Mutual Authentication with Client Certificate over HTTPS/SSL using Java

This blog is about SSL/TLS mutual authentication using Java. I am on the client side with a client certificate signed by an intermediate issuer and finally by Verisign. (aha, a certificate chain is here to make the situation not vanilla already.) The server requests a client certificate and recognizes Verisign as a Certification Authority (CA). You can safely ignore this blog if you have a self-certified certificate.

During the implementation, I got tripped more than a couple of times over error messages like:

403.7 Forbidden: Client Certificate Required.
javax.net.ssl.SSLException: HelloRequest followed by an unexpected  handshake message

To save somebody some time in the future, a step by step instruction is provided below:

1. I assume you have a valid certificate or a chain of certificates, whose root is acceptable by the server. The valid certificate contains its private key. Run the following command to verify:
   

   keytool -list -v -keystore "your certificate file"
   ...
   Entry type: PrivateKeyEntry

2. Import your certificate and intermediate certificates into a browser like IE or Firefox and test out the https URL. This step will validate the certificates and save you a lot of troubles down the road. Java version of the SSL implementation is not as simple/mature as the browsers'. Please make sure all the certificates have not expired.
3. Backup your keystore located at /your_home_directory/.keystore by default and the truststore located at somewhere similar to \Java\jre6\lib\security\cacerts
   
4. Use not-yet-commons-ssl utility to import your certificates into the Java keystore format. Sample command is:
   

   java -cp not-yet-commons-ssl-0.3.9.jar org.apache.commons.ssl.KeyStoreBuilder 

5. Customize the following java code, replace the static final Strings to fit in your needs. Note that this implementation forcefully use a specific alias to present the corresponding certificate/certificate chain to the server. Somehow the default KeyManager simply disqualifies my certificate to be presented to the server.
   

   public class Main {
   
   private static final Logger logger = Logger.getLogger(Main.class.getName());
   private static final String LINE_BREAKER = System.getProperty("line.separator");
   
   private static final String CERTIFACATE_FILE = "your keystore location";
   private static final String CERTIFACATE_PASS = "changeit";
   private static final String CERTIFACATE_ALIAS = "your alias";
   private static final String TARGET_URL = "https://xyz.com";
   
   
   public static void main(String[] args) {
      String targetURL = TARGET_URL;
      URL url;
      HttpsURLConnection connection = null;
      BufferedReader bufferedReader = null;
      InputStream is = null;
   
      try {
          //Create connection
          url = new URL(targetURL);
          //Uncomment this in case server demands some unsafe operations
          //System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
          connection = (HttpsURLConnection) url.openConnection();
   
          connection.setRequestMethod("POST");
          connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
          connection.setRequestProperty("Content-Language", "en-US");
   
          SSLSocketFactory sslSocketFactory = getFactory(new File(CERTIFACATE_FILE), CERTIFACATE_PASS, CERTIFACATE_ALIAS);
          connection.setSSLSocketFactory(sslSocketFactory);
   
          //Process response
          is = connection.getInputStream();
   
          bufferedReader = new BufferedReader(new InputStreamReader(is));
          String line;
          StringBuffer lines = new StringBuffer();
          while ((line = bufferedReader.readLine()) != null) {
              lines.append(line).append(LINE_BREAKER);
          }
          logger.info("response from " + targetURL + ":" + LINE_BREAKER + lines);
   
      } catch (Exception e) {
        ...
      }
    }
   
       private static SSLSocketFactory getFactory(File pKeyFile, String pKeyPassword, String certAlias) throws Exception {
           KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
           KeyStore keyStore = KeyStore.getInstance("JKS");
   
           InputStream keyInput = new FileInputStream(pKeyFile);
           keyStore.load(keyInput, pKeyPassword.toCharArray());
           keyInput.close();
           keyManagerFactory.init(keyStore, pKeyPassword.toCharArray());
   
           //Replace the original KeyManagers with the AliasForcingKeyManager
           KeyManager[] kms = keyManagerFactory.getKeyManagers();
           for (int i = 0; i < kms.length; i++) {
               if (kms[i] instanceof X509KeyManager) {
                   kms[i] = new AliasForcingKeyManager((X509KeyManager) kms[i], certAlias);
               }
           }
   
           SSLContext context = SSLContext.getInstance("TLS");
           context.init(kms, null, null);
           return context.getSocketFactory();
       }
   
       /*
        * This wrapper class overwrites the default behavior of a X509KeyManager and
        * always render a specific certificate whose alias matches that provided in the constructor
        */
       private static class AliasForcingKeyManager implements X509KeyManager {
   
