users@glassfish.java.net

RE: SSL Mutual Authentication via JAX-WS

From: Drinkwater, GJ (Glen)
Date: Wed, 2 May 2007 08:48:56 +0100

Hi
 
I am still trying to allow mutual authentication with JAX-WS but to no
avail. I can easily have this working with a self-signed certificate as
in http://java.sun.com/developer/EJTechTips/2006/tt0527.html but any
certificate that is derived from a PEM format fails, i.e. SimpleCA. Has
anybody had this working with a PEM credential, and if so, which method
did you use to convert the PEM into JKS?
 
Is this a compatibility issue with java or glassfish?
 
Glen
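
For the PEM-to-JKS step the thread keeps coming back to, the following is an added example and not code from the thread, from GlassFish or from JAX-WS. It assumes Java 8 or later and an unencrypted PKCS#8 private key ("-----BEGIN PRIVATE KEY-----"; a PKCS#1 "BEGIN RSA PRIVATE KEY" file is first converted with `openssl pkcs8 -topk8 -nocrypt`). The file names user.pk8, user.crt, ca.crt and client.jks are placeholders. It proves that the key and the leaf certificate belong together before writing anything, and it stores the key with the full chain ordered leaf to root, which is what `keytool -list -v` then reports as the "Certificate chain length". The same result can be reached with `openssl pkcs12 -export` followed by `keytool -importkeystore` on a JDK 6 or later keytool.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/**
 * PemToJks: build a JKS keystore holding one PrivateKeyEntry (the client's
 * private key plus its full certificate chain) from PEM files.
 * Added example for this thread, not GlassFish or JAX-WS code. Assumes Java 8+
 * and an unencrypted PKCS#8 key; convert a PKCS#1 key first with
 *   openssl pkcs8 -topk8 -nocrypt -in user.key -out user.pk8
 * Usage: java PemToJks user.pk8 user.crt ca.crt client.jks changeit   (placeholder names)
 */
public class PemToJks {

    /** Parse an unencrypted PKCS#8 PEM file into a PrivateKey (RSA, else EC). */
    static PrivateKey loadPkcs8Key(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        }
    }

    /** Parse every certificate in a PEM file; one file may carry a whole chain. */
    static List<X509Certificate> loadCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Sign-and-verify round trip: proves the private key belongs to the leaf certificate. */
    static boolean keyMatchesCert(PrivateKey key, X509Certificate cert) throws Exception {
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + key.getAlgorithm();
        byte[] probe = "keystore-probe".getBytes(StandardCharsets.US_ASCII);
        Signature sig = Signature.getInstance(alg);
        sig.initSign(key);
        sig.update(probe);
        byte[] signature = sig.sign();
        sig.initVerify(cert.getPublicKey());
        sig.update(probe);
        try {
            return sig.verify(signature);
        } catch (SignatureException mismatch) {
            return false;
        }
    }

    /** Order leaf -> intermediate(s) -> root by matching each issuer DN to a subject DN in the pool. */
    static List<X509Certificate> orderChain(X509Certificate leaf, List<X509Certificate> pool) {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate current = leaf;
        while (!current.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate c : pool) {
                if (c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) { issuer = c; break; }
            }
            if (issuer == null || chain.contains(issuer)) break;   // issuer missing, or a cross-signing loop
            chain.add(issuer);
            current = issuer;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: PemToJks <key.pk8> <user.crt> <ca.crt> <out.jks> <password>");
            System.exit(2);
        }
        PrivateKey key = loadPkcs8Key(args[0]);
        List<X509Certificate> userCerts = loadCerts(args[1]);
        X509Certificate leaf = userCerts.get(0);
        if (!keyMatchesCert(key, leaf)) {
            throw new IllegalStateException("private key does not belong to " + leaf.getSubjectX500Principal());
        }
        List<X509Certificate> pool = new ArrayList<>(userCerts);
        pool.addAll(loadCerts(args[2]));
        List<X509Certificate> chain = orderChain(leaf, pool);
        X509Certificate top = chain.get(chain.size() - 1);
        if (!top.getIssuerX500Principal().equals(top.getSubjectX500Principal())) {
            System.err.println("warning: chain stops before a self-signed root; "
                    + top.getIssuerX500Principal() + " is not in " + args[2]);
        }
        char[] pw = args[4].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                                   // start from an empty keystore
        ks.setKeyEntry("client", key, pw, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(args[3])) {
            ks.store(out, pw);
        }
        System.out.println("wrote " + args[3] + ": PrivateKeyEntry 'client', chain length " + chain.size());
    }
}
```

The key/certificate round trip is there because a keystore assembled from the wrong pair stores without complaint and only fails later, during the handshake. The chain-ordering loop stops, with a warning, when the CA file does not contain the issuer, so a keystore whose entry shows "Certificate chain length: 1" is visible at conversion time rather than in the TLS debug output.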
 
________________________________

From: Drinkwater, GJ (Glen) [mailto:g.j.drinkwater_at_dl.ac.uk]
Sent: 26 April 2007 17:26
To: users_at_glassfish.dev.java.net
Subject: RE: Re: SSL Mutual Authentication via JAX-WS


Hi
 
I have tried using SimpleCA and this was the process.
 
1) Went to http://users.skynet.be/ballet/joris/SimpleCA/ and created a simple
root certificate and a user credential
2) Converted the PKCS12 file using the Globus Toolkit into a Java JKS
keystore
 
$ keytool.exe -list -keystore simple.jks -v
Enter keystore password:
 
Keystore type: JKS
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: globus
Creation date: 26-Apr-2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=simple_at_s.com, CN=glen simple
Issuer: EMAILADDRESS=democa_at_democa.com, CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
Serial number: 1000
Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25 16:55:49 BST 2008
Certificate fingerprints:
         MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
         SHA1: 76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
         Signature algorithm name: MD5withRSA
         Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]
 
#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  emailProtection
]
 
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD  ....G..;H.....F.
0010: B4 ED 06 02                                      ....
]
 
]
 
#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: simple_at_s.com
]
 
 
 

3) Exported the simple CA cert from the keystore
 
keytool -export -alias globus -file simple.crt -keystore simple.jks
 
4) Imported this into cacerts for GlassFish
 
keytool -import -keystore glassfish\domains\domain1\config\cacerts.jks
-file simple.crt -trustcacerts
 
5) Restarted GlassFish
 
6) Ran the application with VM options and again I get the same error. I
then tried to add the root SimpleCA to cacerts and again it fails.
 
 -Djavax.net.ssl.trustStore=${truststore.location}
 -Djavax.net.ssl.trustStorePassword=${ssl.password}
 -Djavax.net.ssl.keyStore=${keystore.location}
 -Djavax.net.ssl.keyStorePassword=${ssl.password}
 
I have been following this
http://java.sun.com/developer/EJTechTips/2006/tt0527.html
 
Has anybody had this working using a cert from SimpleCA?
 
Glen
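
The server-side "null cert chain" in this thread means the client answered the server's CertificateRequest with an empty certificate list. A JSSE client chooses the alias to present by comparing the issuer DNs in each PrivateKeyEntry's chain against the acceptable-issuer list, and the server builds that list from the subject DNs of its own trust store entries; so the client keystore and the GlassFish cacerts from the steps above can be checked against each other offline, using the same key manager and trust manager the handshake uses. The following is an added diagnostic, not code from the thread, from GlassFish or from JAX-WS; the file names and passwords on the command line are placeholders, and it assumes a Java 7 or later JRE with its default SunX509 key manager and PKIX trust manager.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

/**
 * MutualAuthCheck: offline dry run of the two decisions that decide a TLS
 * client-authentication handshake, made by the JSSE managers themselves:
 *   1. which client alias the X509KeyManager would offer, given the acceptable
 *      issuers the server derives from its trust store (CertificateRequest);
 *   2. whether the server's X509TrustManager would accept that chain.
 * Added diagnostic for this thread, not GlassFish or JAX-WS code.
 * Usage: java MutualAuthCheck client.jks clientpw cacerts.jks changeit   (placeholders)
 */
public class MutualAuthCheck {

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    /** The server advertises the subject DNs of its trusted certificates as acceptable issuers. */
    static Principal[] acceptableIssuers(X509TrustManager serverTm) {
        X509Certificate[] accepted = serverTm.getAcceptedIssuers();
        Principal[] issuers = new Principal[accepted.length];
        for (int i = 0; i < accepted.length; i++) {
            issuers[i] = accepted[i].getSubjectX500Principal();
        }
        return issuers;
    }

    public static void main(String[] args) throws Exception {
        char[] clientPw = args[1].toCharArray();
        KeyStore client = load(args[0], clientPw);          // the client's javax.net.ssl.keyStore
        KeyStore trust = load(args[2], args[3].toCharArray()); // the server's cacerts.jks

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(client, clientPw);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager serverTm = (X509TrustManager) tmf.getTrustManagers()[0];

        Principal[] issuers = acceptableIssuers(serverTm);
        System.out.println("server would advertise " + issuers.length + " acceptable issuer(s):");
        for (Principal p : issuers) {
            System.out.println("  " + p);
        }

        // The same call the client socket makes on CertificateRequest; the socket argument may be null.
        String alias = km.chooseClientAlias(new String[] {"RSA", "EC"}, issuers, null);
        if (alias == null) {
            System.out.println("no client alias matches: the client would send an empty Certificate");
            System.out.println("message and the server would report 'null cert chain'. Key entries present:");
            for (Enumeration<String> e = client.aliases(); e.hasMoreElements();) {
                String a = e.nextElement();
                if (!client.isKeyEntry(a)) continue;       // a trustedCertEntry cannot authenticate a client
                Certificate[] chain = client.getCertificateChain(a);
                System.out.println("  alias " + a + ", chain length " + chain.length);
                for (Certificate c : chain) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("    subject " + x.getSubjectX500Principal());
                    System.out.println("    issuer  " + x.getIssuerX500Principal()
                            + "   <- one of these must equal an acceptable issuer");
                }
            }
            return;
        }
        System.out.println("client would offer alias '" + alias + "'");

        // Second decision: would the server-side trust manager validate the offered chain?
        X509Certificate[] chain = km.getCertificateChain(alias);
        try {
            serverTm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            System.out.println("server trust manager accepts the chain");
        } catch (CertificateException ex) {
            System.out.println("server trust manager rejects the chain: " + ex.getMessage());
        }
    }
}
```

Run it with the client keystore and the server's cacerts.jks from the steps above. A keystore whose entry has "Certificate chain length: 1" can only match if that leaf's issuer DN is itself a trustedCertEntry subject in the server's trust store; importing the leaf certificate into cacerts adds the leaf's subject, not its issuer, so the first decision still fails. When the first decision passes and the second fails, the issue is on the validation side (an incomplete chain, an expired certificate, or a missing root) and the exception message names it.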
 

________________________________

From: Drinkwater, GJ (Glen) [mailto:g.j.drinkwater_at_dl.ac.uk]
Sent: 26 April 2007 16:49
To: users_at_glassfish.dev.java.net
Subject: RE: Re: SSL Mutual Authentication via JAX-WS


Hi
 
 
And what command did you use for converting the PEM?
 
I first tried using the org.mortbay.util.PKCS12Import from
http://mark.foster.cc/kb/openssl-keytool.html. Then I tried using
utils.ImportPrivateKey from WebLogic.
 
Are there any other ways to import PEM files into the Java JKS format?
 
Can you send the steps you used with keytool to generate the keypair?
 
I did not generate the key pair that does not work; these are generated
by my work's CA authority. When I generated the key pair using keytool
-genkey ... the system worked OK.
 
Please make sure that the corresponding CA certs or the cert (if it is
self-signed) is imported into cacerts.jks.

I do have the root CA of my certificate in the cacerts of GlassFish.


keytool.exe -keystore glassfish\domains\domain1\config\cacerts.jks
-list -trustcacerts -alias mykey
Enter keystore password:
mykey, 26-Apr-2007, trustedCertEntry,
Certificate fingerprint (MD5):
F7:65:A8:5E:67:2B:7C:F4:90:20:38:14:BC:05:04:F6

 
________________________________

From: Vbkumar.Jayanti_at_Sun.COM [mailto:Vbkumar.Jayanti_at_Sun.COM]
Sent: 26 April 2007 16:21
To: users_at_glassfish.dev.java.net
Subject: Re: SSL Mutual Authentication via JAX-WS


Drinkwater, GJ (Glen) wrote:


        Hi

        I am trying to set up SSL mutual authentication using JAX-WS with
GlassFish UR1. I have set up everything correctly and generated a key
pair using keytool, and the web service picks up the certificate fine and
everything works OK.

        Now, if I convert my PEM files into JKS keystore format and use
this, the handshake fails. I have imported the root cert into the
trusted cacerts of GlassFish and everything looks fine with the keystore
with 'keytool -list -keystore mykeystore.jks -v'.

Can you send the steps you used with keytool to generate the keypair?


        Has anybody managed to get this working with a converted PEM
credential?

And what command did you use for converting the PEM?

Thanks.


        

        On the serverside I get :

        SSL Error getting client Certs
        javax.net.ssl.SSLHandshakeException: null cert chain
                at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
                at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
                at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:172)
                at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
                at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
                at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
                at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:679)
                at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)


        And on the client side I get:

        ***
        [write] MD5 and SHA1 hashes: len = 16
        0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC  ....$S.+........
        Padded plaintext before ENCRYPTION: len = 32
        0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC  ....$S.+........
        0010: EF 68 74 7D 7B E6 54 80 E5 7C DD 52 E4 90 3B 66  .ht...T....R..;f
        main, WRITE: TLSv1 Handshake, length = 32
        main, waiting for close_notify or alert: state 3
        main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
        main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
        %% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
        main, SEND TLSv1 ALERT: fatal, description = unexpected_message
        Padded plaintext before ENCRYPTION: len = 18
        0000: 02 0A ED AE 45 78 72 A0 27 0C D3 2B B4 21 DA DE  ....Exr.'..+.!..
        0010: BA DB                                            ..
        main, WRITE: TLSv1 Alert, length = 18
        main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
        main, called closeSocket()
        main, called close()
        main, called closeInternal(true)
        javax.xml.ws.WebServiceException: javax.xml.ws.WebServiceException: java.net.SocketException: Software caused connection abort: recv failed

        Thanks, Glen