Client certificate authentication

 
How do I go about sending a client certificate from a Java program to a server? I know that I would have to set the following parameters in system properties:

1. Keystore
2. Keystore pass
3. Truststore
4. Truststore pass

Now how can I decide which certificate in my keystore to pass to the server? Should I set a parameter that will decide this, or will the SSL process automatically try to figure out which certificate to use to authenticate the client? I am not even sure if a certificate will automatically be used from my keystore, in which case I would make sure that my keystore has only one certificate. Or would I have to load the serializable X509Certificate and send it across somehow? Any suggestions would be great!
 
Deepak Bala
I figured this out a while back, so I am posting so others know the solution. The JVM looks for some system properties and an SSL provider to communicate with HTTPS. You need to provide the following in the system properties:

1. Keystore
2. Keystore pass
3. Truststore
4. Truststore pass

You can Google and find out the keys for the properties. Then you set the SSL provider:

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

You then need to figure out what is happening behind the scenes when you open a URL connection to an HTTPS endpoint. If you are unable to communicate for some reason, the following stuff should be checked:

1. Do you trust the server certificate?
2. Does the server trust your certificate (if you provide one to the server)? It should be in the server's trust store.
3. Is the JVM able to find your trust and keystores?
4. Is the operation timing out?

You can find the answers by turning JSSE debugging on. The following parameter will reveal all possible debugging options.

-Djava.security.debug=help

The program would quit with an output like the following



Choose the debugging options you require, like so:

java -Djavax.net.debug=SSL,handshake,data,trustmanager MyApp

More information here:

http://java.sun.com/products/jsse/doc/guide/API_users_guide.html

If you get errors like 'No SSL provider found' in spite of doing the stuff mentioned above, you should check the debug logs. For example, if the keystore is not found, the 'No SSL provider' error could be thrown.
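On the question of which keystore entry is sent: JSSE's default key manager offers a key entry that matches the key types and issuers the server requests, so with several entries the choice is implicit. The following is an added example, not code from either post, that builds an `SSLContext` from an explicit keystore and truststore and pins the client alias. The class name, the argument order and the `KS_PASS`/`TS_PASS` environment variables are assumptions, as is the key entry sharing the keystore password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URI;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ClientCertDemo {
    // Wraps the default key manager so the handshake always offers the chosen alias.
    static X509KeyManager pinAlias(X509KeyManager base, String alias) {
        return new X509ExtendedKeyManager() {
            public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return alias; }
            public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return alias; }
            public String[] getClientAliases(String t, Principal[] i) { return base.getClientAliases(t, i); }
            public String[] getServerAliases(String t, Principal[] i) { return base.getServerAliases(t, i); }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return base.chooseServerAlias(t, i, s); }
            public X509Certificate[] getCertificateChain(String a) { return base.getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return base.getPrivateKey(a); }
        };
    }

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: ClientCertDemo <keystore> <truststore> <alias> <https-url>
        // Passwords come from the environment (assumed names) to keep them off the command line.
        char[] ksPass = System.getenv("KS_PASS").toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(args[0], ksPass), ksPass); // assumes key password == keystore password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(args[1], System.getenv("TS_PASS").toCharArray()));
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509KeyManager) kms[i] = pinAlias((X509KeyManager) kms[i], args[2]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null); // null selects the default SecureRandom
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[3]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // applies to this connection only
        System.out.println("HTTP " + conn.getResponseCode() + ", cipher " + conn.getCipherSuite());
    }
}
```

Setting the socket factory on the single connection leaves the JVM-wide default context untouched, so other HTTPS clients in the same process do not start presenting this certificate.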
 