VMware {code} Community
schnekli
Contributor

Securing the connection to VC STS in the vsphere-automation-sdk-java samples

I'm trying to use portions of the samples on GitHub for vsphere-automation-sdk-java (in particular ExternalPscSsoWorkflow.java) and I have a question about the SSL connections that are made to the VC STS to get a SAML bearer token using a username and password. The sample code just turns off certificate checking in SsoHelper.java when connecting to the STS. How can I make this connection secure by validating the certificate using a TrustStore? I cannot change the configuration at the JVM level because there are other clients in my JVM making their own TLS connections, so I don't want to do things like HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()) as in the samples, as I think that would affect all clients. Is there a way that I can create and pass an instance of SSLSocketFactory (or something similar) that will only be used by the vsphere-automation-sdk-java libraries for making TLS connections?

1 Reply
tganchev
VMware Employee

Hi,

You should try posting the question in the Java Automation SDK forum, as the people frequenting the current one are mostly experts in extending the vSphere UI.

Having said that I think we can help with the general problem of how to set up SSL trust with some remote party. The Automation SDK samples will not demonstrate this as it makes the samples hard to follow.

From your question I assume you don't want to / cannot rely on full certificate chain validation, i.e., the root certificate of the vCenter is not trusted. If this is the case you need to give your client process some information based on which to confirm the identity of the STS; providing an SSL thumbprint is a popular way of doing that.

What you have to do is implement a TrustManager that accepts the thumbprint of the STS as a parameter (through a system property, command-line parameter, config file, etc.). You need to pass this TrustManager when configuring the SSL socket factory. I'd suggest not using the HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()) API since it applies to all opened SSL sockets that don't use a different socket factory. Instead, pass a custom SSL connection factory to your HTTP client library of choice.

Both of my recommendations can be seen in the following article: How to Setup Custom SSLSocketFactory's TrustManager per Each URL Connection - DZone Java.

Let me know if I can help further or if you need more details.

Best,

Tony

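The two approaches discussed in this thread, a dedicated TrustStore for full chain validation and a thumbprint-pinning TrustManager, both end in an SSLSocketFactory that is applied to a single HttpsURLConnection rather than to the JVM default. The following is an added example written for this page; it is not code from vsphere-automation-sdk-java or from either poster. The class name StsTlsTrust, the system property names sts.truststore, sts.truststore.password and sts.thumbprint, and the STS URL in main are assumptions for illustration only.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper (not part of the SDK): builds a per-connection SSLSocketFactory for the STS. */
public final class StsTlsTrust {

    /** Option A: full chain validation against a dedicated truststore, leaving the JVM default untouched. */
    public static SSLSocketFactory fromTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);           // truststore holding the vCenter/VMCA root (or the STS leaf)
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Option B: pin the SHA-256 thumbprint of the STS leaf certificate; no CA chain is needed. */
    public static SSLSocketFactory fromThumbprint(String expectedHex) throws Exception {
        final byte[] expected = parseHex(expectedHex);
        X509TrustManager pinning = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new CertificateException("client certificates are not accepted by this trust manager");
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
                X509Certificate leaf = chain[0];
                leaf.checkValidity();            // still reject expired / not-yet-valid certificates
                byte[] actual = sha256(leaf);
                // constant-time comparison of the pinned thumbprint against the presented leaf
                if (!MessageDigest.isEqual(expected, actual)) {
                    throw new CertificateException("STS thumbprint mismatch: expected "
                            + toHex(expected) + " but got " + toHex(actual));
                }
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinning }, null);
        return ctx.getSocketFactory();
    }

    /** Scope the factory to one connection; HttpsURLConnection.setDefaultSSLSocketFactory is deliberately avoided. */
    public static HttpsURLConnection open(URL stsUrl, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) stsUrl.openConnection();
        conn.setSSLSocketFactory(factory);   // other TLS clients in the JVM keep their own trust settings
        // The default hostname verifier is intentionally left in place.
        return conn;
    }

    static byte[] sha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    static byte[] parseHex(String hex) {
        String s = hex.replace(":", "").replace(" ", "").toLowerCase();
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Example wiring: pick the trust source from system properties (hypothetical names). */
    public static void main(String[] args) throws Exception {
        String thumbprint = System.getProperty("sts.thumbprint");
        SSLSocketFactory factory = (thumbprint != null)
                ? fromThumbprint(thumbprint)
                : fromTrustStore(System.getProperty("sts.truststore"),
                                 System.getProperty("sts.truststore.password", "").toCharArray());
        HttpsURLConnection conn = open(new URL("https://psc.example.com/sts/STSService/vsphere.local"), factory);
        conn.setRequestMethod("POST");       // the SOAP RequestSecurityToken body would be written here
        System.out.println("TLS trust configured for " + conn.getURL().getHost());
    }
}
```

The returned SSLSocketFactory is what you hand to whichever HTTP client the SDK code path uses; for HttpsURLConnection it is conn.setSSLSocketFactory, for Apache HttpClient it is an SSLConnectionSocketFactory built from the same SSLContext. Two caveats: the thumbprint compared here is the SHA-256 digest of the DER-encoded leaf, so if the value you copied from vSphere tooling is a SHA-1 thumbprint, change the digest algorithm consistently on both sides; and pinning a leaf means the pin must be rotated whenever the STS certificate is renewed, which is the trade-off against the truststore option.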