restlets : communicating in SSL with tomcat

restlets : communicating in SSL with tomcat

Xavier Mehaut
Hello,
We use Tomcat with an SSL configuration to host our restlet application. Up to now we haven't succeeded in accessing restlets in SSL mode; do we need to add SSL parameters in restlets too, or is the Tomcat configuration sufficient?
regards
Xavier
Re: restlets : communicating in SSL with tomcat

Bruno Harbulot
Hi Xavier,

If you're using Restlet within a Servlet environment, it's the container
configuration that matters regarding SSL. If you have configured SSL on
your Tomcat container, this should be enough.
What kind of errors do you get (and which version of Restlet, just in case)?

Best wishes,

Bruno.

On 23/08/2010 15:39, Xavier M. wrote:
> Hello,
> We use Tomcat with SSL configuration to host our restlet application. Up
> to now we don't succeed accessing restlets in ssl mode ; Do we need to
> add ssl parameters in restlets too, or is the tomcat configuration
> sufficient?
> regards
> Xavier

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2650640
Re: restlets : communicating in SSL with tomcat

Xavier Méhaut
We use Tomcat 5.5 with SSL, and Restlet 2.0... The problem occurs when trying to access through the ClientResource set with the HTTPS protocol...
regards
Xavier

24 août 2010 11:56:38 org.restlet.engine.http.connector.Connection writeMessage
ATTENTION: Exception while writing the message headers.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at org.restlet.engine.http.connector.Connection.writeMessageHead(Connection.java:919)
    at org.restlet.engine.http.connector.Connection.writeMessageHead(Connection.java:933)
    at org.restlet.engine.http.connector.Connection.writeMessage(Connection.java:806)
    at org.restlet.engine.http.connector.ClientConnection.writeMessage(ClientConnection.java:297)
    at org.restlet.engine.http.connector.Connection.writeMessages(Connection.java:966)
    at org.restlet.engine.http.connector.Controller$1.run(Controller.java:81)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 25 more

Re: restlets : communicating in SSL with tomcat

Bruno Harbulot
Just to clarify, if I understand well, you're using a ClientResource
from within the Restlet environment running within Tomcat (so
effectively, your server is a client in that respect)?

How do you configure SSL on the client connector?

A priori, it looks like there's something wrong with the trust store
settings: either the server to which you're trying to connect has a
certificate that's not trusted by the default trust store available (if
you haven't specified anything), or the trust store is set up for
something that doesn't have the required CA certificate.

Best wishes,

Bruno.



------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2651189
Re: restlets : communicating in SSL with tomcat

Xavier Méhaut
Hi Bruno,
Actually our architecture is the following :
A PC runs a restlet server locally (without a servlet container); the resources served by this server themselves call other restlets located in another restlet server on another PC, but this second restlet server is hosted in Tomcat with SSL set up.
The problem occurs when trying to call these remote restlets from the first PC.
SSL is managed by tomcat and the certificate has been generated by java keygen.
regards
Xavier



Re: restlets : communicating in SSL with tomcat

Bruno Harbulot
On 25/08/10 13:53, Xavier Méhaut wrote:

> Hi Bruno,
> Actually our architecture is the following :
> A PC runs a restlet server locally (without a servlet container); the
> resources served by this server call themselves other restlets which are
> located into another restlet server on another PC, but this restlet
> server is hosted in Tomcat with SSL set up.
> The problem occurs when trying to call these remote restlets from the
> first PC.
> SSL is managed by tomcat and the certificate has been generated by java
> keygen.

Ah, this makes sense. When you say "the certificate has been generated
by java keygen", presumably, you haven't sent the certificate request to
a Certification Authority, so you're effectively using a self-signed
certificate on your Tomcat server (presumably, you meant "keytool"
instead of "keygen" too?).
There's nothing wrong with that (although this could become an issue if
you expect other clients to connect). However, for the client to be able
to connect, you need to tell it to trust your server's certificate
explicitly. This means that the trust store you're using on the client
side needs to contain this self-signed certificate.

The default trust store in Java is usually in
$JAVA_HOME/lib/security/cacerts (and the default password is "changeme").
I wouldn't necessarily modify that file, but you can take a copy of it
and import the certificate you've generated on the server into it.

* On the server:

1. Find the alias you need from the keystore (otherwise, the default
will be "mykey"):
    keytool -list -keystore keystore.jks

You should see a list like this:
Certificate fingerprint (MD5):
5B:91:3D:BB:A7:0D:04:F9:92:A0:79:0E:EA:30:45:6A
the alias name, 25-Aug-2010, PrivateKeyEntry,

2. Export the certificate:
    keytool -exportcert -keystore keystore.jks -alias "the alias name" -file servercert.der

(Note that you only export the certificate here, not the private key,
which is not to be distributed.)


* On the client:

1. It's not strictly required, but I would copy
$JAVA_HOME/lib/security/cacerts to a file that doesn't affect the whole
system, let's say "mycacerts.jks".

2. Import the server certificate into that store:
    keytool -importcert -keystore mycacerts.jks -trustcacerts -file servercert.der

(Optionally, use '-alias "some alias name"' if you want it to be easier
to identify later on in the list. I'd go for the host name there, but
it's just an internal indication in the store.)

3. Configure your Restlet client to use that as a trust store.

If you think it's a good idea to use this as a trust store across
everything that runs within that JVM, you can use the
javax.net.ssl.trustStore properties.

Otherwise, you can set it on a per-connector basis, using the Context
parameters:
parameters.add("truststorePath", "<path>mycacerts.jks");
parameters.add("truststorePassword", "password");
// parameters.add("truststoreType", "JKS");



Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2651208
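Putting together Bruno's diagnosis (a client trust store that does not contain the server's self-signed certificate) and his per-connector configuration, here is an added Java example; it is not code from the thread or from the Restlet project. It loads the client trust store built with the keytool steps above, checks that the server certificate is present under the expected alias and that its fingerprint matches the one read off the server with keytool -list -v, and only then builds a Restlet 2.0 HTTPS client with the truststorePath, truststorePassword and truststoreType parameters. The trust store path, password, alias, fingerprint and URL are placeholders; the digest algorithm is assumed to be SHA-256 and should be whichever one the server's keytool prints.

```java
// Added example (not from the thread): a Restlet 2.0 client that trusts one
// self-signed Tomcat certificate through a dedicated trust store and verifies
// the certificate's fingerprint before any connection is attempted.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;

import org.restlet.Client;
import org.restlet.Context;
import org.restlet.data.Protocol;
import org.restlet.representation.Representation;
import org.restlet.resource.ClientResource;

public class TrustedHttpsClient {

    // All of these are placeholders to be replaced with your own values.
    static final String TRUST_STORE_PATH = "/path/to/mycacerts.jks";
    static final String TRUST_STORE_PASSWORD = "trust-store-password";
    static final String SERVER_ALIAS = "tomcat-host";
    // Fingerprint obtained out of band from the server (keytool -list -v),
    // assumed SHA-256 here; keytool prints it as colon-separated hex pairs.
    static final String EXPECTED_FINGERPRINT = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";
    static final String FINGERPRINT_ALGORITHM = "SHA-256";

    /** Digest of the certificate's DER encoding, formatted the way keytool prints it. */
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** Fails fast if the trust store does not hold the expected server certificate. */
    static void checkTrustStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE_PATH)) {
            ks.load(in, TRUST_STORE_PASSWORD.toCharArray());
        }
        Certificate cert = ks.getCertificate(SERVER_ALIAS);
        if (cert == null) {
            throw new IllegalStateException("alias " + SERVER_ALIAS + " not found in " + TRUST_STORE_PATH);
        }
        String actual = fingerprint(cert, FINGERPRINT_ALGORITHM);
        if (!actual.equalsIgnoreCase(EXPECTED_FINGERPRINT)) {
            throw new IllegalStateException("trust store certificate fingerprint mismatch: " + actual);
        }
    }

    public static void main(String[] args) throws Exception {
        checkTrustStore();

        // Per-connector trust store, as described in the thread; the JVM-wide
        // cacerts file is left untouched.
        Context ctx = new Context();
        ctx.getParameters().add("truststorePath", TRUST_STORE_PATH);
        ctx.getParameters().add("truststorePassword", TRUST_STORE_PASSWORD);
        ctx.getParameters().add("truststoreType", "JKS");

        Client client = new Client(ctx, Protocol.HTTPS);
        // Placeholder URL for the Tomcat-hosted restlet.
        ClientResource service = new ClientResource("https://server.example/status");
        service.setNext(client);   // route the resource's requests through this HTTPS client
        Representation rep = service.get();
        System.out.println(rep.getText());
        client.stop();
    }
}
```

Checking the fingerprint at startup turns the "PKIX path building failed" handshake error into a clear failure before the first request, and keeps the trust decision scoped to one store holding one known certificate rather than widening it to the JVM-wide cacerts or to a trust manager that accepts any certificate.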
Re: restlets : communicating in SSL with tomcat

Xavier Méhaut
Thanks a lot for these explanations, we're going to try this right now; it could be good to add this explanation to the SSL chapter of the "Restlet in Action" book (up to now only the server-side aspect is covered)...
Best regards
Xavier
PS: yes, it was keytool -genkey, which became genkey under my fingers :)

Re: restlets : communicating in SSL with tomcat

Xavier Méhaut
In reply to this post by Bruno Harbulot
Hi Bruno,
It's working well, thanks...
To complete your post, below is the client code for the example we made:

import org.restlet.Client;
import org.restlet.Context;
import org.restlet.data.Protocol;
import org.restlet.representation.Representation;
import org.restlet.resource.ClientResource;

// The context carries the connector parameters; the HTTPS client is built on it
Context ctx = new Context();
Client client = new Client(ctx, Protocol.HTTPS);

ClientResource service = new ClientResource("https://192.168.2.199/........./status");
// Client-side trust store: a copy of cacerts with the server certificate imported
ctx.getParameters().add("truststorePath", "C:/Program Files/Java/jre6/lib/security/mycacerts.jks");
ctx.getParameters().add("truststorePassword", "<our pswd>");
ctx.getParameters().add("truststoreType", "JKS");
// Route the resource's requests through the HTTPS client configured above
service.setNext(client);
Representation rep = service.get();

regards
Xavier
