before

You have multiple options:

  • Put the certificate into the engines trustStore
  • Use a custom connector

Put the certificate into the engines trustStore

  1. import the certificate into the trusstore of the engine/designer under configuration/truststore.jks. I recommend to use something like the KeyStore explorer to do this. alt text
  2. activate the keystore globally for the JVM by setting system properties. You could do this either in a script/java call before the REST request is executed or in the Axon.ivy Designer.ini respectively the *.ilc file of the engine.

.

javax.net.ssl.trustStore=configuration/truststore.jks
javax.net.ssl.trustStorePassword=changeit

alt text

Use a custom connector which allows unsecure hosts:

Test with Axon.ivy 6.7.1. Currently this is a painful workaround.

  • add the jersey-apache-connector.jar to the /dropins directory of your product
  • copy the jersey-apache-connector.jar plus the jersey-commons.jar and the jersey-guava.jar into your project as well. And add them to the classpath. alt text
  • enable the apache-connector-provider via SPI.
  • -- Create a file: /src/META-INF/services/org.glassfish.jersey.client.spi.ConnectorProvider
  • -- In it paste the full qualified name of the connector: org.glassfish.jersey.apache.connector.ApacheConnectorProvider
  • alt text
  • add a java class that configures the apache-connector to allow any certificate by any host (see below)
  • use CustomRest.unsecureClient("myRestSErviceName") as entry point for your REST requests.
    package com.axonivy.connectivity;
    
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import javax.ws.rs.client.WebTarget;
    
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.HttpClientConnectionManager;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.socket.PlainConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
    import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;
    
    import ch.ivyteam.ivy.environment.Ivy;
    
    public class CustomRest {
    
        public static WebTarget unsecureClient(String serviceName)
        {
            Thread th = Thread.currentThread();
            ClassLoader oldCtl = th.getContextClassLoader();
            try
            {
                th.setContextClassLoader(ApacheConnectorProvider.class.getClassLoader());
    
                HttpClientConnectionManager conMan = new BasicHttpClientConnectionManager(getConnectionRegistry(), null, null, null);
                return Ivy.rest().client(serviceName)
                        .property("jersey.config.apache.client.connectionManager", conMan);
    
            }
            finally
            {
                th.setContextClassLoader(oldCtl);
            }
        }
    
        private static Registry<ConnectionSocketFactory> getConnectionRegistry() {
            SSLContext ctxt = createTrustAllContext();
            HostnameVerifier verifyAllHosts = new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            };
            SSLConnectionSocketFactory factory = new org.apache.http.conn.ssl.SSLConnectionSocketFactory(ctxt, verifyAllHosts);
    
            return RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("http", PlainConnectionSocketFactory.getSocketFactory())
                    .register("https", factory)
                    .build();
        }
    
        private static SSLContext createTrustAllContext() {
            TrustManager[] certs = new TrustManager[]{new X509TrustManager() {
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
    
                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                }
    
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                }
    
            }};
    
            SSLContext ctx = null;
            try {
                ctx = SSLContext.getInstance("TLS");
                ctx.init(null, certs, new SecureRandom());
            } catch (java.security.GeneralSecurityException e) {
                throw new RuntimeException("failed to setup insecure ssl context", e);
            }
            return ctx;
        }
    
    }
    
link
This answer is marked "community wiki".

answered 29.08.2017 at 07:56

Reguel%20Wermelinger's gravatar image

Reguel Werme... ♦♦
6.4k11036
accept rate: 69%

edited 05.12.2017 at 10:18

Alex%20Suter's gravatar image

Alex Suter ♦♦
1.4k31530

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×16
×2

Asked: 29.08.2017 at 07:54

Seen: 377 times

Last updated: 05.12.2017 at 10:18