1 Reply Latest reply on Jan 7, 2013 3:09 PM by yves.p

    Configuring client SSL authentication to connect to an external service

    aniand

      Hi

      I am new to JBoss and I am trying to set up client SSL authentication, which is required by an external service that I need to connect to. My environment is JBoss 7.

      The external service depends on client-server authentication. I have two certificates: one is installed in the Java truststore, this is the CA certificate used to trust the server. Additionally, I have a second certificate which is the client's, used by the server to trust the client.

       

      So if I do the following, it will fail:

      In the myService.properties file I have the following properties set

       

      1.

      javax.net.ssl.trustStore=<path_to_jboss_home>/lib/security/cacerts

      javax.net.ssl.trustStorePassword=somepassword

      javax.net.ssl.keyStore=<somepath>/filename.p12

      javax.net.ssl.keyStorePassword=mypassword

      javax.net.ssl.keyStoreType=pkcs12

       

      2.

      In the bean that calls the external service over HTTPS, the properties file is loaded in

          @PostConstruct
          public void initialize() {
              initProperties();
          }

      3. The properties are removed when the bean is no longer used.

          @PreDestroy
          public void onDestroy() {
              removeSslProperties();
          }

       

      I log the property values right before the request is sent to the server, so I can see they are set.

      But I receive a server handshake failure. The problem is that the following properties were not picked up:

       

      javax.net.ssl.keyStore=<somepath>/filename.p12

      javax.net.ssl.keyStorePassword=mypassword

       

      I am not sure when they need to be set, but I think that it is the JSSE class SSLSocketImpl or SSLContextFactory that needs to pick them up.

       

      Here is the stack trace of the failure

       

      Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

              at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1839) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1019) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214) [jsse.jar:1.6]

              at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434) [jsse.jar:1.6]

              at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) [jsse.jar:1.6]

              at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133) [jsse.jar:1.6]

              at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:88) [google-http-client-1.7.0-beta.jar:1.7.0-beta]

              at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:807) [google-http-client-1.7.0-beta.jar:1.7.0-beta]

              at com.wimp.system.ejb.business.PlayServiceImplBean.playService(PlayServiceImplBean.java:52) [play-pl-ejb-1.1.0-SNAPSHOT.jar:]

              ... 122 more

       

      Now if I move the properties to standalone.xml, everything works! So why can't I read the props on @PostConstruct in the bean? Why does the Java socket level not pick them up in this case? The problem with having the properties set in standalone.xml is that they are shared among all other external services using HTTPS connections, and the client certificate is not supposed to be used for them. If there is a problem with the client certificate, then all HTTPS connections in the application server will fail. It cannot be like this.

       

      So, how can I configure this properly?

       

      Regards,

      Anita
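Editor's note, as an added example that is not part of the original post or of any reply in this thread: the behaviour Anita describes is how JSSE works. The JVM-wide default SSLContext reads javax.net.ssl.keyStore, keyStorePassword, keyStoreType, trustStore and trustStorePassword once, when the default context is first initialised; in an application server that has usually already happened (the server itself, or another deployment, opened an HTTPS connection) long before an EJB's @PostConstruct runs, so properties set there are silently ignored. Putting them in standalone.xml makes them visible at JVM start, which is why that works, and also why every HTTPS client in the server then presents the same client certificate. It additionally leaves the keystore password readable by anything in the JVM that can call System.getProperties(). The scoped alternative is to build one SSLContext from the PKCS12 client keystore and the cacerts truststore, keep it in the bean, and hand its SSLSocketFactory to each HttpsURLConnection for that one service. The code below does exactly that; the class name, the command-line arguments and the file paths are illustrative, nothing in it comes from the JBoss project or the Google HTTP client, and it is written against Java 6 (no try-with-resources) to match the jsse.jar:1.6 shown in the stack trace.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper (not from the original post): builds an SSLContext that carries
 * the client certificate for ONE external service and applies it to a single
 * HttpsURLConnection. It never touches System properties and never calls
 * HttpsURLConnection.setDefaultSSLSocketFactory, so every other HTTPS client in the
 * same JVM keeps the JVM-wide defaults and the client key stays out of their handshakes.
 */
public final class ScopedClientCertHttps {

    private ScopedClientCertHttps() {}

    /** Loads a keystore of the given type from disk; try/finally instead of try-with-resources for Java 6. */
    static KeyStore loadKeyStore(String type, String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * Scoped equivalent of the javax.net.ssl.keyStore* / trustStore* properties from the post:
     * the PKCS12 file supplies the client certificate and key (KeyManager), the cacerts
     * file supplies the CA used to verify the server (TrustManager).
     */
    public static SSLContext buildClientCertContext(String clientP12Path, char[] clientP12Password,
                                                    String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore clientKeys = loadKeyStore("PKCS12", clientP12Path, clientP12Password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, clientP12Password);

        // cacerts is in the JVM's default keystore format (JKS on Java 6).
        KeyStore trusted = loadKeyStore(KeyStore.getDefaultType(), trustStorePath, trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens one connection that uses the scoped context; the caller does its normal request handling. */
    public static HttpsURLConnection openWithClientCert(SSLContext ctx, URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection factory: this is the line that replaces the system properties.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    /** Demo entry point; arguments are illustrative: client.p12 p12-password cacerts cacerts-password https-url */
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ScopedClientCertHttps <client.p12> <p12-password> <cacerts> <cacerts-password> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = buildClientCertContext(args[0], args[1].toCharArray(), args[2], args[3].toCharArray());
        HttpsURLConnection conn = openWithClientCert(ctx, new URL(args[4]));
        conn.setRequestMethod("GET");
        // getResponseCode() performs the handshake; a missing or rejected client cert surfaces here.
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

In the EJB from the post, buildClientCertContext would run once in @PostConstruct and the resulting SSLContext would be kept in a field, with no @PreDestroy cleanup of system properties needed because none are set. If the request has to keep going through google-http-client, check whether the 1.7.0-beta NetHttpTransport used in the stack trace can be built with a custom SSLSocketFactory; if it cannot, driving HttpsURLConnection directly as above is the reliable way to keep the client certificate scoped to this one service.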