RMI security with client authentication
Hy,
I'm trying to set a secure RMI application using JSSE and SSL.
I have succeeded in writing an application with client and server authentication using both an RMISSLServerSocketFactory and RMISSLClientSocketFactory and passing those factories to the server while exporting the remote object.
The problem is I had to set both server public and private keys and client public and private keys in the custom Socket Factories. This implies that those keys are on the server disk which is problematic for the client private key.
Is there a way of giving the client private key only when the Client want to contact the server and not when exporting the remote object?
(I tried to do that using -Djava.net.ssl.keyStore and -Djava.net.ssl.trustStore properties but it doesn't seem to work).
Thank you for your help
Even when I haven't wrote RMI over SSL code, I've done that using standard SSL client authentication between a client and a server.
In that context, I got the SSLSocketFactory by using a SSLContext initialized with the proper TrustManager and KeyManager classes.
But I guess you can start by specifying from the command line the system properties related to keystores and truststores:
-Djavax.net.ssl.keyStore=<your keystore pathname>
-Djavax.net.ssl.keyStorePassword=<your keystore password>
-Djavax.net.ssl.trustStore=<your truststore pathname>
-Djavax.net.ssl.trustStorePassword=<your truststore password>
You can also see the RMISSLClientSocketFactory and RMISSLServerSocketFactory provided in the /samples/rmi folder of the JSSE 1.0.3_01 distribution.
The client factory version uses the default socket factory provided by JSSE, so it can be configured from the properties above.
Hope this helps.
Similar Messages
-
Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1
Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
Now we have to configure the addtional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
JochenHi Colleagues,
following Steps still have to be done:
- Mapping public key to technical user at Java Stack
As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
- Be sure CA root certivicate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
- use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen -
I have written a console application to test the WASABi(AutoScaling Application Block) for my worker role running in azure. The worker role processes the messages in the queue and I want to scale-up based on the queue length. I have configured and set the
constraints and reactive rules properly. I get the following error when I run this application.
[BEGIN DATA]{}
DateTime=2013-12-11T21:30:02.5731267Z
Autoscaling General Verbose: 1002 : Rule match.
[BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","MatchingRules":[{"RuleName":"default","RuleDescription":"The default constraint rule","Targets":["AutoscalingWebRole","AutoscalingWorkerRole"]},{"RuleName":"ScaleUpOnHighWebRole","RuleDescription":"Scale
up the web role","Targets":[]},{"RuleName":"ScaleDownOnLowWebRole","RuleDescription":"Scale down the web role","Targets":[]},{"RuleName":"ScaleUpOnHighWorkerRole","RuleDescription":"Scale
up the worker role","Targets":[]},{"RuleName":"ScaleDownOnLowWorkerRole","RuleDescription":"Scale down the worker role","Targets":[]},{"RuleName":"ScaleUpOnQueueMessages","RuleDescription":"Scale
up the web role","Targets":[]},{"RuleName":"ScaleDownOnQueueMessages","RuleDescription":"Scale down the web role","Targets":[]}]}
DateTime=2013-12-11T21:31:03.7516260Z
Autoscaling General Warning: 1004 : Undefined target.
[BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","TargetName":"AutoscalingWebRole"}
DateTime=2013-12-11T21:31:03.7516260Z
Autoscaling Updates Verbose: 3001 : The current deployment configuration for a hosted service is about to be checked to determine if a change is required (for role scaling or changes to settings).
[BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","HostedServiceDetails":{"Subscription":"psicloud","HostedService":"rmsazure","DeploymentSlot":"Staging"},"ScaleRequests":{"AutoscalingWorkerRole":{"Min":1,"Max":2,"AbsoluteDelta":0,"RelativeDelta":0,"MatchingRules":"default"}},"SettingChangeRequests":{}}
DateTime=2013-12-11T21:31:03.7516260Z
Autoscaling Updates Error: 3010 : Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClientException: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure'
in subscription id 'af1e96ad-43aa-4d05-b3f1-0c9d752e6cbb' and deployment slot 'Staging'. ---> System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException:
The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
If anyone know why I am getting this anonymous access violation error. My webrole is secured site but worker role not.
I appreciate any help.
Thanks,
ravi
Hello,
>>: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure' in subscription id **************
Base on error message, I guess your azure service didn't get your certificate and other instances didn't have certificate to auto scale. Please check your upload the certificate on your portal management. Also, you could refer to same thread via link(
http://stackoverflow.com/questions/12843401/azure-autoscaling-block-cannot-find-certificate ).
Hope it helps.
Any question or result, please let me know.
