There is a wsdl which I wanted to access, the point here is I cannot access this WSDL as it is giving SSL Error. I wanted to know what all is needed here?
What I have done from my side :
Let's say Server A wants to access a WSDL which is implemented in Server B, now there has to be exchange of certificates between these two servers right? What all exchanges should happen?
I have created a certificate request using "Create certificate Request" from IIS and shared this certificate request with Server B, from Server B We have got a p7b file. Now what exactly we have to do from here? Is the approach what we followed correct or we are deviating from the actual problem?
I got the clarification finally. Thanks for the support whatever you have given.
As conveyed above here was the problem,
Server A wants to access WSDL from Server B, and we created a "Certificate request File" (P10b) file and shared it with Server B. Now they have provided us with a (P7b) file. Here was my doubt as to how to proceed.
Explanation :
P10b : "Certificate request" created by Server A in this case. This is a certificate request which means "This is my domain and I wanted to open a request for secured access" . Now this is what we share with Server B (Where wsdl is being implemented). Now since we want to access something from Server B over secured layer, Server B has to sign this request (signing here means approving any request which comes from Server A since this request holds the server name from where it is originating), Now this signing will be done by Server B which is when the certificate will be transformed from p10b to p7b which is what Server B will do and it will send this information to Server A.
Now at Server A we have this certificate called p7b, Server A will now have to convert this P7b to p12b which is the final version of the certificate. This conversion is a kind of decrypting technique which will be done by only the private key of Server A (which means only Server A can decrypt this). Once Server A converts this p7b to p12b which is the final version of certificate, now the server A can have access to the secured resources of Server B by using this certificate. If Server A wants to access WSDL from browser then the browser should have this certificate imported which can be done from the settings on the browser. If the wsdl has to be accessed from a soap UI then this can be done by SSL settings on SOAP UI.
I hope I have made clear. Please let me know if it's not clear anywhere.
I had faced the same issue with my remote spring service when I had converted it from normal http to https. All you need to do is generate a certificate for requested application your application and register it with trust store of ServerB from where you want to access application. You can check the following links to achieve that
Digital Certificate: How to import .cer file in to .truststore file using?
How to import a jks certificate in java trust store
http://singztechmusings.wordpress.com/2011/05/08/https-communication-how-it-works/
Hope this will give you very good insight.
I have a certificate which I need to pass along with the SOAP Request in JMeter.
I have edited the system.properties file to add
javax.net.ssl.keyStore= path to keystore file
javax.net.ssl.keyStorePassword=password
I am still getting the error You need valid client certificate from DHW to access page.
Am I missing something here?
The same request is working well from SOAP_UI.
There is a lot that can be going wrong here.
Here is my guess though...
The server is most likely setup for mutual authentication. You can test this by running your java client with the following system property: -Djavax.net.debug=ssl
You should see the ssl handshake and see if the server is requesting a client certificate or not. The messaging will be VERY verbose and you will have to diligently look through the log output to see what is actually occurring.
Hopefully, in the output you will see a list of Certificate Authorities (CAs) that the server trusts. Your client's certificate MUST be signed by one of these CAs. If not, the client won't even attempt to send its client certificate.
If you have access to the server, you can create your own CA and then sign the client's certificate with that new CA and that will work. I actually just did that yesterday. :D
The issue is resolved. I was giving only single backspace instead of two backspaces as per java conventions. It works fine with this minor modification.
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSL Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That means it is one-way SSL. Correct me if that is wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceeded without specifying anything for server certificate nor trust store location in SoapUI project configuration!!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CAs (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
We have configured a Big F5 load balancer virtual server for a particular IP address which redirects incoming https requests to several Windows servers where there is functionality to generate responses.
I am using SoapUI to test access to these windows servers via the IP address of virtual server in the Big F5.
Using Server and Client certificates generated by the organization where we also have this set up and sending requests via SoapUI I get the predicted responses back.
The business requirements call for Commercially signed certificates by Thawte.
We created a Certificate Service Request (CSR) to generate a Server certificate and its private key and then we had it signed by Thawte, and also requested a Client Commercially signed certificate from Thawte.
We loaded both certificates in SoapUI client and the Big F5 load balancer but when attempting to test the requests we get the "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake" error.
My questions are:
How can I monitor where exactly the 2 way SSL handshake is terminated?
The actual reason, what exactly is happening? Why does this not work now using commercially signed certificates?
Any replies are welcome. Thanks.
However when we switch Server to commercially signed by Thawte
This is possibly due to the Java security feature. If so you need to edit the soapui-4.x.x.vmoptions file located at soapui-4.x.x\bin folder and add -Dsun.security.ssl.allowUnsafeRenegotiation=true to the end.
You may also need to export the certificate as a pfx file and set it up in soapUI preference page. For details you can check http://geekswithblogs.net/gvdmaaden/archive/2011/02/24/how-to-configure-soapui-with-client-certificate-authentication.aspx and http://forums.devarticles.com/java-development-38/javax-net-ssl-sslhandshakeexception-received-fatal-alert-handshake-failure-11809.html .
The client is a SoapUI request that has not changed except a different client certificate
That suggests that the server doesn't trust the new client certificate, which in turn implies that the client certificate wasn't even sent because it wasn't signed by one of the server's trusted signers. Closing the connection is the server's only real option in this circumstance, as there isn't an SSL alert for it.
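The trust failure described here, and in the earlier answer about the CA list shown in the handshake debug output, can be reproduced offline. The following is an added example, not part of the original posts: it runs the request, signed .p7b reply and .p12 packaging sequence from the first question with the OpenSSL command line, then checks each client certificate against the one CA a server trusts. The CA names (org-ca, commercial-ca), the client names and the password changeit are constructed for the demo.

```shell
#!/bin/sh
# Added example with constructed names; throwaway keys in a temp directory.
mk_ca() {    # mk_ca <dir> <name>: self-signed stand-in for a signing CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
# request_to_p12 <dir> <ca-name> <cn>: CSR (PKCS#10) -> signed reply (.p7b) -> .p12
request_to_p12() {
  d=$1; ca=$2; cn=$3
  # Requester: the private key stays on this side; only the .csr is shared.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null || return 1
  # Signer: issue the certificate, return it with the CA certificate as PKCS#7.
  openssl x509 -req -in "$d/$cn.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 1 -out "$d/$cn.pem" 2>/dev/null || return 1
  openssl crl2pkcs7 -nocrl -certfile "$d/$cn.pem" -certfile "$d/$ca.pem" \
    -out "$d/$cn.p7b" || return 1
  # Requester: the .p7b carries certificates only; pair them with the private key.
  # pkcs12 -export fails if no certificate in the bundle matches the key.
  openssl pkcs7 -print_certs -in "$d/$cn.p7b" -out "$d/$cn.chain.pem" || return 1
  openssl pkcs12 -export -in "$d/$cn.chain.pem" -inkey "$d/$cn.key" \
    -name "$cn" -passout pass:changeit -out "$d/$cn.p12"
}
# server_would_trust <p12> <trusted-ca.pem>: verify the client certificate held
# in the .p12 against only the CA file the server is configured to trust.
server_would_trust() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts 2>/dev/null |
    openssl x509 -out "$1.leaf.pem" &&
  openssl verify -no-CApath -CAfile "$2" "$1.leaf.pem" >/dev/null 2>&1
}
demo() {     # prints one verdict per client certificate
  t=$(mktemp -d) || return 1
  mk_ca "$t" org-ca && mk_ca "$t" commercial-ca || return 1
  request_to_p12 "$t" org-ca client-old || return 1
  request_to_p12 "$t" commercial-ca client-new || return 1
  for c in client-old client-new; do   # the server trusts only org-ca here
    if server_would_trust "$t/$c.p12" "$t/org-ca.pem"
    then echo "$c: trusted"; else echo "$c: rejected"; fi
  done
  rm -rf "$t"
}
demo
```

The second certificate is valid and correctly packaged, yet it is rejected until the issuing CA's certificate is added to the file the server trusts.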
Make sure you have address translation on and the SNAT set to Auto Map for your VIP.
I have a .pfx certificate to access a webservice.
I followed the steps listed on this page
When looking at the XML sent, it is encrypted.
But the server returns me the message:
The page requires a client certificate
.........
HTTP/1.1 403 Forbidden
.......
Server Microsoft-IIS/6.0
I can see the definition of this server from the browser if I have this certificate installed (the certificate is correct).
Also I have to use username and password to see the definition of service.
In the Trustor I have the server certificate.
I'm programming in java and use axis, any ideas why I am getting this error?
You need to configure your Axis client to include a client certificate with your outgoing request. This is different from server certificates which are more common. This post gives good info on setting up client certs in Java:
This is the solution:
System.setProperty("javax.net.ssl.keyStore", "path/keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "pass");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.trustStore", "path/trusstore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "pass");
System.setProperty("com.sun.net.ssl.dhKeyExchangeFix", "true");
I am implementing a VB.NET desktop application which consumes a web service.
The web service is implemented in Java and I am currently using Tomcat on my localhost to host the web service.
The web service requires secure communication with the client and so I have followed instructions that outlined how to use Java's keytool.exe to create two .jks keystores (one for the client and one for the server) and then create two .cer certificates (one for the client and one for the server).
I have placed the keystores and certificates generated into the directory where the web service is expecting them (according to the instructions).
I have installed the certificates into TrustedPeople and have attempted to use the certificate by setting the ClientCredentials.ClientCertificates property like this:
myServiceProxy.ClientCredentials.ClientCertificate.SetCertificate(storeLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindByIssuerName, "name")
I keep getting the following error message when I try to call any method:
An error was discovered processing the <wsse:Security> header
My problem is that I don't know how to use this in the VB.NET client application that is consuming the web service. I could be doing this completely wrong. Any guidance on this topic would be greatly appreciated.
Thank you,
-Frinny
While I haven't coded VB for 10 years, this should get you started: http://www.example-code.com/vbdotnet/ssl_client_certificate.asp
especially this looks like it is loading the file containing the certificate:
certStore.LoadPfxFile("chilkat_secret.pfx","secret")
and this extracts the certificate and uses it for the connection:
Dim cert As Chilkat.Cert
cert = certStore.FindCertBySubjectCN("Chilkat Software, Inc.")
If (cert Is Nothing ) Then
MsgBox(certStore.LastErrorText)
Exit Sub
End If
socket.SetSslClientCert(cert)
When I had to work with certificates and WS, I had lots of issues with them too. Use the certificates MMC and verify:
That you placed the certificate in the correct place. Note that there is a CurrentUser store, Machine Store etc. Make sure you put the certificate in the correct one according to your code.
Which user is running your application? Is the certificate located in its store? The certificate must be visible to the user.
Open the certificate and make sure it is trusted (you will see a warning if not). You may need to put your CA's certificate in Trusted Certification Authorities store.
Make sure that the algorithms you use on each side are supported by the other side.
Note that you are looking for the certificate by issuer name (X509FindType.FindByIssuerName, "name"). Open the certificate and make sure the issuer name matches (I guess not since it seems like copy&paste from example).
If all of this fails, try to experiment with the certificate location (I vaguely remember some issue with being able to use certificates from one location and not the other), and with the property you use to search for the certificates.
Plus, since you asked about certificates I answered about certificates. It's a good idea to check if there's an inner exception and see - it may be another problem.