
Ejb3 Consuming Web Services over SSL-(JBoss) certificate_unknown

 
Dejan Mratinkovic
Ranch Hand
Posts: 65
App server jboss-4.2.3.GA - an EJB is consuming web services using @WebServiceRef (from another application's @WebService bean; I am not sure if it is relevant).

1) I have both keystore and truststore set up in server.xml (clientauth=true)
2) Communication with web browsers works as expected
3) Communication with a Java desktop application consuming the web services, started with -Djavax.net.ssl.keyStore ..., works as expected
4) Communication works fine over HTTP. But when I switch the WSDL address to https, I get an error:

...
SEND TLSv1 ALERT:
[STDOUT] fatal,
[STDOUT] description = certificate_unknown
...

In the "client" side log files I see (-Djavax.net.debug=ssl,handshake) the "server" certificates as expected, but for some reason they do not get authenticated.

My latest tests are with running both the "client" and the "server" application on the SAME JBoss instance (so they are using the same trust/key stores, as they share server.xml), with the same result - the "client" does not trust the "server" (itself?!)

Does someone have a similar configuration working? Any clue what might be wrong with my setup?
 
Dejan Mratinkovic
Ranch Hand
Posts: 65
If I run JBoss with:
-Djavax.net.ssl.keyStore=...

I get the service working. However, there are no certificates in the request. The same code triggered from the desktop application brings results:
MessageContext context = wsContext.getMessageContext();

fires:
No valid security context for the caller identity

1) Why should I (again) provide the very same data at JBoss startup as I did in service.xml?

2) Why is there no certificate data?
 
Peer Reynders
Bartender
Posts: 2968
Originally posted by Dejan Mratinkovic:
If I run JBoss with:

I get the service working. However, there are no certificates in the request.


You can associate a truststore programmatically through the setting of some system properties.

Of course on an application server you should be able to simply configure the "javax.net.ssl.trustStore", and "javax.net.ssl.trustStorePassword" properties.

The certificate of the server that the client is connecting to has to be in the client's truststore to assert that the client "trusts" the server that presents that certificate. The server certificate alone is sufficient to establish transport level security in TLS/SSL that HTTP is running on top of.

The client only has to provide a client certificate if the server requires it for authentication.

"javax.servlet.request.X509Certificate" as far as I know carries the client certificate if there is one in the client request.
 
Dejan Mratinkovic
Ranch Hand
Posts: 65
Peer,

Thanks for the quick answer.

The client only has to provide a client certificate if the server requires it for authentication.

"javax.servlet.request.X509Certificate" as far as I know carries the client certificate if there is one in the client request.


It does so fine when triggered from a browser, or when the client is another (desktop) Java application. However, when the client is another EJB3 running on JBoss, there seem to be problems.
[ December 25, 2008: Message edited by: Dejan Mratinkovic ]
 
Dejan Mratinkovic
Ranch Hand
Posts: 65
The problem is (partially) solved.

The cause was a WSDL issue JBoss has, actually me using the WSDL over https. As the WSDL was fetched over HTTPS, this initiated secure communication, and therefore the log files were full of certificate authentication data.

However, the soap:address location was HTTP, causing no certificates to be in the request. This is a common JBoss issue, and I see a number of people complaining about the same thing.
 
Dejan Mratinkovic
Ranch Hand
Posts: 65
The HTTP/HTTPS issue can be worked around by following the instructions at:

http://jbossws.jboss.org/mediawiki/index.php?title=Secure_transport
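The two points made above (Peer's note that the truststore is set through system properties and that "javax.servlet.request.X509Certificate" carries the client certificate, and Dejan's finding that an HTTP soap:address silently drops the client certificate) as an added example, not code from the thread or from JBossWS. The client overrides the WSDL's endpoint address with an HTTPS URL; the endpoint refuses calls that arrive without a certificate chain. HelloService, the hostname and the store paths are assumed names.

```java
import java.security.cert.X509Certificate;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

@WebService
interface Hello {
    String whoAmI();
}

// Client side. HelloService is an assumed wsimport-generated service class.
class SecureHelloClient {
    static Hello createPort() {
        // Trust/key store for this JVM (assumed paths); must be set before the first TLS use.
        System.setProperty("javax.net.ssl.trustStore", "/opt/jboss/conf/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.setProperty("javax.net.ssl.keyStore", "/opt/jboss/conf/client.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

        Hello port = new HelloService().getHelloPort();
        // Override the soap:address from the WSDL so the call itself goes over HTTPS,
        // even if the WSDL was fetched over HTTPS but advertises an http:// location.
        ((BindingProvider) port).getRequestContext().put(
            BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
            "https://jboss.example.internal:8443/app/Hello");   // assumed endpoint
        return port;
    }
}

// Server side: only accept callers that presented a certificate on the TLS connection.
@WebService(endpointInterface = "Hello")
public class HelloImpl implements Hello {
    @Resource
    private WebServiceContext wsContext;

    public String whoAmI() {
        MessageContext ctx = wsContext.getMessageContext();
        HttpServletRequest req = (HttpServletRequest) ctx.get(MessageContext.SERVLET_REQUEST);
        // Standard servlet attribute; null when the request came in over plain HTTP
        // or the connector did not ask for a client certificate (clientAuth).
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            throw new SecurityException("no client certificate on request; check the transport is HTTPS");
        }
        return chain[0].getSubjectX500Principal().getName();
    }
}
```

Each class belongs in its own source file in a real deployment; they are shown together here only to keep the two halves of the exchange side by side.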
 
Kevin Ng Kai Man
Greenhorn
Posts: 1
Dejan, I faced the same problem as you did previously.

But your link to jbossws.jboss.org/mediawiki/index.php?title=Secure_transport
doesn't seem to be working. Can you give me another one?
I'm new to server configuration, so I don't know what to search for.
 