Thanks
Regards,
Will
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
HTTPS with Client Authentication not available in EHP1?
Hi Guys,
I am not seeing this option in PI 7.1 EHP1.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
any help would be appreciated
Thanks,
SriniHi Srinivas,
I didnot use it personally. But when I see on SAP help I dont see that option anywhere. Please see this sap help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
But you have an option sender agreeement for security. Please see this help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
Regards,
---Satish -
HTTPS with Client Authentication in SOAP sender Adapter
Hi All,
In SOAP Sender communication channel. When I generate WSDL with HTTP Security Level = HTTP: it works when third party tries to send data to XIwebservice.
But when I tried with HTTPS with Client Authentication option its giving error
InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.
Please guide how to use HTTPS with Client Authentication option, and what all configuration need to apply in XI & in third party to use this.
RegardsRohan,
With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
Regards
Ravi Raman -
HTTPS With Client Authentication
Hi,
I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
java.security.AccessControlException: client certificate required
In the the transaction scim the following can be seen:
[Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5061] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5061] out: sssl_hdl = 1117534b0
[Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] in: sssl_hdl = 1117534b0
[Thr 5061] in: cred_hdl = 116cfc110
[Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
[Thr 5061] SSL NI-sock: local=XX.XX.XX.XX:50001 peer=XX.XX.XX.XX:2310
[Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
[Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] status = "resumed SSL session, NO client cert"
The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
Sender Communication Channel,
Transport Protocol: HTTP,
Message Protocol: Soap 1.1,
Adapter Engine: Central Adepter Engine,
HTTPS with Client Authentication,
Keep Headers
Any ideas?
Kind regards,
JohnHi Peter,
If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
All the best,
John -
SOAP sender adapter with client authentication
Hi,
Can you please tell me the steps to be followed to configure SOAP sender adpater for HTTPS with client authentication.
ThanksHello,
Check out this SAP NOTE
[Note 891877 - Message-specific configuration of HTTP-Security|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=891877]
Check out below blog for step by step process.
/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
Hope this will help.
Nilesh
Edited by: Nilesh Kshirsagar on May 28, 2009 11:31 AM -
SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config
Hi All,
I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs. Double authentication (client- server) sertificate shall be used.
Testing simple HTTP and XI user name/password works fine.
Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
I also doesn't know how to disable asking for name/password. I am using XI 7.0.
Please advise.
Thanks,
NataliyaHi Nataliya,
Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify option "HTTP with Client Authentication.
One more thing HTTP Security level option is always available in Sender Adapter.
For more clarity about HTTPS find below link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
security. Then go to sender agreement there you need to give key store entry. -
We are getting an error on the authentication piece when trying to submit a file to the OfficialFile.asmx web service to submit a document to the Drop-Off Library. Here is the code snippet -
public string FileUpload(HttpPostedFile FileInput, RecordsRepositoryProperty[] properties)
string strFileUrl = string.Empty;
RecordsRepositorySoapClient repository = new RecordsRepositorySoapClient();
BinaryReader b = new BinaryReader(FileInput.InputStream);
byte[] binData = b.ReadBytes(FileInput.ContentLength);
repository.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential(iUserID, iUserPassword, iUserDomain);
repository.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
repository.SubmitFile(binData, properties, null, FileInput.FileName, HttpContext.Current.User.Identity.Name);
strFileUrl = repository.GetFinalRoutingDestinationFolderUrl(properties, null, FileInput.FileName).Url;
return strFileUrl;
Although we are setting the network credential in the client call we still get the error
- The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
Ideas?
Thanks in advance.Hi,
Based on the error message, the issue is related to the authentication type.
I suggest you can specify the credential type like the below:
CredentialCache credentialCache = new CredentialCache();
NetworkCredential credentials = new NetworkCredential(UserName, PassWord, sDomain);
credentialCache.Add(new Uri(recordCenterUrl), "NTLM", credentials);
Here is a detailed code demo for your reference:
http://blogs.msdn.com/b/mcsnoiwb/archive/2011/06/06/sending-files-to-a-record-center-using-the-sp2010-webservice-officialfile-asmx.aspx
Best Regards
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Jerry Guo
TechNet Community Support -
HTTP request was forbidden with client authentication scheme 'anonymous'
Hi,
We have updated our support Package for version BPC NW 10.0 release 801 from 0002 to 0005.
After the update we are not being to access the server folders in EPM Add-in.
We have the following error "HTTP request was forbidden with client authentication scheme 'anonymous'". Nevertheless we only can't access to the content of folders that are not public or local.
In SLG1 log, we have the error " Access not granted, You are not the member of team: BUSINESS ADMIN". This is not true because the user has SAP_ALL in BW and is a primary administrator in BPC. The data access profile associated is the administrator member access profile.
