Can I create a key and certificate using keytool?
Hi Experts,
I am trying to enable certificate based authentication.
Can I do the following ?
1. Create a key using keytool -genkey
2. Get the certificate for that key using keytool -export
3. Give this certificate to the client and do keytool -import in the client's JRE
Please advise.
Thanks & Regards,
Mukunt
# 1
Yes
ejpa at 2007-7-11 15:43:12

# 2
Hi "ejb"
Thanks for the quick response.
But when I try to invoke the EJB which sits inside a WebLogic server, I get the following exception in the client and server.
I did the following:
1. I created a key in the keystore d:/WL/.../cacerts with alias myKey (keytool -genkey)
2. I exported a certificate from the same keystore d:/WL/.../cacerts from the same alias myKey (keytool -export)
3. I imported this exported certificate into the JRE which I use to invoke the EJB which sits in the WebLogic server (keytool -import -keystore <jre/lib/security/cacerts of client>)
Am I importing in the right place? Is this the way to do it?
But I get the following issue.
Client console log:
<Apr 4, 2007 11:16:06 AM GMT+05:30> <Warning> <Security> <BEA-090542> <Certificate chain received from ISLCH-268.i-flex.com - 202.46.212.162 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain.
In the server console I see,
><Apr 4, 2007 11:16:06 AM GMT+05:30> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from ISLCH-268.i-flex.com - 202.46.212.162. Check thepeer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
# 3
I don't know anything about WebLogic but you will have to find out where it keeps its keystore. I think what you modified was its truststore.
ejpa at 2007-7-11 15:43:12

# 4
Hi,
In the WebLogic server, I have configured the keystore as
Custom Identity Keystore: D:\Software\bea\weblogic81server\lib\cacerts
From this keystore I created a key, exported a certificate from it, and stored it in my client's keystore, which is D:\Progra~1\Java\jre1.5.0_11\lib\security\cacerts
Then what I did is I created a key in
D:\Progra~1\Java\jre1.5.0_11\lib\security\cacerts, exported the certificate and imported it into WebLogic's cacerts, i.e. D:\Software\bea\weblogic81server\lib\cacerts
In the WebLogic config page, I see:
Java Standard Trust Keystore: JAVA_HOME\jre\lib\security\cacerts
Indicates the use of the Java Standard Trust keystore provided by the JDK. The Java Standard Trust keystore is located in JAVA_HOME/jre/lib/security/cacerts
I didn't touch this trust store. What will I have to put in this trust store, and what will I have to put in the cacerts of the server and client?
I understand I am missing some basic thing here.
Once again many thanks for your help.
Regards,
Mukunt
# 5
> Then what I did is I created a key in
> D:\Progra~1\Java\jre1.5.0_11\lib\security\cacerts and
And did you tell your client that that file is the keystore, and give it the password? There is no default for the keystore, or rather an empty keystore is the default.
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Customization
ejpa at 2007-7-11 15:43:12

# 6
Hi,
I tried like the following:
java -Djavax.net.ssl.keyStore=D:\Progra~1\Java\jre1.5.0_11\lib\security\cacerts -Djavax.net.ssl.keyStorePassword=changeit <myClass>
But I am still getting an error like:
<Apr 4, 2007 3:00:44 PM GMT+05:30> <Warning> <Security> <BEA-090504> <Certificate chain received from ISLCH-268 - 202.46.212.162 failed hostname verification check. Certificate contained mukuntaraj k but check expected ISLCH-268>
In the WebLogic config page, I see:
Java Standard Trust Keystore: JAVA_HOME\jre\lib\security\cacerts
Indicates the use of the Java Standard Trust keystore provided by the JDK. The Java Standard Trust keystore is located in JAVA_HOME/jre/lib/security/cacerts
I didn't touch this trust store. What will I have to put in this trust store? I understand I am missing some basic thing here.
Once again thanks for your help.
Regards,
Mukunt
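A worked version of the procedure this thread (posts #2 through #6) circles around, as an added example rather than code posted by anyone in the thread. It keeps the two things the replies keep pointing at apart: an identity keystore (holds a private key and is named by javax.net.ssl.keyStore) and a truststore (holds only other parties' certificates and is named by javax.net.ssl.trustStore), and it generates the server key with a CN and SAN equal to the host name the client connects to, which is what the BEA-090504 "failed hostname verification" warning in post #6 is complaining about. The host name ISLCH-268 is taken from the thread's log lines; every file name, the passwords, the client certificate's CN and the class name are constructed for the demo, and the -ext SAN option needs a keytool from Java 7 or later (drop that line on an older JDK). Nothing here touches the JRE's own lib/security/cacerts, which is shared by every Java program on the machine and is not where a private key belongs.

```shell
#!/bin/sh
# Added example, not from the thread. Builds separate identity keystores
# and truststores with keytool and prints the matching client command line.
# Assumptions: keytool (Java 7+) on PATH; file names, passwords and the
# client CN below are constructed; ISLCH-268 is the host from the thread.

STOREPASS=changeit   # demo password; keytool requires at least 6 characters

# Server identity: the CN and SAN must be the host name the client uses,
# otherwise WebLogic logs BEA-090504 (hostname verification failed).
make_server_identity() {
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=ISLCH-268, OU=Demo, O=Demo, C=IN" \
    -ext "SAN=dns:ISLCH-268" \
    -keystore "$1/server-identity.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Client identity for certificate-based (mutual) authentication. Its CN is
# an identity, not a host name, so it is never checked by hostname verification.
make_client_identity() {
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=client-user, OU=Demo, O=Demo, C=IN" \
    -keystore "$1/client-identity.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export the public certificate only (the private key stays in the identity
# store) and import it into the *other* side's truststore, creating it if needed.
# Args: source keystore, alias, certificate file to write, destination truststore.
trust_peer_cert() {
  keytool -exportcert -rfc -alias "$2" -keystore "$1" \
    -storepass "$STOREPASS" -file "$3" &&
  keytool -importcert -noprompt -alias "$2" -file "$3" \
    -keystore "$4" -storepass "$STOREPASS"
}

# Build the whole demo PKI in the directory given as $1.
# Returns 0 on success, 2 if keytool is not available, 1 on a keytool error.
setup_demo_pki() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  make_server_identity "$1" || return 1
  make_client_identity "$1" || return 1
  trust_peer_cert "$1/server-identity.jks" server "$1/server.cer" "$1/client-trust.jks" || return 1
  trust_peer_cert "$1/client-identity.jks" client "$1/client.cer" "$1/server-trust.jks" || return 1
}

# CN of a certificate file, parsed from keytool -printcert's "Owner:" line.
# Compare this with the host name before going anywhere near a client.
cert_cn() {
  keytool -printcert -file "$1" | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# Entry type of an alias in a keystore: "trustedCertEntry" (certificate only,
# what a truststore should contain) or "PrivateKeyEntry" (identity). Older
# keytool versions print "keyEntry" for the latter; both are normalised.
entry_type() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null |
    awk '/trustedCertEntry/ { print "trustedCertEntry"; exit }
         /PrivateKeyEntry|keyEntry/ { print "PrivateKeyEntry"; exit }'
}

# The client command line from post #6, corrected: trustStore for the server's
# certificate, keyStore for the client's own key. Args: PKI dir, main class.
build_client_cmd() {
  printf 'java -Djavax.net.ssl.trustStore=%s/client-trust.jks -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.keyStore=%s/client-identity.jks -Djavax.net.ssl.keyStorePassword=%s %s\n' \
    "$1" "$STOREPASS" "$1" "$STOREPASS" "$2"
}

demo() {
  setup_demo_pki "$1" || return $?
  echo "server cert CN:        $(cert_cn "$1/server.cer")"
  echo "client-trust.jks/server: $(entry_type "$1/client-trust.jks" server)"
  echo "server-identity.jks/server: $(entry_type "$1/server-identity.jks" server)"
  echo "run the client as:"
  build_client_cmd "$1" com.example.Client   # class name is a placeholder
}

# Usage: sh keytool-demo.sh /path/to/empty/dir
if [ "$#" -gt 0 ]; then
  demo "$1"
fi
```

On the server side the same split applies: WebLogic's "Custom Identity Keystore" should point at server-identity.jks, and its trust keystore at server-trust.jks (or at a truststore that contains the client certificate). Checking entry_type on each file before configuring anything is the quickest way to catch the mix-up described in post #3, where a certificate was imported into a truststore while the server was still looking for a private key.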