Home » java.net Forums » GlassFish » GlassFish

Thread: SSL Mutual Authentication via JAX-WS

Replies: 12 - Last Post: May 4, 2007 1:23 PM by: Jagadesh B Munta
Drinkwater, GJ ...
SSL Mutual Authentication via JAX-WS
Posted: Apr 26, 2007 7:49 AM

Hi

I am trying to set up SSL mutual authentication using JAX-WS with
glassfish UR1. I have set up everything correctly and generated a key
pair using keytool and the web service picks up the certificate fine and
everything works ok.

Now, if I convert my pem files into jks keystore format and use this,
the handshake fails. I have imported the root cert into the trusted
cacerts of glassfish and everything looks fine with the keystore with
'keytool -list -keystore mykeystore.jks -v'

Has anybody managed to get this working with a converted pem credential?

On the server side I get:

SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:172)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:679)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)

And on the client side I get:

***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC ....$S.+........
Padded plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC ....$S.+........
0010: EF 68 74 7D 7B E6 54 80 E5 7C DD 52 E4 90 3B 66 .ht...T....R..;f
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
%% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
Padded plaintext before ENCRYPTION: len = 18
0000: 02 0A ED AE 45 78 72 A0 27 0C D3 2B B4 21 DA DE ....Exr.'..+.!..
0010: BA DB ..
main, WRITE: TLSv1 Alert, length = 18
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
javax.xml.ws.WebServiceException: javax.xml.ws.WebServiceException: java.net.SocketException: Software caused connection abort: recv failed

Thanks glen


Shing Wai Chan
Re: SSL Mutual Authentication via JAX-WS
Posted: Apr 26, 2007 8:17 AM   in response to: Drinkwater, GJ ...

The trace below indicates that the cert is not trusted.
I notice that you are using mykeystore.jks.
The default KeyStore is keystore.jks and the default TrustStore is cacerts.jks.
Please make sure that the corresponding CA certs or the cert (if it is
self-signed) is imported into cacerts.jks.



V B Kumar Jayanti
Re: SSL Mutual Authentication via JAX-WS
Posted: Apr 26, 2007 8:21 AM   in response to: Drinkwater, GJ ...

Drinkwater, GJ (Glen) wrote:

> Hi
>
> I am trying to setup SSL mutual authentication using JAX-WS with
> glassfish UR1. I have set up everything correctly and generated a key
> pair using keytool and the web service picks up the certificate fine
> and everything works ok.
>
> Now, if I convert my pem files into jks keystore format and use this,
> the handshake fails. I have imported the root cert into the trusted
> cacerts of glassfish and everything looks fine with the keystore with
> 'keytool -list -keystore mykeystore.jks -v'
>
Can you send the steps you used with keytool to generate the keypair?

> Has anybody managed to get this working with a converted pem credential?
>
And what command did you use for converting the pem?

Thanks.



Drinkwater, GJ ...
RE: Re: SSL Mutual Authentication via JAX-WS
Posted: Apr 26, 2007 8:49 AM   in response to: V B Kumar Jayanti

Hi

> And what command did you use for converting pem.

I first tried using the org.mortbay.util.PKCS12Import from
http://mark.foster.cc/kb/openssl-keytool.html. Then I tried using
utils.ImportPrivateKey from WebLogic.

Are there any other ways to import pem files to java jks formats?

> Can you send the steps you used with keytool to generate the keypair

I did not generate the key pair that does not work; these are generated
by my work's CA Authority. When I generated the key pair using keytool
-genkey ... the system worked ok.

> Please make sure that the corresponding CA certs or the cert (if it is
> self-signed) is in imported into cacerts.jks.

I do have the root ca of my certificate in cacerts of glassfish.

keytool.exe -keystore glassfish\domains\domain1\config\cacerts.jks -list -trustcacerts -alias mykey
Enter keystore password:
mykey, 26-Apr-2007, trustedCertEntry,
Certificate fingerprint (MD5): F7:65:A8:5E:67:2B:7C:F4:90:20:38:14:BC:05:04:F6




Drinkwater, GJ ...
RE: Re: SSL Mutual Authentication via JAX-WS
Posted: Apr 26, 2007 9:26 AM   in response to: Drinkwater, GJ ...

Hi

I have tried using SimpleCA and this was the process.

1) http://users.skynet.be/ballet/joris/SimpleCA/ and create a simple
root certificate and a user credential
2) Converted the pkcs12 file using globus toolkit into a java jks
keystore

$ keytool.exe -list -keystore simple.jks -v
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: globus
Creation date: 26-Apr-2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=simple@s.com, CN=glen simple
Issuer: EMAILADDRESS=democa@democa.com, CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
Serial number: 1000
Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25 16:55:49 BST 2008
Certificate fingerprints:
MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
SHA1: 76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
Signature algorithm name: MD5withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
emailProtection
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD ....G..;H.....F.
0010: B4 ED 06 02 ....
]

]

#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: simple@s.com
]



*******************************************
*******************************************

3) Export the simple CA cert from keystore

keytool -export -alias globus -file simple.crt -keystore simple.jks

4) Import this into cacerts for glassfish

keytool -import -keystore glassfish\domains\domain1\config\cacerts.jks
-file simple.crt -trustcacerts

5) Restart glassfish

6) Run application with VM options and again I get the same error. I
then try and add the root simpleCA to cacerts and again it fails.

-Djavax.net.ssl.trustStore=${truststore.location}
-Djavax.net.ssl.trustStorePassword=${ssl.password}
-Djavax.net.ssl.keyStore=${keystore.location}
-Djavax.net.ssl.keyStorePassword=${ssl.password}

I have been following this
http://java.sun.com/developer/EJTechTips/2006/tt0527.html

Has anybody had this working using a cert from simpleCA?

Glen




Drinkwater, GJ ...
RE: SSL Mutual Authentication via JAX-WS
Posted: May 2, 2007 12:48 AM   in response to: Drinkwater, GJ ...

Hi

I am still trying to allow mutual authentication with JAX-WS but to no
avail. I can easily have this working with a self-signed certificate as
in http://java.sun.com/developer/EJTechTips/2006/tt0527.html but any
certificate that is derived from a PEM format fails, i.e. SimpleCA. Has
anybody had this working with a PEM credential? If so, which method did
you use to convert the PEM into JKS?

Is this a compatibility issue with java or glassfish?

Glen
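The PEM-to-JKS conversion in steps 1 and 2 of the earlier post, and the question above of which method to use, can be done with the JDK alone. The following is an added example, not code from this thread or from GlassFish: it loads a PKCS#8 PEM private key and a PEM certificate bundle, writes a JKS key entry whose chain includes the CA cert, and then PKIX-validates that chain against cacerts.jks the way the server side does. It assumes an unencrypted PKCS#8 RSA key; the class name PemToJks, the alias "client" and the file names are placeholders.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.interfaces.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;

/* Added example, not code from the thread or from GlassFish. Builds a JKS
 * client keystore from PEM files and then checks what a "null cert chain"
 * failure turns on: the key entry carries the whole chain, and that chain
 * validates against the server's trust store (cacerts.jks). Assumes an RSA
 * key in unencrypted PKCS#8 PEM form ("BEGIN PRIVATE KEY"). */
public class PemToJks {

    /* Every certificate in a PEM file (user cert, intermediates, root). */
    static List<X509Certificate> readCerts(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            // one call handles a file holding several BEGIN CERTIFICATE blocks
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /* The JDK decodes PKCS#8 only; a PKCS#1 "BEGIN RSA PRIVATE KEY" file (what
     * openssl genrsa writes) must first go through: openssl pkcs8 -topk8 -nocrypt */
    static PrivateKey readPkcs8Key(Path pem) throws Exception {
        String text = new String(Files.readAllBytes(pem), StandardCharsets.US_ASCII);
        if (!text.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new IllegalArgumentException(pem + ": not an unencrypted PKCS#8 key");
        }
        byte[] der = Base64.getDecoder().decode(
                text.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", ""));
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /* Leaf first, following issuer -> subject until a self-signed root. The leaf
     * is the certificate whose RSA modulus equals the private key's. */
    static X509Certificate[] orderChain(List<X509Certificate> certs, PrivateKey key) {
        X509Certificate current = null;
        for (X509Certificate c : certs) {
            if (c.getPublicKey() instanceof RSAPublicKey && ((RSAPublicKey) c.getPublicKey())
                    .getModulus().equals(((RSAPrivateKey) key).getModulus())) {
                current = c;
            }
        }
        if (current == null) throw new IllegalStateException("no certificate matches the private key");
        List<X509Certificate> chain = new ArrayList<>();
        while (current != null && !chain.contains(current)) {
            chain.add(current);
            X509Certificate next = null;
            for (X509Certificate c : certs) {
                if (c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) next = c;
            }
            current = next;
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /* PKIX-validate the chain against the trusted entries of a JKS trust store,
     * which is what the server does with the client's Certificate message. */
    static void validateAgainst(X509Certificate[] chain, Path trustStore, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ts.load(in, pw);
        }
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);   // the root comes from the trust store, not from the path
        }
        PKIXParameters params = new PKIXParameters(ts);   // every trustedCertEntry becomes an anchor
        params.setRevocationEnabled(false);               // offline check, no CRL/OCSP
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(cp, params);   // throws if it does not chain
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            throw new IllegalArgumentException("usage: PemToJks key.pem chain.pem out.jks cacerts.jks password");
        }
        char[] pw = args[4].toCharArray();   // one password for both stores, for brevity
        PrivateKey key = readPkcs8Key(Paths.get(args[0]));
        X509Certificate[] chain = orderChain(readCerts(Paths.get(args[1])), key);
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                 // start from an empty store
        ks.setKeyEntry("client", key, pw, chain);
        try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) {
            ks.store(out, pw);
        }
        validateAgainst(chain, Paths.get(args[3]), pw);
        System.out.println("chain of " + chain.length + " cert(s) validates against " + args[3] + "; leaf issuer " + chain[0].getIssuerX500Principal());
    }
}
```

If validateAgainst throws a CertPathValidatorException, the trust store does not hold the CA that issued the leaf, which is the "cert is not trusted" condition named earlier in the thread; a chain length of 1 in the printed result means chain.pem carried no CA cert, the same state shown by the keytool -list output above.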



Legolas Woodland
Re: SSL Mutual Authentication via JAX-WS
Posted: May 2, 2007 3:49 AM   in response to: Drinkwater, GJ ...

I have had your problem and I never succeeded in using my certification. In my
case glassfish reported an error when it tried to load keystore.jks and
complained about an incorrect file format.
Meanwhile keytool shows that keystore.jks is correct.
I even sent samples and a screenshot to a glassfish representative to check and
find the problem, with no luck.
If you find a solution to use third party certification and pk and .... with
glassfish, let me know please.




> main, Exception sending alert: java.net.SocketException : Software caused
> connection abort: socket write error
> main, called closeSocket()
> main, called close()
> main, called closeInternal(true)
> javax.xml.ws.WebServiceException: javax.xml.ws.WebServiceException:
> java.net.SocketException: Software caused connection abort: recv failed
>
> Thanks glen
>
>
>


Drinkwater, GJ ...
RE: Re: SSL Mutual Authentication via JAX-WS
Posted: May 2, 2007 6:37 AM   in response to: Legolas Woodland

Hi

Is there a bug/issue number for this??

Glen

________________________________

From: Legolas Woodland [mailto:legolas.w@gmail.com]
Sent: 02 May 2007 11:49
To: users@glassfish.dev.java.net
Subject: Re: SSL Mutual Authentication via JAX-WS


I have had your problem and I never succeeded in using my certification. In
my case glassfish reported an error when it tried to load keystore.jks and
complained about incorrect file format.
Meanwhile keytool shows that keystore.jks is correct.
I even sent samples and screenshots to a glassfish representative to check
and find the problem, with no luck.
If you find a solution to use third party certification and pk and ....
with glassfish let me know please.




On 5/2/07, Drinkwater, GJ (Glen) <g.j.drinkwater@dl.ac.uk > wrote:

Hi

I am still trying to allow mutual authentication with JAX-WS but
to no avail. I can easily have this working with a self-signed
certificate as in
http://java.sun.com/developer/EJTechTips/2006/tt0527.html but any
certificate that is derived from a PEM format fails, i.e. SimpleCA. Has
anybody had this working with a PEM credential? If so, which method did
you use to convert the PEM into JKS?

Is this a compatibility issue with java or glassfish?

Glen

________________________________

From: Drinkwater, GJ (Glen) [mailto:g.j.drinkwater@dl.ac.uk ]
Sent: 26 April 2007 17:26

To: users@glassfish.dev.java.net
Subject: RE: Re: SSL Mutual Authentication via JAX-WS




Hi

I have tried with using SimpleCa and this was the process.

1) http://users.skynet.be/ballet/joris/SimpleCA/ and create a
simple root certificate and a user credential
2) Converted the pkcs12 file using globus toolkit into a java
jks keystore

$ keytool.exe" -list -keystore simple.jks -v
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: globus
Creation date: 26-Apr-2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=simple@s.com, CN=glen simple
Issuer: EMAILADDRESS=democa@democa.com, CN=SimpleCA Demo CA,
OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
Serial number: 1000
Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25
16:55:49 BST 2008
Certificate fingerprints:
MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
SHA1:
76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
Signature algorithm name: MD5withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
emailProtection
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD
....G..;H.....F.
0010: B4 ED 06 02 ....
]

]

#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: simple@s.com
]



*******************************************
*******************************************

3) Export the simple CA cert from keystore

keytool -export -alias globus -file simple.crt -keystore
simple.jks

4) Import this into cacerts for glassfish

keytool -import -keystore
glassfish\domains\domain1\config\cacerts.jks -file simple.crt
-trustcacerts

5) Restart glassfish

6) Run application with VM options and again I get the same
error, I then try and add the root simpleCA to cacerts and again it fails.



-Djavax.net.ssl.trustStore=${truststore.location}
-Djavax.net.ssl.trustStorePassword=${ssl.password}
-Djavax.net.ssl.keyStore =${keystore.location}
-Djavax.net.ssl.keyStorePassword=${ssl.password}

I have been following this
http://java.sun.com/developer/EJTechTips/2006/tt0527.html

Has anybody had this working using a cert from simpleCA?

Glen


________________________________

From: Drinkwater, GJ (Glen) [mailto:g.j.drinkwater@dl.ac.uk]
Sent: 26 April 2007 16:49
To: users@glassfish.dev.java.net
Subject: RE: Re: SSL Mutual Authentication via JAX-WS


Hi


And what command did you use for converting pem.

I first tried using the org.mortbay.util.PKCS12Import from
http://mark.foster.cc/kb/openssl-keytool.html
Then I tried using
utils.ImportPrivateKey from web logic.

Is there any other ways to import pem files to java jks formats?

Can you send the steps you used with keytool to generate the
keypair

I did not generate the key pair that does not work, these are
generated by my work's CA Authority. When I generated the key pair using
keytool -genkey ... the system worked ok.

Please make sure that the corresponding CA certs or the cert (if
it is self-signed) is imported into cacerts.jks.



I do have the root ca of my certificate in cacerts of glassfish.



keytool.exe -keystore
glassfish\domains\domain1\config\cacerts.jks -list -trustcacerts -alias
mykey
Enter keystore password:
mykey, 26-Apr-2007, trustedCertEntry,
Certificate fingerprint (MD5):
F7:65:A8:5E:67:2B:7C:F4:90:20:38:14:BC:05:04:F6


________________________________

From: Vbkumar.Jayanti@Sun.COM [mailto:Vbkumar.Jayanti@Sun.COM]
Sent: 26 April 2007 16:21
To: users@glassfish.dev.java.net
Subject: Re: SSL Mutual Authentication via JAX-WS


Drinkwater, GJ (Glen) wrote:


Hi

I am trying to setup SSL mutual authentication using
JAX-WS with glassfish UR1. I have set up everything correctly and
generated a key pair using keytool and the web service picks up the
certificate fine and everything works ok.

Now, if I convert my pem files into jks keystore format
and use this, the handshake fails. I have imported the root cert into
the trusted cacerts of glassfish and everything looks fine with the
keystore with 'keytool -list -keystore mykeystore.jks -v'

Can you send the steps you used with keytool to generate the
keypair


Has anybody managed to get this working with a converted
pem credential?

And what command did you use for converting pem.

Thanks.




On the serverside I get :

SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException (Alerts.java:174)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520
)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE (Handshaker.java:182)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:172)
at
com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate
(ServerHandshaker.java:1206)
at
com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHands
haker.java:148)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop
(Handshaker.java:511)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:4
49)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord
(SSLSocketImpl.java:817)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.
java:679)
at
com.sun.net.ssl.internal.ssl.AppInputStream.read
(AppInputStream.java:75)

And on the client side I get:

***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC
....$S.+........
Padded plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC
....$S.+........
0010: EF 68 74 7D 7B E6 54 80 E5 7C DD 52 E4 90 3B 66
.ht...T....R..;f
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, Exception while waiting for close
java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException :
Software caused connection abort: recv failed
%% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, SEND TLSv1 ALERT: fatal, description =
unexpected_message
Padded plaintext before ENCRYPTION: len = 18
0000: 02 0A ED AE 45 78 72 A0 27 0C D3 2B B4 21 DA DE
....Exr.'..+.!..
0010: BA DB
..
main, WRITE: TLSv1 Alert, length = 18
main, Exception sending alert: java.net.SocketException
: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
javax.xml.ws.WebServiceException:
javax.xml.ws.WebServiceException: java.net.SocketException: Software
caused connection abort: recv failed

Thanks glen





Shing Wai Chan
Re: SSL Mutual Authentication via JAX-WS
Posted: May 2, 2007 9:40 AM   in response to: Drinkwater, GJ ...

I think the error in the stack trace mentioned means that the cert is
not trusted.
What CA do you use? Does the corresponding CA have its root CA cert
installed in cacerts.jks?
Note that when you install the certs or keys, we need to make sure that
the key/cert password is the same as the keystore password.
If you want more debug info, try to put the JVM option
-Djavax.net.debug=ssl,handshake
and restart the server.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net


Shing Wai Chan
Re: SSL Mutual Authentication via JAX-WS
Posted: May 2, 2007 11:21 AM   in response to: Shing Wai Chan

I have confirmed from the testing team that JAX-WS mutual SSL works with a
non-self-signed cert generated by OpenSSL.



Drinkwater, GJ ...
Re: SSL Mutual Authentication via JAX-WS
Posted: May 4, 2007 7:46 AM   in response to: Drinkwater, GJ ...

Hi

What was the method /command you used to convert the PEM format into JKS
format?


Glen


Drinkwater, GJ ...
RE: Re: SSL Mutual Authentication via JAX-WS
Posted: May 4, 2007 8:02 AM   in response to: Drinkwater, GJ ...

Hi

These are the steps I used; what steps did you do differently?

1) http://users.skynet.be/ballet/joris/SimpleCA/ and create a simple
root certificate and a user credential

2) Converted the pkcs12 file using globus toolkit into a java jks
keystore

$ keytool.exe" -list -keystore simple.jks -v
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: globus
Creation date: 26-Apr-2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=simple@s.com, CN=glen simple
Issuer: EMAILADDRESS=democa@democa.com, CN=SimpleCA Demo CA, OU=Demo CA,
O=SimpleCA, L=GB, ST=England, C=GB
Serial number: 1000
Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25 16:55:49 BST
2008
Certificate fingerprints:
MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
SHA1:
76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
Signature algorithm name: MD5withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
emailProtection
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD
....G..;H.....F.
0010: B4 ED 06 02 ....
]

]

#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: simple@s.com
]



*******************************************
*******************************************

3) Export the simple CA cert from keystore

keytool -export -alias globus -file simple.crt -keystore simple.jks

4) Import this into cacerts for glassfish

keytool -import -keystore glassfish\domains\domain1\config\cacerts.jks
-file simple.crt -trustcacerts

5) Restart glassfish

6) Run application with VM options and again I get the same error, I
then try and add the root simpleCA to cacerts and again it fails.

-Djavax.net.ssl.trustStore=${truststore.location}
-Djavax.net.ssl.trustStorePassword=${ssl.password}
-Djavax.net.ssl.keyStore =${keystore.location}
-Djavax.net.ssl.keyStorePassword=${ssl.password}


Jagadesh B Munta
Re: SSL Mutual Authentication via JAX-WS
Posted: May 4, 2007 1:23 PM   in response to: Drinkwater, GJ ...

Hi,

Your steps look ok, but I am not sure whether converting the certs to jks had
an issue. The following details can give you some clues.

1) See the attached file for generating certs using OpenSSL.
OpenSSL -- gen_certs_openssl.sh

2) Verisign -
http://wiki.glassfish.java.net/gfwiki/Wiki.jsp?page=How_to_ssl_versign

3) Converting PKCS12 to JKS --> We used internal java program to do the
conversion.

Now with J2SE 6, you can convert from PKCS12 to JKS directly using the
keytool. See the documentation @URL
http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html

Example:
jdk6/bin/keytool -importkeystore -srckeystore appserver1.p12
-destkeystore appserver1.jks -srcstoretype PKCS12 -deststoretype JKS
-srcalias appserver1

Hope this helps.

Thanks.
-- Jagadesh

Drinkwater, GJ (Glen) wrote:
> Hi
>
> These are the steps I used; what steps did you do differently?
>
> 1) http://users.skynet.be/ballet/joris/SimpleCA/ and create a simple
> root certificate and a user credential
> 2) Converted the pkcs12 file using globus toolkit into a java jks
> keystore
>
> $ keytool.exe" -list -keystore simple.jks -v
> Enter keystore password:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: globus
> Creation date: 26-Apr-2007
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: EMAILADDRESS=simple@s.com, CN=glen simple
> Issuer: EMAILADDRESS=democa@democa.com, CN=SimpleCA Demo CA, OU=Demo CA,
> O=SimpleCA, L=GB, ST=England, C=GB
> Serial number: 1000
> Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25 16:55:49 BST
> 2008
> Certificate fingerprints:
> MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
> SHA1:
> 76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
> Signature algorithm name: MD5withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
> CA:false
> PathLen: undefined
> ]
>
> #2: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
> clientAuth
> emailProtection
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD
> ....G..;H.....F.
> 0010: B4 ED 06 02 ....
> ]
>
> ]
>
> #4: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> RFC822Name: simple@s.com
> ]
>
>
>
> *******************************************
> *******************************************
>
> 3) Export the simple CA cert from keystore
>
> keytool -export -alias globus -file simple.crt -keystore simple.jks
>
> 4) Import this into cacerts for glassfish
>
> keytool -import -keystore glassfish\domains\domain1\config\cacerts.jks
> -file simple.crt -trustcacerts
>
> 5) Restart glassfish
>
> 6) Run application with VM options and again i get the same error, I
> then try and add the root simpleCA to cacerts and again fails.
>
> -Djavax.net.ssl.trustStore=${truststore.location}
> -Djavax.net.ssl.trustStorePassword=${ssl.password}
> -Djavax.net.ssl.keyStore =${keystore.location}
> -Djavax.net.ssl.keyStorePassword=${ssl.password}

#!/bin/sh -x

############################################################################
# Description: Creation of certificates signed by CA for AppServer testing
# uses OpenSSL
# author: jagadesh.munta@sun.com
# 06/09/2004
############################################################################

# CA working directory: index and serial files are what "openssl ca" needs
mkdir -p CA
mkdir -p CA/newcerts
touch CA/index.txt
rm -f CA/serial
echo "01">CA/serial
# create a new request for CA certificate
#Issuer: EMAILADDRESS=jagadesh.munta@sun.com, CN=J2EE SQE Root CA, OU=Java Web Services, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
openssl req -config openssl.cnf -new -x509 -keyout CA/cakey.pem -out CA/cacert.pem -days 3650

# get the CA certificate in B64 encoded format
openssl x509 -in CA/cacert.pem -out CA/cacert.crt

# create a new request for SERVER certificate
#EMAILADDRESS=jagadesh.munta@sun.com, CN=AppServer1, OU=Java Web Services, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
openssl req -config openssl.cnf -new -keyout newreq.pem -out newreq.pem -days 3650

# SIGN the server certificate with CA
openssl ca -config openssl.cnf -keyfile CA/cakey.pem -cert CA/cacert.pem -out newcert.pem -passin pass:changeit -infiles newreq.pem

# export the SERVER certificate into PKCS12 format
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -out appserver1.p12 -name AppServer1

#EMAILADDRESS=jagadesh.munta@sun.com, CN=AppServer2, OU=Java Web Services, O=Sun Microsystems Inc, L=Santa Clara, ST=California, C=US
# create a new request for SERVER certificate
openssl req -config openssl.cnf -new -keyout newreq.pem -out newreq.pem -days 3650

# SIGN the server certificate with CA
openssl ca -config openssl.cnf -keyfile CA/cakey.pem -cert CA/cacert.pem -out newcert.pem -passin pass:changeit -infiles newreq.pem

# export the SERVER certificate into PKCS12 format
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -out appserver2.p12 -name AppServer2


# create a new request for CLIENT certificate
#EMAILADDRESS=jagadesh.munta@sun.com, CN=Jagadesh Munta, OU=Java Web Services, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
openssl req -config openssl.cnf -new -keyout newreq.pem -out newreq.pem -days 3650

# SIGN the client certificate with CA
openssl ca -config openssl.cnf -keyfile CA/cakey.pem -cert CA/cacert.pem -out newcert.pem -passin pass:changeit -infiles newreq.pem

# export the CLIENT certificate into PKCS12 format
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -out jagadesh_munta.p12 -name jagadesh

# get the CLIENT certificate in B64 encoded format
openssl x509 -in newcert.pem -out jagadesh_munta.crt

# display the certificate
openssl x509 -in jagadesh_munta.crt -text

echo "**********************************************"
echo "CA certificate is at CA/cacert.crt"
echo "Client certificate is at jagadesh_munta.p12 and jagadesh_munta.crt"
echo "**********************************************"

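The thread turns on what the client keystore actually contains. Glen's keytool listing shows a single PrivateKeyEntry with "Certificate chain length: 1" whose Issuer is the SimpleCA root, and the server's "null cert chain" means the client presented no certificate at all. The script below is an added example, not code from the thread, from GlassFish or from the JDK: it runs a few sanity checks over a saved `keytool -list -v` dump (is there a private key entry, does the certificate carry the clientAuth extended key usage, does the stored chain end in a self-signed CA). The sample listing is constructed from the one Glen posted, with the mail-wrapped Issuer line rejoined; the second, "after" listing is a constructed version of the same entry with the SimpleCA root appended to the chain. The explanation in the comments of how the JSSE key manager selects the client entry (by matching issuer DNs in the stored chain against the CA names in the server's CertificateRequest) is background I add, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread, GlassFish or the JDK: sanity checks
# on a `keytool -list -v` dump of a client keystore before it is used for
# mutual SSL. Each check reads the listing from a file so it can scan it
# independently. The sample listing is constructed from the one Glen posted
# (mail-wrapped lines rejoined); alias and names are his values.

LISTING=$(mktemp)
cat >"$LISTING" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: globus
Creation date: 26-Apr-2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=simple@s.com, CN=glen simple
Issuer: EMAILADDRESS=democa@democa.com, CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
Serial number: 1000
Signature algorithm name: MD5withRSA
Version: 3

Extensions:

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  emailProtection
]
EOF

# Constructed "after" listing: the same entry once the PKCS12 was rebuilt with
# the SimpleCA root included, so the chain ends in a self-signed CA cert.
LISTING_OK=$(mktemp)
{
  sed 's/^Certificate chain length: 1$/Certificate chain length: 2/' "$LISTING"
  cat <<'EOF'
Certificate[2]:
Owner: EMAILADDRESS=democa@democa.com, CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
Issuer: EMAILADDRESS=democa@democa.com, CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
EOF
} >"$LISTING_OK"
trap 'rm -f "$LISTING" "$LISTING_OK"' EXIT

# Number of certificates in the first entry's chain (0 if the line is missing).
chain_length() {
  n=$(sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
  echo "${n:-0}"
}

# True when the entry holds a private key. A trustedCertEntry (what importing a
# .crt produces) has no key and can never be presented as a client identity.
is_private_key_entry() {
  grep -q '^Entry type: PrivateKeyEntry' "$1"
}

# True when the ExtendedKeyUsages block lists clientAuth.
has_client_auth_eku() {
  awk '/^ExtendedKeyUsages \[/      { inblk = 1; next }
       inblk && /^[[:space:]]*\]/   { inblk = 0 }
       inblk && /clientAuth/        { found = 1 }
       END                          { exit !found }' "$1"
}

# True when the last certificate in the chain is self-signed (Owner == Issuer),
# i.e. the stored chain runs up to a root CA. The JSSE key manager picks the
# client entry by matching issuer DNs in this chain against the CA names the
# server lists in its CertificateRequest; a one-cert chain offers only the
# leaf's Issuer for that match.
chain_reaches_root() {
  last_owner=$(grep '^Owner:' "$1" | tail -n 1 | sed 's/^Owner: *//')
  last_issuer=$(grep '^Issuer:' "$1" | tail -n 1 | sed 's/^Issuer: *//')
  [ -n "$last_owner" ] && [ "$last_owner" = "$last_issuer" ]
}

# Run every check, print one line per finding, return 0 only if none fired.
check_client_keystore_listing() {
  f=$1; rc=0
  is_private_key_entry "$f" || { echo "FAIL: no PrivateKeyEntry in listing"; rc=1; }
  has_client_auth_eku "$f"  || { echo "FAIL: certificate lacks the clientAuth extended key usage"; rc=1; }
  chain_reaches_root "$f"   || { echo "WARN: chain of length $(chain_length "$f") stops short of a self-signed CA"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: entry looks usable for client authentication"
  return "$rc"
}

echo "--- listing as posted"; check_client_keystore_listing "$LISTING" || true
echo "--- listing with CA in chain"; check_client_keystore_listing "$LISTING_OK"
```

Run against the posted listing it flags the one-certificate chain; against the constructed "after" listing it passes. Two further points are visible in the thread itself: the `keytool -export -alias globus` in step 3 exports the certificate of the PrivateKeyEntry (CN=glen simple), since that is the only entry under that alias, so step 4 imports the leaf rather than the SimpleCA root into the server's cacerts.jks; and when rebuilding the PKCS12 with OpenSSL, `openssl pkcs12 -export ... -certfile CA/cacert.pem` includes the CA certificate in the bundle before the `keytool -importkeystore` conversion Jagadesh shows. A mismatch between the key password and the keystore password, the other cause Shing Wai Chan raises, is not visible in a listing at all; the `-Djavax.net.debug=ssl,handshake` output he suggests is the place to look for that.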