Has anybody seen this error?
Best regards,
JAHi Nilanjan,
We are able to log in into EPM Add-in.
We have the error when we try to open input forms or reports from server, but only from some folders.
When we select the folder we have the error.
For example we can see the content from:
WEBEXCEL\REPORTLIBRARY\
ADMIN\WEBEXCEL\TEAMREPORTLIBRARY\
But we can't see the content from:
BUSINESS ADMIN\WEBEXCEL\TEAMREPORTLIBRARY\
TEAM FI\WEBEXCEL\TEAMREPORTLIBRARY\
The user has administrator member access profile ans is included in all teams (ADMIN, BUSINESS ADMIN and TEAM FI)
We really can't see what could be the problem
Hope you can help us.
regards,
JA -
KDC identifying both with client authentication
hi everybody
i am using a client authentication certificate template's ,
and i also want to use a KDC identifying both with client authentication
looking for this configure specified
thank you
Marv KikovanovichHey Marv
Thanks for posting ,
You've need to add another Application Policy: "KDC Authentication" on client
certificate template.
Certification Authority\Certificate Templates\Manage
properties the client certificate template - extensions TAB
Edit Application Polices , and Add the "KDC Authentication" Policy.
Good Luck.
I'd be glad to answer any question -
Hi,
Some users in my company are experiencing a strange issue when connecting to our MDS server using the MDS Excel plugin. They receive the error message:
"The HTTP Request is unauthorized with client authentication scheme negotiate. The authentication header received from the server was "NTLM,BASIC real="DOMAIN NAME IWA"
They are receiving this error when first trying to connect. For some reason they only receive this error when connected to the work network via the VPN. They don't receive this error from within our network.
Does anyone know what might be causing this issue and how to resolve?
Many Thanks,
PhilTry the following links and see if it helps:
https://support.microsoft.com/en-us/kb/896861/
https://social.technet.microsoft.com/Forums/projectserver/en-US/912c7179-8858-4c48-a71d-d9a21ff10a1b/the-http-request-is-unauthorized-with-client-authentication-scheme-ntlm-the-authentication?forum=project2010custprog
-Nithesh Shetty Software Engineer, C & E -> IMML -> MDS, Microsoft. -
when i connect to wcf service , i am getting the client authentication error.
It happens only when i connect to wcf service from a client machine (virtual machine) that is logged in with local user account.
Wcf service is hosted as windows service in my case.
Client application is a windows application that connects using below security mode.
BasicHttpBinding httpbind = new BasicHttpBinding();
httpbind.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
httpbind.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
httpFactory.Credentials.Windows.AllowedImpersonationLevel
= System.Security.Principal.TokenImpersonationLevel.Impersonation;
Please help me with a solution.
As i read more through below link , i doubt if the client is not in the same domain, it might not work ? is it rite.
http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx
Regards Battechhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Well, you need to figure out what the authentication is supposed to be bettwen the WCF client and WCF service, because Windows Authentication is being rejected. -
Handshake failure with client authentication
Hi,
I am using the JDK1.4 beta 3 to accomplish the following: I want to request an HTML page on an Apache webserver configured with SSL and client-authentication. It works with Netscape and Internet Explorer (and also with the openssl s_client test program)...
But now I want to try it using Java... So, I wrote a very simple program based on some examples found on this forum... But i keep getting the following error (excerpt from the javax.net.debug=all command)
As you can see the server request a client certificate that's issued by the certificate authority mentioned...
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<[email protected], CN=Andy Zaidman, OU=stage, O=Kava's Certif
icate Authority, L=Antwerp, ST=Antwerp, C=BE>
[read] MD5 and SHA1 hashes: len = 180
0000: 0D 00 00 B0 02 01 02 00 AB 00 A9 30 81 A6 31 0B ...........0..1.
0010: 30 09 06 03 55 04 06 13 02 42 45 31 10 30 0E 06 0...U....BE1.0..
0020: 03 55 04 08 13 07 41 6E 74 77 65 72 70 31 10 30 .U....Antwerp1.0
0030: 0E 06 03 55 04 07 13 07 41 6E 74 77 65 72 70 31 ...U....Antwerp1
0040: 25 30 23 06 03 55 04 0A 13 1C 4B 61 76 61 27 73 %0#..U....Kava's
0050: 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 Certificate Aut
0060: 68 6F 72 69 74 79 31 0E 30 0C 06 03 55 04 0B 13 hority1.0...U...
0070: 05 73 74 61 67 65 31 15 30 13 06 03 55 04 03 13 .stage1.0...U...
