Security With J2ME Question
Hello,
I am currently developing an application allowing users to purchase tickets using J2ME, ASP (server-side JavaScript) and a SQL Server database. I wanted to find out whether there is a way to make network connections to the server side secure. I am not using sockets but standard HTTP connections.
Is the security possible with just HTTP? If not, is the only way to have a secure application by using sockets? Can sockets be used with a non-Java server-based technology such as ASP? Also, what security will I be able to implement on the server side (currently using IIS to host ASP files and SQL Database)?
Any help and/or guidance will be much appreciated.
Hi
You can use SSL over Http (Https) to secure the communication channel - http://developers.sun.com/techtopics/mobility/midp/articles/https/
Another way is to encrypt your data. You could use the Bouncy Castle Crypto APIs (http://www.bouncycastle.org/); some samples can be found at http://www.enterprisej2me.com/pages/enterprisej2me/code.php, sample code from the Enterprise J2ME book by Michael J. Yuan, chapter 20.
Mihai
hi harry,
I want to develop an application using J2ME and ASP. Can you please give me the URLs that cover the subject and, if possible, please give me sample code to do that?
Or else please tell me which method you have used on the MIDlet side for accepting the string, and please explain to me the way to do that.
It is urgent, please help me.
Thanks in advance
lakshman
Hi..
You can achieve this security in two ways, as follows:
1) HTTPS/SSL
2) Third-party encryption/decryption APIs
Doing HTTPS/SSL on a J2ME device is not applicable to all mobile phones, since the mobile phone doesn't come with a valid root certificate; even if we try to sign it, it will result in a "certification violation error". Also, with MIDP 2.0 devices, not all devices are compatible with certificate loading and code signing. Also, a certificate of 500kbs is another overhead.
It's better to go for an alternate solution using encryption and decryption with lightweight APIs to secure the application and data.
HTTPS/SSL only secures the connection, not the content, and it also doesn't provide on-device security.
But encryption provides security to what we want and provides on-device security.
With regards,
Senthil G.
Hi, I have managed to set up HTTPS on my IIS server and have also converted the key I created from a .pem to a .der file so that it could be read by Wireless Toolkit 2.2. I have successfully imported the certificate into the 'trusted' category and have signed the MIDlet. Yet I am getting this error message in NetBeans when carrying out a network connection which has the URL prefix https. The site I am trying to access works fine in Internet Explorer, so the server is working correctly, and I have done everything by the book in terms of importing the certificate and signing the MIDlet. Have I missed anything? Can someone also tell me (sorry, a bit slow on this) whether the certificate, which was created by myself for test purposes and is what the server is using, contains the key, or do these have to be separately imported into the WTK?
Urgent help needed!!
Thanks in advance,
Harry
Just for further information I used these two sites in creating the certificate and keys and this was done using PERL and OpenSSL:
I used these two sites in getting to the stage that I am at as explained in the forum post in the link above:
http://143.129.203.3/s/sitter/sl2nap/javaSSLprogr.htm
http://www.somacon.com/p41.php
If further information is needed I will provide it with no hesitation. Need help on this really bad!!
Thanks,
Harry
In the first web site I provided in my post, you can find all the necessary steps you have to follow in order to use https. It also shows you how to import certificates and how to use them. It should be enough for you in order to establish a communication using SSL over HTTP. Again, the website is: http://developers.sun.com/techtopics/mobility/midp/articles/https/
Mihai
Hi,
I followed every step of this article, apart from the way in which the keys were imported, as I am running on an IIS server and not on Tomcat. But the certificate contains the public key and the import was successful in NetBeans via WTK 2.2. I have signed the MIDlet with this imported key, yet I still get the error message: javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entity.
But the certificate I have imported has been set in the trusted domain, and since the server is working fine off it, there's nothing wrong with it... I'm doing something wrong in NetBeans but I don't know what and it's soooo frustrating....! Any ideas.. do you want me to post the certificate on here...?
The full error message reads:
javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entity
at com.sun.midp.ssl.X509Certificate.verifyChain(+67)
at com.sun.midp.ssl.Handshake.parseChain(+121)
at com.sun.midp.ssl.Handshake.rcvCert(+117)
at com.sun.midp.ssl.Handshake.doHandShake(+96)
at com.sun.midp.ssl.SSLStreamConnection.<init>(+157)
at com.sun.midp.io.j2me.https.Protocol.connect(+214)
at com.sun.midp.io.j2me.http.Protocol.streamConnect(+57)
at com.sun.midp.io.j2me.http.Protocol.startRequest(+12)
at com.sun.midp.io.j2me.http.Protocol.sendRequest(+38)
at com.sun.midp.io.j2me.http.Protocol.sendRequest(+6)
at com.sun.midp.io.j2me.http.Protocol.openInputStream(+9)
at HelloNet.readContents(+39)
at HelloNet.access$100(+5)
at HelloNet$1.run(+14)
Add the public key of the server's CA using the MEKeyTool. The CA's name will be in the exception message labeled as "Issuer".
From Sun: "The ME KeyTool manages the public keys of certificate authorities (CAs), making it functionally similar to the keytool utility that comes with the Java 2 SDK, Standard Edition. The keys can be used to facilitate secure HTTP communication over SSL (HTTPS)."
Mihai
The MEKeyTool is not server dependent. You can find it under the WTK23\bin\ folder and use it as described in the web site I gave you.
Mihai
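Added example (not from the thread or from Sun's article): a MIDP 2.0 helper that performs the HTTPS handshake and reports why the chain was rejected, including the "Issuer" string that names the CA whose key must be imported with MEKeyTool. The class and method names (`HttpsTrustCheck`, `check`, `reasonText`, `describe`) are hypothetical; the `javax.microedition.io` and `javax.microedition.pki` calls are standard MIDP 2.0 API, and the URL passed in is assumed to start with `https://`.

```java
import java.io.IOException;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.pki.Certificate;
import javax.microedition.pki.CertificateException;

/** Hypothetical diagnostic helper; call check() from a worker thread. */
public class HttpsTrustCheck {

    /** Readable text for the reason codes most relevant to this thread. */
    static String reasonText(byte reason) {
        switch (reason) {
            case CertificateException.UNRECOGNIZED_ISSUER:
                return "issuer is not a CA known to the device/emulator keystore";
            case CertificateException.SITENAME_MISMATCH:
                return "certificate does not contain the site name used in the URL";
            case CertificateException.EXPIRED:
                return "certificate has expired";
            case CertificateException.NOT_YET_VALID:
                return "certificate is not yet valid";
            case CertificateException.BROKEN_CHAIN:
                return "a certificate in the chain was not issued by the next one";
            default:
                return "reason code " + reason;
        }
    }

    /** Subject and issuer of a certificate, or a note if none is attached. */
    static String describe(Certificate c) {
        if (c == null) {
            return "(no certificate available)";
        }
        return "Subject: " + c.getSubject() + "\nIssuer: " + c.getIssuer();
    }

    /** Opens the URL, forces the SSL/TLS handshake and returns a report. */
    public static String check(String url) {
        HttpsConnection conn = null;
        try {
            conn = (HttpsConnection) Connector.open(url);
            // getSecurityInfo() connects if needed, so chain verification runs here.
            SecurityInfo info = conn.getSecurityInfo();
            return "Handshake OK: " + info.getProtocolName() + " "
                    + info.getProtocolVersion() + ", " + info.getCipherSuite()
                    + "\n" + describe(info.getServerCertificate());
        } catch (CertificateException e) {
            // CertificateException extends IOException, so it is caught first.
            return "Handshake rejected: " + reasonText(e.getReason())
                    + "\n" + describe(e.getCertificate());
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (IOException ignored) { }
            }
        }
    }
}
```

On a rejected handshake, compare the reported issuer with the "Owner" entries printed by `MEKeyTool -list`; on success, the same `SecurityInfo` values are what a MIDlet can show the user as its own indication that the connection is secured.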
Hi,
Why on earth am I getting the error message:
Error: Invalid argument for import command: -keystore
keytool argument combinations:
-help
-import [-keystore <filename>]
[-storepass <password>] -alias <key alias> [-domain <domain>]
-list
-delete (-owner <owner name> | -number <key number>)
The default for -keystore is "$HOME/.keystore".
when I am typing this perfectly good command line:
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\bin>mekeytool.exe -import -alias newcert -keystore "C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\appdb\.keystore"
Try like this:
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\bin>java -jar bin\MEKeyTool.jar -import -alias newcert -keystore "C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\appdb\.keystore"
Mihai
Sorry, without the bin in front of MEKeyTool.jar:
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\bin>java -jar MEKeyTool.jar -import -alias newcert -keystore "C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\appdb\.keystore"
Have tried that and get the following error:
Error: C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\appdb\.keystore (The system cannot find the file specified)
The folder contains _main.ks and a keystore.sks amongst other files. I am running from the Windows Command Prompt window.. does this have anything to do with a syntax problem you think?
Well as far as I know, .keystore should be the key you want to import from the server. After you run the command, just list all the keys and see if the key from the server was imported. Again, all this information can be found almost at the end of the article I gave
Ahhh, found it's because I haven't created the .keystore file in the first place...
So now I have the .keystore file created in my home directory (C:\Documents and Settings\Hardev) I have carried out the command:
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22\bin>java -jar MEKeyTool.jar -import -alias newcert -keystore "C:\Documents and Settings\Hardev\.keystore"
but get the following error message saying it can't find the appdb folder. What do I have to add to the command to find the appdb folder and eventually the _main.ks file...?
Error: appdb\_main.ks (The system cannot find the path specified)
It can't because it's looking in the bin directory; so you should try like this:
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22>java -jar bin\MEKeyTool.jar -import -alias newcert -keystore "C:\Documents and Settings\Hardev\.keystore"
Wow the import worked thanks! Ok, so now I have a list of all the keys in the _main.ks file and the newly created one is listed right at the bottom.
Now how do I map that to be the certificate to be used on IIS? First of all, where is this new certificate created? Do I have to change the extension on it to make it readable to IIS? It's getting there.. bit more help required before some big time duke points coming your way!
Run java -jar bin\MEKeyTool.jar -list and you should see it. Since you have imported your IIS server's public key into the keystore, you should be able to connect to your server. Just restart the MIDlet and try again.
Mihai
Hi,
Tried it, still getting the same error message. I think I am doing everything right, except I think the way the key certificate has been developed on IIS is dodgy. I have come across this site, could this be used, you reckon, for J2ME?
http://tjworld.net/software/codesigning/default.html
Try using this line of command when importing the key from your server:
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22>java -jar bin\MEKeyTool.jar -import -alias newcert -keystore "C:\Documents and Settings\Hardev\.keystore" -storepass changeit
You might need to delete the last one first before generating this one.
Also, I hope that newcert is the alias of your IIS server.
I believe that after importing the key, you have to sign your application again using WTK.
Maybe the link you provided can help you, I really am not sure. You could always try using another server if all this does not work.
Mihai
Hi,
I have been working all that time on that tutorial and still Netbeans is failing me! I have found an easier way to import the certificate through Netbeans extension which opens up a utilities option for the wireless toolkit 2.2. Here you can import the certificate as I have done, I have signed the Midlet yet I still get the error message: javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entity
This is my certificate information as a result of the -list command:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22>java -jar bin\MEKeyTool.jar -list
Key 1
Owner: C=US;O=RSA Data Security, Inc.;OU=Secure Server Certification Authority
Valid from Wed Nov 09 00:00:00 GMT 1994 to Thu Jan 07 23:59:59 GMT 2010
Security Domain: untrusted
Key 2
Owner: CN=Sun Microsystems Inc TEST CA;O=Sun Microsystems Inc
Valid from Mon Nov 20 21:20:50 GMT 2000 to Fri Nov 20 21:20:50 GMT 2009
Security Domain: trusted
Key 3
Owner: CN=thehost;OU=JCT;O=dummy CA;L=Santa Clara;ST=CA;C=US
Valid from Wed Jul 24 16:58:02 BST 2002 to Sat Jul 21 16:58:02 BST 2012
Security Domain: trusted
Key 4
Owner: C=ZA;ST=Western Cape;L=Cape Town;O=Thawte Consulting;OU=Certification Services Division;CN=Thawte Personal Freemail CA;EmailAddress=personal-freemail@thawte.com
Valid from Mon Jan 01 00:00:00 GMT 1996 to Thu Dec 31 23:59:59 GMT 2020
Security Domain: untrusted
Key 5
Owner: C=ZA;ST=Western Cape;L=Cape Town;O=Thawte Consulting;OU=Certification Services Division;CN=Thawte Personal Basic CA;EmailAddress=personal-basic@thawte.com
Valid from Mon Jan 01 00:00:00 GMT 1996 to Thu Dec 31 23:59:59 GMT 2020
Security Domain: untrusted
Key 6
Owner: C=US;O=VeriSign, Inc.;OU=Class 3 Public Primary Certification Authority
Valid from Mon Jan 29 00:00:00 GMT 1996 to Wed Jan 07 23:59:59 GMT 2004
Security Domain: untrusted
Key 7
Owner: C=ZA;ST=Western Cape;L=Cape Town;O=Thawte Consulting;OU=Certification Services Division;CN=Thawte Personal Premium CA;EmailAddress=personal-premium@thawte.com
Valid from Mon Jan 01 00:00:00 GMT 1996 to Thu Dec 31 23:59:59 GMT 2020
Security Domain: untrusted
Key 8
Owner: C=ZA;ST=Western Cape;L=Cape Town;O=Thawte Consulting cc;OU=Certification Services Division;CN=Thawte Server CA;EmailAddress=server-certs@thawte.com
Valid from Thu Aug 01 01:00:00 BST 1996 to Thu Dec 31 23:59:59 GMT 2020
Security Domain: untrusted
Key 9
Owner: C=US;O=VeriSign, Inc.;OU=Class 4 Public Primary Certification Authority
Valid from Mon Jan 29 00:00:00 GMT 1996 to Fri Dec 31 23:59:59 GMT 1999
Security Domain: untrusted
Key 10
Owner: C=US;O=VeriSign, Inc.;OU=Class 1 Public Primary Certification Authority
Valid from Mon Jan 29 00:00:00 GMT 1996 to Tue Jan 07 23:59:59 GMT 2020
Security Domain: untrusted
Key 11
Owner: C=ZA;ST=Western Cape;L=Cape Town;O=Thawte Consulting cc;OU=Certification Services Division;CN=Thawte Premium Server CA;EmailAddress=premium-server@thawte.com
Valid from Thu Aug 01 01:00:00 BST 1996 to Thu Dec 31 23:59:59 GMT 2020
Security Domain: untrusted
Key 12
Owner: C=US;O=VeriSign, Inc.;OU=Class 2 Public Primary Certification Authority
Valid from Mon Jan 29 00:00:00 GMT 1996 to Wed Jan 07 23:59:59 GMT 2004
Security Domain: untrusted
Key 13
Owner: O=VeriSign Trust Network;OU=VeriSign, Inc.;OU=VeriSign International Server CA - Class 3;OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Valid from Thu Apr 17 01:00:00 BST 1997 to Wed Jan 07 23:59:59 GMT 2004
Security Domain: untrusted
Key 14
Owner: C=My Company;O=myserver
Valid from Tue Mar 04 07:34:21 GMT 2003 to Tue Nov 29 07:34:21 GMT 2005
Security Domain: trusted
Key 15
Owner: CN=trusted
Valid from Fri Dec 16 13:45:42 GMT 2005 to Wed Jun 14 14:45:42 BST 2006
Security Domain: untrusted
Key 16
Owner: CN=untrusted
Valid from Fri Dec 16 13:45:46 GMT 2005 to Wed Jun 14 14:45:46 BST 2006
Security Domain: untrusted
Key 17
Owner: CN=Thawte Freemail Member;EmailAddress=hardev.bhandal@blueyonder.co.uk
Valid from Thu Mar 09 20:02:02 GMT 2006 to Fri Mar 09 20:02:02 GMT 2007
Security Domain: trusted
C:\Documents and Settings\Hardev\.netbeans\4.1\emulators\wtk22_win\emulator\wtk22>
These are my details under the 'Sign Midlet Suite' dialog box:
[CODE]
Creation Date: Fri Mar 10 00:43:37 GMT 2006
Certificate chain length: 3
Certificate [1]
Subject: EMAILADDRESS=hardev.bhandal@blueyonder.co.uk, CN=Thawte Freemail Member
Issuer : CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Serial number: 634ed8e413f09f340cdf56cdaf8ad459
Valid from Thu Mar 09 20:02:02 GMT 2006 to Fri Mar 09 20:02:02 GMT 2007
Certificate fingerprints:
MD5: 7e:30:3b:0f:c4:05:3e:59:46:fb:27:9e:e0:7e:1b:98
SHA: 16:32:80:b0:85:28:30:69:96:74:cb:40:3f:1e:29:9e:cd:e7:45:a1
Certificate [2]
Subject: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Issuer : EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Serial number: d
Valid from Thu Jul 17 01:00:00 BST 2003 to Wed Jul 17 00:59:59 BST 2013
Certificate fingerprints:
MD5: 7c:b3:90:05:05:ef:d7:bb:dc:bf:30:32:f9:5e:d3:f0
SHA: bc:f0:3a:b1:bd:9a:08:9b:eb:46:8d:af:99:47:5e:83:18:39:99:0f
Certificate [3]
Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer : EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Serial number: 0
Valid from Mon Jan 01 00:00:00 GMT 1996 to Thu Dec 31 23:59:59 GMT 2020
Certificate fingerprints:
MD5: 1e:74:c3:86:3c:0c:35:c5:3e:c2:7f:ef:3c:aa:3c:d9
SHA: 20:99:00:b6:3d:95:57:28:14:0c:d1:36:22:d8:c6:87:a4:eb:00:85
[/CODE]
I have actually signed the MIDlet suite with this key, to no avail!
Is there anything I am missing out? I have even ticked the option in the project properties folder under 'Build/Signing' and have ticked the 'Sign Distribution' box. Please help! I know the certificate is OK now as I am running it fine on my IIS server.... and I can connect through HTTPS to it, with a dialog box asking if I accept the certificate...
Have you tried with the last command I have given you?
Still I think that the problem lies elsewhere. I can't seem to put my finger on it. If you have imported the public key of your IIS server into your keystore and signed the midlet with it, I don't understand why it's not working.
I am curious if you try with the example on the web site I have given you, does it work?
Mihai
Yes, the only thing I can think of is that by importing the key using the GUI interface of the WTK 2.2, the key is imported into the _main.ks and not the .keystore.
But the only way to import a key into the .keystore is to create it first, but by doing this I am in fact creating a new key. I don't want this. I want to use the certificate/key that I have running on IIS to be imported to the .keystore...
How do I do this then?
Is it possible for you to email on hardev.bhandal@blueyonder.co.uk?
Thanks,
Harry
Yipeeeeeeee, it worked! I managed to follow the article, but in order to map the certificate key in the .keystore I had to use http://tjworld.net/software/codesigning/JKS2PFX.html and that great man's code to convert into a pfx file before putting that on IIS, then importing the key from the .keystore to the _main.ks.
So now when I type in https in the url, the page is displayed correctly. A quick question, how come the emulator does not display a padlock or something to indicate this is a secure site being accessed? Also what is the funny little icon on the left of the battery icon in the top right hand corner of the emulator.. looks like a wrist watch face?
Thanks for all the help,
Harry
hi harry
Can you please tell me the way to configure IIS for HTTPS? I am unable to configure that. Facing so many problems.
Thanks in advance
lakshman
hi,
My heartfelt thanks to you both guys, because I am able to resolve the problem I was facing up to now with the security.
Thank you very very much.
Please tell me the way to configure IIS; I am using the Windows XP OS. Please help with that.
Once again thank you very much
lakshman
hi harry,
I am developing the ticketing application with the same specification. I did the IIS configuration for HTTPS also. I have created a self-signed application for testing purposes with the help of makecert.exe. I was able to import the certificate to IIS and it was working in IE.
Now can you please help with importing the certificate to the wtk23 trusted category?
I need your help badly please help me
Thanks in advance
lakshman
hi harry,
I have registered my certificate with MEKeyTool.jar. I am able to see the certificate in the list also. Now the certificate is in the trusted list; even then I am facing the problem.
I am getting the javax.microedition.pki.CertificateException.
Please tell me what went wrong in my process. The same procedure, that is, after the certificate was in the trusted list I am able to see the output in the emulator. What is the problem in this IIS?
Please help with this
Thanks in advance
lakshman
Hi,
But sometimes it is not within our control, especially if you have to work with an external vendor that requires an HTTPS connection. Take, for instance, Visa. Most Visa components require an HTTPS connection. How do we resolve this if we have to work with them?
I am still trying to figure out how https works?
Any help will be greatly appreciated!
Thanks,
Tina