OSLC Workshop with RTC 5.0 (SSLPeerUnverifiedException)


Tayaka Mizushima (622016) | asked Jun 04 '14, 2:20 a.m.
Hello, I'm trying to run the OSLC workshop example.

Open Services for Lifecycle Collaboration Workshop

https://jazz.net/library/article/635

https://jazz.net/wiki/bin/view/Main/OSLCWorkshopDownload


With RTC 4.0.2, it worked.
But with RTC 5.0, I got an SSLPeerUnverifiedException (see details below).
 ・Server: RTC 5.0 (Express Setup)
   - recreated self-certification after installed
 ・Client: RTC IDE Client

Is there any information about this error?
Is OSLC workshop example compatible with CLM 5.0?
If it isn't compatible, is there any OSLC Java sample for CLM 5.0?

SSLPeerUnverifiedException detail:
>> Example01: Accessing Root Services document with HttpClient
    - Root Services URI: https://jazz-server:9443/ccm/rootservices
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:177)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
    at net.jazz.oslc.consumer.examples.Example01.main(Example01.java:52)

Accepted answer


Donald Nong (14.4k314) | answered Jul 24 '14, 4:54 a.m.
Well I figured it out after some debugging and mucking around. It seems that the CLM 5.0 server (with the bundled Tomcat anyway) no longer allows SSL connection with SSLv3 protocol, and TLSv1 is the only one supported in the default configuration. Due to the mismatched protocol, the SSL handshake will fail and no connection can be established. To make the sample code work, you need to modify the net/jazz/oslc/utils/HttpUtils.java file by changing
            sc = SSLContext.getInstance("SSL"); //$NON-NLS-1$
to
            sc = SSLContext.getInstance("TLSv1"); //$NON-NLS-1$
With this change, the code should still work with CLM 4.0.x server since it supports both SSLv3 and TLSv1.

Rosa Naranjo selected this answer as the correct answer
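
Added example (not part of the original answer or the workshop code): a JDK-only check of which protocol versions each `SSLContext` name enables on the client JVM, compared against the server's protocol list. The class name is hypothetical and the server list (`TLSv1` only) is a constructed sample taken from the answer's description; results differ between JVM vendors and versions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class ContextProtocolCheck {

    // Constructed sample: protocols the server accepts, per the answer's
    // description of the CLM 5.0 default. Adjust to match your server.
    static final List<String> SERVER_PROTOCOLS = Arrays.asList("TLSv1");

    /** Protocol versions enabled by default for the named context. */
    static List<String> enabledProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key/trust managers, no network I/O
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /** Versions both sides share; an empty list means no handshake is possible. */
    static List<String> common(List<String> client, List<String> server) {
        List<String> shared = new ArrayList<String>(client);
        shared.retainAll(server);
        return shared;
    }

    public static void main(String[] args) {
        for (String name : new String[] {"SSL", "TLS", "TLSv1", "TLSv1.2"}) {
            try {
                List<String> client = enabledProtocols(name);
                List<String> shared = common(client, SERVER_PROTOCOLS);
                System.out.printf("%-8s enables %s -> %s%n", name, client,
                        shared.isEmpty() ? "no common protocol" : "shared " + shared);
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%-8s not provided by this JVM%n", name);
            } catch (Exception e) {
                System.out.printf("%-8s failed to initialise: %s%n", name, e);
            }
        }
    }
}
```

A shared protocol version is necessary but not sufficient: the two sides must also agree on a cipher suite, and the certificate must still pass the client's trust check.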

2 other answers



Donald Nong (14.4k314) | answered Jun 05 '14, 1:06 a.m.
I ran the same sample code against my own RTC 4.0.6 environment and jazz.net (5.0) and did not have any problems. The error that you got occurred when the HttpClient first connected to the Jazz server and failed to establish an SSL connection, so it has nothing to do with RTC versions or OSLC. It appears that the code "HttpUtils.setupLazySSLSupport(httpclient);" did not work in your case.
The sample code bundles Apache HTTP Client library 4.0.1 and works for me. Did you use a different version of that library?

Comments
Tayaka Mizushima commented Jun 05 '14, 9:06 p.m.

Thank you for your response.
>The sample code bundles Apache HTTP Client library 4.0.1 and works for me. Did you use a different version of that library?

I also use Apache HTTP Client library 4.0.1 bundled with workshop.


Donald Nong commented Jun 05 '14, 9:43 p.m.

That's a bit strange. You can use another HTTPS connection for testing. It does not need to be Jazz server. Just pick a secure connection with an unverified certificate (most self-signed certificates fall into this category). If the problem can still be reproduced, you have to debug a bit further, probably on Apache HTTP Client.


Mustafa Askin commented Jul 23 '14, 2:52 a.m. | edited Jul 23 '14, 2:56 a.m.

@Dnong I tried with CLM 4.0.2 and 4.0.6 with no problem, but CLM 5.0 still has the same error. I am also using the Apache HTTP Client library 4.0.1 bundled with the workshop.





Donald Nong commented Jul 23 '14, 3:26 a.m.

I can actually see the same error in my CLM 5.0 environment now for some reason. I analyzed the network trace using Wireshark and found out that the Java application actually communicated with the CLM 5.0 server (GET versionCompatibility) before being kicked out by the server (it seems).
The curious thing is CLM 4.0.6 and CLM 5.0 actually use the same certificate if the bundled Tomcat is used.
Some more digging is still required.


Naoto Sano (212) | answered Jun 19 '14, 10:46 p.m.
Import your server's self-signed certificate to the client JDK's key store, and comment out the line which calls "net.jazz.oslc.utils.HttpUtils.setupLazySSLSupport()".

First, export the key using your browser, or by executing keytool on the server side.

To import a server's key to the client key store using keytool, here is the sample command:
keytool -import -trustcacerts -file <your-server's-certificate-path> -alias clm50ca -keystore ..\lib\security\cacerts
Note that backing up the key store is recommended, and the default key store password is "changeit".