0080: 0C 41 6E 64 79 20 5A 61 69 64 6D 61 6E 31 25 30 .Andy Zaidman1%0
0090: 23 06 09 2A 86 48 86 F7 0D 01 09 01 16 16 41 6E #..*.H........An
00A0: 64 79 2E 5A 61 69 64 6D 61 6E 40 75 69 61 2E 61 [email protected]
00B0: 63 2E 62 65 c.be
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
Random Secret: { 3, 1, 38, 54, 219, 158, 32, 158, 155, 15, 55, 137, 216, 164, 4
5, 65, 153, 142, 200, 98, 57, 251, 55, 6, 46, 124, 181, 161, 164, 234, 218, 75,
195, 72, 218, 187, 182, 197, 4, 11, 249, 45, 3, 136, 207, 114, 236, 172 }
[write] MD5 and SHA1 hashes: len = 141
0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 64 92 2E .............d..
0010: 42 2C A5 79 1D 2B A9 A5 D0 46 2A 1F 67 F3 49 28 B,.y.+...F*.g.I(
0020: E0 ED 1D 85 E3 06 22 49 8A 79 02 48 E2 DD E6 75 ......"I.y.H...u
0030: F3 C0 D3 A8 31 C0 18 94 7C 81 24 75 6A A1 0C 4F ....1.....$uj..O
0040: 99 03 66 B8 37 4F 05 0D 5D CD F2 A0 10 F5 D5 F5 ..f.7O..].......
0050: 50 66 49 91 CA C0 18 F1 07 E9 70 D0 CB EA 70 D3 PfI.......p...p.
0060: 8E 13 55 E7 43 BD 94 1C D3 96 1F E9 67 93 57 62 ..U.C.......g.Wb
0070: 91 5C E6 ED B1 75 9C A8 55 B7 50 DE CE 9B 1C EE .\...u..U.P.....
0080: 57 62 20 9C F3 11 36 68 7A 38 62 79 D1 Wb ...6hz8by.
main, WRITE: SSL v3.1 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 26 36 DB 9E 20 9E 9B 0F 37 89 D8 A4 2D 41 ..&6.. ...7...-A
0010: 99 8E C8 62 39 FB 37 06 2E 7C B5 A1 A4 EA DA 4B ...b9.7........K
0020: C3 48 DA BB B6 C5 04 0B F9 2D 03 88 CF 72 EC AC .H.......-...r..
CONNECTION KEYGEN:
Client Nonce:
0000: 3B E9 51 EF F3 13 65 11 4E D6 B7 B1 9F E8 F6 CB ;.Q...e.N.......
0010: B5 2B 34 8F 87 53 66 61 33 BF 5A AD 7D 22 57 7D .+4..Sfa3.Z.."W.
Server Nonce:
0000: 3B E9 53 4E 03 37 E9 CD E8 DB 7C 54 9A 9E 53 B9 ;.SN.7.....T..S.
0010: 78 E0 36 DF 06 17 07 90 2C D1 83 5E 20 05 DC E9 x.6.....,..^ ...
Master Secret:
0000: B5 A0 37 0A 2C 29 AD AC 99 B6 2F E0 4D 80 38 68 ..7.,)..../.M.8h
0010: F7 4F 24 C4 AA 8C ED 25 A9 D6 90 33 4B 5A 0B 1D .O$....%...3KZ..
0020: 11 A5 C9 E8 DB DE EF 9B 8D EB 7C 84 D6 AC 94 4F ...............O
Client MAC write Secret:
0000: F5 AF 61 5B B4 C2 A8 12 DA 7A FE A6 82 79 7F FC ..a[.....z...y..
0010: B9 86 B2 C0 ....
Server MAC write Secret:
0000: 62 22 C6 39 91 E4 45 50 2A 49 E0 26 CF 16 3E 6A b".9..EP*I.&..>j
0010: 46 19 00 D9 F...
Client write key:
0000: D9 D2 99 89 5C CA 2E 7D F3 B8 52 24 9E 01 9B 3B ....\.....R$...;
Server write key:
0000: 37 C3 37 78 8B 85 B0 FE 01 83 E2 6C F7 C6 73 33 7.7x.......l..s3
... no IV for cipher
main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished, v3.1
verify_data: { 51, 236, 194, 3, 230, 37, 147, 76, 251, 233, 132, 207 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
Plaintext before ENCRYPTION: len = 36
0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
0010: 64 30 E3 0B 31 CF 7D C7 D6 17 D8 FB 31 23 F9 34 d0..1.......1#.4
0020: 5D B9 47 F9 ].G.
main, WRITE: SSL v3.1 Handshake, length = 36
main, READ: SSL v3.1 Alert, length = 2
main, RECV SSLv3 ALERT: fatal, handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:61)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at HttpClient.main(HttpClient.java:105)
Now, I am sure the certificate is in the keystore, because one of the first things I do in the program is print the certificates available in the keystore...
