
In my project I am forced to use a third party REST service which is only accessible over HTTPS. Unfortunately the certificate is self-signed. What can I do to accept untrusted certificates?

asked 29.08 at 07:54


SupportIvyTeam ♦♦
accept rate: 82%


You have multiple options:

  1. Put the certificate into the list of well known certificates of your JRE (/jre/lib/security/cacerts) by using the keytool.
  2. Use a custom connector (see below).

Use a custom connector which allows unsecure hosts:

Tested with Axon.ivy 6.7.1. Currently this is a painful workaround.

  • add the jersey-apache-connector.jar to the /dropins directory of your product
  • copy the same JAR into your project as well and add it to the classpath
  • add a Java class that configures the apache-connector to allow any certificate by any host (see below)
  • use CustomRest.unsecureClient("myRestServiceName") as the entry point for your REST requests.
    package com.axonivy.connectivity;
    
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import javax.ws.rs.client.WebTarget;
    
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.HttpClientConnectionManager;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.socket.PlainConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
    import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;
    
    import ch.ivyteam.ivy.environment.Ivy;
    
    /**
     * Workaround for self-signed REST endpoints: every server certificate and
     * every host name is accepted, so the HTTPS connection is encrypted but the
     * peer is NOT authenticated.
     */
    public class CustomRest {
    
        /** Returns a Jersey WebTarget for the named REST service that skips all certificate checks. */
        public static WebTarget unsecureClient(String serviceName)
        {
            // The Apache connector is loaded from a dropin JAR, so its class loader
            // must be the context class loader while the connection manager is created.
            Thread th = Thread.currentThread();
            ClassLoader oldCtl = th.getContextClassLoader();
            try
            {
                th.setContextClassLoader(ApacheConnectorProvider.class.getClassLoader());
    
                HttpClientConnectionManager conMan = new BasicHttpClientConnectionManager(getConnectionRegistry(), null, null, null);
                // Hand the customised connection manager to the Ivy REST client via the Jersey property.
                return Ivy.rest().client(serviceName)
                        .property("jersey.config.apache.client.connectionManager", conMan);
    
            }
            finally
            {
                th.setContextClassLoader(oldCtl);
            }
        }
    
        /** Socket factories for http and https; the https one uses the trust-all context and accepts any host name. */
        private static Registry<ConnectionSocketFactory> getConnectionRegistry() {
            SSLContext ctxt = createTrustAllContext();
            HostnameVerifier verifyAllHosts = new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    return true; // no host name check at all
                }
            };
            SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(ctxt, verifyAllHosts);
    
            return RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("http", PlainConnectionSocketFactory.getSocketFactory())
                    .register("https", factory)
                    .build();
        }
    
        /** SSLContext with a trust manager that never rejects a certificate chain. */
        private static SSLContext createTrustAllContext() {
            TrustManager[] certs = new TrustManager[]{new X509TrustManager() {
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    // The contract requires a non-null array; empty means "no issuers advertised".
                    return new X509Certificate[0];
                }
    
                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    // intentionally empty: any server certificate is accepted
                }
    
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    // intentionally empty: any client certificate is accepted
                }
    
            }};
    
            SSLContext ctx = null;
            try {
                ctx = SSLContext.getInstance("TLS");
                ctx.init(null, certs, new SecureRandom());
            } catch (java.security.GeneralSecurityException e) {
                throw new RuntimeException("failed to setup insecure ssl context", e);
            }
            return ctx;
        }
    
    }
    
This answer is marked "community wiki".

answered 29.08 at 07:56


Reguel Werme... ♦♦
accept rate: 68%

edited 29.08 at 08:12
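The trust-all connector above accepts any certificate from any host, so anyone who can intercept the connection can present their own certificate and read or modify the REST traffic. A middle ground between that and editing the JRE's cacerts (option 1) is to trust exactly the one self-signed certificate and keep the normal host name check. The following class is an added example, not code from the answer or from Axon.ivy; it reuses the Apache connector wiring shown above and assumes the same Ivy.rest() API, Apache HttpClient 4.4 or newer (for DefaultHostnameVerifier), and a PEM file containing the service's certificate at a path you supply (the file name is an assumption).

```java
package com.axonivy.connectivity;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.ws.rs.client.WebTarget;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;

import ch.ivyteam.ivy.environment.Ivy;

/**
 * Example (not part of the original answer): trusts exactly one self-signed
 * certificate instead of every certificate, and keeps host name verification.
 */
public class PinnedRest {

    /**
     * @param serviceName   the REST client configured in Ivy
     * @param serverCertPem path to the service's self-signed certificate (PEM, "-----BEGIN CERTIFICATE-----")
     */
    public static WebTarget pinnedClient(String serviceName, Path serverCertPem) {
        // Same class-loader dance as in the trust-all variant: the connector lives in a dropin JAR.
        Thread th = Thread.currentThread();
        ClassLoader oldCtl = th.getContextClassLoader();
        try {
            th.setContextClassLoader(ApacheConnectorProvider.class.getClassLoader());
            HttpClientConnectionManager conMan =
                    new BasicHttpClientConnectionManager(getConnectionRegistry(serverCertPem), null, null, null);
            return Ivy.rest().client(serviceName)
                    .property("jersey.config.apache.client.connectionManager", conMan);
        } finally {
            th.setContextClassLoader(oldCtl);
        }
    }

    private static Registry<ConnectionSocketFactory> getConnectionRegistry(Path serverCertPem) {
        SSLContext ctx = createPinnedContext(serverCertPem);
        // DefaultHostnameVerifier enforces that the certificate actually names the host we connect to.
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        return RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", factory)
                .build();
    }

    /** Builds an SSLContext whose only trust anchor is the certificate read from the PEM file. */
    static SSLContext createPinnedContext(Path serverCertPem) {
        try (InputStream in = Files.newInputStream(serverCertPem)) {
            Certificate serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);

            // Empty in-memory trust store: the JRE's cacerts are deliberately NOT included,
            // so this client talks to this one service and nothing else over HTTPS.
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
            trustStore.setCertificateEntry("pinned-rest-service", serverCert);

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx;
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("failed to load pinned certificate " + serverCertPem, e);
        }
    }
}
```

Call it as PinnedRest.pinnedClient("myRestServiceName", Paths.get("/path/to/service.crt")) where the first bullet list above uses CustomRest.unsecureClient(...). When the service renews its certificate the PEM file has to be replaced, which is the same maintenance you would have with option 1; the difference is that a wrong or swapped certificate now fails loudly instead of being silently accepted.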
