users@jax-rpc.java.net

RE: Mutual SSL authentication with JAX-RPC

From: Ryan LeCompte <ryan.lecompte_at_pangonetworks.com>
Date: Thu, 18 Nov 2004 21:18:26 -0500

Sharib,

Thank you for your response. I was actually able to get the mutual
authentication working under Tomcat today. However, I didn't have to set the
<login-config> and <user-data-constraint> fields as you mentioned. You
mentioned that this is only for the server side? My client is a standalone
JAX-RPC client that doesn't run within a web container, so there is no
web.xml file associated with the standalone JAX-RPC client. However, the
remote web service implementation that runs within Tomcat has a web.xml
file. Is that where you want me to specify the settings that you mentioned?
I haven't set them at this point and I am able to get mutual SSL
communication to happen without any problems. I have done the correct
importing of the certificates for the client/server, and also set
clientAuth=true in Tomcat. I'm now trying to do the same experiment with the
same web service deployed on the .Net platform in IIS. It seems as though
the only thing that I really have to set on my JAX-RPC client to get it to
work with all flavors of SSL (including mutual authentication) is to set the
following system properties to the correct values:

    // Trust store: the server/CA certificates this client will accept
    System.setProperty("javax.net.ssl.trustStore", trustStorePath);
    System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
    System.setProperty("javax.net.ssl.trustStoreType", trustStoreType);
    // Key store: the client's own certificate and private key, presented
    // when the server requests client authentication
    System.setProperty("javax.net.ssl.keyStore", keyStorePath);
    System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
    System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
    // Register the JSSE https: URL handler and the JSSE security provider
    // (needs import java.security.Security)
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

There should be nothing else to set on the JAX-RPC client side to get all
flavors of SSL to work, correct?

Thanks,
-- Ryan
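
The same client-side setup can be done without process-wide system properties, which also makes the two stores and their roles explicit. The following is an added example, not code from this thread or from the JAX-RPC project: it loads a key store (client identity) and a trust store (accepted server/CA certificates) into an SSLContext, installs it as the default for HttpsURLConnection, and probes the server once so a handshake failure (for example a server set to clientAuth="true" when the key store holds no usable client certificate, or a server issuer missing from the trust store) surfaces with a clear message. The file paths, passwords, store types and the URL are placeholders; the class name MutualTlsClient and the helper names are assumptions, and so is the assumption that the client's HTTP transport goes through HttpsURLConnection and therefore picks up the default socket factory.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from an explicit key store (the client's certificate
 * and private key, presented during mutual authentication) and an explicit
 * trust store (the server/CA certificates the client accepts).
 * All paths, passwords and the URL in main() are hypothetical placeholders.
 */
public class MutualTlsClient {

    static SSLContext buildContext(String keyStorePath, char[] keyStorePassword, String keyStoreType,
                                   String trustStorePath, char[] trustStorePassword, String trustStoreType)
            throws Exception {
        // Client identity: sent only when the server asks for a certificate
        // (Tomcat clientAuth="true" or clientAuth="want").
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        // Trust anchors: if the server's issuer (or its self-signed cert) is
        // missing here, the client rejects the server regardless of clientAuth.
        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens one HTTPS connection and returns the subject of the server's leaf certificate. */
    static String probe(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.connect(); // performs the TLS handshake
            Certificate[] chain = conn.getServerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLHandshakeException e) {
            // Typical causes: the server requires a client certificate and the key
            // store has none it accepts, or the server's CA is not in the trust store.
            throw new IOException("TLS handshake failed: " + e.getMessage(), e);
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(
                "/path/to/client.p12", "changeit".toCharArray(), "PKCS12",
                "/path/to/truststore.jks", "changeit".toCharArray(), "JKS");
        // Process-wide default; a stub whose transport uses HttpsURLConnection
        // picks this up without any javax.net.ssl.* system properties.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("Server cert subject: " + probe(new URL("https://service.example.invalid/ws")));
    }
}
```

Keeping the client key store and the trust store separate matters for the failure in the original question: a client that only sets the two trustStore properties can verify the server but has nothing to present when the server demands a certificate, so the handshake fails exactly when clientAuth is switched on.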

-----Original Message-----
From: Sharib Anis [mailto:sharib.anis_at_wilabs.com]
Sent: Thursday, November 18, 2004 9:12 PM
To: users_at_jax-rpc.dev.java.net
Subject: RE: Mutual SSL authentication with JAX-RPC

Hi Ryan,

First you have to decide what kind of authentication you want to use. Three
types are common:

* HTTP basic authentication--The Web server authenticates a principal using
the username and password obtained from the Web client. The username and
password are included in the HTTP headers and are handled at the transport
layer.
* Form-based authentication--A developer can customize a form for entering
username and password information, and then use this form to pass the
information to the J2EE Web container. This type of authentication, geared
toward Web page presentation applications, is not used for Web services.
* HTTPS mutual authentication--Both the client and the server use digital
certificates to establish their identity, and authentication occurs over a
channel protected by Secure Sockets Layer.

It seems to me you're trying to use the last one. If yes, then:

1. You do need to set this:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
and this:
<user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
in the <security-constraint/>.
These settings are only on the server side.
2. Import the server cert into client keystore AND vice versa.
3. In Tomcat, you may set the clientAuth="true". It's not a must, you may
also set it to "want", if you want Tomcat to request a client Certificate,
but not fail if one isn't presented.

Thanks and Regards,
Sharib Anis
Senior Research Engineer
Wireless Intellect Labs Pte Ltd
A MobileOne Company
http://www.wilabs.com
sharib.anis_at_wilabs.com
DID: +65-6843 8672; Fax: +65-6560-4950 (TZ: +0800 GMT)

There are 10 kinds of people in the world, those who understand binary and
those who don't.

DISCLAIMER: This email (including any attachments) is intended for the
recipient(s) named above and may contain information that is confidential to
Wireless Intellect Labs Pte Ltd. Any use of the information (including, but
not limited to, total or partial reproduction, distribution or dissemination
in any form) by persons other than the intended recipient(s) is prohibited.
If you are not an intended recipient of this email, please notify the sender
immediately and delete it. Any views expressed in this message are those of
the individual sender, except where the sender states them, with requisite
authority, to be those of Wireless Intellect Labs Pte Ltd.

-----Original Message-----
From: Ryan LeCompte [mailto:ryan.lecompte_at_pangonetworks.com]
Sent: 19 November 2004 01:33
To: users_at_jax-rpc.dev.java.net
Subject: Mutual SSL authentication with JAX-RPC


Hello,

I'm trying to have my static stub JAX-RPC client communicate via SSL with a
remote web service. I'm setting the two system properties for specifying the
SSL trust store path and trust store password. The client is able to
successfully communicate via SSL when the remote web service's web server is
configured to not require client-side authentication (for example in tomcat
the configuration attribute 'clientAuth="false"' would be used). However,
when I turn on this attribute and require client-side authentication, the
JAX-RPC client fails to communicate successfully with the web service. Is
there anything else that must occur on the JAX-RPC client side when the
remote web server requires a client-side certification authentication? I'm
still new to SSL, so perhaps I have the basic concept confused. Do I have to
import another certification in the client-side keystore for this to work? I
looked in the java web services tutorial and they say that you need to
specify the following in web.xml:

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

However, this is a standalone JAX-RPC client that isn't running within a web
container (thus there is no web.xml).

Am I missing something here? Thank you for any suggestions...

-- Ryan


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_jax-rpc.dev.java.net
For additional commands, e-mail: users-help_at_jax-rpc.dev.java.net