
Client certificate authentication

Deepak Bala
Bartender
Posts: 6663
How do I go about sending a client certificate from a Java program to a server? I know that I would have to set the following parameters in system properties:

1. Keystore
2. Keystore pass
3. Truststore
4. Truststore pass

Now how can I decide which certificate in my keystore to pass to the server? Should I set a parameter that will decide this, or will the SSL process automatically try to figure out which certificate to use to authenticate the client? I am not even sure if a certificate will automatically be used from my keystore, in which case I would make sure that my keystore has only one certificate. Or would I have to load the serializable X509Certificate and send it across somehow? Any suggestions would be great!
Deepak Bala
I figured this out a while back, so I am posting so others know the solution. The JVM looks for some system properties and an SSL provider to communicate over HTTPS. You need to provide the following in the system properties:

1. Keystore
2. Keystore pass
3. Truststore
4. Truststore pass

You can google and find out the keys for the properties. Then you set the SSL provider:

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

You then need to figure out what is happening behind the scenes when you open a URL connection to an HTTPS endpoint. If you are unable to communicate for some reason, the following things should be checked:

1. Do you trust the server certificate?
2. Does the server trust your certificate? (If you provide one to the server, it should be in the server's trust store.)
3. Is the JVM able to find your trust store and keystore?
4. Is the operation timing out?

You can find the answers by turning JSSE debugging on. The following parameter will reveal all possible debugging options.

-Djava.security.debug=help

The program would quit with an output like the following



Choose the debugging options you require like so:

java -Djavax.net.debug=SSL,handshake,data,trustmanager MyApp

More information here:

http://java.sun.com/products/jsse/doc/guide/API_users_guide.html

If you get errors like 'No SSL provider found' in spite of doing the things mentioned above, you should check the debug logs. For example, if the keystore is not found, the 'No SSL provider' error could be thrown.
 
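The following is an added example, not code from either post above. It shows both approaches to the question asked in this thread: setting the keystore/truststore system properties so the JVM picks a client certificate itself (what the answer describes), and building an SSLContext programmatically with a key manager that pins a specific keystore alias, which is how you decide which certificate is sent when the keystore holds more than one. The file paths, passwords, alias and URL are taken from the command line and are assumptions; the AliasKeyManager class is a hypothetical helper written for this example. Run with -Djavax.net.debug=ssl,handshake (as the post suggests) to watch the server's CertificateRequest and the client's Certificate message in the handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

public class ClientCertExample {

    // Approach 1 (what the answer above describes): publish the stores via system
    // properties and let the default SunJSSE key manager choose a client certificate.
    static void configureViaSystemProperties(String ksPath, String ksPass, String tsPath, String tsPass) {
        System.setProperty("javax.net.ssl.keyStore", ksPath);
        System.setProperty("javax.net.ssl.keyStorePassword", ksPass);
        System.setProperty("javax.net.ssl.trustStore", tsPath);
        System.setProperty("javax.net.ssl.trustStorePassword", tsPass);
    }

    // Approach 2: a key manager (hypothetical helper, not part of the JDK) that always
    // answers the server's CertificateRequest with one chosen keystore alias.
    static final class AliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        AliasKeyManager(X509KeyManager delegate, String alias) {
            // Fail early if the alias has no certificate chain: better than a silent handshake failure.
            if (delegate.getCertificateChain(alias) == null) {
                throw new IllegalArgumentException("alias not found in keystore: " + alias);
            }
            this.delegate = delegate;
            this.alias = alias;
        }

        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return alias; }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return alias; }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Build an SSLContext that trusts the given truststore and presents exactly one client certificate.
    static SSLContext buildContext(String ksPath, char[] ksPass, String tsPath, char[] tsPass, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(ksPath, ksPass), ksPass);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509KeyManager available");

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(tsPath, tsPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new AliasKeyManager(base, alias) }, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java ClientCertExample keystore.jks kspass truststore.jks tspass clientalias https://host/path
    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(args[0], args[1].toCharArray(), args[2], args[3].toCharArray(), args[4]);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[5]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Timeouts make check 4 in the post ("is the operation timing out?") fail fast and visibly.
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        System.out.println("HTTP " + conn.getResponseCode() + " using client alias " + args[4]);
    }
}
```

If the server rejects the handshake with a bad_certificate or handshake_failure alert, the debug output will show whether the chosen certificate was sent at all (check 2 above: the issuing CA must be in the server's trust store), while a failure to load either store surfaces as an exception from loadStore rather than the misleading 'No SSL provider' message mentioned in the post.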