Sample: Certificate Installation
Added by Van Staub (IBM contributor) | Edited by Van Staub (IBM contributor) on May 4, 2011 | Version 5
Tags: samples
Table of Contents
  • 1 Overview
  • 2 Default Certificate Handling
  • 3 Obtaining the Certificate
  • 4 Installing the Certificate

Overview


It's often the case that developers must write secure code that interacts with secure resources such as sockets or web services. After creating code to communicate over the HTTPS protocol, developers are normally confronted with SSL errors. For example, the following error is typical.

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: CWPST508W: Certificate chain root is not a trusted certificate authority.

This is resolved by importing the SSL certificate used by the external resource into the Java VM's keystore. Developers may already be familiar with tools such as IKEYMAN that allow administrators to install certificates into the cacerts keystore. But assuming a new certificate, one not already present in Expeditor clients, has been created, how can developers deploy the new certificate to existing clients?

Default Certificate Handling


If the code is using the javax.net.ssl.HttpsURLConnection class, which is wrapped by the Expeditor client, the following message may be seen.



In some scenarios, users can elect to install the certificate themselves. For other scenarios such as web services or custom HTTPS code, the certificate may need to be added to the keystore prior to code execution.

Obtaining the Certificate


Other than having the certificate on file, the easiest way to obtain a certificate is by accessing the resource in a browser and exporting the certificate. Do the following.
  1. In the Firefox web browser, access the resource over the web using the HTTPS URL. Firefox will prompt you to make an exception provided the certificate does not already exist in the browser.
  2. Click "Add security exception" and the "Get Certificate" button.
  3. Click the "View" button to access the certificate.
  4. Finally click the "Export" button on the "Details" tab.
  5. Save the file as an X.509 Certificate (PEM) file.

Installing the Certificate


Now that you have a certificate, the file can be added to the root folder of a plugin. Using the plugin's Activator as an entry point, the following code illustrates how one might deliver the certificate via a plugin and have the plugin complete the installation.

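// imports needed at the top of the Activator's source file
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import org.eclipse.core.runtime.FileLocator;
import org.osgi.framework.BundleContext;

import com.ibm.rcp.security.auth.SecurePlatform;

public void start(BundleContext context) throws Exception {
	super.start(context);
	plugin = this;

	// get the certificate file from the root folder of this (unpacked) plugin
	File certFile = new File(
			FileLocator.getBundleFile(context.getBundle()), "certificate.crt");

	System.out.println("Installing " + certFile);

	if (SecurePlatform.isEnabled() && SecurePlatform.isLoggedIn()) {
		// obtain the KeyStore
		KeyStore ks = SecurePlatform.getKeyStore();

		// create a certificate; close the stream even if parsing fails
		CertificateFactory fac = CertificateFactory.getInstance("X.509");
		Certificate cert;
		InputStream in = new FileInputStream(certFile);
		try {
			cert = fac.generateCertificate(in);
		} finally {
			in.close();
		}
		ks.setCertificateEntry("entrust", cert); // add the cert

		// save the new keystore
		File file = new File(SecurePlatform.getKeyStoreUrl().getFile());
		OutputStream out = new FileOutputStream(file);
		try {
			ks.store(out, SecurePlatform.getPBEKeySpec().getPassword());
		} finally {
			out.close();
		}

		// check that the entry now holds this certificate; comparing sizes
		// would report a failure on every later start, because replacing an
		// existing alias does not change the number of entries
		if (cert.equals(ks.getCertificate("entrust"))) {
			System.out.println("Successfully added certificate");
		} else {
			System.err.println("Failed to add certificate");
		}
	} else {
		System.err
				.println("Verify that the platform is running and currently logged in");
	}
}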


Be mindful that the code reaches the certificate through a File handle. Deployers should add the plugin to a feature and ensure the "Unpack the plug-in archive after installation" check box on the "Plug-ins" tab is selected. If this is not done, the plugin will be compressed as a JAR and the certificate file will be unavailable. The code also assumes that it is run after the platform has been logged in (presumably by the user or via SSO). Accommodations should be made to start the plugin after this event has occurred.
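Because the certificate above is exported from a browser after accepting a security exception and then becomes a trust anchor on every client, a check a deployer may want before calling setCertificateEntry is to compare the file against a SHA-256 fingerprint obtained out of band. The following is an added example, not code from the original article or from Expeditor: the class and method names are hypothetical, and an empty in-memory keystore stands in for SecurePlatform.getKeyStore() so it runs outside the platform.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (hypothetical names): pin the certificate before trusting it.
public class PinnedCertInstaller {

	// Hex SHA-256 of the DER encoding, the value browsers and keytool display.
	static String sha256Hex(X509Certificate cert) throws Exception {
		byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
		StringBuilder sb = new StringBuilder();
		for (int i = 0; i < d.length; i++) {
			sb.append(String.format("%02X", Integer.valueOf(d[i] & 0xff)));
		}
		return sb.toString();
	}

	// Adds the certificate under alias only if it matches the pinned
	// fingerprint and is inside its validity period. An existing alias is
	// never overwritten: true is returned only if it already holds this cert.
	static boolean installIfPinned(KeyStore ks, String alias, InputStream in,
			String pinnedSha256) throws Exception {
		X509Certificate cert = (X509Certificate) CertificateFactory
				.getInstance("X.509").generateCertificate(in);
		String pin = pinnedSha256.replace(":", "").replace(" ", "").toUpperCase();
		if (!sha256Hex(cert).equals(pin)) return false; // not the expected cert
		cert.checkValidity(); // throws if expired or not yet valid
		if (ks.containsAlias(alias)) return cert.equals(ks.getCertificate(alias));
		ks.setCertificateEntry(alias, cert);
		return true;
	}

	// Usage: java PinnedCertInstaller certificate.crt <pinned SHA-256 hex>
	public static void main(String[] args) throws Exception {
		KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
		ks.load(null, null); // empty keystore standing in for the platform's
		InputStream in = new FileInputStream(args[0]);
		try {
			boolean ok = installIfPinned(ks, "entrust", in, args[1]);
			System.out.println(ok ? "Installed pinned certificate"
					: "Rejected: certificate not installed");
		} finally {
			in.close();
		}
	}
}
```

Inside the Activator, the same installIfPinned call would take the platform keystore and the stream opened on certificate.crt, with the pinned value compiled into the plugin.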
