2 Client Certificates
I have a WebStart application that is required to use client certificates. These certificates come from a user's Smart Card that gets put into Internet Explorer. WebStart will automatically grab the certificate and send it to the server.
My problem comes when there are 2 certificates that fit the profile. In that case, a dialog pops up asking the user to pick 1. It comes up with just about every new connection made back to the server.
The way I see it, my options are:
1) Try to reuse connections and extend keep-alive so that not too many connections are made.
2) Try to get the certificates from Internet Explorer manually and pass one of them with the connection.
3) Open a connection back to the server -- WebStart will ask which certificate -- and programmatically capture which certificate the user selected so I can reuse it. Is this even possible?
or
4) Read the certificate directly from the card and pass it along.
I've been trying #1 for a while now, and it doesn't get too much better.
Any ideas?
By Toshi47a at 2007-11-27 7:06:39

# 1
I am experiencing almost exactly the same problem, the only difference being that the certificates are just installed in IE's certificate store and not coming from a smart card.
We have an application that requires a client certificate for access outside our intranet. If there is a single certificate from our CA in the browser's certificate store, there are no problems.
However, if there are 2 or more certificates from the same CA in the browser certificate store, then the user is challenged 30-40 times (i.e. it looks like they're challenged each time a connection is made back to the server) before the application starts up.
This doesn't happen the first time the link to our webstart application is clicked and the jnlp and jars are downloaded. Everything works fine then. It is on subsequent starts of the application (from clicking the same link in a browser) that the multiple certificate challenges start to happen.
I'm guessing this is because the first time there are no jars in the cache to check, whereas on subsequent launches, the jars that are already in the cache are being compared against the versions on the web server for how up to date they are.
I'm scratching my head over this one. Not been able to find anything in the Sun bug database, and Google hasn't helped me much yet, either.
Has anyone else ever come across anything like this?
Did you manage to solve it?
Message was edited by: damian_ryan
# 2
Nope, I haven't solved it yet. For now, I'm working on getting the certificates from the Microsoft Certificate Store and opening URLConnections with that. Here's what I've got so far:
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
// Client keys come from the Windows certificate store (SunMSCAPI provider, Java 6+)
KeyStore store = KeyStore.getInstance("Windows-MY");
store.load(null, null);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(store, null);
// NaiveTrustManager is the poster's own class; its source is not shown in the thread
X509TrustManager tm = new NaiveTrustManager();
SSLContext sc = SSLContext.getInstance("TLS");
TrustManager[] tma = {tm};
sc.init(kmf.getKeyManagers(), tma, new SecureRandom());
It still doesn't work. The KeyStore.getInstance("Windows-MY") is new in Java 1.6 if you have that option. If not, the way I understand it, you need to get some third-party code at https://download.assembla.se/jceprovider. That download doesn't work for me though.
Does your application open up connections back to the server once it is started? If not, and it only happens before the app starts, then one thing that might help is to put everything into one jar.
I used to get the same behavior at startup also, except mine would happen the first time also. I figured it would happen on the download, or when WebStart was trying to figure out if there were any new jars. One jar helped a lot.
Let me know if you solve it.
Aloha,
Rich
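The following is an added example, not code from either poster, that carries option 2 of the original question (pick one of the Windows-MY certificates programmatically) through to a working SSLContext. It wraps the X509KeyManager that the SunMSCAPI "Windows-MY" store yields so that the client alias is chosen in code rather than by a prompt: a configured alias wins if the server's CertificateRequest accepts it, otherwise the currently valid chain with the latest expiry is used. Unlike the NaiveTrustManager in the snippet above, it keeps the JRE's default trust store, so the server is still authenticated. The class name, the preferredAlias parameter and the https://example.invalid URL are assumptions made for this example.

```java
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Hypothetical wrapper: chooses the client certificate itself instead of prompting. */
public class SelectedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;   // key manager built from the Windows-MY store
    private final String preferredAlias;      // friendly name in the store, or null (assumption)

    public SelectedAliasKeyManager(X509KeyManager delegate, String preferredAlias) {
        this.delegate = delegate;
        this.preferredAlias = preferredAlias;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String best = null;
        Date bestExpiry = null;
        Date now = new Date();
        for (String keyType : keyTypes) {
            // Only aliases whose chain leads to an issuer the server asked for
            String[] aliases = delegate.getClientAliases(keyType, issuers);
            if (aliases == null) continue;
            for (String alias : aliases) {
                if (alias.equals(preferredAlias)) return alias;
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (chain == null || chain.length == 0) continue;
                X509Certificate leaf = chain[0];
                // Skip certificates that are not valid right now (expired card certs are common)
                if (leaf.getNotBefore().after(now) || leaf.getNotAfter().before(now)) continue;
                if (bestExpiry == null || leaf.getNotAfter().after(bestExpiry)) {
                    best = alias;
                    bestExpiry = leaf.getNotAfter();
                }
            }
        }
        return best; // null tells the JSSE stack to send no client certificate
    }

    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }

    /** Builds an SSLContext whose key managers are wrapped and whose trust is the JRE default. */
    public static SSLContext buildContext(String preferredAlias) throws Exception {
        KeyStore store = KeyStore.getInstance("Windows-MY"); // SunMSCAPI, Java 6 and later
        store.load(null, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, null);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new SelectedAliasKeyManager((X509KeyManager) kms[i], preferredAlias);
            }
        }
        // Default trust store (cacerts), not an accept-everything trust manager
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(kms, tmf.getTrustManagers(), new SecureRandom());
        return sc;
    }

    public static void main(String[] args) throws Exception {
        SSLContext sc = buildContext(args.length > 0 ? args[0] : null);
        // Applies to every HttpsURLConnection the application opens from here on
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://example.invalid/app/").openConnection();
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

This only governs connections the application itself opens after startup; the certificate checks WebStart performs while comparing cached jars against the server happen before application code runs and are not affected by it.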