Java SSL handshake errors and what they mean Some of the common SSL errors that you run into when connecting to a secure HTTP server with Javajavax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate - This happens when the server is requesting a client certificate and the client is not presenting a valid certificate. For this you need to configure your local Java Keystore, with a valid client certificatejavax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - This indicates that the client does not trust the server. This can be either due to the fact that the Java Trust Store is not configured or the Trust Store does not have the servers certificate. For this, you need to import the Server certificate into the local Java Trust Store. A quick way to trust the server is to export the servers certificate with Firefox (Here is How) and then import it using Java Keytool keytool -import -file Example.cer -keystore exampleraystore Using SSL with Axis 2 When connecting to a secure web service endpoint with an Axis 2 client, there are multiple ways to configure SSL on the client. Basically the client needs to have the public certificate of the server that its trying to connect to. Here are the different ways you can configure the client at runtime.1. Set the default Java keystore by setting system propertiesSystem.setProperty("javax.net.ssl.keyStore", keyStorePath); System.setProperty("javax.net.ssl.keyStorePassword", "password");This will set the keystore for the entire JVM, so every connection emanating from this JVM will use this keystore file to load its certificates2. Axis 2 uses Commons HTTP client. So you can configure the client directly as followsProtocol.registerProtocol("https", new Protocol("https", new CustomSSLSocketFactory(), 9443));CalculatorService service = new CalculatorService("https://localhost:9443/calculatorService);The CustomSSLSocketFactory can then load the appropriate keystore at runtime. This applies to all HTTPS connection from this Axis2 instance.3. Create a custom protocolProtocol.registerProtocol("myhttps", new Protocol("https", new CustomSSLSocketFactory(), 9443));CalculatorService service = new CalculatorService("myhttps://localhost:9443/calculatorService);This method will not change the default Protocol Handler for the HTTPS protocol but simply use our CustomSSLSocketFactory when connecting to this particular service (https://localhost: 9443/calculatorService).4. Manipulate the stub directly by doingProtocol authProtocol = new Protocol("https", new CustomSSLSocketFactory(), 9443));stub._getServiceClient().getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, authProtocol);This will set the Custom protocol handler directly on the client and does not affect other call outs from different clients/threads in the axis engine. This can be useful when you want to load different certificates for different URL’s.Method #2 and #3 are better described here. Canvas LMS Third Party Authentication with SAML We are using Canvas LMS but want to use our own existing authentication, so our users don't need a second set of credentials to login to Canvas. I struggled a little bit with this so thought of posting this for reference. To get Canvas LMS working with third party authentication, you really have two optionsHost canvas LMS yourself and just plug-in a custom authentication module. Canvas is an open source LMS solution so this should work just fine.Setup a SAML identity provider (idp) and setup your account in Canvas with SAML authenticationWe chose option #2 because we were using a hosted version of Canvas. There is some documentation here on setting up various authentication profiles in Canvas.We used SimpleSaml as our SAML Identity Provider. SimpleSaml is very easy to setup and comes pre-packaged with multiple authentication providers (local text based basic authentication, OpenId etc.). Our plan was to write a custom authentication provider within SimpleSaml which would leverage our own custom username/password database.To set all this up just do the following.Canvas for Saml authentication. If you are testing with a local deployment of Canvas, edit config/saml.yml and add the followingdevelopment:entity_id: "http://localhost:3000/saml2"tech_contact_name: "Administrator"tech_contact_email: " This e-mail address is being protected from spambots. You need JavaScript enabled to view it. "encryption: xmlsec_binary: /usr/local/bin/xmlsec1private_key: /Applications/XAMPP/simplesamlphp/cert/server.pemcertificate: /Applications/XAMPP/simplesamlphp/cert/server.crtConfigure you Canvas account (super user account under which all others users are created) to use SAML authentication. Here is a screenshot of our configuration Install SimpleSaml and enable SAML authentication by editing simplesaml/config/config.php and declaring'enable.saml20-idp' = true, Edit simplesaml/config/authsources by setting up an appropriate authentication source. For testing we just used a in-memory Map of username-passwords as follows'example-userpass' = array('exampleauth:UserPass',' This e-mail address is being protected from