users@glassfish.java.net

Re: SSL Mutual Authentication via JAX-WS

From: Legolas Woodland <legolas.w_at_gmail.com>
Date: Wed, 2 May 2007 14:19:22 +0330

I have had your problem and I never succeeded in using my certification. In my
case glassfish reports an error when it tries to load keystore.jks and
complains about an incorrect file format.
Meanwhile keytool shows that keystore.jks is correct.
I even sent samples and a screenshot to a glassfish representative to check and
find the problem, with no luck.
If you find a solution to use third party certification and pk and .... with
glassfish, let me know please.




On 5/2/07, Drinkwater, GJ (Glen) <g.j.drinkwater_at_dl.ac.uk> wrote:
>
> Hi
>
> I am still trying to allow mutual authentication with JAX-WS but to no
> avail. I can easily have this working with a self signed certificate as in
> http://java.sun.com/developer/EJTechTips/2006/tt0527.html but
> any certificate that is derived from a PEM format fails, i.e. SimpleCA. Has
> anybody had this working with a PEM credential? If so, which method did you
> use to convert the PEM into JKS?
>
> Is this a compatibility issue with java or glassfish?
>
> Glen
>
> ------------------------------
> *From:* Drinkwater, GJ (Glen) [mailto:g.j.drinkwater_at_dl.ac.uk ]
> *Sent:* 26 April 2007 17:26
> *To:* users_at_glassfish.dev.java.net
> *Subject: *RE: Re: SSL Mutual Authentication via JAX-WS
>
>
> Hi
>
> I have tried using SimpleCA and this was the process.
>
> 1) Used http://users.skynet.be/ballet/joris/SimpleCA/ to create a simple root
> certificate and a user credential
> 2) Converted the pkcs12 file using globus toolkit into a java jks keystore
>
> $ keytool.exe -list -keystore simple.jks -v
> Enter keystore password:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: globus
> Creation date: 26-Apr-2007
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: EMAILADDRESS=simple_at_s.com, CN=glen simple
> Issuer: EMAILADDRESS=democa_at_democa.com, CN=SimpleCA Demo CA, OU=Demo CA,
> O=SimpleCA, L=GB, ST=England, C=GB
> Serial number: 1000
> Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25 16:55:49 BST 2008
> Certificate fingerprints:
> MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
> SHA1: 76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
>
> Signature algorithm name: MD5withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
> CA:false
> PathLen: undefined
> ]
>
> #2: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
> clientAuth
> emailProtection
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD ....G..;H.....F.
> 0010: B4 ED 06 02 ....
> ]
>
> ]
>
> #4: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> RFC822Name: simple_at_s.com
> ]
>
>
>
> *******************************************
> *******************************************
> 3) Export the simple CA cert from keystore
>
> keytool -export -alias globus -file simple.crt -keystore simple.jks
>
> 4) Import this into cacerts for glassfish
>
> keytool -import -keystore glassfish\domains\domain1\config\cacerts.jks
> -file simple.crt -trustcacerts
>
> 5) Restart glassfish
>
> 6) Run application with VM options and again I get the same error. I then
> try and add the root simpleCA to cacerts and again it fails.
>
>
> -Djavax.net.ssl.trustStore=${truststore.location}
> -Djavax.net.ssl.trustStorePassword=${ssl.password}
> -Djavax.net.ssl.keyStore=${keystore.location}
> -Djavax.net.ssl.keyStorePassword=${ssl.password}
>
>
> I have been following this
> http://java.sun.com/developer/EJTechTips/2006/tt0527.html
>
> Has anybody had this working using a cert from simpleCA?
>
> Glen
>
>
> ------------------------------
> *From:* Drinkwater, GJ (Glen) [mailto:g.j.drinkwater_at_dl.ac.uk]
> *Sent:* 26 April 2007 16:49
> *To:* users_at_glassfish.dev.java.net
> *Subject:* RE: Re: SSL Mutual Authentication via JAX-WS
>
>
> Hi
>
>
> And what command did you use for converting pem?
> I first tried using the org.mortbay.util.PKCS12Import from
> http://mark.foster.cc/kb/openssl-keytool.html Then I tried using
> utils.ImportPrivateKey from web logic.
>
> Is there any other ways to import pem files to java jks formats?
>
> Can you send the steps you used with keytool to generate the keypair
>
> I did not generate the key pair that does not work; these are generated
> by my work's CA Authority. When I generated the key pair using keytool
> -genkey ... the system worked ok.
>
>
> Please make sure that the corresponding CA certs or the cert (if it is self-signed)
> is imported into cacerts.jks.
>
> I do have the root ca of my certificate in cacerts of glassfish.
>
>
> keytool.exe -keystore glassfish\domains\domain1\config\cacerts.jks -list
> -trustcacerts -alias mykey
> Enter keystore password:
> mykey, 26-Apr-2007, trustedCertEntry,
> Certificate fingerprint (MD5):
> F7:65:A8:5E:67:2B:7C:F4:90:20:38:14:BC:05:04:F6
>
> ------------------------------
> *From:* Vbkumar.Jayanti_at_Sun.COM [mailto:Vbkumar.Jayanti_at_Sun.COM]
> *Sent:* 26 April 2007 16:21
> *To:* users_at_glassfish.dev.java.net
> *Subject:* Re: SSL Mutual Authentication via JAX-WS
>
>
> Drinkwater, GJ (Glen) wrote:
>
> Hi
>
> I am trying to setup SSL mutual authentication using JAX-WS with glassfish
> UR1. I have set up everything correctly and generated a key pair using
> keytool and the web service picks up the certificate fine and everything
> works ok.
>
> Now, if I convert my pem files into jks keystore format and use this, the
> handshake fails. I have imported the root cert into the trusted cacerts of
> glassfish and everything looks fine with the keystore with 'keytool -list
> -keystore mykeystore.jks -v'
>
> Can you send the steps you used with keytool to generate the keypair
>
> Has anybody managed to get this working with a converted pem credential?
>
> And what command did you use for converting pem?
>
> Thanks.
>
> On the serverside I get :
>
> SSL Error getting client Certs
> javax.net.ssl.SSLHandshakeException: null cert chain
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:172)
> at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
> at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:679)
> at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
>
> And on the client side I get:
>
> ***
> [write] MD5 and SHA1 hashes: len = 16
> 0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC ....$S.+........
> Padded plaintext before ENCRYPTION: len = 32
> 0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC ....$S.+........
> 0010: EF 68 74 7D 7B E6 54 80 E5 7C DD 52 E4 90 3B 66 .ht...T....R..;f
> main, WRITE: TLSv1 Handshake, length = 32
> main, waiting for close_notify or alert: state 3
> main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
> main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
> %% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
> main, SEND TLSv1 ALERT: fatal, description = unexpected_message
> Padded plaintext before ENCRYPTION: len = 18
> 0000: 02 0A ED AE 45 78 72 A0 27 0C D3 2B B4 21 DA DE ....Exr.'..+.!..
> 0010: BA DB ..
> main, WRITE: TLSv1 Alert, length = 18
> main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
> main, called closeSocket()
> main, called close()
> main, called closeInternal(true)
> javax.xml.ws.WebServiceException: javax.xml.ws.WebServiceException:
> java.net.SocketException: Software caused connection abort: recv failed
>
> Thanks glen
>
>
>
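The thread above turns on two failure points: a keystore file that will not load at all (the "incorrect file format" in the first post) and a client keystore that loads but whose entry the JSSE client never presents, which the server trace reports as "null cert chain". The checker below is an added example, not code from the thread or from GlassFish. It assumes a JDK with try-with-resources (Java 7 or later), that the server's trust store is the cacerts.jks the thread refers to, and that the client keystore is the one passed to -Djavax.net.ssl.keyStore; the class name, argument order and printed messages are my own choices. It loads the file as JKS and falls back to PKCS12, then for every PrivateKeyEntry verifies the chain link by link and looks for the last certificate's issuer in the trust store, which is what the server's CertificateRequest issuer list is built from.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Mutual-TLS client keystore diagnostic (added example, not GlassFish code).
 * Checks: does the file load and as which type; does it hold a PrivateKeyEntry
 * rather than only a trustedCertEntry; does that entry's chain verify and end
 * in a CA present in the server's trust store. If the last check fails, JSSE's
 * X509KeyManager finds no alias matching the server's CertificateRequest and
 * sends an empty certificate list, which the server logs as "null cert chain".
 */
public class MutualTlsKeystoreCheck {

    static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    /** Try JKS first, then PKCS12; a PKCS#12 file opened as JKS fails with
     *  "Invalid keystore format", the symptom described in the first post. */
    static KeyStore loadAny(String path, char[] password) throws Exception {
        for (String type : new String[] {"JKS", "PKCS12"}) {
            try (InputStream in = new FileInputStream(path)) {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, password);
                System.out.println(path + ": loaded as " + type);
                return ks;
            } catch (IOException e) {
                // wrong type, or wrong password: report and try the next type
                System.out.println(path + ": not loadable as " + type + " (" + e.getMessage() + ")");
            }
        }
        throw new IOException("cannot load " + path + " as JKS or PKCS12");
    }

    /** Trusted certificate whose subject equals cert's issuer and whose public
     *  key verifies cert's signature, or null if the trust store has none. */
    static X509Certificate findIssuer(X509Certificate cert, KeyStore trust) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            Certificate c = trust.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(ca.getPublicKey());
                return ca;
            } catch (GeneralSecurityException e) {
                // same name but a different key: keep looking
            }
        }
        return null;
    }

    /** Verify one PrivateKeyEntry's chain and report whether it anchors in trust. */
    static boolean checkKeyEntry(String alias, Certificate[] chain, KeyStore trust) throws Exception {
        if (chain == null || chain.length == 0) {
            System.out.println("alias " + alias + ": key entry without a certificate chain");
            return false;
        }
        System.out.println("alias " + alias + ": PrivateKeyEntry, chain length " + chain.length);
        X509Certificate last = null;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            cert.checkValidity();                          // throws if expired or not yet valid
            List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
            if (i == 0 && eku != null && !eku.contains(EKU_CLIENT_AUTH)) {
                System.out.println("  leaf carries an ExtendedKeyUsage extension without clientAuth");
            }
            if (i + 1 < chain.length) {
                cert.verify(chain[i + 1].getPublicKey());  // each link must be signed by the next
            }
            last = cert;
        }
        X509Certificate anchor = findIssuer(last, trust);
        if (anchor == null) {
            System.out.println("  chain ends at '" + last.getSubjectX500Principal() + "'; its issuer '"
                + last.getIssuerX500Principal() + "' is not in the trust store");
            return false;
        }
        System.out.println("  chain anchors in trusted entry '" + anchor.getSubjectX500Principal() + "'");
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: MutualTlsKeystoreCheck <keystore> <password> <cacerts.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = loadAny(args[0], args[1].toCharArray());
        KeyStore trust = loadAny(args[2], args[3].toCharArray());
        boolean usable = false;
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("alias " + alias + ": trustedCertEntry (certificate only, no private key)");
                continue;
            }
            keyEntries++;
            usable |= checkKeyEntry(alias, ks.getCertificateChain(alias), trust);
        }
        if (keyEntries == 0) {
            System.out.println("no PrivateKeyEntry: this keystore cannot act as a client identity");
        }
        System.exit(usable ? 0 : 1);
    }
}
```

Run it as `java MutualTlsKeystoreCheck simple.jks <password> glassfish/domains/domain1/config/cacerts.jks <password>`. Two outcomes map directly onto the thread: a PEM certificate imported with `keytool -import` yields only a trustedCertEntry and is reported as such, because the private key never entered the keystore; and a PrivateKeyEntry with chain length 1 whose issuer (here "SimpleCA Demo CA") is absent from cacerts.jks is reported as unanchored, which is the condition under which the client sends no certificate. The private key has to arrive through a PKCS#12 container; on JDK 6 or later `keytool -importkeystore -srckeystore cred.p12 -srcstoretype PKCS12 -destkeystore simple.jks` performs that conversion without third-party tools.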