Tomcat Application to WCF Service with Client Certificate Authentication - java

I have a Java application running on Tomcat and the application needs to consume a WCF service that requires client certificate authentication. I have the keystores and truststores configured on the client side and I have confirmed that the request is getting sent to IIS, however I'm getting an "unauthorized" error message from IIS logs. I'm wondering if there is any specific Tomcat configuration required in order to allow sending a client certificate from the client?
Thanks in advance.

It's the application code that is calling the WCF service, right? In that case, I don't think Tomcat configuration is what you need - Tomcat's SSL configuration is about what SSL authentication happens when browsers and other web clients connect to the Tomcat server and its applications, not about what happens when the applications are themselves clients to other network services. Rather, the application code calling the service needs to use an SSLContext created with the proper keystore, which will need to hold both the private key and certificate presented to the server for client authentication, and the certificates needed to authenticate the certificate presented by the WCF service.

Related

Enable SSL in Javaws client?

I have a client <-> server application that uses CORBA for communication. The client application is launched in a client machine using Java Web Start. I need to enable IIOP over SSL for the applications. On the server side, this is easily done by setting the keystore and keystore password in jacorb.properties. I am not sure how to enable SSL on the client side with a Javaws launch as I know very little about Java Web Start.
What are my options for enabling SSL for the javaws client application?
If the client keystore file is placed in the server machine, how should the client application access or retrieve it?
Or can the client application generate a keystore dynamically every time it is launched?
A little history of the application if it might help.
Prior to the upgrade the client application used custom SSL socket factory classes which retrieved the keystore from the remote server machine. However, for various other reasons, we had to remove these socket factory classes during the JacORB upgrade.
I decided to package the keystore in a jar and access it with JNLP. I wrote a sample program to test it. The code is available on GitHub:
https://github.com/KiranMohan/corba-javaws-ssl

Connecting to a service hosted on HTTPS server with Apache httpclient and key store information.

I am developing an integration project and at runtime my component would be connecting to a service hosted on an HTTPS server. To connect to this server I would be downloading the certificate for this server and importing it into the system.jks of my server (where my application would be running). At runtime, while connecting to the service (hosted on the HTTPS server), which I do using Apache HttpClient, I want the system.jks to be looked up for the certificate.
I have not handled this so far and I am getting a 403 Forbidden error. Could you please suggest how to handle this?
Thanks,
Rakesh

Client Authentication by Certificate in GAE java

I am writing an application in GAE Java which authenticates the user by its certificate. I have created a self-signed certificate using keytool at the client side. I have also enabled HTTPS requests in Google App Engine for my application. The flow of the application is very simple. The user comes to the home page of the application using any browser and then tries to access a resource of the application. I just authenticate the user if it has a valid certificate. I am missing the part of how the certificate that I created at the client side will be sent to the application when the user accesses my application from any browser? Also, how do I validate the certificate? Thanks in advance
I did a lot of searching, came to these points and am sharing them here.
1- In this scenario, when a browser connects to the server, sending the client certificate is the responsibility of the browser. The client certificate has to be configured/installed/imported in the browser. If you are developing the client side, then you can code to read the certificate from your local machine, embed it in the request and then send it to the server.
2- The browser only sends the certificate to the server when the server requests it, and the server has already sent its certificate to the browser and this certificate has been validated by the browser. We have to first configure our server to send its certificate to the client and also request the client certificate. We can validate the client certificate in our application; we just have to extract the certificate from the request.
3- Till now GAE doesn't provide a client certificate service. There is no way we can configure our GAE server to request a client certificate. Maybe there is another way to do this, but I didn't find any solution for it. I hope in future GAE will support client certificate authentication.
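Point 2 above (extract the certificate from the request and validate it in the application) looks like this in a servlet running on a container that does request client certificates, such as Tomcat with clientAuth="true" on the connector. This is an added example, not the poster's code; the container has already verified the chain against its truststore, so the application only checks validity and maps the subject to a user.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertServlet extends HttpServlet {

    // Standard Servlet API request attribute the container fills in when the
    // TLS handshake included a client certificate.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Returns the subject DN of a valid leaf certificate, or null if the request
    // carried no certificate or the certificate is outside its validity period.
    static String authenticatedSubject(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return null; // server never asked for a cert, or the browser sent none
        }
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            return null;
        }
        return leaf.getSubjectX500Principal().getName();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String subject = authenticatedSubject(chain);
        if (subject == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Valid client certificate required");
            return;
        }
        // At this point the application would look the subject up in its own user store.
        resp.getWriter().println("Authenticated as " + subject);
    }
}
```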

How to secure communication in client-server app?

I've got a backend running on the Tomcat server and a client running in the browser. The application is built on Spring 3 MVC + Spring Security framework. How to secure the communication? Is there any other option than just to set the server to be accessed only via HTTPS? I've got no experience with this so it might be a stupid question, but will this affect my application and do I have to set something up in my app, when the server shall communicate with the client via GET/POST requests over HTTPS?
It depends somewhat what you mean by "secure." If you want privacy, you must use TLS (SSL) as a transport.
If you're only concerned with authentication, then you have another option: Digest Authentication.
Digest Authentication allows the client (browser, usually) and the server to exchange authentication credentials in a secure manner without securing the entire communication. If you use Digest Authentication, then third parties can still:
See what data the client and server exchange
Insert themselves between the client and server and alter the exchange
What third parties cannot do is spoof the authentication or steal username/passwords in transit.
If that's not secure enough, you need TLS. You do not necessarily have to purchase a certificate. You can use OpenSSL to generate your own. This certificate will not automatically be trusted by browsers, however, so you can't really use it for public sites.
You will need to consult your server documentation for how to set up HTTPS or Digest Authentication, depending on which fits your needs.
Your application should not be affected by switching from HTTP to HTTPS; Tomcat handles this, or maybe an Apache in front. It's important to understand that HTTPS is a server thing, not an application topic, because the client makes a connection to the server (Tomcat), not to your application. Check out the Tomcat documentation, it's pretty clear about how things work.
And, like the others said: from what you've said it's best to use HTTPS (TLS/SSL). Certificates are a bit frightening at the beginning, but it's worth investing the time.
HTTPS is the (S)ecure form of HTTP; since you have an HTTP client-server application I would certainly use HTTPS. All you need is to create an SSL certificate for your website and restrict access to your website to HTTPS only, then you are 99.99% secure.
Your certificate can be either commercial from Verisign or equivalent or from some open source engine.
For the clients nothing needs to be done to support HTTPS.

SSO CAS clients over HTTP

I can't find any documentation on how to run a CAS SSO client application on HTTP. I've installed the CAS server, it is running on HTTPS, that is OK. But I don't want my client applications to be running on HTTPS. The reason is that they are internal applications, there is no need for them to run on HTTPS.
When I am trying to run my client applications on HTTP I am getting SSL handshake exceptions, because CAS expects my application to be running over HTTPS.
Is it even possible to run a client application integrated with CAS over HTTP? And if it is, how to make this happen?
Specifications:
Tomcat 6.0.35
JDK 1.6
CAS 3.5.1
The CAS server knows the CAS client applications by the URL patterns defined in its back office, and these URL patterns can be HTTP based.
