users@glassfish.java.net

RE: Re: SSL Mutual Authentication via JAX-WS

From: Drinkwater, GJ (Glen)
Date: Wed, 2 May 2007 14:37:57 +0100

Hi
 
Is there a bug/issue number for this??
 
Glen

________________________________

From: Legolas Woodland [mailto:legolas.w_at_gmail.com]
Sent: 02 May 2007 11:49
To: users_at_glassfish.dev.java.net
Subject: Re: SSL Mutual Authentication via JAX-WS


I have had your problem and I never succeeded in using my certificate. In
my case GlassFish reports an error when it tries to load keystore.jks and
complains about an incorrect file format.
Meanwhile keytool shows that keystore.jks is correct.
I even sent samples and a screenshot to a GlassFish representative to check
and find the problem, with no luck.
If you find a solution to use a third-party certificate and pk, etc.,
with GlassFish, let me know please.
 


 
On 5/2/07, Drinkwater, GJ (Glen) <g.j.drinkwater_at_dl.ac.uk> wrote:

        Hi
         
        I am still trying to allow mutual authentication with JAX-WS but
to no avail. I can easily have this working with a self-signed
certificate as in
http://java.sun.com/developer/EJTechTips/2006/tt0527.html but any
certificate that is derived from a PEM format fails, i.e. SimpleCA. Has
anybody had this working with a PEM credential? If so, which method did
you use to convert the PEM into JKS?
         
        Is this a compatibility issue with java or glassfish?
         
        Glen
         
________________________________

        From: Drinkwater, GJ (Glen) [mailto:g.j.drinkwater_at_dl.ac.uk]
        Sent: 26 April 2007 17:26
        
        To: users_at_glassfish.dev.java.net
        Subject: RE: Re: SSL Mutual Authentication via JAX-WS
        

         
        
        Hi
         
        I have tried using SimpleCA and this was the process.
         
        1) http://users.skynet.be/ballet/joris/SimpleCA/ and create a
simple root certificate and a user credential
        2) Converted the pkcs12 file using globus toolkit into a java
jks keystore
         
        $ keytool.exe -list -keystore simple.jks -v
        Enter keystore password:
         
        Keystore type: JKS
        Keystore provider: SUN
         
        Your keystore contains 1 entry
         
        Alias name: globus
        Creation date: 26-Apr-2007
        Entry type: PrivateKeyEntry
        Certificate chain length: 1
        Certificate[1]:
        Owner: EMAILADDRESS=simple_at_s.com, CN=glen simple
        Issuer: EMAILADDRESS=democa_at_democa.com, CN=SimpleCA Demo CA,
OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB
        Serial number: 1000
        Valid from: Thu Apr 26 16:55:49 BST 2007 until: Fri Apr 25
16:55:49 BST 2008
        Certificate fingerprints:
                 MD5: 42:7D:75:8D:AC:7C:16:EF:30:22:F8:D1:2A:65:88:22
                 SHA1:
76:AD:7B:63:B4:16:CA:2E:3A:F1:84:3C:C1:6B:2E:9C:03:E1:F2:55
                 Signature algorithm name: MD5withRSA
                 Version: 3
         
        Extensions:
         
        #1: ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
         
        #2: ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          clientAuth
          emailProtection
        ]
         
        #3: ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: BD 9D CA A5 47 D5 AC 3B 48 01 D5 F3 DF 96 46 DD  ....G..;H.....F.
        0010: B4 ED 06 02                                      ....
        ]
         
        ]
         
        #4: ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          RFC822Name: simple_at_s.com
        ]
         
         
         
        *******************************************
        *******************************************
        
        3) Export the simple CA cert from keystore
         
        keytool -export -alias globus -file simple.crt -keystore
simple.jks
         
        4) Import this into cacerts for glassfish
         
        keytool -import -keystore
glassfish\domains\domain1\config\cacerts.jks -file simple.crt
-trustcacerts
         
        5) Restart glassfish
         
        6) Run the application with the VM options below, and again I get the same
error. I then try to add the root SimpleCA to cacerts and it again fails.

         
        
         -Djavax.net.ssl.trustStore=${truststore.location}
         -Djavax.net.ssl.trustStorePassword=${ssl.password}
         -Djavax.net.ssl.keyStore=${keystore.location}
         -Djavax.net.ssl.keyStorePassword=${ssl.password}
         
        I have been following this
http://java.sun.com/developer/EJTechTips/2006/tt0527.html
         
        Has anybody had this working using a cert from SimpleCA?
         
        Glen
         

________________________________

        From: Drinkwater, GJ (Glen) [mailto:g.j.drinkwater_at_dl.ac.uk]
        Sent: 26 April 2007 16:49
        To: users_at_glassfish.dev.java.net
        Subject: RE: Re: SSL Mutual Authentication via JAX-WS
        
         
        Hi
         
         
        And what command did you use for converting PEM?
         
        I first tried using the org.mortbay.util.PKCS12Import from
http://mark.foster.cc/kb/openssl-keytool.html. Then I tried using
utils.ImportPrivateKey from WebLogic.
         
        Are there any other ways to import PEM files into the Java JKS format?
         
        Can you send the steps you used with keytool to generate the
keypair?
         
        I did not generate the key pair that does not work; these are
generated by my work's CA authority. When I generated the key pair using
keytool -genkey ... the system worked ok.
         
        Please make sure that the corresponding CA certs or the cert (if
it is self-signed) is imported into cacerts.jks.

        

        I do have the root CA of my certificate in the cacerts of GlassFish.


        
        keytool.exe -keystore
glassfish\domains\domain1\config\cacerts.jks -list -trustcacerts -alias
mykey
        Enter keystore password:
        mykey, 26-Apr-2007, trustedCertEntry,
        Certificate fingerprint (MD5):
F7:65:A8:5E:67:2B:7C:F4:90:20:38:14:BC:05:04:F6

         
________________________________

        From: Vbkumar.Jayanti_at_Sun.COM [mailto:Vbkumar.Jayanti_at_Sun.COM]
        Sent: 26 April 2007 16:21
        To: users_at_glassfish.dev.java.net
        Subject: Re: SSL Mutual Authentication via JAX-WS
        
         
        Drinkwater, GJ (Glen) wrote:
        

                Hi

                I am trying to set up SSL mutual authentication using
JAX-WS with GlassFish UR1. I have set up everything correctly and
generated a key pair using keytool, and the web service picks up the
certificate fine and everything works ok.

                Now, if I convert my PEM files into JKS keystore format
and use this, the handshake fails. I have imported the root cert into
the trusted cacerts of GlassFish and everything looks fine with the
keystore with 'keytool -list -keystore mykeystore.jks -v'.

        Can you send the steps you used with keytool to generate the
keypair?
        

                Has anybody managed to get this working with a converted
PEM credential?

        And what command did you use for converting PEM?
        
        Thanks.
        

                

                On the server side I get:

                SSL Error getting client Certs
                javax.net.ssl.SSLHandshakeException: null cert chain
                        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
                        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
                        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
                        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:172)
                        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
                        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
                        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
                        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
                        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
                        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:679)
                        at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)

                And on the client side I get:

                ***
                [write] MD5 and SHA1 hashes: len = 16
                0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC  ....$S.+........
                Padded plaintext before ENCRYPTION: len = 32
                0000: 14 00 00 0C 24 53 01 2B EB A8 C6 98 9F 10 F9 CC  ....$S.+........
                0010: EF 68 74 7D 7B E6 54 80 E5 7C DD 52 E4 90 3B 66  .ht...T....R..;f
                main, WRITE: TLSv1 Handshake, length = 32
                main, waiting for close_notify or alert: state 3
                main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
                main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
                %% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
                main, SEND TLSv1 ALERT: fatal, description = unexpected_message
                Padded plaintext before ENCRYPTION: len = 18
                0000: 02 0A ED AE 45 78 72 A0 27 0C D3 2B B4 21 DA DE  ....Exr.'..+.!..
                0010: BA DB                                            ..
                main, WRITE: TLSv1 Alert, length = 18
                main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
                main, called closeSocket()
                main, called close()
                main, called closeInternal(true)
                javax.xml.ws.WebServiceException: javax.xml.ws.WebServiceException: java.net.SocketException: Software caused connection abort: recv failed

                Thanks glen
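Added illustration, not part of the thread: a small Python model of one mechanism behind the server's "null cert chain" alert. A JSSE client presents a certificate only if some cert in its key entry's chain was issued by a DN listed in the server's CertificateRequest, and that DN list is derived from the trusted entries in the server's truststore; the DNs below are taken from the keytool output in the thread, and the JSSE behaviour modelled is an assumption, stated in the comments.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (subject DN, issuer DN) pairs stand in for X.509 certificates.
Cert = Tuple[str, str]

@dataclass
class KeyEntry:
    """One PrivateKeyEntry in the client's JKS; chain[0] is the end-entity cert."""
    alias: str
    chain: List[Cert]
    has_private_key: bool = True

def accepted_issuers(truststore: Dict[str, Cert]) -> Set[str]:
    """Server side (assumed JSSE behaviour): the DNs listed in the TLS
    CertificateRequest are the subjects of every trustedCertEntry in cacerts,
    CA or not."""
    return {subject for subject, _issuer in truststore.values()}

def choose_client_alias(keystore: List[KeyEntry], issuers: Set[str]) -> Optional[str]:
    """Client side (assumed SunX509 key-manager behaviour): return the first
    alias that holds a private key and whose chain contains a cert issued by
    one of the accepted issuers; an empty issuer list accepts any entry."""
    for entry in keystore:
        if not entry.has_private_key:
            continue
        if not issuers or any(issuer in issuers for _subject, issuer in entry.chain):
            return entry.alias
    return None

def diagnose(keystore: List[KeyEntry], truststore: Dict[str, Cert]) -> str:
    """Alias the client would present, or the server-side symptom when none."""
    alias = choose_client_alias(keystore, accepted_issuers(truststore))
    return alias if alias is not None else "null cert chain"

# Constructed from the DNs in the thread's keytool output.
CA_DN = "CN=SimpleCA Demo CA, OU=Demo CA, O=SimpleCA, L=GB, ST=England, C=GB"
USER_DN = "CN=glen simple"
client_jks = [KeyEntry("globus", [(USER_DN, CA_DN)])]  # chain length 1, as listed
# Steps 3/4 in the thread export alias 'globus' (the user cert) into cacerts...
cacerts_with_user_cert = {"mykey": (USER_DN, CA_DN)}
# ...whereas the client only matches when the issuing CA's own cert is trusted.
cacerts_with_root = {"simpleca": (CA_DN, CA_DN)}

if __name__ == "__main__":
    print("user cert in cacerts ->", diagnose(client_jks, cacerts_with_user_cert))
    print("SimpleCA root in cacerts ->", diagnose(client_jks, cacerts_with_root))
```

Comparing the two truststores is a quick check to run before rebuilding keystores: if the server's trusted entries do not include the issuer of the client cert, the client silently sends no certificate at all.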