I have been unable to find a solution to this problem elsewhere so I am hoping someone here can provide some insight. My setup below:

keystore, myKeys.jks:

mine-private, 3/6/2014, PrivateKeyEntry
mine-trusted, 3/6/2014, trustedCertEntry

trust store, myTrust.jks:

trusted-cert-1, 3/6/2014, trustedCertEntry
trusted-cert-2, 3/6/2014, trustedCertEntry
mine-trusted, 3/6/2014, trustedCertEntry   <-- this is mine

What ends up happening is I get a message stating that my client has not been authenticated. Let me know if there is more information necessary.

Responses to questions:

First off: what classes/library are you using? Simply the default https in java?

Apache HTTP Client, code below:

HttpClient client = new HttpClient();
GetMethod method = new GetMethod("https://foo.bar.baz/rest");  
client.executeMethod(method);

Secondly: how exactly are you registering the keystore/truststore? You need a custom SSLContext for this.

Don't think so, but could be wrong

-Djavax.net.ssl.trustStore="path/to/myTrust.jks"
-Djavax.net.ssl.trustStorePassword="password"
-Djavax.net.ssl.keyStore="path/to/myKeys.jks"
-Djavax.net.ssl.keyStorePassword="password"
Woot4Moo
  • Have you checked (I don't know by heart) if the apache http client also uses these system properties? – nablex Mar 07 '14 at 12:54

2 Answers

First off: what classes/library are you using? Simply the default https in java?

Secondly: how exactly are you registering the keystore/truststore? You need a custom SSLContext for this.

Initial example:

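import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// keyStore and trustStore are already-loaded java.security.KeyStore instances; password is a char[]
SSLContext context = SSLContext.getInstance("TLS");
// Key managers supply the client certificate and its private key
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, password);

// Trust managers validate the server's certificate chain
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(trustStore);

context.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);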

Most libraries that I know support setting a custom SSLContext or SSLSocketFactory which can be obtained from the context.

nablex
  • move this to the comment section so you don't get blasted. But sure I will gladly provide that information – Woot4Moo Mar 07 '14 at 12:45
  • http://hc.apache.org/httpclient-3.x/sslguide.html per their tutorial that is all that is necessary. Unless they botched the docs. – Woot4Moo Mar 07 '14 at 12:54
  • On the page you linked I don't see (though I only quickly scanned) a reference to the system properties. What I did see was: Protocol myhttps = new Protocol("https", new MySSLSocketFactory(), 443); Note the custom socket factory. – nablex Mar 07 '14 at 12:57
  • PS: http client 3.x is really old. Consider updating. – nablex Mar 07 '14 at 12:57