
Applet not selecting default Client certificate

 
santosh kulkarni
Greenhorn
Posts: 18
Hi Folks, I'd really appreciate it if someone can help me solve this one.

Short Description: In my J2EE application I have SSL turned on, and "client authentication required" is turned on as well. The client-side certificate is installed (imported) into the browser. Now the application works fine until I try to test a page that has an applet embedded. When this page comes up, the JVM (I am assuming it's the JVM) shows a list of certificates to choose from. The list contains only one certificate, and based on the browser option it should have skipped the dialog box. It only happens once per session but is annoying to the user and unacceptable UI behaviour.

Details:
  • The application is a typical J2EE application running on the IBM HttpServer (1.36) & WebSphere Application Server (WAS 5.12) combination.
  • The client JRE version is Version 1.5.0 (build 1.5.0_01-b08), the latest.
  • When I used the JRE 1.42, the applet didn't load at all (the error on the server said client certificate not sent).
  • The certificate is self-signed.
  • The JRE plugin's Control Panel's Advanced tab has an option called "Use certificate and keys from browser keystore". This is turned ON.
  • I have tried turning the above off and importing the certificate into the Java plugin itself, same result.
  • The browser has an option (Tools-->Internet Options-->Security-->Pick appropriate zone-->Miscellaneous-->"Don't prompt for client certificate when no certificate or only one certificate"). This is enabled. Disabling it causes the certificate selection dialog even for normal non-applet pages.

[ February 03, 2005: Message edited by: santosh kulkarni ]
     
    Jayesh Lalwani
    Ranch Hand
    Posts: 502
    As far as I know, the applet will ALWAYS show a certificate. There is no way to turn it off from the browser. This certificate will pop up even if you sign the applet using a certificate authority like Verisign. The certificate shows up because your signed applet is trying to do something that is outside of Java's sandbox. So, the certificate is asking the user whether the JRE should let your applet outside of the sandbox.

    I remember that there is a way to make an applet trusted by changing the .java.security (I might have the name wrong) file in your client's JRE. I don't remember the setting either.
     
    santosh kulkarni
    Greenhorn
    Posts: 18
    Jayesh, thanks for taking the time to reply to my message.
    My problem is slightly different. The certificate I'm talking about is the one on the client side which is sent from the client to the (web) server to prove its identity (this certificate being sent to the client by other secure means in advance and installed in the browser).

    Further, the dialog box is the one asking the user which certificate it should send to the server, not whether the applet should be allowed to do anything on the client machine.

    You are right about the signed applet dialog box always popping up; however, the user does have an option to click "always", and the certificate will get installed on the client's machine and the user will be spared the trouble of clicking on the same dialog box again.

    I hope I am clear and forgive me if I misunderstood.
    Santosh
     
    santosh kulkarni
    Greenhorn
    Posts: 18
    In case anybody is interested in this topic, here is the resolution.
    The default selection of the client-side certificate is broken in the JRE's released versions (1.4.2 and 1.5).
    It is, however, fixed in Mustang (to be released in Spring 2006).
    Since we cannot use this bleeding-edge version, meant for developers, in a production environment, we have switched to using an ActiveX control for the printing.
     
    s campbell
    Greenhorn
    Posts: 1
    I am dealing with problems related to this, Santosh. Can you please point me to where you got this information? Is it on Sun's bug site?
    Thanks for any info you can give me!

    Sean
     