           X509KeyManager baseKM = null;
           String alias = null;
   
           public AliasForcingKeyManager(X509KeyManager keyManager, String alias) {
               baseKM = keyManager;
               this.alias = alias;
           }
   
           /*
            * Always render the specific alias provided in the constructor
            */
           public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
               return alias;
           }
   
           public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
               return baseKM.chooseServerAlias(keyType, issuers, socket);
           }
   
           public X509Certificate[] getCertificateChain(String alias) {
               return baseKM.getCertificateChain(alias);
           }
   
           public String[] getClientAliases(String keyType, Principal[] issuers) {
               return baseKM.getClientAliases(keyType, issuers);
           }
   
           public PrivateKey getPrivateKey(String alias) {
               return baseKM.getPrivateKey(alias);
           }
   
           public String[] getServerAliases(String keyType, Principal[] issuers) {
               return baseKM.getServerAliases(keyType, issuers);
           }
       }
   }
   

   
   
   
6. Try to set
   

   -Dsun.security.ssl.allowUnsafeRenegotiation=true

   if you get the error message like:
   

   javax.net.ssl.SSLException: HelloRequest followed by an unexpected  handshake message

7. If anything goes wrong, turn on -Djavax.net.debug=all to debug. Verify the keystore and truststore locations. Verify the presence of the certificates. Here is a sample log file with successful connection: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html

Grails Environment Specific Logging to a File

I need to log my Grails application across different environments. For example, a Grails embeded Jetty server in DEV environment and a Tomcat server in TEST environment. Different servers have different log directory locations. How to dynamically pick up the right location? The trick is to define the file location (a relative path in my case) as a global variable inside Config.groovy, customized it in the environment blocks, and use the variable location inside log4j closure.

The following is the Config.groovy:

def logDirectory = '.'
environments {
 development {
 }
 test {
     logDirectory = "../logs"    
 }
}

// log4j configuration
log4j = {
 appenders {
     console name:'stdout'
     rollingFile  name:'file', file: logDirectory + '/app.log', threshold: org.apache.log4j.Level.INFO, maxFileSize:"1MB", maxBackupIndex: 10, 'append':true    
 }

 error  'org.codehaus.groovy.grails.web.servlet',  //  controllers
        'org.codehaus.groovy.grails.web.pages', //  GSP
        'org.codehaus.groovy.grails.web.sitemesh', //  layouts
        'org.codehaus.groovy.grails.web.mapping.filter', // URL mapping
        'org.codehaus.groovy.grails.web.mapping', // URL mapping
        'org.codehaus.groovy.grails.commons', // core / classloading
        'org.codehaus.groovy.grails.plugins', // plugins
        'org.codehaus.groovy.grails.orm.hibernate', // hibernate integration
        'org.springframework',
        'org.hibernate',
        'org.codehaus.groovy.grails.scaffolding.view.ScaffoldingViewResolver'

 warn   'org.mortbay.log'

 root {
     info 'stdout', 'file'
     additivity = true
 }
}

It has been tested to work on Grails version is 1.1.1 with Tomcat 6.0.

Grails and Query Into Database View and Multiple Datasources

I want to bypass the Grails stack to query a database directly. It sounds silly. Anyway the very first reason why I chose Grails is to avoid that hassle. However I have a special case that it demands read-only queries into:

1. multiple databases
2. a database view
3. Netezza, a database with no hibernate dialect
   

In my opinion, the difficulties of 2) and 3) keep any Object Relational Mapping (ORM) solutions out of the game. Otherwise, the Grails plugin, datasources, will be a good candidate to resolve issue 1).

The following solution is a Groovy-style DAO query:

1. define the second datasource in grails-app/conf/spring/resources.groovy:

   
   import org.apache.commons.dbcp.BasicDataSource
   beans = {
   dataSourceNetezza(BasicDataSource) {
    driverClassName = "org.netezza.Driver"
    url = "jdbc:netezza://server:5480/database_name"
    username = "xyz"
    password = "abc"
   }
   }
   

   
   


2. Use the dataSourceNetezza defined above in a controller where the Spring application context is available. Note that the dataSourceNetezza is auto-wired by Spring and the names have to match.

import groovy.sql.Sql

class TablesController {

def dataSourceNetezza

def list = {
 if (servletContext.dbList == null)
  servletContext.dbList = new Sql(dataSourceNetezza).rows("SELECT distinct DATABASE_NAME FROM REPOSITORY")
 print servletContext.dbList
}
 ...
}

This approach looks extremely simple with less than 15 lines of code. Keep in mind that, there is no ORM.

