How to configure TOMCAT to make the browser show the installed certificates (A3; token USB) when a URL (servlet) is called?
I will retriev the X509 certificate on the servlet request parameter.
Your question is a bit difficult to understand, but I'm guessing that you want tomcat to request a certificate from a client.
If this is the case, then you will want to enable what is called mutual authentication in tomcat.
You will have to set the clientAuth attribute of your tomcat ssl connector to either want or true. The ssl connector will be found in your tomcat server.xml file.
'want' asks the client to send a certificate if it has one, but the request will go though if the client doesn't have a certificate and 'true' means the client is required to send a certificate and the request will fail if the client does not provide a certificate.
More information can be found on the tomcat website:
SSL/TLS Configuration HOW-TO
Related
I have configured the SSL configuration for my jboss.
-Djavax.net.ssl.keyStore=/opt/appserver/jboss5.1/test.jks
-Djavax.net.ssl.keyStorePassword=*********
-Djavax.net.ssl.trustStore=/opt/appserver/jboss5.1/test.jks
-Djavax.net.ssl.trustStorePassword=*******
I am using the spring integration to connect to restservice, the ssl certificate is getting passed for some request and it is not getting passed for some other request, Any idea why the certificate will not be passed for one request?
It is the servers responsibility to request the client to send a certificate during mutual authentication.
When you have time, verify that the server has the ssl 'clientAuth' attribute set 'true' for all the urls that you want mutual authentication (client authentication).
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSl Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That is means it is one-way ssl.
Correct me if that wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceed without specifying any thing for server certificate nor trust store location in SoapUI project configuration !!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, if it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CA's (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
We have configure a Big F5 load balancer virtual server for a particular IP address which redirects incoming https requests to several Windows servers where there is functionality to generate responses.
I am using SoapUI to test access to these windows servers via the IP address of virtual server in the Big F5.
Using Server and Client certificates generated by the organization where the we have also this set up and sending requests via SoapUI I get the predicted responses back.
The business requirements call for Commercially signed certificates by Thawte.
We created a Certifcate Servcice Request (CSR) to generate a Server certificate and its private key and then we had it signed by Thawte, and also requested a Client Commercially signed certificate from Thawte.
We loaded both certificates in SoapUI client and the Big F5 load balancer but we attempting to test the requests we get the "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake" error.
My questions are:
How can I monitor where exactly the 2 way SSL handshake is terminated
The actual reason what exactly is happening?.. why using commercially signed certificates this does not work now?
Any replies are welcome. Thanks.
However when we swithch Serverto commercially signed by Thawte
This is possibly due to the Java security feature. If so you need to edit the soapui-4.x.x.vmoptions file located at soapui-4.x.x\bin folder and add -Dsun.security.ssl.allowUnsafeRenegotiation=true to the end.
You may also need to export the certificate as a pfx file and set it up in soapUI preference page. For details you can check http://geekswithblogs.net/gvdmaaden/archive/2011/02/24/how-to-configure-soapui-with-client-certificate-authentication.aspx and http://forums.devarticles.com/java-development-38/javax-net-ssl-sslhandshakeexception-received-fatal-alert-handshake-failure-11809.html .
The client is a SoapUI request that has not changed except a different client certificate
That suggests that the server doesn't trust the new client certificate, which in turn implies that the client certificate wasn't even sent because it wasn't signed by one of the server's trusted signers. Closing the connection is the server's only real option in this circumstance, as there isn't an SSL alert for it.
Make sure you have address translation on and the SNAt set to Auto Map for your VIP
I am attempting to construct a Glassfish hosted web service that impersonates (for development testing) a WCF hosted web service. I have the WSDL from the WCF hosted service, and I can construct the Java service and Java client from the WCF-hosted WSDL with no issues. The WSDL uses Mutual Certificate Security for data exchange.
The WSDL has an embedded X509 certificate that matches the WCF server's host certificate.
When I try to connect my Java client to the Glassfish-hosted Java service I get - of course - certificate errors.
So what steps do I take to get this to work? I am assuming that:
A) I need to replace the X509 certificate string in the WSDL with the contents of the self-signed Glassfish certificate 's1as' created when I installed Glassfish.
B) Set the Glassfish server SSL parameters for the server Network config to use the default cacerts.jks and keystore.jks certificate stores supplied with the Glassfish installation. Even though I am not using SSL here, I am assuming the server needs to know where its truststore and keystore is to perform mutual certificate security across HTTP.
C) Add the 's1as' server certificate to the truststore for the Java client.
D) Add whatever certificate I was previously using for the original WCF connecting client to the keystore for the Glassfish server. (I am not sure on this one?)
Is there something I am missing here? Any assistance would be much appreciated.
Apparently, you're using message layer security, not SSL. So the communication layer is not encrypted, just the messages themselves.
This is done in Glassfish using the WSIT features. I suggest looking at the Mutual Certificate Security example in the WSIT Tutorial: http://docs.oracle.com/cd/E19316-01/820-1072/ahiem/index.html.
Basically, WSIT uses the keystores in as-install/domains/domain1/config, and you need to specify them by alias name in your WSIT descriptor.
Greets, Geert.
I have a certificate. pfx to access a webservice.
I followed the steps listed on this page
When looking at the xml sent is encrypted.
But the server returns me the message:
The page requires a client certificate
.........
HTTP/1.1 403 Forbidden
.......
Server Microsoft-IIS/6.0
I can see the definition of this server from the browser if I have this certificate installed (the certificate is correct).
Also I have to use username and password to see the definition of service.
In the Trustor I have the server certificate.
I'm programming in java and use axis, any ideas why I am getting this error?
You need to configure your Axis client to inclue a client certificate with your outgoing request. This is different from server certificates which are more common. This post gives good info on setting up client certs in Java:
This is the solution:
System.setProperty(“javax.net.ssl.keyStore”, “path/keystore.jks”);
System.setProperty(“javax.net.ssl.keyStorePassword”, “pass”);
System.setProperty(“javax.net.ssl.keyStoreType”, “PKCS12″);
System.setProperty(“javax.net.ssl.trustStore”, “path/trusstore.jks”);
System.setProperty(“javax.net.ssl.trustStorePassword”, “pass”);
System.setProperty(“com.sun.net.ssl.dhKeyExchangeFix”, “true”);