Wiki Page: HTTPS hostname wrong error when connecting an applet client to the server through GateKeeper

Problem:

Product Name: VisiBroker for Java
Product Version: 6.5
Product Component: Gatekeeper
Platform/OS version: All
JDK version: 1.6

When connecting a secure applet client to the server through a secure gatekeeper using JRE 1.6, the connection does not go through and the following error is thrown:

    Connecting https://x.x.x.x:1443/gatekeeper_hiops.ior with proxy=DIRECT
    java.io.IOException: HTTPS hostname wrong: should be
        at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.inprise.vbroker.URLNaming.ResolverImpl.locate(ResolverImpl.java:50)
        at com.inprise.vbroker.orb.ORB.resolve_web_name(ORB.java:1756)
        at com.inprise.vbroker.URLNaming.URLInterceptorAdapter.resolve(URLInterceptorAdapter.java:26)
        at com.inprise.vbroker.orb.URLManager.resolve(URLManager.java:37)
        at com.inprise.vbroker.orb.ORB.string_to_ior(ORB.java:394)
        at com.inprise.vbroker.orb.ORB.string_to_object(ORB.java:382)
        at com.inprise.vbroker.firewall.BindInterceptor.login(BindInterceptor.java:148)
        at com.inprise.vbroker.firewall.BindInterceptor.bind(BindInterceptor.java:38)
        at com.inprise.vbroker.interceptor.ChainBindInterceptorImpl.bind(ChainBindInterceptorImpl.java:38)
        at com.inprise.vbroker.orb.DelegateImpl._bind(DelegateImpl.java:294)
        at com.inprise.vbroker.orb.DelegateImpl.bind(DelegateImpl.java:273)
        at ...

Resolution:

The error is caused by a change in security behavior in the JRE 1.6 Java plug-in compared to JRE 1.5. The JRE 1.6 Java plug-in blocks navigation to an HTTPS site when the site presents a digital certificate issued to a hostname that is not the current URL's hostname. The JRE 1.5 Java plug-in is not so strict.
The certificate used by Gatekeeper must be issued to the actual hostname (e.g. sgsgs-tss10) where Gatekeeper is hosted, i.e. the Distinguished Name of the certificate must contain the hostname (e.g. myserver). Note that an IP address cannot be used.

Secondly, the numerical IP address style (e.g. x.x.x.x) should not be used in the various configurations. The hostname (e.g. myserver.com) of the machine hosting the gatekeeper must be used instead. This applies to the following configuration settings too:

a. The JRE java.policy file settings should use the hostname.
b. The gatekeeper server engine host property setting should use the hostname.
c. The Applet HTML page should use the hostname when setting the gatekeeper ior property.
d. The Windows Internet Explorer Address URL edit box should use the hostname to access the Applet HTML page.

To prove that the gatekeeper must use a certificate with a Distinguished Name containing the hostname for the HIOPS testcase to work with JRE 1.6, the gatekeeper must be started as follows, assuming that it is started on a machine with hostname "myserver".

1. Create a keystore (myserver_keystore) which stores the certificate, using the JDK's keytool:

    keytool -genkey -alias aliasname -keypass password -storepass password -keystore myserver_keystore -dname "CN=myserver, OU=aaa, O=bbb, L=ccc, C=ddd"

2. Comment out the following wallet properties in gkhiops.props:

    #vbroker.security.wallet.identity=delta
    #vbroker.security.wallet.password=Delt@$$$
    #vbroker.security.wallet.type=Directory:./identities

3. Use the keystore (myserver_keystore) instead when starting the gatekeeper:

    gatekeeper -props gkhiops.props -J-Djavax.net.ssl.keyStoreType=JKS -J-Djavax.net.ssl.keyStore=./myserver_keystore -J-Djavax.net.ssl.keyStorePassword=password
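A pre-flight check for the rules above, as an added example that is not part of the original article: it reads `keytool -list -v` output and verifies that the gatekeeper IOR URL uses a hostname equal to the certificate's CN rather than an IP address. The function names and the sample keytool output are constructed for illustration, and only the CN is compared, as the article describes.

```shell
#!/bin/sh
# Added example (not part of the original article): pre-flight check that the
# host in the gatekeeper IOR URL is a hostname matching the certificate CN.

# Print the CN from the "Owner:" line of `keytool -list -v` output on stdin.
cert_cn() {
    grep '^Owner:' | head -n 1 | sed 's/^Owner: *//' | tr ',' '\n' |
        sed -n 's/^ *CN=//p' | head -n 1
}

# Print the host part of an https:// URL.
url_host() {
    printf '%s\n' "$1" | sed -n 's|^https://\([^:/]*\).*|\1|p'
}

# Succeed if the argument looks like a dotted-quad IPv4 literal.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# check_gatekeeper_url URL   (keytool -list -v output on stdin)
# Returns 0 = match, 1 = CN mismatch, 2 = IP literal in URL, 3 = parse failure.
check_gatekeeper_url() {
    host=$(url_host "$1")
    cn=$(cert_cn)
    if [ -z "$host" ] || [ -z "$cn" ]; then
        echo "cannot parse URL or certificate owner" >&2; return 3
    fi
    if is_ipv4 "$host"; then
        echo "URL uses IP address $host; use the hostname $cn" >&2; return 2
    fi
    lc_host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    lc_cn=$(printf '%s' "$cn" | tr '[:upper:]' '[:lower:]')
    if [ "$lc_host" != "$lc_cn" ]; then
        echo "URL host $host does not match certificate CN $cn" >&2; return 1
    fi
    return 0
}

# Constructed sample of `keytool -list -v` output for the keystore in step 1.
SAMPLE_KEYTOOL_OUTPUT='Alias name: aliasname
Entry type: PrivateKeyEntry
Owner: CN=myserver, OU=aaa, O=bbb, L=ccc, C=ddd
Issuer: CN=myserver, OU=aaa, O=bbb, L=ccc, C=ddd'

# Real use:
#   keytool -list -v -keystore ./myserver_keystore -storepass password |
#       check_gatekeeper_url https://myserver:1443/gatekeeper_hiops.ior
```

Run the same check against each place the article lists (java.policy, the server engine host property, the applet page's ior property) by passing the URL configured there.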
