Re: ibm jsse ssl and client authentication
javerra wrote:
if you are indeed getting an HTTP Response Code of 403, then you have
already made the connection and successfully sent your HTTP Request.
That might mean that some other required authentication has failed.

myConnection.getResponseCode(); does in fact return 403

right, but is that indeed what the server is sending?

IOW, I don't know if we can trust Java and maybe it gets a TCP error
and tells you that it's a 403 HTTP code.

Just as, IIRC, it treats a 4xx response code as if it were an I/O
exception.


If client cert auth fails, then the server drops the connection and you
wouldn't get to the point of receiving an HTTP response.

If I understand what you're saying then the certificate was in fact
sent from my app and authentication failed elsewhere. But, I receive a
403 response if I don't have the cert installed in my browser.

Well then, that might be server specific behavior. Things aren't
standardized. IIRC, on failed client cert auth, Firefox--> Tomcat gives
a tcp error of something like 100257, while with IE--> Tomcat, you just
get the dropped connection.

(A wrinkle is that Tomcat only accepts X509, not PKCS12.)

I can sympathize that most of what is happening is unseen by you. Maybe
you can try experimenting locally. Stunnel gives good logging on
connection attempts and you can set up server sockets with it. You can
now also get pre-compiled OpenSSL for Windows. I can look that URL up
if you need it.


Seems
like I get that error only when the cert is missing. Is my thinking on
setting the default keystore within the servlet correct or is there a
default store that JSSE is using... like cacerts?

In the URL that I gave previously, there's a reference to seemingly
IBM specific client-side properties:
* com.ibm.CSI.performTransportAssocSSLTLSRequired (true or false)
* com.ibm.CSI.performTransportAssocSSLTLSSupported (true or false)

Maybe that's the key. Since (if I'm reading you correctly) your servlet
is really the client, then the properties and keys you want to use are
part of the server's JVM, not the servlet engine.

I've tried placing
the key in cacerts and that doesn't help either..

yes, I'd think that the cacerts file is only for the Certificate
Authority certs

Seems like this
should be a very straightforward task; I'm just struggling horribly with
finding the solution.

Thanks again.
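The thread draws two distinctions worth seeing in code: the keystore that holds the client's own key and certificate is separate from the truststore (cacerts) that holds CA certificates, and a failed client-certificate handshake looks different from an HTTP 403 that arrives after the handshake succeeded. The following is an added example, not code from the original thread or from IBM's JSSE; the file paths, passwords and URL are placeholders, and the two stores are loaded explicitly rather than via the standard javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties (which would have to be set on the JVM that runs the servlet container, since a servlet acting as the client uses that JVM's JSSE configuration).

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;

public class ClientCertCheck {

    // Build an SSLContext from two separate stores:
    //  - the client's own private key + certificate (PKCS12 file, placeholder path)
    //  - the CA trust store (the JVM's cacerts), which only needs CA certificates
    static SSLContext buildContext(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass)
            throws Exception {
        KeyStore clientKs = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            clientKs.load(in, keyStorePass);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyStorePass);   // supplies the client certificate during the handshake

        KeyStore trustKs = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustKs.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);                  // decides whether the server's certificate is trusted

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Connect once and report which layer produced the outcome.
    // getResponseCode() returns 4xx codes normally; only getInputStream() would throw on them.
    static String probe(String url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            int code = conn.getResponseCode();
            if (code == 403) {
                // The handshake (including any client cert exchange) completed and the
                // request was delivered; the server made an authorization decision.
                return "HTTP 403 after a successful TLS handshake: not a certificate failure";
            }
            return "HTTP " + code + " after a successful TLS handshake";
        } catch (SSLHandshakeException e) {
            // Rejected or missing client certificate, untrusted server certificate, etc.
            return "TLS handshake failed: " + e.getMessage();
        } catch (IOException e) {
            // Connection dropped before any HTTP response was read.
            return "No HTTP response, connection error: " + e.getMessage();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths/passwords; "changeit" is the JDK's default cacerts password.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        SSLContext ctx = buildContext("client.p12", "changeit".toCharArray(),
                                      cacerts, "changeit".toCharArray());
        System.out.println(probe("https://example.invalid/protected/", ctx));
    }
}
```

Running this against the real endpoint separates the two cases the thread is circling: an SSLHandshakeException (or a connection dropped with no response) means the server never accepted the client certificate, while a clean 403 means the certificate step passed and something else on the server refused the request. Putting the client certificate into cacerts does not change the first case, because that store is only consulted to validate the server's certificate chain.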
