Java Forum / General / October 2006

ibm jsse ssl and client authentication

javerra - 14 Sep 2006 15:50 GMT
Hello all,

I have a simple servlet that I want to use to make a post via ssl to a
server.  The server requires client authentication.  The way I
understand the documentation that I have read is that the ca trust
store is defaulted to the java/lib/security.. cacerts file but that you
need to explicitly set the keystore if the client needs to
authenticate.  Is my understanding correct?

        System.setProperty("javax.net.ssl.keyStore","c:\\mykey.p12");
        System.setProperty("javax.net.ssl.keyStorePassword","mypassword");

The problem I am having is that I've done this and I am still getting
an I/O exception with a response code of 403 Forbidden from the server.
If I import the key database into my browser I am able to connect
fine.  If anyone could point me to some better documentation that
describes exactly how client authentication can be done I would
appreciate it.

Here is the area of my code where I am having problems

        URL myURL = new URL("serveraddress");
        HttpsURLConnection myConnection = (HttpsURLConnection) myURL.openConnection();
        // ...... write to output stream
        BufferedReader talxResponse = new BufferedReader(new
            InputStreamReader(myConnection.getInputStream()));  // <--- response error

THANKS!!!!!!!!!!
bikemh - 14 Sep 2006 16:44 GMT
> The problem I am having is that I've done this and I am still getting
> an I/O exception with a response code of 403 Forbidden from the server.

if you are indeed getting an HTTP Response Code of 403, then you have
already made the connection and successfully sent your HTTP Request.
That might mean that some other required authentication has failed.

If client cert auth fails, then the server drops the connection and you
wouldn't get to the point of receiving an HTTP response.

> If anyone could point me to some better documentation that
> describes exactly how client authentication can be done I would
> appreciate it.

have you seen this one?:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rsec_csiv2cca.html

javerra - 14 Sep 2006 17:36 GMT
> if you are indeed getting an HTTP Response Code of 403, then you have
> already made the connection and successfully sent your HTTP Request.
> That might mean that some other required authentication has failed.

myConnection.getResponseCode(); does in fact return 403

> If client cert auth fails, then the server drops the connection and you
> wouldn't get to the point of receiving an HTTP response.

If I understand what you're saying then the certificate was in fact
sent from my app and authentication failed elsewhere.  But, I receive a
403 response if I don't have the cert installed in my browser.  Seems
like I get that error only when the cert is missing.  Is my thinking on
setting the default keystore within the servlet correct or is there a
default store that jsse is using... like cacerts.  I've tried placing
the key in cacerts and that doesn't help either.. Seems like this
should be a very straightforward task; I'm just struggling horribly with
finding the solution.

Thanks again.
bikemh - 14 Sep 2006 18:49 GMT
> > if you are indeed getting an HTTP Response Code of 403, then you have
> > already made the connection and successfully sent your HTTP Request.
> > That might mean that some other required authentication has failed.
>
> myConnection.getResponseCode(); does in fact return 403

right, but is that indeed what the server is sending?

IOW, I don't know if we can trust Java and maybe it gets a TCP error
and tells you that it's a 403 HTTP code.

Just as, IIRC, it treats a 4xx response code as if it were an I/O
exception.

> > If client cert auth fails, then the server drops the connection and you
> > wouldn't get to the point of receiving an HTTP response.
>
> If I understand what you're saying then the certificate was in fact
> sent from my app and authentication failed elsewhere.  But, I receive a
> 403 response if I don't have the cert installed in my browser.

Well then, that might be server specific behavior. Things aren't
standardized. IIRC, on failed client cert auth, Firefox--> Tomcat gives
a tcp error of something like 100257, while with IE--> Tomcat, you just
get the dropped connection.

(A wrinkle is that Tomcat only accepts X509, not PKCS12.)

I can sympathize that most of what is happening is unseen by you. Maybe
you can try experimenting locally. Stunnel gives good logging on
connection attempts and you can set up server sockets with it. You can
now also get pre-compiled OpenSSL for Windows. I can look that URL up
if you need it.

> Seems
> like I get that error only when the cert is missing.  Is my thinking on
> setting the default keystore within the servlet correct or is there a
> default store that jsse is using... like cacerts.

In the URL that I gave previously, there's a reference to seemingly
IBM specific client-side properties:
   * com.ibm.CSI.performTransportAssocSSLTLSRequired (true or false)
   * com.ibm.CSI.performTransportAssocSSLTLSSupported (true or false)

Maybe that's the key. Since (if I'm reading you correctly) your servlet
is really the client, then the properties and keys you want to use are
part of the server's JVM, not the servlet engine.

> I've tried placing
> the key in cacerts and that doesn't help either..

yes, I'd think that the cacerts file is only for the Certificate
Authority certs

> Seems like this
> should be a very straightforward task; I'm just struggling horribly with
> finding the solution.
>
> Thanks again.
javerra - 15 Sep 2006 15:16 GMT
I set javax.net.debug to true just to double check that the server was
hitting the right stores

Now I am even more confused.

[9/15/06 10:11:46:468 EDT] 0000002a ServletWrappe A   SRVE0242I: [TestConnection]: Initialization successful.
[9/15/06 10:11:46:531 EDT] 0000002a SystemOut     O   keyStore is: c:\wn.jks
[9/15/06 10:11:46:531 EDT] 0000002a SystemOut     O   keyStore type is : JKS
[9/15/06 10:11:46:531 EDT] 0000002a SystemOut     O   init keystore
[9/15/06 10:11:46:609 EDT] 0000002a SystemOut     O   trustStore is: C:\Program Files\IBM\Rational\SDP\6.0\runtimes\base_v6\java\jre\lib\security\cacerts
[9/15/06 10:11:46:609 EDT] 0000002a SystemOut     O   trustStore type is : jks
[9/15/06 10:11:46:609 EDT] 0000002a SystemOut     O   init truststore
[9/15/06 10:11:47:421 EDT] 0000002a SystemOut     O   X509TrustManagerImpl: checkServerTrusted
[9/15/06 10:11:47:437 EDT] 0000002a SystemOut     O   X509TrustManagerImpl: Certificate [

... what follows is the certificate chain received from the server.
Then my exception occurs.

The keystore and trust store are correct.  I can't think of any reason
why this shouldn't be working.
bikemh - 15 Sep 2006 19:00 GMT
> I set javax.net.debug to true just to double check that the server was
> hitting the right stores

Right, seemingly it's telling you:

- the Java keystores are valid, in that there are no errors extracting
keys from either
- the client accepts the cert from the server, and the signing
authority on the cert is in cacerts

but there is no info there on what happens with client cert auth,
whether a cert is sent or not; or if sent, whether it is rejected

> Now I am even more confused.
>
[quoted text clipped - 21 lines]
> The keystore and trust store are correct.  I can't think of any reason
> why this shouldn't be working.
javerra - 15 Sep 2006 19:18 GMT
Is there anything that I can do to pinpoint where this failure may be
occurring?  Like you said, obviously it is occurring after my acceptance
of the server's certificate chain.  Is there some debug I can set?  Is
there a way to see what certificates the server is requesting from the
client and if they're actually being sent?  This is a bit frustrating
but I'm learning a lot from the quality responses I've been getting.
Thanks!!!

> > I set javax.net.debug to true just to double check that the server was
> > hitting the right stores
[quoted text clipped - 34 lines]
> > The keystore and trust store are correct.  I can't think of any reason
> > why this shouldn't be working.
javerra - 06 Oct 2006 01:14 GMT
Found the answer to the problem.  Turns out that the certificate the
client sent me did not include the whole certificate chain.  There was
an intermediate certificate that was missing that was causing the
handshake to fail.  I had the intermediate in internet explorer which
explains why it worked in the browser.  To get the intermediate
certificate into my keystore I imported the client cert that was sent
to me then selected the option within internet explorer to export the
entire certificate chain.  I then used this new keystore in my code and
bingo.
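A check for the exact condition described in this final post, written here as an added example (not code from the thread): it walks each private-key entry's chain in the client keystore and reports when the chain does not reach a CA in the trust store, instead of leaving the gap to surface as a failed handshake. Keystore path, type and password are placeholders taken from the command line; the JRE's cacerts with its default password is assumed as the trust store.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// For every private-key entry in a client keystore, checks that the stored chain
// is internally consistent (each cert signed by the next) and ends at a CA found
// in the trust store. A chain that stops at the end-entity cert, with the
// intermediate missing, is reported here rather than discovered at handshake time.
public class ClientChainCheck {
    static KeyStore load(String path, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, pw); } finally { in.close(); }
        return ks;
    }
    // Returns null when the chain is complete, otherwise a description of the gap.
    static String checkChain(Certificate[] chain, KeyStore trust) throws Exception {
        if (chain == null || chain.length == 0) return "no certificate chain stored";
        for (int i = 0; i + 1 < chain.length; i++) {
            try { chain[i].verify(chain[i + 1].getPublicKey()); }
            catch (Exception e) { return "cert " + i + " is not signed by cert " + (i + 1) + ": chain out of order?"; }
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        if (trust.getCertificateAlias(top) != null) return null;  // already ends at a trusted cert
        Enumeration<String> aliases = trust.aliases();
        while (aliases.hasMoreElements()) {
            Certificate ca = trust.getCertificate(aliases.nextElement());
            if (ca instanceof X509Certificate && ((X509Certificate) ca).getSubjectX500Principal()
                    .equals(top.getIssuerX500Principal())) {
                try { top.verify(ca.getPublicKey()); return null; } catch (Exception e) { /* same DN, other key */ }
            }
        }
        return "chain ends at '" + top.getSubjectX500Principal() + "', issued by '"
             + top.getIssuerX500Principal() + "' which is not in the trust store: intermediate missing?";
    }
    public static void main(String[] args) throws Exception {
        // args: <keystore path> <type, JKS or PKCS12> <password>; placeholders, not thread values
        KeyStore ks = load(args[0], args[1], args[2].toCharArray());
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore trust = load(cacerts, "JKS", "changeit".toCharArray());  // JRE default trust store
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            String problem = checkChain(ks.getCertificateChain(alias), trust);
            System.out.println(alias + ": " + (problem == null ? "chain complete" : problem));
        }
    }
}
```

The server validates against its own CA set, so a "chain complete" result here mirrors the fix in the post (intermediate present in the keystore) rather than guaranteeing acceptance by any particular server.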
