M100550: Behavior explanation: Configuring JRE 1.3.1 environments for HTTPS support

By default, JRE 1.3.1 does not include JSSE (Java Secure Socket Extension) because of the export regulations in force when JRE 1.3.1 was released. JSSE is included by default in JRE 1.4.x and is available for JRE 1.3.1 as a separate package.

Because of this, HTTPS support in the ManageSoft Linux client will not work unless JSSE is installed and configured properly on the client machine, and HTTPS support is enabled inside of ManageSoft itself.

To install and configure JSSE on a JRE 1.3.1 environment, download the Sun JSSE reference implementation from:
http://java.sun.com/products/jsse/index-103.html

(Go to the bottom of the page and click 'continue' under 'JSSE 1.0.2 software...'.)

Save the archive and unzip it in a directory somewhere.

Copy the files jnet.jar, jcert.jar and jsse.jar to your JRE's extension directory, i.e.:

$> cp jnet.jar jcert.jar jsse.jar $JAVA_HOME/jre/lib/ext

and edit the $JAVA_HOME/jre/lib/security/java.security file.

Search for the security provider lines:

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCA
#security.provider.3=

and add the following class name as a provider, adjusting the provider number as appropriate:

security.provider.3=com.sun.net.ssl.internal.ssl.Provider 

This adds JSSE support to your JRE.

Now enable HTTPS support inside of ManageSoft. To do this, open the ManageSoft configuration file /etc/managesoft/managesoft.xconf in an editor and make sure the following lines in the <https-source .../> declaration are not commented out.

<httpsclient-source id="https" logger="resolver.https">
    <!-- Optional JSSE provider specification
    <parameter name="provider" value="some.jsse.Provider"/>
    -->
    <!-- Note, if you wish to use self-signed/untrusted certificates
         uncomment the appropriate custom socket factory below.
         To enforce CA verified certificates, uncomment all -->
    <!-- Use this for IBM JRE 1.4.1
    <parameter name="socket-factory" value="com.managesoft.networking.ssl.ibmjsse.EasySSLProtocolSocketFactory"/>
    -->
    <!-- Use this for all JRE 1.3.x vendors
    <parameter name="socket-factory" value="com.managesoft.networking.ssl.sunjsse.EasySSLProtocolSocketFactory"/>
    -->
</httpsclient-source>

The 'optional JSSE provider' XML fragment can generally be left as is.

(If the customer has a custom or commercial JSSE implementation that needs to be registered with ManageSoft dynamically, uncomment this fragment and specify the provider class name in the 'value' field; otherwise leave it commented out.)

If you are using an IBM JDK 1.4.x environment, ensure that the ibmjsse socket factory is uncommented.

If you are using a Sun 1.3.x or Sun 1.4.x environment, ensure that the sunjsse socket factory is uncommented.

Make sure only one socket factory is uncommented.

(Unfortunately this last step is required, as IBM and Sun have differing JSSE provider class names. Later versions of the ManageSoft Linux client will determine this dynamically and remove the need for this manual configuration step.)

This enables HTTPS support in ManageSoft. Ensure that an HTTPS location is specified in the /var/lib/managesoft/etc/download.xconf (or upload.xconf) file, and all should be done.

Note, by default JSSE does not allow untrusted/self-signed certificates - this last configuration line actually specifies a socket factory implementation that relaxes this to allow customers to use ManageSoft with an internal HTTPS server that doesn't have a publicly certified certificate.

If a customer has a certifying authority (CA) signed certificate and would like the default JSSE behavior, then uncomment both 'socket-factory' lines above. Depending on which CA they've contacted the JRE might require further configuration, but the customer should receive details about how to do this from their CA.

If they would like to enforce further restrictions upon the creation of secure sockets then a custom socket factory needs to be written that implements the following Java interface:
http://jakarta.apache.org/commons/httpclient/apidocs/org/apache/commons/httpclient/protocol/SecureProtocolSocketFactory.html
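
A read-only check of the two edits described in this article, as an added example that is not ManageSoft or Sun code: it reports whether the JSSE provider line in java.security is reachable and which socket-factory parameters in managesoft.xconf are active rather than commented out. The function names and the sample file contents are constructed for illustration, and the script assumes the JRE reads security.provider.N entries in order from 1 and stops at the first missing number.

```shell
JSSE_CLASS="com.sun.net.ssl.internal.ssl.Provider"

# Print the JSSE provider's slot if the JRE will reach it, else return 1.
# Assumption: providers load from slot 1 upward and stop at the first gap.
jsse_provider_slot() {
  awk -v want="$JSSE_CLASS" '
    /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
      split($0, kv, "=")
      n = kv[1]; sub(/^.*provider\./, "", n); gsub(/[ \t]/, "", n)
      v = kv[2]; gsub(/[ \t\r]/, "", v)
      cls[n + 0] = v
    }
    END { for (i = 1; (i in cls); i++) if (cls[i] == want) { print i; exit 0 }
          exit 1 }'
}

# Print each socket-factory value that sits outside an XML comment.
active_socket_factories() {
  awk '{
    line = $0; out = ""
    while (line != "") {
      if (c) {                      # inside a comment: look for its end
        i = index(line, "-->"); if (!i) break
        line = substr(line, i + 3); c = 0
      } else {
        i = index(line, "<!--"); if (!i) { out = out line; break }
        out = out substr(line, 1, i - 1); line = substr(line, i + 4); c = 1
      }
    }
    print out
  }' | tr '>' '\n' |
    sed -n 's/.*name="socket-factory"[ ]*value="\([^"]*\)".*/\1/p'
}

# Constructed sample inputs (not taken from a real host).
sample_java_security() {   # $1 = slot number given to the JSSE provider
  printf '%s\n' 'security.provider.1=sun.security.provider.Sun' \
    'security.provider.2=com.ibm.crypto.provider.IBMJCA' \
    '#security.provider.3=' "security.provider.$1=$JSSE_CLASS"
}
sample_xconf() {
  p='<parameter name="socket-factory" value="com.managesoft.networking.ssl'
  printf '%s\n' '<httpsclient-source id="https" logger="resolver.https">' \
    '<!-- Use this for IBM JRE 1.4.1' "$p.ibmjsse.EasySSLProtocolSocketFactory\"/>" \
    '-->' "$p.sunjsse.EasySSLProtocolSocketFactory\"/>" '</httpsclient-source>'
}

sample_java_security 3 | jsse_provider_slot
sample_java_security 4 | jsse_provider_slot || echo "JSSE provider unreachable"
sample_xconf | active_socket_factories
```

On a client, feed the real files on standard input, for example `jsse_provider_slot < $JAVA_HOME/jre/lib/security/java.security` and `active_socket_factories < /etc/managesoft/managesoft.xconf`. Per the note above, an active EasySSLProtocolSocketFactory means the client accepts untrusted and self-signed certificates.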
