Re: Trouble setting up ssl cert authentication from java/hibernate

From: Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>
To: Magosányi Árpád <mag(at)magwas(dot)rulez(dot)org>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Trouble setting up ssl cert authentication from java/hibernate
Date: 2011-11-02 22:23:27
Message-ID: 50519.174.89.183.26.1320272607.squirrel@atcmail.atc.tcs.com
Lists: pgsql-jdbc

Hello,

I am one of the guys who worked on the cert auth. It wasn't integrated in
the canonical driver because of lack of testing. Thanks for giving your
experience report.

Also, +1 for merging with canonical driver :)

> Hi!
>
> Well, I was able to connect using a CertAuthfactory method copied from
> http://postgresql.1045698.n5.nabble.com/attachment/4405851/0/CertAuthFactory.java
> Should I consider it a workaround or the canonical solution?
> It WORKSFORME, but I have seen mentioned that the driver supports
> certificate authentication out of the box by just configuring the
> underlying ssl.
> Solution is in commit 21a2edb4e43be142a70493bd4041eb64678faa32.
>
> On 2011-11-02 14:45, Magosányi Árpád wrote:
>> Hi!
>>
>> I have a server which authenticates with ssl certificates. I have no
>> trouble using it with psql.
>>
>> However I cannot figure out how to do the same with java. I have added
>> my private key and cert along with the CA cert to my keystore.
>> I set the javax.net.ssl.trustStore and
>> javax.net.ssl.trustStorePassword properties. But it seems that the
>> underlying ssl does not use my certificate/key.
>> Both the server and client report "FATAL: connection requires a
>> valid client certificate"
>> What am I doing wrong?
>>
>> The juice of my hibernate config is:
>> <property name="hibernate.connection.url">jdbc:postgresql://localhost:5433/archi?sslmode=required&amp;ssl=true&amp;</property>
>> <property name="hibernate.connection.username">mag</property>
>> <property name="hibernate.dialect">org.hibernate.dialect.PostgreSQLDialect</property>
>>
>> The juice of my test case:
>> String password = new PasswordDialog(new Shell()).ask();
>> System.out.println("keystore path="+System.getProperty("javax.net.ssl.trustStore"));
>> File keystorepath = new File(System.getProperty("user.home"),".keystore");
>>
>> System.setProperty("javax.net.ssl.trustStore",keystorepath.getAbsolutePath());
>> System.setProperty("javax.net.ssl.trustStorePassword", password);
>> System.out.println("keystore path="+System.getProperty("javax.net.ssl.trustStore"));
>> System.out.println("keystore pwd="+System.getProperty("javax.net.ssl.trustStorePassword"));
>>
>> Session session = getSessionFactory().getCurrentSession();
>> System.out.println("session="+session);
>> session.beginTransaction(); // dies here
>>
>> You can find the full code at commit
>> 8c35c887d973fed1ba6eccdcc7726a11ebfe0612 of
>> git(at)github(dot)com:magwas/org.rulez.magwas.styledhtml.git
>> org.rulez.magwas.enterprise/src/org/rulez/magwas/enterprise/repository/RepoFactoryTest.java
>>
>>
>> And the stack trace:
>>
>> org.hibernate.exception.GenericJDBCException: Cannot open connection
>>     at org.hibernate.exception.SQLStateConverter.handledNonSpecificException(SQLStateConverter.java:140)
>>     at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:128)
>>     at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:66)
>>     at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:52)
>>     at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:449)
>>     at org.hibernate.jdbc.ConnectionManager.getConnection(ConnectionManager.java:167)
>>     at org.hibernate.jdbc.JDBCContext.connection(JDBCContext.java:142)
>>     at org.hibernate.transaction.JDBCTransaction.begin(JDBCTransaction.java:85)
>>     at org.hibernate.impl.SessionImpl.beginTransaction(SessionImpl.java:1463)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>     at org.hibernate.context.ThreadLocalSessionContext$TransactionProtectionWrapper.invoke(ThreadLocalSessionContext.java:344)
>>     at $Proxy5.beginTransaction(Unknown Source)
>>     at org.rulez.magwas.enterprise.repository.RepoFactoryTest.test(RepoFactoryTest.java:28)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>     at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
>>     at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
>>     at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
>>     at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
>>     at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
>>     at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
>>     at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
>>     at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
>>     at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
>>     at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
>>     at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
>>     at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
>>     at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
>>     at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
>>     at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
>> Caused by: org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate
>>     at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:291)
>>     at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:108)
>>     at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:66)
>>     at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:125)
>>     at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
>>     at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
>>     at org.postgresql.Driver.makeConnection(Driver.java:393)
>>     at org.postgresql.Driver.connect(Driver.java:267)
>>     at java.sql.DriverManager.getConnection(DriverManager.java:620)
>>     at java.sql.DriverManager.getConnection(DriverManager.java:169)
>>     at org.hibernate.connection.DriverManagerConnectionProvider.getConnection(DriverManagerConnectionProvider.java:133)
>>     at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:446)
>>     ... 34 more

--
Marc-André Laverdière
Software Security Researcher
Innovation Labs, Tata Consultancy Services
Montréal, Québec, Canada
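
An added example, not part of the original message and not the CertAuthFactory linked in the thread: in JSSE the trustStore properties only decide which server certificates the client accepts, while the certificate and key the client presents come from key managers (for the default context, the `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` properties). The class `ClientCertContext` and its methods are hypothetical names; the sketch assumes one keystore holds the client key, its certificate and the CA certificate, and that the key password equals the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: builds a TLS context that can present a client certificate.
public class ClientCertContext {

    /** Number of private-key entries; 0 means there is nothing to present to the server. */
    static int privateKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) n++;
        }
        return n;
    }

    static SSLContext build(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (privateKeyEntries(ks) == 0) {
            throw new IllegalStateException("no private key entry in " + path);
        }
        // Key managers supply the client certificate and key when the server asks for one.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // assumption: key password == store password
        // Trust managers only decide whether the server's certificate is accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : System.getProperty("user.home") + "/.keystore";
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        char[] password = System.console().readPassword("keystore password: ");
        SSLContext ctx = build(path, password);
        System.out.println("client-cert context ready, protocol=" + ctx.getProtocol());
    }
}
```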