Untrusted certificates support #13

Closed
RPallas92 opened this issue Jun 5, 2014 · 16 comments

@RPallas92

Hello, we are trying to connect to an OpenStack server with an untrusted certificate, but it seems the API doesn't allow untrusted certs.
Does anybody know a solution? Thanks

gondor added a commit that referenced this issue Jun 6, 2014
…evelopment where untrusted certs are the norm
@gondor
Member

gondor commented Jun 6, 2014

I just added this feature to the 1.0.1-SNAPSHOT. Make sure you update your dependencies for your project if you're using Eclipse (sometimes you need to restart it depending on your version). If you are on the command line, you can force Maven dependencies by running "mvn -U clean compile".

To use the non-strict/self-signed SSL client, you will do the following during client creation:

OSClient client = OSFactory.builder()
                              .useNonStrictSSLClient(true)
                              // ... normal client stuff (endpoint, credentials, etc.)
                              .authenticate();

Let me know if this works for you!

@gondor gondor added this to the 1.0.1 Release milestone Jun 6, 2014
@Berbel92

Berbel92 commented Jun 9, 2014

We have updated our dependencies for our project in Eclipse. This is our Java source code:

try {
    OSClient os = OSFactory.builder()
                  .endpoint("ourEndPoint")
                  .credentials("username","password")
                  .tenantName("tenantName")
                  .useNonStrictSSLClient(true)
                  .authenticate();
    System.out.println("Conexion realizada con exito");
} catch (Exception e) {
    System.out.println(e);
}

When we run our Tomcat in Eclipse, we obtain the following Exception:

ConnectionException{message=javax.ws.rs.core.Response$Status$Family.familyOf(I)Ljavax/ws/rs/core/Response$Status$Family;, status=0}

Does anybody know what we can do?

Thanks

@gondor
Member

gondor commented Jun 9, 2014

@Berbel92 I need more info on your configuration.

Are you using Maven?
What does your dependency look like in your POM for OpenStack4j if you are?
If you're not using Maven, have you placed OpenStack4j in your Tomcat classpath and which jar are you using? You should be using -withdeps in this scenario.

@Berbel92

We don't use maven.
Our Openstack4j jar is "openstack4j-1.0.2-withdeps.jar"

@gondor
Member

gondor commented Jun 10, 2014

@Berbel92 Did the previous 1.0.1-withdeps.jar work for you, or is this your first time trying to use OpenStack4j with Tomcat, etc.?

@Berbel92

It's our first time.

@gondor
Member

gondor commented Jun 10, 2014

Is there a way to test your code from the command line by including the jar, etc.?

i.e. java -cp openstack4j-1.0.2-withdeps.jar com.Main

Are there any other applications using Jersey or Jackson, or are they in the common classpath within Tomcat for another application? I'm wondering if there is a version conflict somewhere.

@gondor
Member

gondor commented Jun 11, 2014

@berbel Read issue #16. It may be related to what you're seeing. The user was also running Tomcat and figured out the root cause with the environment.

@Berbel92

His solution works! Thanks for your attention!

@charliemc

@Berbel92 I'm happy it worked for you!! It took me a while to realize and make it work!! 👍 :)

@Berbel92

@charliemc Thank you very much for your hard work!

@charliemc

Oh! And @RPallas92 @gondor the '.useNonStrictSSLClient(true)' worked perfectly for me!

@gondor gondor closed this as completed Aug 12, 2014
@redixin

redixin commented Aug 28, 2017

useNonStrictSSLClient looks like an unsafe workaround, because in this case the client will connect to any server with any HTTPS cert.

OpenStack clients have an option like "cacert", and OpenStack deployments often use self-signed certificates, so it would be great to have such an option in openstack4j.

@vinodborole
Contributor

vinodborole commented Aug 29, 2017

@redixin would you like to contribute a fix for this?

@redixin

redixin commented Aug 29, 2017

@vinodborole I just found a solution. This can be done by applying Config with custom SSLContext. Something like this:

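import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.openstack4j.api.OSClient;
import org.openstack4j.core.transport.Config;
import org.openstack4j.openstack.OSFactory;

X509Certificate caCert;
try (InputStream is = new FileInputStream("/tmp/ca.pem")) { // CA certificate of the deployment; stream is closed after reading
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    caCert = (X509Certificate) cf.generateCertificate(is);
}
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null); // start from an empty in-memory keystore
ks.setCertificateEntry("caCert", caCert); // the only trusted issuer
tmf.init(ks);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null); // no client key, custom trust, default randomness
Config config = Config.newConfig();
config.withSSLContext(sslContext);
OSClient os = OSFactory.builderV3().withConfig(config)....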
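
An added example, not code from this thread or from openstack4j: it generalizes the snippet above to a PEM bundle holding several CA certificates and lists which issuers the resulting context accepts, next to the size of the JDK default store. The class and method names are hypothetical; run without a path argument, it writes the first JDK default root to a temp file as a constructed stand-in for the deployment's CA (this assumes a non-empty default trust store).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.HexFormat; // Java 17+
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CaBundleTrust { // hypothetical class name
    // Trust only the certificates in the PEM bundle; null means the JDK default store.
    static TrustManagerFactory trustFor(Path pemBundle) throws Exception {
        KeyStore ks = null;
        if (pemBundle != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null); // empty in-memory store
            try (InputStream in = Files.newInputStream(pemBundle)) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                    ks.setCertificateEntry("ca-" + ks.size(), c);
            }
            if (ks.size() == 0) throw new IllegalArgumentException("no certificates in " + pemBundle);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf;
    }
    // The certificates this factory's trust manager accepts as issuers.
    static X509Certificate[] anchors(TrustManagerFactory tmf) {
        return ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
    }
    public static void main(String[] args) throws Exception {
        X509Certificate[] jdkDefaults = anchors(trustFor(null));
        Path pem = args.length > 0 ? Path.of(args[0]) : Files.createTempFile("ca", ".pem");
        if (args.length == 0) // constructed sample: first JDK root stands in for the deployment CA
            Files.writeString(pem, "-----BEGIN CERTIFICATE-----\n" + Base64.getMimeEncoder(64, new byte[] {'\n'})
                    .encodeToString(jdkDefaults[0].getEncoded()) + "\n-----END CERTIFICATE-----\n");
        TrustManagerFactory tmf = trustFor(pem);
        SSLContext sslContext = SSLContext.getInstance("TLS"); // hand this to Config.withSSLContext(...)
        sslContext.init(null, tmf.getTrustManagers(), null);
        System.out.println("JDK default anchors: " + jdkDefaults.length);
        for (X509Certificate ca : anchors(tmf))
            System.out.println(ca.getSubjectX500Principal() + " sha256="
                    + HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(ca.getEncoded())));
    }
}
```

Comparing the printed SHA-256 fingerprint with the one published for the deployment's CA confirms the bundle contains the intended certificate before the context is used.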

@vinodborole
Contributor

@redixin great, thanks for the code snippet.

vinodborole pushed a commit that referenced this issue Oct 10, 2018
jsaroja66 pushed a commit to jsaroja66/openstack4j that referenced this issue Mar 13, 2020
Fix ContainX#5: Move to timestamped betamax snapshot