My web application performs some (Spring) service calls from appserver to appserver (both are Glassfish v2). These calls are secured by client certificate authentication. I am using a private CA certificate to sign all server certificates. I have configured the necessary security settings such that everything appears to be working.
In each server's keystore I have the original s1as certificate, as generated by the installation. In addition I also have each respective server's signed certificate which is set, by alias, as the certificate to use for authentication.
Now assume server A is acting as the client, making https calls to server B. I have noticed (by examining the SslSession in a filter) that sometimes connections are initiated using the s1as certificate of server A and sometimes they are initiated using the other, 'correct' certificate. Only when I delete the s1as certificate out of the keystore is the 'correct' certificate used consistently.
My question is whether this is expected behaviour? Is there a declarative way I can configure the server to always use a specific alias for client https connections or do I have to hack it by providing a custom KeyManager to always present the specific alias I want?
Thanks for any insight.
--Jens
[Message sent by forum member 'jdeppe' (jdeppe)]
http://forums.java.net/jive/thread.jspa?messageID=241807
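The "custom KeyManager" option mentioned in the question, written out as an added example; this is not code from the poster or from Glassfish. With more than one usable key entry in a keystore, the default JSSE X509KeyManager is free to pick any alias whose key type and issuer match what the server asked for in its CertificateRequest, which is consistent with the behaviour described above. The wrapper below delegates everything to the default key manager but pins the client-side alias. The keystore path, password and alias name (`server-a`) are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Key manager that always presents one fixed alias for client authentication.
 * Server-side alias selection and all lookups are delegated unchanged.
 */
public final class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String clientAlias;
    private final String keyAlgorithm; // e.g. "RSA", used to honour the server's key-type list

    public FixedAliasKeyManager(X509KeyManager delegate, String clientAlias) {
        PrivateKey key = delegate.getPrivateKey(clientAlias);
        if (key == null) {
            // Fail at startup rather than silently falling back to another alias.
            throw new IllegalArgumentException("no private key for alias: " + clientAlias);
        }
        this.delegate = delegate;
        this.clientAlias = clientAlias;
        this.keyAlgorithm = key.getAlgorithm();
    }

    // Only offer the pinned alias if its key type is acceptable to the server;
    // otherwise send no certificate (null) instead of an unexpected one.
    private String pinnedIfAcceptable(String[] keyTypes) {
        if (keyTypes == null || Arrays.asList(keyTypes).contains(keyAlgorithm)) {
            return clientAlias;
        }
        return null;
    }

    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return pinnedIfAcceptable(keyTypes);
    }

    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return pinnedIfAcceptable(keyTypes);
    }

    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        if (delegate instanceof X509ExtendedKeyManager) {
            return ((X509ExtendedKeyManager) delegate).chooseEngineServerAlias(keyType, issuers, engine);
        }
        return delegate.chooseServerAlias(keyType, issuers, null);
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Builds an SSLContext whose client handshakes always use {@code alias}. */
    public static SSLContext contextWithFixedClientAlias(String keystorePath, char[] password, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // assumes the private CA cert is also in this keystore

        KeyManager[] wrapped = new KeyManager[kmf.getKeyManagers().length];
        for (int i = 0; i < wrapped.length; i++) {
            KeyManager km = kmf.getKeyManagers()[i];
            wrapped[i] = km instanceof X509KeyManager
                    ? new FixedAliasKeyManager((X509KeyManager) km, alias) : km;
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(wrapped, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths and names; adjust to the real keystore and alias.
        SSLContext ctx = contextWithFixedClientAlias("keystore.jks", "changeit".toCharArray(), "server-a");
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("client alias pinned; engine protocol: " + engine.getSession().getProtocol());
    }
}
```

The resulting SSLContext has to be handed to whatever HTTP client the Spring remoting layer uses for the server-to-server call (for example via its socket factory), because the wrapper only affects contexts built from it, not the container's own default context. The constructor check means a typo in the alias fails loudly at startup instead of quietly reverting to the default selection logic that caused the original symptom.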