
We are trying to access a RESTful web service resource hosted on an IIS server over the HTTPS protocol.

When we disable TWO WAY SSL Auth (server side validation of client certificate disabled) everything works fine.

When the IIS imposes TWO WAY SSL (server side validation of client certificate enabled) we are getting the below exception:

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.

We are using Java 1.8 update 102, IIS server 7.5 and TLS 1.2 for SSL.

For the detailed issue, please open the link below:

For details SSL Debug log, certificates, client program

It would be a great help if someone could help us.

Thanks!

pedrofb
user3436310
  • Please post your code here, not as a link – pedrofb Nov 07 '17 at 06:38
  • Thanks for your reply MLavoie. The thing is Stackoverflow has some limit for the content that we post. The link has all the required SSL debug logs, downloaded certificates and the client program code. – user3436310 Nov 07 '17 at 08:15
  • Your log is very extensive. I suggest posting the client code and comments here and linking only to the SSL debug log – pedrofb Nov 07 '17 at 21:18
  • See this _Warning: no suitable certificate found - continuing without client authentication_ Your server is sending a list of accepted CAs to request a client certificate, but your client does not find a suitable one. It seems your keystore has the correct certificate. Maybe it is a Java configuration issue. Ensure that your certificate is correct, for example by installing it in the browser and navigating to a protected resource – pedrofb Nov 07 '17 at 21:22
  • Please read this carefully: https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/client/HttpClientBuilder.html _System properties will be taken into account when configuring the default implementations when `useSystemProperties()` method is called prior to calling build()._ You did not call it. And review also https://issues.apache.org/jira/plugins/servlet/mobile#issue/HTTPCLIENT-1477 – pedrofb Nov 07 '17 at 21:36
  • Thanks a lot Pedrofb. The suggested solution is working fine. I am able to see in the SSL debug logs where Java is sending its certificate back to the server on the server's certificate request. Before, this part itself was not successful. I spent so many days searching for a solution to this. Thanks a lot again. – user3436310 Nov 09 '17 at 07:42
  • I'm glad. I posted a summary as an answer – pedrofb Nov 09 '17 at 08:21

1 Answer


See this warning in the SSL log:

no suitable certificate found - continuing without client authentication

Your server is sending a list of accepted CAs to request a client certificate, but your client does not find a suitable one. It seems your keystore has the correct certificate. Ensure that your certificate is correct, for example by installing it in the browser and navigating to a protected resource.

Maybe it is a configuration issue of your Java client. Please read the HttpClientBuilder documentation carefully:

System properties will be taken into account when configuring the default implementations when useSystemProperties() method is called prior to calling build().

You did not call useSystemProperties().

See also this bug report that might affect you https://issues.apache.org/jira/plugins/servlet/mobile#issue/HTTPCLIENT-1477

pedrofb
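The fix described in the answer above, as an added example that is not the asker's or the answerer's code: it first lists the private-key entries in the client keystore with their issuers (to compare against the CAs the server advertises), then builds the client with `useSystemProperties()` so the JSSE keystore properties are honoured. It assumes Apache HttpClient 4.x, a PKCS#12 keystore named `client.p12`, a password in the hypothetical environment variable `CLIENT_KS_PASS`, the placeholder URL `https://iis.example.internal/api/resource`, and a server certificate already trusted by the JVM trust store.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class MutualTlsClient {
    // Assumed values: replace with your own keystore and protected resource.
    static final String KEYSTORE = "client.p12";
    static final String URL = "https://iis.example.internal/api/resource";

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("CLIENT_KS_PASS"); // hypothetical variable name
        if (pass == null) throw new IllegalStateException("CLIENT_KS_PASS not set");

        // 1. Confirm the keystore holds a private-key entry and print its issuer.
        //    The client only answers the certificate request if a key entry
        //    chains to one of the CAs the server lists as acceptable.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, pass.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + " issued by " + c.getIssuerX500Principal());
            }
        }

        // 2. JSSE system properties naming the client identity. Set them before
        //    any TLS connection is made, because the default context is cached.
        System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStorePassword", pass);

        // 3. HttpClients.custom().build() alone does not read the properties
        //    above; useSystemProperties() makes the builder honour them.
        try (CloseableHttpClient client = HttpClients.custom().useSystemProperties().build();
             CloseableHttpResponse resp = client.execute(new HttpGet(URL))) {
            System.out.println(resp.getStatusLine());
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl,handshake` shows whether the client certificate chain is sent in response to the server's certificate request.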