How To: Access ArcIMS sites through a secure connection in a MapObjects-Java application
Many developers choose to distribute their applications through applets. A detailed description of this process is given in the article in the Related Information section below. However, there is sometimes a need to deploy these applets through a secure Internet/Intranet connection or to communicate with secure ArcIMS sites over the HTTPS protocol. This involves establishing an “agreement” between the client machine and the secure Web server. The agreement is made possible by the presence of a digital certificate. The same certificate must be identified and accepted as trusted by both the client machine and the server for the connection to proceed.
For an applet to work for the end user, the HTTPS site must maintain a trusted certificate that is exchanged with and known by each client request to that server. The server will send the certificate to the client machine when the client makes an initial attempt to connect to the server URL. The HTTPS server sends the certificate to the client and prompts it to accept the certificate. Once accepted, the server is notified and the secure communication can begin. This article will review the steps necessary to successfully complete this process.
In a MapObjects-Java application, an end user may get the following exception while trying to connect to an ArcIMS server over HTTPS:
UnableToPingEsrimapException: unable to ping ESRIMAP
This message may be followed by a series of “Certificate chaining” error messages. These exceptions might indicate that the trusted certificate exchange between the machine running the application and the machine hosting the secure ArcIMS server has not yet taken place.
The following steps are written from the end user's point of view and apply when such an exception occurs. This article is intended to aid internal personnel who are trying to successfully connect to an HTTPS site they have created.
- Retrieve the trusted certificate and place it into the keystore of your current JRE. This can be done by:
a. Receiving it directly from the server administrator by e-mail.
b. Using a Web browser to initially hit the HTTPS URL for the server to retrieve a certificate.
· When first connecting to the HTTPS URL, Internet Explorer will prompt the user to accept the certificate or not.
· A Security Alert notice will appear that the information exchange will ONLY be viewed by you.
· A second Security Alert message will appear, giving information about the certificate: if it is valid, if it can be trusted, etc.
· Click the View Certificate button to open a dialog for viewing the information.
· On the first panel, click the Install certificate button, which will bring up another dialog, giving choices on which keystore to install the certificate to. The easiest path to take is to just accept all of the defaults. An install wizard will complete this process.
· After this, while still in the browser, open the Internet Options from the Tools menu.
· In the Internet Options dialog, go to the Content panel and press the Certificates button.
· In the Certificates dialog, press the Intermediate Certification Authorities tab. In this list of entries, there should be the certificate that was accepted. Select it and click the Export button.
· This will bring up a wizard that guides you through the export process.
· Finally, the certificate file is ready to import into the current JRE keystore.
- Use the keytool command that comes with Java 2 SDK to import the certificate information into the default keystore. This is in the lib/security location of the Java VM that the MapObjects-Java applet or application is using.
keytool -import -trustcacerts -alias MyKeyStoreAlias -file c:\exportedcerts\cert.cer -keystore C:\j2re1.4.1\lib\security\cacerts
· -alias: any alphanumeric value; it names the entry when administering the keystore
· -file: the full or relative path to the certificate file that was obtained from the HTTPS server
· -keystore: the keystore file path, full or relative; in this example it is the default keystore of the JRE
If there are spaces in any of the file pathnames, the pathname MUST be in quotes.
When prompted for a keystore password, enter the default password “changeit”. If no errors occur in this process, the trusted “agreement” is ready to be established, and the MapObjects-Java applet or application can now access ArcIMS services over the HTTPS protocol.
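The import step above, wrapped in a small POSIX shell script as an added example (it is not part of the original article or of the MapObjects-Java product). It resolves the cacerts file of a given Java installation, refuses to overwrite an alias that is already present, prints the certificate fingerprint so it can be compared against what the server administrator published, and quotes every path so names with spaces work. It assumes a POSIX shell and a keytool on the PATH; the function names, the JAVA_HOME-relative paths and the use of -noprompt are this example's choices, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: a guarded wrapper around
# "keytool -import -trustcacerts". Assumes keytool is on PATH.

# Resolve the default truststore of a Java installation. A JDK keeps cacerts
# under jre/lib/security, a stand-alone JRE under lib/security.
find_cacerts() {
    java_home=$1
    for candidate in "$java_home/jre/lib/security/cacerts" \
                     "$java_home/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 if the alias already exists in the keystore. keytool -list exits
# non-zero when the alias is absent, so its status is the answer.
alias_exists() {
    keystore=$1; alias=$2; password=${3:-changeit}
    keytool -list -keystore "$keystore" -storepass "$password" \
            -alias "$alias" >/dev/null 2>&1
}

# Import an exported server certificate as a trusted entry.
# Exit codes: 2 = certificate file missing, 3 = no cacerts found,
#             4 = alias already present, otherwise keytool's own status.
import_trusted_cert() {
    cert_file=$1; alias=$2; java_home=$3; password=${4:-changeit}
    if [ ! -f "$cert_file" ]; then
        echo "certificate file not found: $cert_file" >&2
        return 2
    fi
    keystore=$(find_cacerts "$java_home") || {
        echo "no cacerts file found under $java_home" >&2
        return 3
    }
    if alias_exists "$keystore" "$alias" "$password"; then
        echo "alias '$alias' already present in $keystore; nothing imported" >&2
        return 4
    fi
    # Show subject, issuer and fingerprints before trusting anything, so the
    # operator can check them against the values the server admin sent.
    keytool -printcert -file "$cert_file"
    # -noprompt answers the "Trust this certificate?" question for you; drop it
    # to keep the interactive confirmation the article describes.
    keytool -import -trustcacerts -noprompt -alias "$alias" -file "$cert_file" \
            -keystore "$keystore" -storepass "$password"
}

# Usage (paths are placeholders):
#   import_trusted_cert /tmp/exportedcerts/cert.cer MyKeyStoreAlias "$JAVA_HOME"
```

Passing the store password with -storepass makes it visible in the process list on a shared machine; leave the option out to be prompted for it instead. Note also that writing into the JRE's own cacerts file changes trust for every Java program using that JRE, which is why the alias check and fingerprint display come before the import.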