JSSE and PKI
 

Posted By:   David_Dankwerth
Posted On:   Tuesday, July 24, 2001 09:51 AM

Hello,

After searching just about any forum I could find, I saw no solution for a PKI client in Java.

My goal is to get a PKI-protected connection to Apache mod_ssl. The Apache server has a directory which is PKI protected using:

SSLVerifyClient require

When I try to connect without the PKI protection using an https URL (i.e. https://myserver/html) it is working fine; when I enable the PKI verify I get a socket exception.

Any idea?

Thanks,
David


Re: JSSE and PKI

Posted By:   Berin_Loritsch  
Posted On:   Thursday, October 11, 2001 10:44 AM

It is a multi-step process. I went through the pangs of implementing PKI
support to Apache JMeter.

  1. You must have the CA certificates installed on your client. That
    means in $JAVA_HOME/jre/lib/security/cacerts or in
    $JAVA_HOME/jre/lib/security/jssecacerts. The keystore with the
    Certificate Authority (CA) certificates MUST be in Sun's JKS format.
    (Readable with keytool by default).


  2. You must supply the keystore with the certificate and private key.
    This can be a JKS format keystore, or a PKCS12 file. The certificate
    must be an X.509 compliant certificate signed by the proper CA
    certificate. Lastly, you MUST use a password that is 6 characters
    or more. This is an implementation bug in Sun's JSSE implementation,
    and forces you to have somewhat better security anyway.


  3. You must wrap the X509 Key Manager to use your keystore. In JSSE
    1.0.2 the class is com.sun.net.ssl.X509KeyManager.
    The version included with JDK1.4 changes the package to be
    javax.net.ssl. Below is the code snippet from Apache
    JMeter that performs the initialization of the SSL session.



// Snippet from a method in Apache JMeter's SSL setup. Class names are the
// JDK 1.4 javax.net.ssl ones (JSSE 1.0.2 uses com.sun.net.ssl instead);
// WrappedX509KeyManager is JMeter's own wrapper class and is not shown here.
// Imports the snippet relies on:
//   import java.security.KeyStore;
//   import java.security.SecureRandom;
//   import javax.net.ssl.HttpsURLConnection;
//   import javax.net.ssl.KeyManager;
//   import javax.net.ssl.KeyManagerFactory;
//   import javax.net.ssl.SSLContext;
//   import javax.net.ssl.X509KeyManager;

if (null == this.rand) {
    this.rand = new SecureRandom();
}

// this.defaultpw is the password for the user keystore.
try {
    this.context = SSLContext.getInstance("TLS");
    KeyManagerFactory managerFactory = KeyManagerFactory.getInstance("SunX509");
    KeyStore keys = this.getKeyStore(); // keystore holding the client cert and private key
    managerFactory.init(keys, this.defaultpw.toCharArray());
    KeyManager[] managers = managerFactory.getKeyManagers();

    // Wrap each X509KeyManager so the handshake presents the keystore's certificate.
    for (int i = 0; i < managers.length; i++) {
        if (managers[i] instanceof X509KeyManager) {
            X509KeyManager manager = (X509KeyManager) managers[i];
            managers[i] = new WrappedX509KeyManager(manager, keys, this.defaultpw);
        }
    }

    // null trust managers: the JVM's default trust store (cacerts / jssecacerts) is used.
    context.init(managers, null, this.rand);
    HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
} catch (Exception e) {
    // Do not swallow the failure silently; a broken SSL setup must be visible to the caller.
    throw new IllegalStateException("SSL initialization failed", e);
}


Now, every SSL handshake in the classloader will use your certificate
if the session requires authentication. I found that this can only be
done once, so you can't change the certificate once you set it.
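The three steps above as one complete client, added here as an example and not JMeter's or the poster's code. It uses the JDK 1.4+ javax.net.ssl package, where the default X509KeyManager already selects the client certificate, so no wrapper class is needed, and it assumes a JKS truststore holding the CA certificate and a PKCS12 client keystore whose store and key passwords are the same; URL, file names and passwords are command-line assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Usage: java MutualTlsClient <https-url> <truststore.jks> <truststore-pw> <client.p12> <client-pw>
// File names and passwords are assumptions passed on the command line, not values from the thread.
public class MutualTlsClient {

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext buildContext(KeyStore trustStore, KeyStore clientStore, char[] keyPw) throws Exception {
        // Step 1: the CA certificates the client trusts, from a JKS truststore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // Step 2: the client certificate and private key; keyPw unlocks the private key
        // (for a PKCS12 file this is normally the same as the store password).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, keyPw);
        // Step 3: combine both; the JDK's X509KeyManager picks the cert matching the CA list
        // the server sends in its CertificateRequest.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null = default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = load(args[1], "JKS", args[2].toCharArray());
        KeyStore client = load(args[3], "PKCS12", args[4].toCharArray());
        SSLContext ctx = buildContext(trust, client, args[4].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        // Per-connection factory: unlike HttpsURLConnection.setDefaultSSLSocketFactory this
        // does not fix one client identity for the whole JVM, so it can differ per request.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[0]);
    }
}
```

Setting the factory per connection rather than as the JVM default also sidesteps the "can only be done once" limitation described above.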

Re: JSSE and PKI

Posted By:   John_Mitchell  
Posted On:   Tuesday, July 24, 2001 11:36 AM

There's an example of doing client authentication in the JSSE Reference Guide (Code Samples section). Basically, your client must have the appropriate (client) certificates and make those available during the SSL handshake phase when the server requires it.