Configuring client SSL authentication to connect to an external service
aniand Jan 6, 2013 5:44 AM
Hi
I am new to JBoss and I am trying to set up client SSL authentication, which is required by an external service that I need to connect to. My environment is JBoss 7.
The external service depends on client-server authentication. I have two certificates: one is installed in the Java truststore, this is the CA certificate used to trust the server. Additionally, I have a second certificate, which is the client's, used by the server to trust the client.
So if I do the following it will fail:
1. In the myService.properties file I have the following properties set:
    javax.net.ssl.trustStore=<path_to_jboss_home>/lib/security/cacerts
    javax.net.ssl.trustStorePassword=somepassword
    javax.net.ssl.keyStore=<somepath>/filename.p12
    javax.net.ssl.keyStorePassword=mypassword
    javax.net.ssl.keyStoreType=pkcs12
2. In the bean that calls the external service over HTTPS, the properties file is loaded on @PostConstruct:
    @PostConstruct
    public void initialize() {
        initProperties();
    }
3. The properties are removed when the bean is no longer used:
    @PreDestroy
    public void onDestroy() {
        removeSslProperties();
    }
I log the property values right before the request is sent to the server, so I can see they are set.
But I receive a server handshake failure. The problem is that the following properties were not picked up:
javax.net.ssl.keyStore=<somepath>/filename.p12
javax.net.ssl.keyStorePassword=mypassword
I am not sure when they need to be set, but I think that it is the JSSE class SSLSocketImpl or SSLContextFactory that needs to pick them up.
Here is the stack trace of the failure:
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) [jsse.jar:1.6]
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136) [jsse.jar:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1839) [jsse.jar:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1019) [jsse.jar:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203) [jsse.jar:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230) [jsse.jar:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214) [jsse.jar:1.6]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434) [jsse.jar:1.6]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) [jsse.jar:1.6]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133) [jsse.jar:1.6]
at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:88) [google-http-client-1.7.0-beta.jar:1.7.0-beta]
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:807) [google-http-client-1.7.0-beta.jar:1.7.0-beta]
at com.wimp.system.ejb.business.PlayServiceImplBean.playService(PlayServiceImplBean.java:52) [play-pl-ejb-1.1.0-SNAPSHOT.jar:]
... 122 more
Now if I move the properties to the standalone.xml everything works! So why can't I read the props on @PostConstruct in the bean? Why doesn't the Java socket level pick them up in this case? The problem with having the properties set in the standalone.xml is that they are shared among all other external services using HTTPS connections, and the client certificate is not supposed to be used for them. If there is a problem with the client certificate then all HTTPS connections will fail in the application server. It cannot be like this.
So, how can I configure this properly?
Regards,
Anita
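An added example, not from the original post, of the approach that avoids the shared-JVM problem described above: build a dedicated SSLContext from the PKCS12 client keystore and the CA truststore, and attach it only to the connection that needs it via setSSLSocketFactory. The javax.net.ssl.* system properties are read only when the JVM's default SSL context is first initialised, so setting them from @PostConstruct is unreliable once any other HTTPS call has already run. The class name, method names and the JKS type assumed for the cacerts truststore are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertHttps {

    // Loads a keystore of the given type (PKCS12 for the client cert, JKS assumed for cacerts).
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Builds an SSLContext that presents the client certificate and trusts only the CA
    // in the given truststore. Nothing here touches javax.net.ssl.* system properties,
    // so the rest of the application server keeps its default TLS configuration.
    public static SSLContext buildContext(String p12Path, char[] p12Password,
                                          String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(p12Path, "PKCS12", p12Password), p12Password);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStorePath, "JKS", trustStorePassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Applies the context to one connection only; other HTTPS connections in the JVM
    // still use HttpsURLConnection's default socket factory and never see the client cert.
    public static int call(SSLContext ctx, String serviceUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(serviceUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn.getResponseCode();
    }
}
```

The same SSLContext can be handed to whichever HTTP client library the bean uses, as long as it accepts an SSLSocketFactory, and a failure of the client certificate then affects only this one service.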