
How to establish the mutual authentication using "client.cer" file

 
mojo lai
Greenhorn
Posts: 19
Hello everyone,

I want to try "mutual authentication" using the "client-cert" method in the deployment descriptor.

I followed the Java EE 5 tutorial at
http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxw.html#bnbyi

Then I got the client.cer file.

How do I use this file to achieve "mutual authentication"?

thank you.
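As an added example (not from the thread or the tutorial), here is the server side of what the deployment-descriptor setting buys you. It assumes the web application is protected in web.xml with `<login-config><auth-method>CLIENT-CERT</auth-method></login-config>` plus a `<security-constraint>` whose `<transport-guarantee>` is `CONFIDENTIAL`, and that client.cer has been imported into the server's truststore so the container can validate the chain during the TLS handshake. Once that is in place, a servlet can read the certificate the container already verified and make its own checks before serving the request:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: serves only requests for which the container completed
 * TLS client authentication. Assumes CLIENT-CERT auth-method and a
 * CONFIDENTIAL transport-guarantee are configured in web.xml.
 */
public class ClientCertServlet extends HttpServlet {

    // Standard Servlet-spec attribute under which the container exposes the
    // certificate chain presented by the client during the TLS handshake.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Defensive check: do not assume the URL was covered by the security
        // constraint; require both TLS and a presented client chain.
        if (!req.isSecure() || chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // chain[0] is the client's own (leaf) certificate.
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not within validity period");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated subject: " + leaf.getSubjectX500Principal().getName());
        out.println("Issuer: " + leaf.getIssuerX500Principal().getName());
        // With CLIENT-CERT the container maps the certificate to a Principal;
        // null here means the realm did not map the subject to a user.
        out.println("Container principal: "
                + (req.getUserPrincipal() == null ? "none" : req.getUserPrincipal().getName()));
    }
}
```

The container does the cryptographic work (handshake, chain validation against the truststore); the servlet only decides what the authenticated identity is allowed to do. Mapping the certificate subject to a user and roles is done by the server's realm or group configuration, which is product-specific and not shown here.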
 
mojo lai
Greenhorn
Posts: 19
Hello,

If I want to set up mutual authentication by client-cert,

must I install the certificate in IE's certificate "Personal" tab?

Am I right?
 
greg stark
Ranch Hand
Posts: 220
If the client is using IE, then yes. Not everybody uses IE.
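For a client that is not a browser, the equivalent of IE's "Personal" store is a keystore the program loads itself. The following is an added example (not code from the thread or the tutorial) of a Java client opening a mutually authenticated HTTPS connection. It assumes `client.jks` holds the client's private key together with the certificate that was exported as client.cer (the certificate file alone is not enough: the client must prove possession of the private key during the handshake), that `truststore.jks` contains the server's certificate, and that the passwords and URL are placeholders to be replaced:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example: programmatic mutual-TLS client. Paths, passwords and URL are placeholders. */
public class MutualTlsClient {

    // Load a JKS keystore from disk (helper so both stores are read the same way).
    static KeyStore loadKeyStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * Builds an SSLContext that (a) presents the client's certificate and signs the
     * handshake with its private key, and (b) only trusts servers whose certificate
     * chains to something in the truststore. Both halves are needed for "mutual".
     */
    static SSLContext buildContext(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass)
            throws IOException, GeneralSecurityException {
        // Client identity: private key + certificate (what IE keeps under "Personal").
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keyStorePath, keyStorePass), keyStorePass);

        // Server trust: do NOT replace this with an accept-all TrustManager; that
        // would authenticate the client to anyone able to intercept the connection.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStorePath, trustStorePass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; in practice read passwords from a protected source, not source code.
        SSLContext ctx = buildContext("client.jks", "changeit".toCharArray(),
                                      "truststore.jks", "changeit".toCharArray());

        URL url = new URL("https://localhost:8181/secure/hello"); // placeholder URL
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        // A 403 here (with the servlet example's logic) means the server did not
        // receive or accept a client certificate; a 200 means both sides authenticated.
        System.out.println("HTTP status: " + conn.getResponseCode());
        System.out.println("Negotiated cipher suite: " + conn.getCipherSuite());
    }
}
```

The same two halves apply whichever client you use: the client needs its key pair, and the server needs to trust the certificate authority (or, as in the tutorial, the self-signed client.cer itself) that issued it.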
 
mojo lai
Greenhorn
Posts: 19
Among Servlet, JSP, JAX-WS and EJB,

which components can use "client-cert" authentication?

Only JSP and Servlet, or all of them?

thank you.
 
greg stark
Ranch Hand
Posts: 220
Your question is a little difficult for me to answer, because it is so broad, but I'll try.

The APIs and technologies you mention allow for a variety of security possibilities. Also, the JAX-WS tools may be used for building pieces of client-side applications, or even stand-alone applications. For example, you can use the XML schema compiler to create Java classes that are used solely for processing an XML data file. For the most part, however, these are server-side tools and APIs.

There are two broad pieces of the security puzzle that are addressed in some way by all of them: message security and network connection security. I forget where, but somewhere in the Sun documentation is a nice matrix summarizing these.

The network connection security is what is provided by TLS/SSL, and for which the client certificates you have mentioned might be employed. TLS/SSL doesn't care about the content that goes over the connection. It only provides a secure pipe to transfer data between network peers. It will authenticate the server and optionally the client and then encrypt all the data sent. It is with client certificates that the client side of the connection is authenticated.

Message security is concerned with the contents of what is being sent, i.e. the "message". This involves the notions of a sender and a recipient, just like in e-mail. The sender applies security to the message, for example encryption and digital signatures, and the result is a secured message. This secured message is then sent to the recipient, possibly over SSL or possibly not. It cannot be decrypted by anyone except the recipient. Message security functionality is provided by XML encryption and XML digital signature APIs and tools.

PS. The reference to the Sun docs I referred to above comes from the Sun Java Web Services Tutorial, which in turn is from Security Challenges, Threats, and Countermeasures.
[ December 15, 2007: Message edited by: greg stark ]
 