Grails and Legacy Database

Recently I played around Grails with a legacy database. Here are some tips I gathered around the journey:
1. I chose to use SpringSource Tool Suite, an IDE based on Eclipse. I love its feature to bring up Grails command prompt with a convenient short cut of 'ctrl-alt-g'.
2. Google 'GRAG' and use its latest version to reverse engineer your legacy database. GRAG certainly has room for improvement but it does a decent job to create the domain objects and save you a lot of typing. BTW, it's totally fine if you don't want to use GRAG and prefer to manually generate the domain classes.
3. Refine the domain definition. Note that Grails/Hibernate uses 'id' as the default field name for primary keys. You may not wish to change this convention or define another field as existingId. Unfortunately that's just the default behavior of GRAG 1.1.

static mapping = {
 table 'Legacy_Table'
 version false
 id column:'Existing_ID'
} ...

4. If the existing primary key is in the type of a String the domain definition needs additional tweak:

static mapping = {
 table 'Legacy_Table'
 version false
 id column:'String_ID', generator:'assigned'
}
String id

An exception of 'Fail to convert to internal representation' will be thrown if you fail to declare the id as a String

5. If you are careful enough you may find that the generator is defined as 'assigned' instead of the default value. This means the application will generate the primary key. Accordingly the save() operation has to explicitly set the String 'id'. Controller's save operation will look like:

   def save = {
       def legacyTable = new legacyTable(params)
legacyTable.id = params.id
       if(!legacyTable.hasErrors() && legacyTable.save())
       ...
    }

Please let me know if it works. I will be surprised if not.

One of the limitations Grails have is that, the 'version false' statement basically turns off the versioning from Gorm and its underline Hibernate implementation. If two users update the same database entry simultaneously, the system's behavior may not be predictable. In another word, we are counting on the optimistic lock on the data integrity.

Multiple Installation Instances of IBM Websphere Commerce 6.0 Developer

Websphere Commerce Developer installation is really intensive. It's perfectly fine to have multiple Toolkit setup on the same machine for multiple profiles, for example, two different fix pack versions.

Steps:
1. Install or reuse existing installation of RAD/WAS
2. Install Commerce to a new location
3. Run setup.bat if you don't have a setup.log in ${WCToolkitEE60_ROOT}\logs
4. Run setdbtype to point the Commerce to the right database

That's it.

Spawn a Thread in a Servlet

When I search this topic on Google, the first impression is that, 'Stop! Just Don't Do It'. Threading code is error prone, not mentioning in a managed container. Additionally there are alternatives like Message Driven Beans or Java Message System, which are specially designed for this purpose. However, you may have a specific situation where threading in Servlet seems to be the only viable solution, for example the JSP page kicks off a long running process at the backend. What can you do? Fortunately it's totally doable if you are careful enough.

First, let's evaluate the risks. Obviously if your servlet is going to spawn multiple threads, this servlet cannot serve many concurrent users at the same time. Otherwise the thread pool will easily dry up and brings the server down to its knees. Concurrent access may cause race conditions and subtle synchronization problems too, especially in a load-balanced or clustered environment. Thread leak may be another risk. If not cleaned up appropriately, each leaked thread will have a reference to its classloader and prevent this classloader from being garbage collected. After enough reload of the application, you may run into out of PermGen space memory errors.

If the risks mentioned above do not apply to your particular situation or didn't scare you off, let's continue. The solution is as the following:
1. Instantiate your thread object as a daemon in your Servlet or ServletContextListener and call yourThread.start();
2. Store it as an attribute in your application context;
3. Return the HttpServletResponse;
4. Clean up the thread when the servlet or the application context is destroyed
5. Don't pass HttpservletRequest/Response/Session objects to the thread

List JNDI Names

Sometimes we need to list all the JNDI names in an application server for debugging purpose. Other times, we may wish to list available datasources in a dropdown list for end-users to choose from. How to do this? In a nutshell, the JNDI bindings are organized in a tree strucuture. The following code is a simple example to recursively exhaust this binding tree:

Context ctx = (Context)new InitialContext().lookup("java:comp/env");
listContext(ctx, "");

/**
* Recursively exhaust the JNDI tree
*/
private static final void listContext(Context ctx, String indent) {
try {
   NamingEnumeration list = ctx.listBindings("");
   while (list.hasMore()) {
       Binding item = (Binding) list.next();
       String className = item.getClassName();
       String name = item.getName();
       logger.log(Level.INFO, indent + className + " " + name);
       Object o = item.getObject();
       if (o instanceof javax.naming.Context) {
    listContext((Context) o, indent + " ");
       }
   }
} catch (NamingException ex) {
   logger.log(Level.WARNING, "JNDI failure: ", ex);
}