users@glassfish.java.net

Re: SSL Mutual Authentication via JAX-WS

From: Jagadesh B Munta <Jagadesh.Munta_at_Sun.COM>
Date: Fri, 04 May 2007 13:23:04 -0700

Hi,

Your steps look ok, but I am not sure whether converting the certs to JKS had
an issue. The following details may give you some clues.

1) See the attached file for generating certs using OpenSSL.
OpenSSL -- gen_certs_openssl.sh

2) Verisign -
http://wiki.glassfish.java.net/gfwiki/Wiki.jsp?page=How_to_ssl_versign

3) Converting PKCS12 to JKS --> We used an internal Java program to do the
conversion.

Now with J2SE 6, you can convert from PKCS12 to JKS directly using the
keytool. See the documentation at
http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html

Example:
jdk6/bin/keytool -importkeystore -srckeystore appserver1.p12
-destkeystore appserver1.jks -srcstoretype PKCS12 -deststoretype JKS
-srcalias appserver1

Hope this helps.

Thanks.
-- Jagadesh

Drinkwater, GJ (Glen) wrote:
> Hi
>
> These are the steps I used, what steps did you do differently?
>
> 1) Used http://users.skynet.be/ballet/joris/SimpleCA/ to create a simple
> root certificate and a user credential
> 2) Converted the pkcs12 file using globus toolkit into a java jks
> keystore
>
> $ keytool.exe" -list -keystore simple.jks -v
> Enter keystore password:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: globus
> Creation date: 26-Apr-2007
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: EMAILADDRESS=simple_at_s.com, CN=glen simple
> Issuer: EMAILADDRESS=democa_at_democa.com, CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
> Serial number: 1000
> Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25 16:55:49 BST 2008
> Certificate fingerprints:
> MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
> SHA1: 76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
> Signature algorithm name: MD5withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
> CA:false
> PathLen: undefined
> ]
>
> #2: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
> clientAuth
> emailProtection
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD  ....G..;H.....F.
> 0010: B4 ED 06 02                                      ....
> ]
>
> ]
>
> #4: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> RFC822Name: simple_at_s.com
> ]
>
>
>
> *******************************************
> *******************************************
>
> 3) Export the simple CA cert from keystore
>
> keytool -export -alias globus -file simple.crt -keystore simple.jks
>
> 4) Import this into cacerts for glassfish
>
> keytool -import -keystore glassfish\domains\domain1\config\cacerts.jks
> -file simple.crt -trustcacerts
>
> 5) Restart glassfish
>
> 6) Run the application with the VM options below and again I get the same
> error; I then try to add the root SimpleCA cert to cacerts and it again fails.
>
> -Djavax.net.ssl.trustStore=${truststore.location}
> -Djavax.net.ssl.trustStorePassword=${ssl.password}
> -Djavax.net.ssl.keyStore=${keystore.location}
> -Djavax.net.ssl.keyStorePassword=${ssl.password}
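An added check, not from this thread or from GlassFish, that parses the keytool -list -v output quoted above and reports what a reviewer would notice in it: the entry is CA:false, so step 3 exported the user certificate rather than the CA certificate; the chain length is 1 although the issuer differs from the owner, so the converted PKCS12 did not carry the CA certificate; and the signature algorithm is MD5withRSA. The sample dump is an abridged, constructed copy of the quoted output, and the finding messages are this example's own wording.

```python
import re

# Constructed sample: an abridged copy of the keytool -list -v dump quoted above,
# with the wrapped Issuer line joined back onto one line.
SAMPLE = """\
Alias name: globus
Certificate chain length: 1
Owner: EMAILADDRESS=simple_at_s.com, CN=glen simple
Issuer: EMAILADDRESS=democa_at_democa.com, CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
Signature algorithm name: MD5withRSA
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
]
ExtendedKeyUsages [
clientAuth
emailProtection
]
"""

def parse_entry(text):
    """Extract the fields the check needs from one keytool -list -v entry."""
    def grab(label):
        m = re.search(r"^%s:\s*(.*)$" % re.escape(label), text, re.M)
        return m.group(1).strip() if m else None
    eku = re.search(r"ExtendedKeyUsages \[\n(.*?)\n\]", text, re.S)
    return {
        "alias": grab("Alias name"),
        "chain_length": int(grab("Certificate chain length") or 0),
        "owner": grab("Owner"),
        "issuer": grab("Issuer"),
        "sigalg": grab("Signature algorithm name"),
        "is_ca": re.search(r"^CA:true$", text, re.M) is not None,
        "eku": eku.group(1).split() if eku else [],
    }

def check_entry(e):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if e["owner"] != e["issuer"] and e["chain_length"] < 2:
        findings.append("incomplete chain: CA-issued cert stored alone, so the "
                        "issuing CA cert was not in the PKCS12 that was converted")
    if not e["is_ca"]:
        findings.append("CA:false: alias '%s' is an end-entity cert; exporting "
                        "it does not yield the CA cert" % e["alias"])
    if "clientAuth" not in e["eku"]:
        findings.append("EKU lacks clientAuth; the cert may be rejected for client auth")
    if e["sigalg"] and e["sigalg"].upper().startswith("MD5"):
        findings.append("signed with %s; MD5 is broken, re-issue with SHA-256" % e["sigalg"])
    return findings
```

Running check_entry(parse_entry(SAMPLE)) on the quoted dump yields three findings (incomplete chain, CA:false, MD5withRSA) and passes the clientAuth check.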




#!/bin/sh -x

############################################################################
# Description: Creation of certificates signed by CA for AppServer testing
# uses OpenSSL
# author: jagadesh.munta_at_sun.com
# 06/09/2004
#
# Requires an openssl.cnf in the current directory whose [ CA_default ]
# section points at ./CA (dir, new_certs_dir, database, serial).
# Every "openssl req" below prompts interactively for the subject DN; the DN
# used for each certificate is recorded in the comment above the command.
############################################################################

# stop at the first failing command so a bad request is never signed or exported
set -e

mkdir -p CA/newcerts
touch CA/index.txt
rm -f CA/serial
echo "01">CA/serial

# create a new self-signed CA certificate; openssl prompts for the CA key
# passphrase, which must be the one passed via -passin to "openssl ca" below
#Issuer: EMAILADDRESS=jagadesh.munta_at_sun.com, CN=J2EE SQE Root CA, OU=Java Web Services, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
openssl req -config openssl.cnf -new -x509 -keyout CA/cakey.pem -out CA/cacert.pem -days 3650

# re-emit the CA certificate as bare B64 (PEM) so it can be imported into a truststore
openssl x509 -in CA/cacert.pem -out CA/cacert.crt

# create a new request for SERVER certificate (the private key and the CSR are
# written into the same file, newreq.pem, which the following commands read)
#EMAILADDRESS=jagadesh.munta_at_sun.com, CN=AppServer1, OU=Java Web Services, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
openssl req -config openssl.cnf -new -keyout newreq.pem -out newreq.pem -days 3650

# SIGN the server certificate with CA (the CA key passphrase is supplied inline,
# which is only acceptable for a throw-away test CA)
openssl ca -config openssl.cnf -keyfile CA/cakey.pem -cert CA/cacert.pem -out newcert.pem -passin pass:changeit -infiles newreq.pem

# export the SERVER key and certificate into PKCS12 format (openssl prompts for an
# export password; add -certfile CA/cacert.pem to bundle the CA cert so the chain
# survives a later PKCS12 -> JKS conversion)
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -out appserver1.p12 -name AppServer1

# create a new request for the second SERVER certificate
#EMAILADDRESS=jagadesh.munta_at_sun.com, CN=AppServer2, OU=Java Web Services, O=Sun Microsystems Inc, L=Santa Clara, ST=California, C=US
openssl req -config openssl.cnf -new -keyout newreq.pem -out newreq.pem -days 3650

# SIGN the server certificate with CA
openssl ca -config openssl.cnf -keyfile CA/cakey.pem -cert CA/cacert.pem -out newcert.pem -passin pass:changeit -infiles newreq.pem

# export the SERVER key and certificate into PKCS12 format
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -out appserver2.p12 -name AppServer2

# create a new request for CLIENT certificate
#EMAILADDRESS=jagadesh.munta_at_sun.com, CN=Jagadesh Munta, OU=Java Web Services, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
openssl req -config openssl.cnf -new -keyout newreq.pem -out newreq.pem -days 3650

# SIGN the client certificate with CA
openssl ca -config openssl.cnf -keyfile CA/cakey.pem -cert CA/cacert.pem -out newcert.pem -passin pass:changeit -infiles newreq.pem

# export the CLIENT key and certificate into PKCS12 format (this is the file to
# convert to JKS with keytool -importkeystore)
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -out jagadesh_munta.p12 -name jagadesh

# get the CLIENT certificate (public part only) in B64 encoded format
openssl x509 -in newcert.pem -out jagadesh_munta.crt

# display the certificate
openssl x509 -in jagadesh_munta.crt -text

echo "**********************************************"
echo "CA certificate is at CA/cacert.crt"
echo "Client certificate is at jagadesh_munta.p12 and jagadesh_munta.crt"
echo "**********************************************"