spambots. You need JavaScript enabled to view it. :test' = array('uid' = array(' This e-mail address is being protected from spambots. You need JavaScript enabled to view it. '),'email' = ' This e-mail address is being protected from spambots. You need JavaScript enabled to view it. ','eduPersonAffiliation' = array('member', 'student'),),), Edit simplesaml/metadata/saml20-sp-remote.php and set Canvas as a remote Service Provider (Canvas deploys the SAML service provider by default)$metadata['http://localhost:3000/saml2'] = array('AssertionConsumerService' ='http://localhost:3000/saml_consume','SingleLogoutService' ='http://localhost:3000/saml_logout','NameIDFormat' = urn:oasis:names:tc:SAML:2.0:nameid-format:email','simplesaml.nameidattribute' = 'email', 'simplesaml.attributes'=FALSE,); I used the certificates that came with SimpleSaml. Just calculate the MD5 fingerprint of the certificate and use it to configure canvas (step #1). This establishes "trust" between Canvas and SimpleSamlThat should be it. Now when you try and go to the Canvas homepage at http://localhost:3000, it will forward you to the following ScreenOnce you login here (using the credentials in the example-userpass authentication provider),you should be logged in to Canvas automatically. Remember the test user ( This e-mail address is being protected from spambots. You need JavaScript enabled to view it. ) should already exist in Canvas and have a login id of This e-mail address is being protected from spambots. You need JavaScript enabled to view it. .I will post a follow up on creating a custom authentication provider in SimpleSaml....stay tuned Using MySQL and Postgres on Mac OS X (Lion) with RoR I ran into this issue with using MySQL and Postgres drivers with a Ruby On Rails application on Mac OS X 10.7.3 (Lion). When trying to install the RoR dependency using "gem", I was getting the following error (same for MySQL)$ sudo gem install pg Building native extensions. This could take a while...ERROR: Error installing pg: ERROR: Failed to build gem native extension. /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/bin/ruby extconf.rbchecking for pg_config... yesUsing config values from /Library/PostgreSQL/8.3/bin/pg_configchecking for libpq-fe.h... yeschecking for libpq/libpq-fs.h... yeschecking for PQconnectdb() in -lpq... nochecking for PQconnectdb() in -llibpq... nochecking for PQconnectdb() in -lms/libpq... noCan't find the PostgreSQL client library (libpq)*** extconf.rb failed ***Could not create Makefile due to some reason, probably lack ofnecessary libraries and/or headers. Check the mkmf.log file for moredetails. You may need configuration options.Provided configuration options: --with-opt-dir --without-opt-dir --with-opt-include --without-opt-include=${opt-dir}/include --with-opt-lib --without-opt-lib=${opt-dir}/lib --with-make-prog --without-make-prog --srcdir=. --curdir --ruby=/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/bin/ruby --with-pg --without-pg --with-pg-dir --without-pg-dir --with-pg-include --without-pg-include=${pg-dir}/include --with-pg-lib --without-pg-lib=${pg-dir}/lib --with-pg-config --without-pg-config --with-pg_config --without-pg_config --with-pqlib --without-pqlib --with-libpqlib --without-libpqlib --with-ms/libpqlib --without-ms/libpqlibGem files will remain installed in /Library/Ruby/Gems/1.8/gems/pg-0.11.0 for inspection.Results logged to /Library/Ruby/Gems/1.8/gems/pg-0.11.0/ext/gem_make.outAfter trying a bunch of things, the solution was to install MySQL and Postgres with Homebrew Package Manager.After installing Homebrew, I simply ransudo env ARCHFLAGS="-arch i386" gem install pgand that was it. Thought this might help someone! ClearCase vs SVN Started a new gig last week. One of the first things I had to go through was a 45 minute training session on ClearCase. In case you don't know what it is (i had a vague idea till a few weeks ago), its a Version Control System (VCS) from IBM. After going through the training and playing around with ClearCase for a couple of day, its confusing why anyone in their right mind would pay money to use an inferior product. Compared to the simplicity of CVS, SVN (and perhaps GIT), ClearCase seems rather complicated for what it is trying to do. The main difference between ClearCase and SVN/CVS, is that ClearCase creates a "virtual view" (in case of Windows, a mapped drive) to the repository. Any changes you make to this view, is actually being done on the ClearCase server. This makes it a bad tool for collaborative change management and mandates that each developer create their own "virtual view" in ClearCase. As opposed to SVN, where you basically create a local snapshot of what is in the repository and then you are free to make changes to your local snapshot without affecting other people working on the same repository. This basic difference in makes a huge difference in how you interact with the VCS using ClearCase vs SVN/CVS.This makes it necessary for EACH developers to create their own personal branches to work on, and to periodically sync this branch back to trunk (or