IMPORTANT : Sending a cert from the client

Hi,

I have a Solaris client which needs to communicate with an NT machine. Both have Apache web servers with JServ, JDK 1.2.2 & JSSE 1.0.2.

There is a SolarisServlet and a NTServlet on respective m/c's..

While I am connecting to NTServlet from the SolarisServlet, I need to give the client certificate to the NTServlet.

I know how to retrieve the cert at the NTServlet end.

But how do I need to send the cert to NTServlet?

Pls help me..

[488 byte] By [glow007] at [2007-9-26 4:14:47]
# 1

You say that you know how to read the client certificate from the server side, but don't know how to send a certificate from the client.

That's surprising, because the first sentence would lead one to believe that you have made it a point to read the documentation that comes with JSSE, but the second would lead one to believe that you have not. Which case is it? Or are you trying to take some major shortcuts?

Anyways I feel there is no harm in giving some MORE hints and pointers...

Assuming you know that underneath what you see as a URLConnection (or more specifically in this case a HttpsURLConnection) sits a socket, actually an SSLSocket, take a look at the Javadoc for com.sun.net.ssl.HttpsURLConnection, specifically the method setDefaultSSLSocketFactory().

Before you get tempted to hastily ask about how to create an instance of etc, please go through the examples that come with JSSE 1.0.2, especially the one called %JSSE_HOME%/samples/sockets/client/SSLSocketClientWithClientAuth.java. You will realize that almost everything you need to do to have a client send a certain certificate for client-authentication to the HTTPS server is outside of the code, in the keystore.

However, remember, this last statement may not hold if you decide to change over from the reference implementation (provider is called SunJSSE) that comes with JSSE 1.0.2 to a commercial implementation, which you would of course do for a commercial application.

The rest of the details would be the same as when using java.net.URL, i.e. the instance of URLConnection returned from URL.openConnection() would be of type com.sun.net.ssl.HttpsURLConnection.

By the way, does this topic of yours have anything to do with http://forum.java.sun.com/thread.jsp?forum=2&thread=159252 ? If yes, why did you decide to leave that topic in a state of limbo and start this one? You know, that would be considered rude by many.

neville_sequeira at 2007-6-29 13:22:49 > top of Java-index,Security,Java Secure Socket Extension (JSSE)...
# 2

Hi Neville,

Updated the previous topic...

Thanks!!

When I say I knew how to read the certificate sent by the client, I am referring to the forum

http://forum.java.sun.com/thread.jsp?forum=2&thread=159252

(solution given by you..)

|----------------|          |-----------|
| SolarisServlet | -------> | NTServlet |
|----------------|          |-----------|
  (client cert)             (server cert)

a) I have the client cert on the Solaris m/c. And when it connects to NTServlet, the SolarisServlet needs to communicate through the https protocol, and it should send the client cert to the NTServlet.

And this NTServlet should read the certificate.

b) After this, I extract info from this cert and allow only when its name matches with my info in the db.

(As of now I have trial certificates on both ends)

Any pointers to this will be of great help...

glow007 at 2007-6-29 13:22:49
# 3

Well, did you read the documentation and the relevant examples that come with JSSE 1.0.2 download(s) ?

The examples are available as a separate download. See http://java.sun.com/products/jsse/index-102.html and look for the phrase "JSSE 1.0.2 sample source code" on that page.

I think, once you go through the documentation and the example(s) I mentioned in my previous message, you should be able to figure out what you have to code.

Does this seem like a pointer ? Feel free to ask again.

neville_sequeira at 2007-6-29 13:22:49
# 4
Thanks!! Do you have any other snippets of code so that it will be very helpful in understanding?
glow007 at 2007-6-29 13:22:49
# 5
It would not be too difficult for me to post some of my own code here. However I do not see the point in doing that. My code is based on the sample code that comes with JSSE 1.0.2. There is nothing special that I have done in my code!
neville_sequeira at 2007-6-29 13:22:49
# 6

In my Apache conf I have set the property

SSLClientRequire require

So, the client has to give its cert when it accesses through ssl.

Client is also in my control.

I have seen all the examples given in Samples of JSSE.

The client Auth example is given when connected through sockets.

But I don't use any socket classes.

How should the client send the certificate to the server when HttpsURLConnection is used?

I have created a KeyManagerFactory with a keystore. But how should the cert be sent to the server?

Pls help me...

glow007 at 2007-6-29 13:22:49
# 7

Use this only as guidelines. It is based on the code from the sample samples/sockets/client/SSLSocketClientWithClientAuth...

// You have created your keystore and yourKeyManagerFactory here
KeyManagerFactory yourKeyManagerFactory = ... // already initialized with your keystore
SSLContext sslContext = SSLContext.getInstance("SSL");
// null TrustManagers and SecureRandom: the provider's defaults are used
sslContext.init(yourKeyManagerFactory.getKeyManagers(), null, null);
// applies to every HttpsURLConnection created after this call
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
// proceed with using URL etc here.

I think the main thing for you to note here is the line HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory())

neville_sequeira at 2007-6-29 13:22:49
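
Added example, not part of the original thread or of the JSSE samples: the complete client side of the approach in the post above, written against the javax.net.ssl API of current JDKs rather than the com.sun.net.ssl classes of JSSE 1.0.2. The keystore and truststore file names, the password and the URL are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertRequest {
    // Hypothetical file names and password; replace with your own.
    static final String KEYSTORE = "client-keystore.p12";   // client private key + cert chain
    static final String TRUSTSTORE = "server-trust.p12";    // CA that issued the server cert
    static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    static SSLContext clientContext() throws Exception {
        // KeyManagers pick the client certificate when the server sends a CertificateRequest.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEYSTORE), PASSWORD);
        // Explicit TrustManagers: the server certificate is still verified, against this CA only.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical URL of the servlet that requires a client certificate.
        URL url = new URL("https://nt-host.example/servlet/NTServlet");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection factory: other HTTPS calls in this JVM do not present the certificate.
        conn.setSSLSocketFactory(clientContext().getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            System.out.println("HTTP " + conn.getResponseCode() + ", cipher " + conn.getCipherSuite());
        }
    }
}
```

If the keystore holds no key entry issued by a CA the server lists as acceptable, the client sends no certificate, and a server that requires one aborts the handshake.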
# 8
I have done exactly the way you mentioned. But it is giving an exception java.io.IOException Broken pipe
glow007 at 2007-6-29 13:22:49
# 9
Please see http://forum.java.sun.com/thread.jsp?forum=2&thread=161585 Wait a minute. Are we all going in circles here? Maybe npatha and you can collaborate?! Seems like JSSE is really catching on!
neville_sequeira at 2007-6-29 13:22:49