Two-way SSL and Web Start help neede - Weblogic

This is a discussion on Two-way SSL and Web Start help neede - Weblogic ; Using the examples from the OpenSSL book, I have created a rootCA, serverCA, server, and client cert utilizing openSSL. I have created a new trust and identity keystores containing only these certs. Additionally, I have created a .p12 version of ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Two-way SSL and Web Start help neede

  1. Two-way SSL and Web Start help neede

    Using the examples from the OpenSSL book, I have created a rootCA, serverCA, server, and client cert utilizing openSSL. I have created a new trust and identity keystores containing only these certs.

    Additionally, I have created a .p12 version of the client cert for importing into browsers (IE & Netscape).

    On my WLS 8.1 SP2 server, I have a web app which hosts my Web Start files. I'll call the jnlp file myClient.jnlp. Within the web.xml file, the "GET" command on the myClient.jnlp URL is protected with "CLIENT-CERT" and WLS is setup for two-way authentication.

    As long as I have imported my "client.p12" cert into my browser, when I type in the URL to my jnlp file, all goes well (far as SSL is concerned). Example https://hostname:7002/webApp/myClient.jnlp

    The SSL connection is made and the myClient.jnlp contents are streamed to the client (browser) which then inserts the contents into a local temp file. At this time, the browser kicks off java Web Start (javaws) with the local temp file as an argument.

    javaws then turns around and makes a call to the web app based on the codebase and href values in the jnlp files. In my case that will be the same URL I enterend in the browser. So the javaws process then tries to setup a two-way SSL connection to the WLS. Since javaws uses a different keystore than the browser, I get SSL handshake errors.

    My feable attempt to get around this was to import the rootCA and client certs (in pem format) into the cacerts keystore that is used by javaws. This seems to get me further down the road as the certificate received at the client (javaws) does "find" the trusted certificate. However, I still get "Required peer certificates not supplied by peer" on the WLS side. So it would indicate that javaws does not correctly reply with the client cert I imported into the cacert keystore.

    Has anyone been successful with getting WLS and javaws hooked up in a two-way SSL connection?

  2. Re: Two-way SSL and Web Start help neede

    Here is the output on the javaws side of the house:

    trustStore is: C:\j2sdk1.4.2_04\jre\lib\security\cacerts
    trustStore type is : jks
    init truststore

    ....snipping out all the well known trusted certs...

    adding as trusted cert:
    Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    Algorithm: RSA; Serial number: 0x0
    Valid from Wed May 26 16:38:59 EDT 2004 until Fri Jun 25 16:38:59 EDT 2004

    adding as trusted cert:
    Subject: CN=shell.zork.org, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    Algorithm: RSA; Serial number: 0x3
    Valid from Wed May 26 16:39:37 EDT 2004 until Fri Jun 25 16:39:37 EDT 2004

    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1069873789 bytes = { 220, 176, 55, 200, 10, 241, 5, 139,
    143, 112, 244, 141, 122, 219, 83, 93, 224, 139, 115, 186, 122, 165, 29, 237,
    230, 103, 167, 18 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
    SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    Thread-3, WRITE: TLSv1 Handshake, length = 73
    Thread-3, WRITE: SSLv2 client hello message, length = 98
    Thread-3, READ: TLSv1 Handshake, length = 58
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1069873790 bytes = { 153, 225, 151, 93, 168, 197, 61,
    107, 147, 81, 182, 171, 248, 7, 153, 255, 100, 213, 207, 47, 61, 230, 128,
    250, 251, 126, 104, 25 }
    Session ID: {226, 240, 20, 206, 151, 231, 195, 229, 182, 1, 167, 176, 92,
    94, 203, 32}
    Cipher Suite: SSL_RSA_WITH_DES_CBC_SHA
    Compression Method: 0
    ***
    %% Created: [Session-1, SSL_RSA_WITH_DES_CBC_SHA]
    ** SSL_RSA_WITH_DES_CBC_SHA
    Thread-3, READ: TLSv1 Handshake, length = 607
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
    6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
    Validity: [From: Wed May 26 16:38:59 EDT 2004,
    To: Fri Jun 25 16:38:59 EDT 2004]
    Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    SerialNumber: [ 00]

    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
    0010: 88 76 14 DA .v..
    ]
    ]

    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
    0010: 88 76 14 DA .v..
    ]

    [CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
    SerialNumber: [ 00]
    ]

    [3]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
    0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
    0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
    0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..