another release branch). This explains why at a previous assignment the CM team presented a similar approach, but using SVN, where a release branch was created on Day 1, and each developer had their own SVN branch to work on. When I questioned this approach as being unnecessarily complex, I was told that this was "Standard CM practice in the industry" :-(In my opinion SVN is clearly a superior product becauseHas less overhead for developers in setting up, checking in and merging their changes(SVN) Needs a light weight client and is easily and more readily integrated into a variety of tools - IDE's, Continuous Integration servers etc.ClearCase is SLOW and as the repository grows, it gets slower still. SVN on the other hand has no performance degradation over time or with increased actvityClearCase considers each file as an atmoic check-in, which means when checking in a bunch of files (which is often the case), the check-in can fail in between with no way to automatically revert the partial check-inThis might be minor for some but it seems like a HUGE deal to me. With the amount of interaction you have with the VCS on multi developer software projects, even minor inconveniences such as these (above) seem to have a big impact on productivity. Why is IBM sticking with this antiquated technology? Why is it in such widespread use? Have i missed some major advantages of ClearCase? http://invaconsult.com.ua/ http://invaconsult.com.ua/
System.setProperty("javax.net.ssl.keyStore", keyStorePath); System.setProperty("javax.net.ssl.keyStorePassword", "password");
Protocol.registerProtocol("https", new Protocol("https", new CustomSSLSocketFactory(), 9443));CalculatorService service = new CalculatorService("https://localhost:9443/calculatorService);
Protocol.registerProtocol("myhttps", new Protocol("https", new CustomSSLSocketFactory(), 9443));CalculatorService service = new CalculatorService("myhttps://localhost:9443/calculatorService);
Protocol authProtocol = new Protocol("https", new CustomSSLSocketFactory(), 9443));stub._getServiceClient().getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, authProtocol);
development:entity_id: "http://localhost:3000/saml2"tech_contact_name: "Administrator"tech_contact_email: " This e-mail address is being protected from spambots. You need JavaScript enabled to view it. "encryption: xmlsec_binary: /usr/local/bin/xmlsec1private_key: /Applications/XAMPP/simplesamlphp/cert/server.pemcertificate: /Applications/XAMPP/simplesamlphp/cert/server.crt
'enable.saml20-idp' = true,
'example-userpass' = array('exampleauth:UserPass',' This e-mail address is being protected from spambots. You need JavaScript enabled to view it. :test' = array('uid' = array(' This e-mail address is being protected from spambots. You need JavaScript enabled to view it. '),'email' = ' This e-mail address is being protected from spambots. You need JavaScript enabled to view it. ','eduPersonAffiliation' = array('member', 'student'),),),
$metadata['http://localhost:3000/saml2'] = array('AssertionConsumerService' ='http://localhost:3000/saml_consume','SingleLogoutService' ='http://localhost:3000/saml_logout','NameIDFormat' = urn:oasis:names:tc:SAML:2.0:nameid-format:email','simplesaml.nameidattribute' = 'email', 'simplesaml.attributes'=FALSE,);
$ sudo gem install pg Building native extensions. This could take a while...ERROR: Error installing pg: ERROR: Failed to build gem native extension. /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/bin/ruby extconf.rbchecking for pg_config... yesUsing config values from /Library/PostgreSQL/8.3/bin/pg_configchecking for libpq-fe.h... yeschecking for libpq/libpq-fs.h... yeschecking for PQconnectdb() in -lpq... nochecking for PQconnectdb() in -llibpq... nochecking for PQconnectdb() in -lms/libpq... noCan't find the PostgreSQL client library (libpq)*** extconf.rb failed ***Could not create Makefile due to some reason, probably lack ofnecessary libraries and/or headers. Check the mkmf.log file for moredetails. You may need configuration options.Provided configuration options: --with-opt-dir --without-opt-dir --with-opt-include --without-opt-include=${opt-dir}/include --with-opt-lib --without-opt-lib=${opt-dir}/lib --with-make-prog --without-make-prog --srcdir=. --curdir --ruby=/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/bin/ruby --with-pg --without-pg --with-pg-dir --without-pg-dir --with-pg-include --without-pg-include=${pg-dir}/include --with-pg-lib --without-pg-lib=${pg-dir}/lib --with-pg-config --without-pg-config --with-pg_config --without-pg_config --with-pqlib --without-pqlib --with-libpqlib --without-libpqlib --with-ms/libpqlib --without-ms/libpqlibGem files will remain installed in /Library/Ruby/Gems/1.8/gems/pg-0.11.0 for inspection.Results logged to /Library/Ruby/Gems/1.8/gems/pg-0.11.0/ext/gem_make.out
sudo env ARCHFLAGS="-arch i386" gem install pg
This e-mail address is being protected from spambots. You need JavaScript enabled to view it. This e-mail address is being protected from spambots. You need JavaScript enabled to view it.
Voice: 240-668-4287 Fax: 301-747-3025