Does anyone know what I'm doing wrong? If you need the code to make a proper judgement, I will post it...
Tnx in advance!
Greetz,
Andy Zaidman
[email protected]import java.net.*;
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
import java.util.*;
public class HttpClient
public HttpClient(){}
public static void main (String args[])
try
//This is my server certificate - public key
String serverCertificateFile = "MyCA.cer";
//This is my client personal certificate
String clientCertificateFile = "MyPersonal.pfx";
CertificateFactory cf = CertificateFactory.getInstance("X.509");
KeyStore ks = KeyStore.getInstance("JKS");
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SUNX509");
ks.load(null, null);
java.security.cert.X509Certificate the_cert = (java.security.cert.X509Certificate) cf.generateCertificate(new FileInputStream(serverCertificateFile));
ks.setCertificateEntry("server", the_cert);
tmf.init(ks);
for (Enumeration e = ks.aliases() ; e.hasMoreElements() ;)
System.out.println(ks.getCertificate(e.nextElement().toString()).toString());
KeyStore ks2 = KeyStore.getInstance("PKCS12", "SunJSSE");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SUNX509");
ks2.load(null, null);
FileInputStream fin = new FileInputStream(clientCertificateFile);
ks2.load(fin, "xxx".toCharArray());
kmf.init(ks2, "xxx".toCharArray());
fin.close();
for (Enumeration e = ks2.aliases() ; e.hasMoreElements() ;)
System.out.println(ks2.getCertificate(e.nextElement().toString()).toString());
SSLContext ctx = SSLContext.getInstance("SSLv3");
KeyManager[] km = kmf.getKeyManagers();
for(int i = 0; i < km.length; ++i)
System.out.println(km);
TrustManager[] tm = tmf.getTrustManagers();
ctx.init(km, tm, null);
// connection part
SSLSocketFactory factory = ctx.getSocketFactory();
SSLSocket socket = (SSLSocket)factory.createSocket("localhost", 443);
for(int i = 0; i < socket.getEnabledCipherSuites().length; ++i)
System.out.println(socket.getEnabledCipherSuites()[i]);
socket.startHandshake();
PrintWriter out = new PrintWriter(
new BufferedWriter(
new OutputStreamWriter(
socket.getOutputStream())));
out.println("GET " + "/" + " HTTP/1.1");
out.println();
out.flush();
catch(Exception e)
e.printStackTrace(); -
ACE end-to-end SSL with Client Authentication
we have a need to perform an end-to-end SSL with the ACE doing client authentication. Is there a mechanism to allow the ACE to inspect certain fields in the user certificate? All I see are checks for signature, validity, expiration, etc. Nothing that would allow me to inspect a user cert field such as "OU" and take an action based on content of the field.
any ideas? thanks
Bob Overberg
RABA Technologies
SRA International, Inc.Thanks for the quick response. Is there another Cisco device that does have those capabilities?
thanks.
Bob O.
Maybe you are looking for
-
Replenishment in SAP Retail - Article with multiple UOM/EAN
Dear all, I am using SAP Retail. I have an article with multiple unit of measurement as well as multiple EAN. A good example of this article will be canned soft drinks. It comes in pack size of each, 6, 12, 24. I have only one article number for this
-
Adobe Reader: No zoom out in landscape mode...
I have a drawing/plan for a buiding in A3 size, pdf format. When I open the file in landscape orientation. The page fills up the width of the screen and I need go scroll to see the full drawing. I can zoom in, but not zoom out. Meanwhile, in portrait
-
Images with negative pixels value
Consider a simple black (0) and white (255) image composed by 3 vertical bands : the first is white, the second is black and the third is white. Image size is W columns by H lines. Band width is W1, W2, W3 for bands 1, 2 and 3 respectively (W1+W2+W3=
-
Anybody installed the PDK Scheduler example? I can render the pages, however when I try to add an event, no matter what I do with the dates I get an error dialogue stating that I have a dating problem!!!! I have not had a dating problem since I got m
-
I'm using Essbase 6.2I have the following two dimensions:Year: 2002, 2003, 2004, 2005 etc.Issue Year: "Issue Year 2002", "Issue Year 2003", "Issue Year 2004", etc.I want to calculate all the combinations where the Issue Year matches the real Year. Ho