Using SSL with httpunit FAQ

Where can I get information on SSL?

from Sun on SSL
from Thawte, a certificate vendor
from the JSSE part of Sun's site

What are some tools for creating and modifying certificates?

openssl which is also described at pseudonym.org
keytool for java  

How do I create a certificate?

Create a self-signed cert via openssl, given an existing key and openssl config file:

    openssl req -new -out output.pem -key my_key.pem -days 9999 -x509 -config openssl.cnf

There's also a way to do this with the java "keytool" application.
 

How can I make my certificate trusted by the JVM?


If you purchased your SSL certificate from Verisign or Thawte, then it should be automatically trusted by the "trust file" within the JVM (Sun seems to ship JVMs with certs from these two suppliers).  If you created your own certificate, you'll need to import that cert into cacerts.

How can I import my existing certificate into the "trust file" for a JVM?


1.  Find the trusted file "cacerts" in your JRE, e.g.
    find /java_install -name "cacerts"

2. Copy that file to a backup
    cp cacerts cacerts.bak

3. Install your certificate into the trust file (note: the file cacerts ships from Sun with password "changeit")
    keytool -import -alias <mycompany> -file mycert.pem -keystore $JAVA_HOME/jre/lib/security/cacerts

4. Verify that your cert was imported:
    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

How can I use SSL in httpunit?

1. You need an SSL certificate intalled into the web server to be tested. That certificate must be trusted by the JVM of the test rig (httpunit). That certificate must have, as its Common Name, the exact domain name of the web server you want to secure (e.g. "www.foo.com" or "secure.foo.com". I have not had luck with certs like *.foo.com.)

2.  You must enable SSL support (i.e., support for URLs that start with "https") in your test rig's JVM. Some environments like Weblogic offer native SSL support, which is fast compared to pure java.  For Weblogic, set the property weblogic.security.ssl.enable=true in the config file and just start using URLs like "https://myhost".  Also, there is at least one free SSL implementation in java.
 

How can I use a free SSL implementation?

There is a free SSL implementation available in pure java from Sun , although it is relatively slow, especially in its creation of the random key to start an SSL connection (about 3 seconds on a 600Mz PIII).  To use this implementation, download the JSSE package from the Sun URL above, then:

1. Add the three key jars to your JVM's "ext" (extentions) directory; e.g.
    cp jcert.jar jnet.jar jsse.jar $JAVA_HOME/jre/lib/ext/

2. After the jars are in place, you must modify the file "java.security" to allow usage of the providers found within the jars. Find the file
   find $JAVA_HOME -name "java.security"

3.  Add the following line to the file java.security:
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider

Then start using URLs like "https://myhost" within the test rig.  The HTTPS protocol will automatically cause new provider classes within the extention jars to be employed for a java.net.URL class and its related connections. Note that you should NOT add these jars to the CLASSPATH.  Javax jars are accessed by the JVM by their inclusion in the magic "ext" folder.
 

How do I solve a javax.net.ssl.SSLException: untrusted server cert chain?


See how to make your certificate trusted.
 

Compiled 12 Mar 2001 by larry hamel.  Please post corrections/comments to the httpunit discussion list.