BlazeDS – SSL – IBM Websphere

No, this is not one more hate post against IBM WebSphere; this time the target is BlazeDS. A few days back, we ran into a problem while deploying a Flex application over SSL. The deployment environment was IBM WebSphere 6.1 with the IBM JDK on Windows 2008. According to the BlazeDS documentation, only minimal configuration changes are required in services-config.xml and the other XXX-config.xml files to use the secure-amf channel.

Following the instructions, we modified the configuration to use the secure AMF channel and recompiled the SWF files with the modified settings. No error messages were displayed during deployment or application startup, but we found a strange error message after accessing the application URL. The browser was able to load the SWF and the wrapper HTML file, but it threw an error message indicating that the SunX509 trust manager is not available.
After enabling BlazeDS logging and carefully reading the Java stack trace, we found that the actual problem was in BlazeDS's TrustManager implementation. The default implementation shipped with BlazeDS is EasyX509TrustManager; have a look at the code of its constructor:

public EasyX509TrustManager(KeyStore keystore)
    throws NoSuchAlgorithmException, KeyStoreException
  {
    TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509");
    factory.init(keystore);
    TrustManager[] trustmanagers = factory.getTrustManagers();
    if (trustmanagers.length == 0)
    {
      throw new NoSuchAlgorithmException("SunX509 trust manager not supported");
    }
    this.standardTrustManager = ((X509TrustManager)trustmanagers[0]);
    this.trustStore = (System.getProperty("flex.trustStore") != null);
  }

From the code above it is quite clear that it hard-codes the "SunX509" algorithm name and so assumes that the whole world uses only the Sun JVM. Having found the culprit, the next step was to find a fix, so I simply googled “EasyX509TrustManager IBMX509” and voilà, Google returned only one entry, with a link to this Java code:

public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException
    {
        super();
        TrustManagerFactory factory = null;
        try
        {
            factory = TrustManagerFactory.getInstance("SunX509");
        }
        catch (NoSuchAlgorithmException nsae)
        {
            // Fallback attempt - try for an IbmX509 factory in case we're running in WAS with no Sun providers registered.
            try
            {
                factory = TrustManagerFactory.getInstance("IbmX509");
            }
            catch (NoSuchAlgorithmException nsae2)
            {
                throw new NoSuchAlgorithmException("Neither SunX509 nor IbmX509 trust manager supported.");
            }
        }
        // ... remainder of the constructor is not shown in this excerpt
    }

This code is part of the latest BlazeDS distribution, so anyone facing the above problem should upgrade BlazeDS to the latest version. Hope this helps!
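
As an added example (not BlazeDS code and not from the original post), the lookup below avoids hard-coding a vendor name: it asks the JVM for its default algorithm with TrustManagerFactory.getDefaultAlgorithm() before trying SunX509 and IbmX509, and an explicit override is used on its own so that a mistyped value fails loudly instead of silently falling back. The class name and the example.trustManagerAlgorithm property are hypothetical.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class PortableTrustManagerLookup {
    // Hypothetical property name used only in this example; not a BlazeDS setting.
    static final String OVERRIDE_PROPERTY = "example.trustManagerAlgorithm";

    // Ordered candidates: an explicit override alone, else JVM default, then the names from the post.
    static Set<String> candidateAlgorithms() {
        Set<String> names = new LinkedHashSet<String>();
        String override = System.getProperty(OVERRIDE_PROPERTY);
        if (override != null && override.trim().length() > 0) {
            names.add(override.trim());
            return names; // no fallback: a wrong override must surface as an error
        }
        names.add(TrustManagerFactory.getDefaultAlgorithm());
        names.add("SunX509");
        names.add("IbmX509");
        return names;
    }
    // Returns the first X509TrustManager that a registered provider can build for the keystore.
    static X509TrustManager load(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException {
        Set<String> tried = candidateAlgorithms();
        for (String algorithm : tried) {
            TrustManagerFactory factory;
            try {
                factory = TrustManagerFactory.getInstance(algorithm);
            } catch (NoSuchAlgorithmException e) {
                continue; // this JVM has no provider for that name, try the next one
            }
            factory.init(keystore); // a null keystore selects the JVM's default trust store
            for (TrustManager tm : factory.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    return (X509TrustManager) tm;
                }
            }
        }
        throw new NoSuchAlgorithmException("No X509 trust manager available; tried " + tried);
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = load(null);
        System.out.println(tm.getClass().getName() + ": " + tm.getAcceptedIssuers().length + " issuers");
    }
}
```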

1 Comment

  1. I think this is a great post, thank you for sharing. I am dealing with a similar issue with a 3rd party library. I think a better solution might be to create a variable with a default value such as SunX509 and create a method that will check to see if a property, like trustManagerAlgorithm, exists and if it does exist override the default value. For example, in this case it might look like trustManagerAlgorithm=IbmX509. Just a thought. Thanks again.