users@glassfish.java.net

SSL client authentication :: Strange Behaviour

From: <glassfish_at_javadesktop.org>
Date: Wed, 17 Sep 2008 11:53:01 PDT

Hello,

I got into a strange problem after setting up SSL with client authentication enabled on the SSL connection. My domain XML has the following setting, which means each request over SSL checks for a client certificate. How to make it optional is an open question, but I will ask that in another thread; here the problem is something else.

<http-listener acceptor-threads="2" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-2" port="8181" security-enabled="true" server-name="" xpowered-by="true">
    <ssl cert-nickname="s1as" client-auth-enabled="true" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
</http-listener>

Due to the above config, whenever I request a page in my JSF application over SSL, it asks for a valid client certificate. I created my own test certificates for server and client and installed the trust relationship as follows:

GlassFish config
----------- cacerts.jks
----------------------self-signed server certificate (CN=localhost)
----------------------self-generated client certificate (CN=MyName) as well, so that when this test client certificate is sent by the browser, GlassFish can accept it

----------- keystore.jks
----------------------self-signed server certificate (same as above, CN=localhost)

Firefox
----------- converted the keytool-generated client certificate into a .pfx (PKCS#12) file (using OpenSSL) and installed it in Firefox.

IE 7
----------- installed the pfx here as well.


I accessed pages over HTTPS; the browsers cribbed about invalid server certificates (because I did not install the self-signed certificate in the browsers' trust zone). I ignored the browser warnings, and both browsers shook hands with the server in the right way and presented client certificates; the server validated them OK and finally the pages were displayed OK.

So far so good...

I then thought to test a valid personal class 2 certificate (signed by a valid CA) and installed it in both browsers using the Aladdin eToken I have. I wanted to check that if VeriSign's CA certificate is there in cacerts.jks (the truststore), then it should accept my class 2 certificate (c2c) as well.

The certificate chain for my c2c is:
MyCert
-------Intermediary 1
----------------Intermediary 2
------------------------------Root CA 1

I then modified the configuration as follows:

GlassFish
----------cacerts.jks
----------------------<certificate for MyCert>
----------------------<certificate for Intermediary 1>
----------------------<certificate for Intermediary 2>
----------------------<certificate for Root CA>
----------------------self-signed server certificate
----------------------<deleted self-created client certificate from here>
------------keystore.jks
-----------------------self-signed server certificate

Firefox
------------removed the self-generated client certificate and added my valid c2c.

IE 7
------------<same as in Firefox>

The truststore cacerts.jks now contained all the certificates in my c2c chain.
This worked fine with both browsers again....

Then I removed MyCert from cacerts.jks and restarted the server; it still worked with both browsers.
Then I removed Intermediary 1 from cacerts.jks, and it worked with IE 7 but not with Firefox.
Then I removed Intermediary 2 from cacerts.jks, and it did not work with either IE 7 or Firefox.

I think it should have worked, because according to me the only entry needed in the truststore cacerts.jks is the one for the root CA, which was very much there. So (list of questions):

1) Why did it not work?
2) Why is there a difference in behaviour between the two browsers (after removal of Intermediary 1)?
3) Does GlassFish not validate the presented client certificate (from the browsers) up through its chain (up to the root CA)?

4) Am I missing something here?

Thanks
[Message sent by forum member 'anusheel' (anusheel)]

http://forums.java.net/jive/thread.jspa?messageID=299912
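The chain-building question in the post (whether only the root CA needs to be in cacerts.jks) can be modelled offline. This is an added example, not code from the post or from GlassFish: it builds a constructed four-level chain shaped like the one above with Go's crypto/x509 and checks the leaf against each truststore the poster tried, under the assumption that the two browsers differed only in which intermediate certificates they included in the handshake (the certificate names, keys and the ServerAccepts/Scenarios helpers are all constructed here).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for cn with the parent CA; a nil parent yields a self-signed root (constructed demo PKI).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ServerAccepts models the server check: trusted = cacerts.jks contents, presented = extra certs the browser sent.
func ServerAccepts(leaf *x509.Certificate, trusted, presented []*x509.Certificate) bool {
	pool := func(cs []*x509.Certificate) *x509.CertPool {
		p := x509.NewCertPool()
		for _, c := range cs {
			p.AddCert(c)
		}
		return p
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool(trusted), Intermediates: pool(presented),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// Scenarios rebuilds the post's chain (MyCert <- Int1 <- Int2 <- Root CA 1) and replays the truststores it tried.
func Scenarios() map[string]bool {
	root, rk := issue("Root CA 1", true, nil, nil)
	int2, k2 := issue("Intermediary 2", true, root, rk)
	int1, k1 := issue("Intermediary 1", true, int2, k2)
	leaf, _ := issue("MyName", false, int1, k1)
	return map[string]bool{
		"root+int2 in truststore, browser sends leaf only":  ServerAccepts(leaf, []*x509.Certificate{root, int2}, nil),
		"root+int2 in truststore, browser sends leaf+int1":  ServerAccepts(leaf, []*x509.Certificate{root, int2}, []*x509.Certificate{int1}),
		"root only in truststore, browser sends leaf+int1":  ServerAccepts(leaf, []*x509.Certificate{root}, []*x509.Certificate{int1}),
		"root only in truststore, browser sends full chain": ServerAccepts(leaf, []*x509.Certificate{root}, []*x509.Certificate{int1, int2}),
	}
}
```

Each key of Scenarios() maps to whether the server can build a path from the leaf to something in the truststore; a path only succeeds when every missing link is either in the truststore or supplied by the client, which is what the root-only truststore in the post requires of the browser.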