How to establish the mutual authentication using "client.cer" file

mojo lai
Greenhorn

Joined: Sep 09, 2007
Posts: 19
Hello everyone,

I want to try "mutual authentication" by using the "client-cert" method in the deployment descriptor.

I followed the Java EE 5 tutorial at
http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxw.html#bnbyi

and then I got the client.cer file.

How do I use this file to achieve "mutual authentication"?

thank you.
mojo lai
Greenhorn

Joined: Sep 09, 2007
Posts: 19
Hello,

If I want to set up mutual authentication by client-cert,

must I install the certificate in IE's certificate "Personal" tab?

Am I right?
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
If the client is using IE, then yes. Not everybody uses IE.


Nice to meet you.
mojo lai
Greenhorn

Joined: Sep 09, 2007
Posts: 19
Among Servlet, JSP, JAX-WS and EJB,

which components can use "client-cert" authentication?

Only JSP and Servlet, or all?

thank you.
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
Your question is a little difficult for me to answer, because it is so broad, but I'll try.

The APIs and technologies you mention allow for a variety of security possibilities. Also, the JAX-WS tools may be used for building pieces of client-side applications, or even stand-alone applications. For example, you can use the XML schema compiler to create Java classes that are used solely for processing an XML data file. For the most part, however, these are server-side tools and APIs.

There are two broad pieces of the security puzzle that are addressed in some way by all: message security and network connection security. I forget where, but somewhere in the Sun documentation is a nice matrix summarizing these.

The network connection security is what is provided by TLS/SSL, and for which the client certificates you have mentioned might be employed. TLS/SSL doesn't care about the content that goes over the connection. It only provides a secure pipe to transfer data between network peers. It will authenticate the server and optionally the client and then encrypt all the data sent. It is with client certificates that the client side of the connection is authenticated.

Message security is concerned with the contents of what is being sent, i.e. the "message". This involves the notions of a sender and a recipient, just like in e-mail. The sender applies security to the message, for example, encryption and digital signatures, and the result is a secured message. This secured message is then sent to the recipient, possibly over SSL or possibly not. It cannot be decrypted by anyone except the recipient. Message security functionality is provided by XML encryption and XML digital signature APIs and tools.

PS. The reference to the Sun docs I referred to above comes from the Sun Java Web Services Tutorial, which in turn is from Security Challenges, Threats, and Countermeasures
[ December 15, 2007: Message edited by: greg stark ]
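
For the non-browser case raised in the thread, here is a stand-alone Java client that authenticates itself over TLS with a client certificate. It is an added example, not code from any post above or from the Java EE tutorial. The three command-line arguments (client keystore, truststore, HTTPS URL), the `STORE_PASSWORD` environment variable and the single shared password are assumptions. The client keystore must contain the private key: an exported `client.cer` holds only the certificate, so a store built from it alone is rejected before connecting.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // True only if the store holds a private key; a store built by importing client.cer does not.
    static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isKeyEntry(alias)) return true;
        return false;
    }

    // Client identity comes from the key managers, server trust from the trust managers.
    static SSLContext mutualTlsContext(KeyStore keys, char[] keyPw, KeyStore trusted) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("STORE_PASSWORD"); // assumed variable name, shared by both stores
        if (args.length != 3 || pw == null) throw new IllegalArgumentException("usage: <keystore> <truststore> <url>, STORE_PASSWORD set");
        KeyStore keys = load(args[0], pw.toCharArray());
        if (!hasPrivateKey(keys)) throw new IllegalStateException("keystore has certificates but no private key");
        SSLContext ctx = mutualTlsContext(keys, pw.toCharArray(), load(args[1], pw.toCharArray()));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
        // Null here means the server never asked for, or the client never sent, a certificate.
        System.out.println("Client cert sent: " + (conn.getLocalCertificates() != null));
    }
}
```

If the last line prints `false` while the request still succeeds, the server is not enforcing client authentication on that URL.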
 