1
votes

I am running JBoss with SSL, the certificate is generated with openssl:

      <Connector protocol="HTTP/1.1" SSLEnabled="true" 
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false" 
       keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
       keystorePass="password" sslProtocol = "TLS" />

My client is an AIR application which interacts with the Java EE Server through GraniteDS. On the Flex/AIR side, I updated the channel to a SecureAMFChannel on services-config.xml:

<channel-definition id="myApp-graniteamf" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint uri="https://localhost:8443/myApp/graniteamf/amf"
        class="flex.messaging.endpoints.SecureAMFEndpoint" />
    </channel-definition>

Now, when I connect from my client, AIR asks me if I want to go ahead with the connection (view certificate, etc.).

I'm new to the whole SSL/HTTPS concept, but I've read some docs. What I'm trying to figure out now, is how to make my App know that a server is safe (localhost in this case). From what I got so far, the client application should "trust the server as a CA", or just trust the certificates from a certain server.

Can you give me some clues as to where to start to implement this on my AIR client side application?

1

1 Answers

2
votes

If I understand correctly, you are using a self signed certificate. Going on that assumption you can't force a user to accept the certificate through your AIR app, that would be a security hole. To get a call from your AIR app to be trusted the user would need to import your certificate (or the untrusted CA you signed your certificate with) into their own keystore.

The way you do this is different for each OS, but an example of how to do it in Windows is to browse your server in IE, Get the cert warning, view the cert details and then export the cert to file (X509 iirc). Then you can right click the cert file and chose to install the certificate.

All subsequent calls to that secured server should then be trusted.