Two-way SSL authentication

Matt Dalen
Greenhorn
Posts: 26
Hi,

I'm trying to call a web service run by an outside company. I've done server-side SSL authentication before, but this is the first time I've been asked to do two-way authentication, and I'm having trouble getting it to work. I'm receiving their cert properly, and I think my keystore is properly built to include both the private key and the cert (I used keytool to import them from a PKCS12 file into a JKS file). But I'm still receiving an error when I try to send information - the server folks say they're not receiving a client cert.

Here's my test code that sends the message:



Any suggestions for ways to solve this, or avenues of investigation?

Jaikiran Pai
Sheriff
Posts: 10445
Is there anything in the SSL debug logs (http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)?
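As an added illustration of the setup the first post describes and of the debug output Jaikiran asks about, here is a small Java client (my example, not Matt's test code, which does not appear in the thread). It loads the PKCS12 file directly as the key store, loads a separate trust store holding the server's CA, builds an SSLContext from both, and enables the JSSE handshake trace. The file names, passwords and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Load a key store or trust store from disk; type is "PKCS12" or "JKS".
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext that presents our certificate (from the key store)
    // and verifies the server against the CAs in the trust store.
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Handshake trace: shows the server's CertificateRequest, including the
        // CA names it accepts, and which certificate (if any) we send back.
        // Must be set before any JSSE class is loaded; the command-line flag
        // -Djavax.net.debug=ssl:handshake is the reliable way to do that.
        System.setProperty("javax.net.debug", "ssl:handshake");

        // Placeholder paths and passwords; replace with your own.
        char[] password = "changeit".toCharArray();
        KeyStore keyStore = loadKeyStore("client.p12", "PKCS12", password);
        KeyStore trustStore = loadKeyStore("truststore.jks", "JKS", password);
        SSLContext ctx = buildContext(keyStore, password, trustStore);

        URL url = new URL("https://service.example.com/endpoint");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

Two points worth knowing: `KeyStore.getInstance("PKCS12")` reads the PKCS12 file as-is, so the keytool import into a JKS file is not required; and the KeyManager will only send a certificate whose issuer appears in the CA list the server advertises in its CertificateRequest, which is exactly what the handshake trace lets you compare.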

Jaikiran Pai
Sheriff
Posts: 10445

Matt Dalen wrote: But I'm still receiving an error when I try to send information - the server folks say they're not receiving a client cert.

It's hard to say without looking at the actual error (if any), but I just found this long discussion thread about 2 way SSL and thought you might want to just check some of the points mentioned there https://coderanch.com/t/496594/Web-Services/java/ssl-working-bad-certificate

Richard Tookey
Bartender
Posts: 1166

Matt Dalen wrote: and I think my keystore is properly built to include both the private key and the cert

I hope not. If they have given you their private key their site is seriously compromised! You only need their CA signed certificate.

<edit> On re-reading I may have misunderstood where the PKCS12 file comes from. If it is one you generated for the client side authentication then the above does not apply, but of course the certificate contained in the PKCS12 file must be signed by a CA that the server recognises.

Matt Dalen
Greenhorn
Posts: 26

Jaikiran Pai wrote: Is there anything in the SSL debug logs (http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)?

Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.

Richard Tookey wrote: <edit> On re-reading I may have misunderstood where the PKCS12 file comes from. If it is one you generated for the client side authentication then the above does not apply, but of course the certificate contained in the PKCS12 file must be signed by a CA that the server recognises.

Yes, this is the pkcs12 file we generated for client-side authentication. However, I think you're right that it's an issue with the CA not matching.

Deepak Bala
Bartender
Posts: 6663

Matt Dalen wrote: Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.

From what I understand, one of the issuers on the cert chain is unavailable for verification on your client side trust store. For example - The root CA for github is DigiCert. If DigiCert is unavailable in the trust store, any communication between you and github will fail with an SSL error saying the CA cannot be verified.

To fix the problem (if that is the problem) import the CA's cert into your trust store. Who is the CA ? Is the certificate self signed ?

[EDIT]

My assumption here is that the error you are talking about came from not trusting the cert presented by the server. Please post the SSL debug logs and we can help you further.
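To make the issuer check concrete from the client's side, here is an added example (mine, not code from the thread). It opens the client key store, prints the issuer of the client certificate, compares it with the trusted CA entries of a store that is assumed to mirror the CA list the server accepts, and then runs a full PKIX path validation, which is the check the server performs on the chain it receives. The file names and passwords are placeholders; `server-accepted-cas.jks` is a hypothetical trust store you would build from the CA certificates the server operator says they accept.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class ClientChainCheck {

    // Load a key store or trust store from disk; type is "PKCS12" or "JKS".
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // The chain stored with the first private-key entry, leaf certificate first.
    static List<X509Certificate> clientChain(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                List<X509Certificate> chain = new ArrayList<>();
                for (Certificate c : ks.getCertificateChain(alias)) {
                    chain.add((X509Certificate) c);
                }
                return chain;
            }
        }
        throw new IllegalStateException("no private-key entry in key store");
    }

    // Subjects of the trusted-certificate entries: the names a server built on
    // this trust store would list in its CertificateRequest.
    static List<X500Principal> acceptedIssuers(KeyStore trustStore) throws Exception {
        List<X500Principal> names = new ArrayList<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                X509Certificate ca = (X509Certificate) trustStore.getCertificate(alias);
                names.add(ca.getSubjectX500Principal());
            }
        }
        return names;
    }

    // Name-only check, as the handshake does: is any issuer in the chain accepted?
    static boolean chainsToAccepted(List<X509Certificate> chain, List<X500Principal> accepted) {
        for (X509Certificate c : chain) {
            if (accepted.contains(c.getIssuerX500Principal())) {
                return true;
            }
        }
        return false;
    }

    // Full PKIX validation (signatures, validity, constraints) against the trust
    // store's anchors. Returns null on success, otherwise the validator's reason.
    static String validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        // A self-signed root at the end of an exported chain is the trust anchor,
        // not a path member, so drop it before validating.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check; no CRL or OCSP lookups here
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // placeholder
        KeyStore keyStore = load("client.p12", "PKCS12", password);
        KeyStore serverCas = load("server-accepted-cas.jks", "JKS", password);

        List<X509Certificate> chain = clientChain(keyStore);
        X509Certificate leaf = chain.get(0);
        System.out.println("client cert subject: " + leaf.getSubjectX500Principal());
        System.out.println("client cert issuer:  " + leaf.getIssuerX500Principal());

        List<X500Principal> accepted = acceptedIssuers(serverCas);
        System.out.println("CAs the server accepts: " + accepted);
        // The symptom in this thread: no issuer in the chain is an accepted CA.
        System.out.println("issuer accepted: " + chainsToAccepted(chain, accepted));

        String failure = validate(chain, serverCas);
        System.out.println(failure == null ? "chain validates" : "chain rejected: " + failure);
    }
}
```

The name comparison is the cheap first check and reproduces the mismatch Matt saw in the debug log; the PKIX validation goes further and also catches a certificate that names the right CA but was not actually signed by it, or has expired.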

Matt Dalen
Greenhorn
Posts: 26

Deepak Bala wrote:

Matt Dalen wrote: Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.

From what I understand, one of the issuers on the cert chain is unavailable for verification on your client side trust store. For example - The root CA for github is DigiCert. If DigiCert is unavailable in the trust store, any communication between you and github will fail with an SSL error saying the CA cannot be verified.

To fix the problem (if that is the problem) import the CA's cert into your trust store. Who is the CA ? Is the certificate self signed ?

[EDIT]

My assumption here is that the error you are talking about came from not trusting the cert presented by the server. Please post the SSL debug logs and we can help you further.

I was able to track down the issue - I was given the wrong cert, which is why the issuer didn't match. Thanks for everyone's help!