    ]
    ***
    Found trusted certificate:
    [
    [
    Version: V3
    Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
    6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
    Validity: [From: Wed May 26 16:38:59 EDT 2004,
    To: Fri Jun 25 16:38:59 EDT 2004]
    Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
    SerialNumber: [ 00]

    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
    0010: 88 76 14 DA .v..
    ]
    ]

    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
    0010: 88 76 14 DA .v..
    ]

    [CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
    SerialNumber: [ 00]
    ]

    [3]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
    0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
    0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
    0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..

    ]
    Thread-3, READ: TLSv1 Handshake, length = 220
    *** CertificateRequest
    Cert Types: RSA, DSS, Ephemeral DH (RSA sig),
    Cert Authorities:


    Thread-3, READ: TLSv1 Handshake, length = 4
    *** ServerHelloDone
    *** Certificate chain
    ***
    JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 113, 14, 220, 68, 152, 155, 224, 225, 130, 17, 42,
    207, 42, 15, 72, 179, 217, 93, 249, 50, 247, 245, 219, 75, 215, 107, 242, 89
    , 122, 202, 185, 50, 145, 242, 212, 173, 220, 70, 14, 140, 161, 44, 51, 111,
    199, 220 }
    Thread-3, WRITE: TLSv1 Handshake, length = 77
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 71 0E DC 44 98 9B E0 E1 82 11 2A CF 2A 0F ..q..D......*.*.
    0010: 48 B3 D9 5D F9 32 F7 F5 DB 4B D7 6B F2 59 7A CA H..].2...K.k.Yz.
    0020: B9 32 91 F2 D4 AD DC 46 0E 8C A1 2C 33 6F C7 DC .2.....F...,3o..
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 40 C5 FA 7D DC B0 37 C8 0A F1 05 8B 8F 70 F4 8D @.....7......p..
    0010: 7A DB 53 5D E0 8B 73 BA 7A A5 1D ED E6 67 A7 12 z.S]..s.z....g..
    Server Nonce:
    0000: 40 C5 FA 7E 99 E1 97 5D A8 C5 3D 6B 93 51 B6 AB @......]..=k.Q..
    0010: F8 07 99 FF 64 D5 CF 2F 3D E6 80 FA FB 7E 68 19 ....d../=.....h.
    Master Secret:
    0000: 07 2C 2B 1C 3F 9A 95 EC 42 DF B1 2A A9 8C D0 8D .,+.?...B..*....
    0010: 2B 37 05 42 1A 06 19 AF 3B 32 AC 6B C8 5C 85 0E +7.B....;2.k.\..
    0020: A4 E2 17 8B D7 DE F5 71 C6 30 E9 EA AC 21 45 E7 .......q.0...!E.
    Client MAC write Secret:
    0000: 59 0D 47 3B 35 D0 90 C1 70 4C 26 FD 8D 0D D6 15 Y.G;5...pL&.....
    0010: B4 84 DC C3 ....
    Server MAC write Secret:
    0000: 7A AE 70 A5 F7 5B 83 25 79 A9 BA 39 D6 72 B2 8E z.p..[.%y..9.r..
    0010: 94 44 3B 49 .D;I
    Client write key:
    0000: 7F 8A CB 24 6B C2 57 E3 ...$k.W.
    Server write key:
    0000: 8B 25 55 E4 12 53 99 F8 .%U..S..
    Client write IV:
    0000: 3B 71 0D BA B1 8B ED D3 ;q......
    Server write IV:
    0000: 06 7D 50 87 43 4B 3F 7F ..P.CK?.
    Thread-3, WRITE: TLSv1 Change Cipher Spec, length = 1
    JsseJCE: Using JSSE internal implementation for cipher DES/CBC/NoPadding
    *** Finished
    verify_data: { 237, 212, 23, 248, 241, 254, 232, 186, 121, 188, 103, 251 }
    ***
    Thread-3, WRITE: TLSv1 Handshake, length = 40
    waiting for close_notify or alert: state 1
    Exception while waiting for close java.net.SocketException: Software caused
    connection abort: recv failed
    Thread-3, handling exception: java.net.SocketException: Software caused
    connection abort: recv failed
    Thread-3, SEND TLSv1 ALERT: fatal, description = unexpected_message
    Thread-3, WRITE: TLSv1 Alert, length = 24
    Exception sending alert: java.net.SocketException: Software caused
    connection abort: socket write error
    Thread-3, called closeSocket()

    "P Hudgins" wrote in message news:40c62c56$1@mktnews1...



+ Reply to Thread