Reputation: 1081
I have one Java program that connects to one server, interacts with that server and does a simple task (say, hello world).
My Java program is to interact with a VMware ESXi server, with the following code:
    ServiceInstance si = new ServiceInstance(new URL("https://10.100.13.36/sdk"), "root", "teamw0rk", true);
The true parameter sets ignore certificate to true.
Even though it is a VMware interaction library, it is purely a problem with the certificate, because when I put false for ignore certificate, I got the general certificate expectation from the library files.
The program is as follows:
    package com.vmware.vim25.mo.samples;

    import java.net.URL;
    import com.vmware.vim25.*;
    import com.vmware.vim25.mo.*;

    public class HelloVM
    {
        public static void main(String[] args) throws Exception
        {
            long start = System.currentTimeMillis();
            // Last argument false = do not ignore certificate errors; this call throws the exception below
            ServiceInstance si = new ServiceInstance(new URL("https://10.100.13.36/sdk"), "root", "teamw0rk", false);
            long end = System.currentTimeMillis();
            System.out.println("time taken:" + (end-start));
            Folder rootFolder = si.getRootFolder();
            String name = rootFolder.getName();
            System.out.println("root:" + name);
            // Look up all virtual machines below the root folder
            ManagedEntity[] mes = new InventoryNavigator(rootFolder).searchManagedEntities("VirtualMachine");
            if(mes==null || mes.length ==0)
            {
                return;
            }
            // Print a few properties of the first virtual machine found
            VirtualMachine vm = (VirtualMachine) mes[0];
            VirtualMachineConfigInfo vminfo = vm.getConfig();
            VirtualMachineCapability vmc = vm.getCapability();
            vm.getResourcePool();
            System.out.println("Hello " + vm.getName());
            System.out.println("GuestOS: " + vminfo.getGuestFullName());
            System.out.println("Multiple snapshot supported: " + vmc.isMultipleSnapshotsSupported());
            si.getServerConnection().logout();
        }
    }
The error is related to expecting the SSL certificate.
    Exception in thread "main" java.rmi.RemoteException: VI SDK invoke exception:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.100.13.36 found
        at com.vmware.vim25.ws.WSClient.invoke(WSClient.java:182)
        at com.vmware.vim25.ws.WSClient.invoke(WSClient.java:124)
        at com.vmware.vim25.ws.VimStub.retrieveServiceContent(VimStub.java:1521)
        at com.vmware.vim25.mo.ServiceInstance.<init>(ServiceInstance.java:85)
        at com.vmware.vim25.mo.ServiceInstance.<init>(ServiceInstance.java:69)
        at com.vmware.vim25.mo.samples.HelloVM.main(HelloVM.java:16)
As I confirmed, the program error has no relation to VMware; it is related to the certificate.
The first step I have done is creating the JKS file using the following command:
    c:/java/jre/bin>keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
It creates keystore.jks in the bin folder.
I have to understand how to refer to this keystore.jks in the Java program. (I have little knowledge of this, sorry.)
How do I generate the certificate, and what is the meaning of importing the certificate and exporting the certificate?
In my case, do I need to import or export?
Initially I posted the question to one person. He answered: "At high level, you will need the server certificate into your keystore and include the keystore in the JVM parameter".
Please clarify my doubts and throw some light on this.
Thank you.
Upvotes: 3
Views: 2646
Reputation: 8865
Try adding -dname CN=10.100.13.36 when you generate the certificate. I don't think you even need to use subject alternate names. The common name (CN) should be equal to the domain name you used in the URL to connect.
Upvotes: 0
Reputation: 310840
The certificate is used by Tomcat, not your client. See the Tomcat SSL documentation.
Upvotes: 0
Reputation: 12770
Short answer:
First test using DNS name of the server instead of IP (long explanation here).
Second if you want to use the certificate, you will have to import the server certificate, not to generate one by yourself...
Upvotes: 0
Reputation: 7323
The error you are getting is complaining that the host name in the URL (10.100.13.36) does not match any of the server names contained in the server's SSL certificate.
    CertificateException: No subject alternative names matching IP address 10.100.13.36 found
Can you retry using the actual server name in your URL request? You may need to use the fully qualified name of the server, as you need to match the name of the server that is contained in the SSL certificate that the server is using.
You can use the curl command to take a look at the server's certificate, for example:
    curl -v https://10.100.13.36/sdk
Here's what Microsoft's SSL certificate contains:
    C:\>curl -v https://www.microsoft.com
    * About to connect() to www.microsoft.com port 443 (#0)
    * Trying 64.4.11.20... connected
    * Connected to www.microsoft.com (64.4.11.20) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: c:\tpf$\bin\curl-ca-bundle.crt
    CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using RC4-MD5
    * Server certificate:
    * subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; OU=MSCOM; CN=
    www.microsoft.com
    * start date: 2012-03-29 19:29:53 GMT
    * expire date: 2014-03-29 19:29:53 GMT
    * common name: www.microsoft.com (matched)
    * issuer: DC=com; DC=microsoft; DC=corp; DC=redmond; CN=Microsoft Secure
    Server Authority
    * SSL certificate verify ok.
    > GET / HTTP/1.1
Upvotes: 1
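The name-matching rule behind the error message quoted in the answer above, as an added example that is not part of the original answer or of the VMware library: a simplified model of the RFC 2818 server-name check. The class and method names and the certificate names (esx01.example.test) are assumptions made for illustration; the real server's certificate contents are not shown on the page.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

// Added example: simplified model of the RFC 2818 server-name check (Java 8+).
public class SanCheck {
    // GeneralName type codes as returned by X509Certificate.getSubjectAlternativeNames()
    static final int DNS = 2, IP = 7;

    static List<?> san(int type, String value) { return Arrays.asList(type, value); }

    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // Exact match, or a wildcard covering only the left-most label ("*.example.test").
    static boolean dnsMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(h);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    static String check(String host, Collection<List<?>> sans, String cn) {
        if (isIpLiteral(host)) {
            // IP literal in the URL: only iPAddress SAN entries count; the CN is not consulted.
            for (List<?> e : sans)
                if (e.get(0).equals(IP) && host.equals(e.get(1))) return "match (iPAddress SAN)";
            return "FAIL: no iPAddress SAN equals " + host;
        }
        boolean sawDns = false;
        for (List<?> e : sans) {
            if (!e.get(0).equals(DNS)) continue;
            sawDns = true;
            if (dnsMatches((String) e.get(1), host)) return "match (dNSName SAN)";
        }
        // The CN is a fallback only when the certificate carries no dNSName SAN at all.
        if (!sawDns && cn != null && dnsMatches(cn, host)) return "match (CN fallback)";
        return "FAIL: no dNSName SAN or CN matches " + host;
    }

    public static void main(String[] args) {
        // Constructed certificate contents (assumed for illustration only).
        List<List<?>> sans = Arrays.asList(san(DNS, "esx01.example.test"), san(DNS, "esx01"));
        String cn = "esx01.example.test";
        for (String host : new String[] {"10.100.13.36", "esx01.example.test", "other.example.test"})
            System.out.println(host + " -> " + check(host, sans, cn));
    }
}
```

With these constructed names, the IP literal fails while the DNS name in the certificate matches, which is the situation the stack trace reports.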