Enable SSL using PKCS12 - Call https url in Java 1.7

Selvameena Dhandapani
Greenhorn
Hello,

I have been going through the forums and read many questions on this topic, but still I couldn't find the answer. Hence I am creating a new thread. I have generated a self-signed certificate using openssl, and created a .pfx file from the .crt and .key files. In tomcat server.xml (version 1.7.42) I forced SSLVerifyClient="require" as below.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" SSLVerifyClient="require"
               SSLCertificateFile="C:/domaind7wtde.crt" SSLCertificateKeyFile="C:/domain.key"
               SSLPassword="d7wtde2-dctm" clientAuth="false" sslProtocol="all"/>


Then I used the Java code below to call an https URL:

But I kept getting

... no IV derived for this protocol
*** CertificateVerify
java.net.SocketException: Software caused connection abort: socket write error

Please could someone help me in identifying what I am missing here? The certificate has been imported into cacerts, and I can view it when I list the certs using keytool. And I installed the certificate on both the server and client machines, under Trusted Root certificates.

Any help/advice would be much appreciated.

Thanks

 
Tim Holloway
Bartender
The SSLCertificate and Key files are only applicable when using the APR protocol. Normal SSL communication with a Tomcat server would simply use a keystore.

On the client side, you wouldn't use a keystore unless you are using a client-side certificate for authentication. Otherwise, it's enough to simply use an HttpURLConnection with an "https:" protocol URL. The JVM maintains a trusted certificate chain internally for public certs. I think there's an option to accept self-signed server certificates. Obviously not as secure, but if security is an issue, get a public cert. You can get one for free from LetsEncrypt (although it expires every couple of months).
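To make the two client-side cases in the reply above concrete, here is an added example (my own illustration, not code from this thread or from Tomcat) of a Java 7 client: one SSLContext that only verifies the server against a truststore, and one that additionally presents the client certificate from a PKCS12 file, which is what SSLVerifyClient="require" on the server demands. The file paths, passwords and URL are placeholders you would substitute; the truststore is assumed to be a JKS file holding the server's self-signed certificate (cacerts works too, since the poster imported it there). Hostname verification is left switched on, so the certificate's CN or SAN must match the host in the URL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TlsClientExample {

    // Loads a keystore of any supported type ("PKCS12" for a .pfx/.p12, "JKS" for a truststore).
    private static KeyStore loadKeyStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Trust managers built from an explicit truststore, so only certificates in that
    // file (e.g. the imported self-signed server cert) are accepted; nothing is blindly trusted.
    private static TrustManagerFactory trustManagers(String truststorePath, char[] truststorePassword)
            throws Exception {
        KeyStore trusted = loadKeyStore("JKS", truststorePath, truststorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        return tmf;
    }

    // Case 1: server authentication only. No key managers, so no client certificate is sent.
    // This is enough when the Connector does not require a client cert.
    public static SSLContext serverAuthOnlyContext(String truststorePath, char[] truststorePassword)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagers(truststorePath, truststorePassword).getTrustManagers(), null);
        return ctx;
    }

    // Case 2: mutual TLS. The PKCS12 file must contain the client's private key and its
    // certificate chain; on Java 7 the key password must equal the PKCS12 store password.
    public static SSLContext mutualTlsContext(String pkcs12Path, char[] pkcs12Password,
                                              String truststorePath, char[] truststorePassword)
            throws Exception {
        KeyStore clientKeys = loadKeyStore("PKCS12", pkcs12Path, pkcs12Password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, pkcs12Password);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(),
                 trustManagers(truststorePath, truststorePassword).getTrustManagers(),
                 null);
        return ctx;
    }

    // Performs a GET over the given context and returns the HTTP status code.
    // A handshake failure surfaces here as an SSLHandshakeException rather than a status.
    public static int get(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and URL; replace with your own.
        String truststore = "C:/truststore.jks";
        char[] truststorePw = "changeit".toCharArray();

        SSLContext mutual = mutualTlsContext("C:/client.p12", "changeit".toCharArray(),
                                             truststore, truststorePw);
        System.out.println("status (client cert sent): "
                + get("https://localhost:8443/", mutual));
    }
}
```

Running the client with -Djavax.net.debug=ssl prints the handshake trace (the "*** CertificateVerify" line in the original post comes from that output), which shows whether a client certificate was actually selected from the PKCS12 file; an empty certificate message from the client is the usual reason a SSLVerifyClient="require" connector drops the connection.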
 
Selvameena Dhandapani
Greenhorn
Sorry I should have said before. I'm using APR protocol.
 
Selvameena Dhandapani
Greenhorn
And, I'm using client side authentication. It's a self signed certificate that's installed in server, and sending the same with the request from client.
 
Tim Holloway
Bartender
Your Connector element does not specify the APR protocol. Also, I think you are confused on how the certs are supposed to work. Each client should have a unique certificate. That certificate pairs with a key (not cert) on the server.

Actually, client-side certs are very rarely used. They're tied to the machine that they are installed on, which means that the user of that machine is out of luck if the machine breaks down. If the machine is stolen, then whoever steals the machine has unfettered access to the server. And finally, unless there is also a traditional login, the user cannot use any other general-purpose machine to connect to the server as a substitute for the original client machine if they need to log in from an alternate location or swap out to a temporary machine.

Also, unless I'm mistaken, the client cert doesn't merely assure secure transport, it contains the client identity (login ID). So anyone who has access to that machine will appear to be that user. Which tends to annoy security auditors.

So the best use for a client-side cert is on one of those movie-style terminals sitting all alone locked in a stainless-steel vault deep underground. Or at least for something like a military control center where the identity of the specific person on duty isn't what's important, just the authenticity of the request source.
 