Applet won't get client certificate from browser

Hi,
We have an applet that runs fine as long as we don't have the web server require a client certificate. This applet runs inside a protected Intranet with a standard client JRE version 1.4.2. The rules of the intranet state that client certificates are required. So we registered our certificates with the JRE plug-in in the browser and NaDa...
I have read all sorts of things out there on the web that says the end user must register a personal Keystore and then we must code the applet to look into the end user's keystore for the certificate and the user must type in their personal password for the keystore into some sort of a form for the applet to read the keystore certificate.
This sounds illogical and I strongly suspect that I am mis-interpreting what is being said...
Can anyone help me understand what I am missing? (or perhaps point to a tutorial that has some better info in it...) I have looked at the Sun Java tutorial for applets and didn't see any specific info regarding this type of problem/solution.
Thanks for any pointers or suggestions you might have.
JpGuy

Similar Messages

  • Applet does not get client certificate from browser (Firefox, IE7)

    I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
    Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
    All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
    Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
    I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
    I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
    So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
    1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
    2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
    BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
    Thanks all.

    > My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned isn't an issue
    --- I just wanted you to make sure the Applet runs because it is a known valid Java2 Applet that is 100% signed properly and verified to run. This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid it is not relevant to your issue.
    > due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
    > I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I did was:
    If that is true we are all dead :) No I think you just missed the cert in the IE database. It doesn't have to be in the Applet database to function. Surprise!
    Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
    > I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), then your server isn't requiring client authentication, either accidentally or by design.
    No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
    If you click on a component in the view and then on the view and type "dumpgobs" it should write out some data about the current graphics objects so you can see it has complete read/write access.
    Further it opens up a complete NIO server and starts listening for connections on a random port (echoed in your java console). You can connect to it with telnet and watch impressive ping messages all day :)
    This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
    There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. I.e.: is it RSA/DSA/Sha1 etc. The Netscape DB was a Berkeley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert which I like the best ATM as it (X fingers it stays so) always has worked.
    Sadly that tidbit doesn't help you either I am afraid.
    > What I'm trying to do is require client authentication through Apache by including the following markup in a virtual host definition:
    > SSLCACertificateFile D:/Certificates/ca.crt
    > SSLVerifyClient require
    > SSLVerifyDepth 1
    You got me there I avoid markup at all costs and only code in C java and assembler :)
    Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
    > On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing shows that the server is requiring a certificate from the client, and the web browser is always providing it.
    > The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to the server.
    > So the server refuses to send the applet bytecode to the JVM, and we're stuck.
    In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run (or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enable the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
    I am thinking maybe there is another method of doing this I do not know.
    Did you try pushing the cert via JavaScript/LiveConnect?? That way it could run before the Applet and do the authentication.
    Maybe someone else has other ideas; did you try the security forum??
    Sorry but I am afraid that is not much help.
    I did snarf this tidbit which may have some relevance:
    > The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API. Here are the steps:
    > In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
    > -Djavax.net.ssl.keyStore=<name and path to client keystore file>
    > -Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
    > If it is a PKCS12 format keystore, specify:
    > -Djavax.net.ssl.keyStoreType=PKCS12
    > In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
    > Dennis
    > Posted Date : 2005-07-28 19:55:50.0
    Good Luck!
    Sincerely:
    (T)
    Edited by: tswain on 23-Jul-2008 10:07 AM
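The `-Djavax.net.ssl.keyStore*` runtime parameters quoted in the reply above work because JSSE consults a KeyManager for a client certificate when the server sends a CertificateRequest during the handshake. The following is an added example, not code from any post in this thread, that does the same wiring explicitly in application code on a current JDK (try-with-resources, so Java 7 or later rather than the 1.4.2 of the original question). The keystore path, trust store path, passwords and URL are placeholders passed on the command line; the example assumes a PKCS12 client keystore and a separate PKCS12 trust store holding the server's CA.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Explicit JSSE client-certificate setup: the programmatic equivalent of
 *   -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=...
 *   -Djavax.net.ssl.keyStoreType=PKCS12
 * The KeyManager built here is what JSSE asks for a certificate when the
 * server requests client authentication.
 */
public class ClientCertHttps {

    /** Builds an SSLContext whose client key material comes from a PKCS12 file. */
    public static SSLContext clientContext(String keyStorePath, char[] keyPassword,
                                           String trustStorePath, char[] trustPassword)
            throws Exception {
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            clientKeys.load(in, keyPassword);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyPassword);

        // Trust store: which *server* CAs we accept. Kept separate from the
        // client key store so the private key never travels with the CA bundle.
        KeyStore trusted = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trusted.load(in, trustPassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Performs one GET with the mutual-TLS context and returns the HTTP status. */
    public static int fetch(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier stays in place on purpose: replacing it
        // with an accept-all verifier is the common "fix" that silently removes
        // server authentication.
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and URL (hypothetical); pass your own as arguments.
        String keyStore   = args.length > 0 ? args[0] : "client.p12";
        char[] keyPass    = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String trustStore = args.length > 2 ? args[2] : "truststore.p12";
        char[] trustPass  = (args.length > 3 ? args[3] : "changeit").toCharArray();
        String url        = args.length > 4 ? args[4] : "https://intranet.example/applet/";

        SSLContext ctx = clientContext(keyStore, keyPass, trustStore, trustPass);
        System.out.println("HTTP status: " + fetch(ctx, url));
    }
}
```

Run as `java ClientCertHttps client.p12 <password> truststore.p12 <password> https://host/`. If the server closes the connection or returns 403 even though the browser succeeds, the usual causes are a keystore that holds only the certificate without its private key, or a client certificate whose issuer is not in the server's `SSLCACertificateFile` chain within `SSLVerifyDepth`.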

  • Presenting a Client Certificate from ACE?

    Hi Folks,
    This is a bit of an odd one, so please stick with me!
    A bit of background:
    We currently visit a secure 3rd party website from our company, in order to identify our company to the website we have to use a client-side certificate to authenticate us (before we then login to the website).
    As we have a large number of machines, loading a client certificate on to each one has not proved agile enough (this is more a legacy thing). So to work around this we have used a Stunnel proxy which the clients are forwarded to (HTTP), which then proxies the connection as HTTPS and provides the end website with the client cert and does all the bits for SSL. The Stunnel service was meant to be a temporary workaround, about 3 or so years ago (don't you just love those?) and is hosted on a desktop PC which has recently started to crash - there's no real support on this either - which leads me onto the question:
    Can the ACE module replace the Stunnel box in this scenario?
    Is it possible to load a client certificate onto the ACE and get it to provide this to an end webserver? I realise that the ACE is probably not designed for this function, however this would get us onto something more stable and has a better internal support function.
    I've attached a really basic diagram of how the connectivity operates - but I'm happy to consider suggestions on alternative ways of doing it.
    Thanks in advance
    Kev

    Hi.
    It seems not to be possible: http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/initiate.html
    I have to check if other products can do what you want, but I have some doubts...

  • Getting client certificate on Websphere

    Hi,
    I'm new to java security API. In my project i need to get a client certificate through java in the server and extract some values from it. Can anyone let me know how to go about doing that?

    Everything is available in the following link:
    http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
    This is a very good tutorial.
    Or use RMI/IIOP on WebSphere.
    I have no code available.

  • HTTPS request signed by client certificate from PL/SQL procedure

    Hi All, please help.
    The PL/SQL procedure connects to different web services, using both HTTP/HTTPS; for HTTPS, server certificates were used. Everything was OK.
    The next service requires the client to sign requests with a client certificate. I made the client certificate, had it signed by the CA, and stored it in Wallet Manager.
    Is there a possibility to send a signed HTTPS request from PL/SQL?
    If not, how to do it using Java and encapsulate it for PL/SQL?
    Please answer ASAP!!!

    It is pretty straight-forward to make HTTPS requests with UTL_HTTP.
    To do so, you first need to create an Oracle wallet on the database server host with Oracle Wallet Manager. If your database resides on Windows, I believe a short-cut has been created in the Windows menu. On Linux, it can be invoked from $ORACLE_HOME/bin/owm.
    Once the wallet is created, you need to make an additional call to utl_http.set_wallet(<wallet-directory>, <wallet-password>) before any utl_http.request or utl_http.begin_request calls. The <wallet-directory> is the wallet directory where you will find the cwallet.sso and/or ewallet.p12 files, using the format "file:/<wallet-directory>". For example:
    utl_http.set_wallet('file:/home/oracle/wallets/my_wallet/', '123456');
    When an Oracle wallet is created, it is pre-populated with common certificate authorities' certificates (e.g. Verisign). In the event that the server certificate of the HTTPS host is not signed by one of those common certificate authorities, you need to import the additional certificate authority's certificate in your wallet using Oracle Wallet Manager.

  • Tell me the alternate way to get my certificate from sap

    hi all,
    I badly need help. Actually my company sponsored me for the certification during TechEd-06.
    I cleared my exam and the company got the certificate also. But now my company is not ready to give me the certificate because they think that the moment I get it I will leave the company.
    So please tell me, is there any other way to get at least my certification id or a duplicate certificate from SAP? I have everything including the badge I got for the TechEd, identity card of the company with photo and other id proofs also like passport, driving license etc.
    Thanks a lot in advance. Eagerly waiting for the response.
    zenithi george

    Hi George,
    You can contact SAP and tell them that you cleared your exam and give them the details.. Like your Name, Date of Certification Exam, Location and Company Sponsering you. And give them the address for delivery of new certificate.
    You can also contact Mr. M V Ramakrishnan from SAP. He can guide you and help you in much better way. His email ID is <b>[email protected]</b> ..Just discuss it with him. He will let you know the right person to contact and you can get your certificate at your home address.
    Ciao,
    Himanshu.

  • Open certificate from browser keystore

    dear all
    In my application I need to open a certificate from the Windows key store to show the user. I can open a certificate in a .cer file using .exec("cmd .cer file name"), but I don't know how to open a certificate in a keystore (say "Windows-MY").
    thanks for ur help.

    Sorry I'm not a Windoze user, but maybe you can look at this MS document to see if any of these tools suit your need.
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dscj_mcs_ooiy.mspx?mfr=true

  • How do I get the client certificate from the request

    We are on Netweaver 2004 using the SAP webdispatcher (end-to-end). I need to do an OCSP validation, I have all of the code I need for the OCSP portion. What I need is the X509Certificate that came from the client. Is this stored in the request object, session? How do I get it?
    Thanks.

    Hi Joseph,
    I think the question is which component terminates the SSL connection. It could be an upfront load balancer or the WebAS itself. The former could write the certificate into a request header variable, while the latter will create a J2EE standard request attribute: javax.servlet.request.X509Certificate
    I never did it with the web dispatcher, but you can try the following:
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    HTH
    Daniel
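Daniel's reply points at two different places the client certificate can surface depending on what terminated TLS, and the security difference between them matters: the servlet attribute is populated by the container from a handshake it performed itself, whereas a forwarded header is just bytes that anything able to reach the container could send. The following added example (not code from the thread; the header name `X-Client-Cert` and the trusted-proxy address set are assumptions, check your dispatcher or load balancer configuration for the real ones) handles both sources, honours the header only when the request actually came from the TLS terminator, and extracts the fields the original poster wants before running OCSP. It targets the `javax.servlet` API mentioned in the thread on Java 10 or later (for `URLDecoder.decode(String, Charset)`).

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/**
 * Locates the client certificate for a request, whichever component ended TLS.
 * Preference order:
 *  1. the standard servlet attribute, set only when the container itself ran
 *     the handshake (so the container already authenticated the certificate);
 *  2. a PEM certificate forwarded in a request header by an upstream TLS
 *     terminator, accepted only if the request really came from that proxy.
 */
public final class ClientCertificateLocator {

    public static final String ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private ClientCertificateLocator() {}

    /**
     * @param forwardHeader  header the proxy writes the PEM certificate into
     *                       (assumed name, e.g. "X-Client-Cert"; site specific)
     * @param trustedProxies remote addresses allowed to assert that header
     * @return the end-entity certificate, or null if the request carried none
     */
    public static X509Certificate locate(HttpServletRequest req, String forwardHeader,
                                         Set<String> trustedProxies) throws CertificateException {
        Object attr = req.getAttribute(ATTRIBUTE);
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            // Element 0 is the client's own certificate; the rest is its chain.
            return ((X509Certificate[]) attr)[0];
        }
        String pem = req.getHeader(forwardHeader);
        if (pem == null) {
            return null;
        }
        if (!trustedProxies.contains(req.getRemoteAddr())) {
            // Anyone who can reach the container directly could forge this header,
            // so it is only evidence when the packet came from the TLS terminator.
            throw new CertificateException(
                    "forwarded client certificate from untrusted peer " + req.getRemoteAddr());
        }
        return parsePem(pem);
    }

    /** Parses a PEM certificate, tolerating the URL-encoding and line flattening proxies apply to headers. */
    public static X509Certificate parsePem(String pem) throws CertificateException {
        String text = pem.contains("%") ? URLDecoder.decode(pem, StandardCharsets.UTF_8) : pem;
        // Strip the armour and all whitespace, then rebuild a canonical PEM block.
        String base64 = text.replace("-----BEGIN CERTIFICATE-----", "")
                            .replace("-----END CERTIFICATE-----", "")
                            .replaceAll("\\s+", "");
        String normalised = "-----BEGIN CERTIFICATE-----\n" + base64 + "\n-----END CERTIFICATE-----\n";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(normalised.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Fields worth logging or checking before the (network-bound) OCSP call. */
    public static String describe(X509Certificate cert) throws CertificateException {
        cert.checkValidity(); // throws if expired or not yet valid; no point asking OCSP then
        return "subject=" + cert.getSubjectX500Principal().getName()
             + " issuer=" + cert.getIssuerX500Principal().getName()
             + " serial=" + cert.getSerialNumber().toString(16)
             + " notAfter=" + cert.getNotAfter();
    }
}
```

Typical use inside a servlet or filter: `X509Certificate c = ClientCertificateLocator.locate(request, "X-Client-Cert", Set.of("10.0.0.5"));` followed by the existing OCSP code on `c`. Note that with an upstream terminator the container never verified the certificate's signature chain, so the OCSP step must be preceded by a full path validation against the intranet CA, not just `checkValidity()`.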

  • How to extract/backup a client certificate from Firefox for Android similar to question #1000240 but for the latest Firefox Beta for Android?

    As in #1000240 and in #1032181, I've installed a StartSSL login certificate in my Firefox for Android and am having a problem with extracting/backing it up to use with another device/browser.
    I'm using the latest Firefox Beta for Android (35.0) at present; the Android version is 4.1.2, my phone model is Sony LT26i (Xperia S), so neither of the aforementioned questions asked at the Mozilla Support website contains any solution to the given problem.
    Any chance to recover the certificate?
    P. S. I haven't rooted my device; if getting a root is the only possible way to recover the certificate, I may consider doing so.

    You can try https://addons.mozilla.org/en-US/android/addon/copy-profile/ If that does not retrieve the file then see below.
    If you know the name and path of the file you can get it using run-as function of adb. See http://stackoverflow.com/questions/18471780/android-adb-retrieve-database-using-run-as
    If you end up down here you'll need root to be able to navigate the file system. I don't know the file name, though it is likely in your profile folder which can be determined by visiting about:cache in the Firefox address bar. It will be similar to /data/data/org.mozilla.firefox_beta/files/mozilla/$RANDOM.default/

  • Roll out client certificate from Windows

    Hi,
    We have recently begun using Macs in our Windows Environment and are having problems with our wireless. It is 802.1x with Network Policy Server as RADIUS. To connect you need correct user credentials and a machine certificate that is rolled out through GPO.
    Is there a way to roll out the certificate to our Macs also? If it's necessary to connect them to our domain, that isn't a problem.
    The Macs are running Mountain Lion or Mavericks.
    //Robert

    You can use the Profile Manager feature of OS X Server, and create a profile that retrieves a certificate via SCEP or RPC from your CA.  This profile can then be downloaded or pushed to Mac clients that are enrolled in the profile manager.

  • Linksys WRT54GL won't get dhcp address from isp

    I'm using Linux.
    I just bought this router because it had good reviews on Newegg but for the past 4 hours I have gotten nowhere with it.
    When I connect the router to the net and click the refresh button on the browser interface, the router doesn't go out and get a dhcp address. I see the initial click of the mouse that hits the modem but no information comes back. No addresses are updated.
    I have tried cloning the mac address but that does no good either.
    Any hints appreciated.
    Thanks

    Try resetting the router for 30 secs in such a way that the power light is blinking on the router. Also, try doing the complete network power cycle, i.e., unplug the power cables from the modem & from the router. Then, plug in the power cable to the modem first; once all the lights are solid on the modem you could plug in the power cable to the router & then try configuring the router & it will definitely work!!!

  • Love my Xoom, but Verizon won't get 1 cent from me.

    I have had a Xoom since launch, and love it... but Verizon's activation fee scam and lack of a proper pay-as-you-go ala the ipad has put me off ever activating the data plan. If there was a proper way for me to activate it and deactivate, I would sign up, but knowing that I get to pay an activation fee for the privilege ...and knowing that I may pay said fee many times during the course of my ownership has totally put me off Verizon. If samsung makes a strong showing with a new honeycomb tablet on Sprint, I may just have jump ship.
    Verizon, please reconsider your fees or risk alienating the burgeoning tablet community.

    Cut and pasted my comments from another similar thread...
    I ordered my Xoom from Verizon and was expecting to see it added as another phone on my current Droid X unlimited plan, but found out that was not the case before I hit the confirm button. I also fully understand why the Xoom and other similar devices, including USB modems, have different data pricing. The data use of my Xoom would be huge compared to that of my Droid if it were not for my WiFi. Although I got the unlimited data plan for my Droid, I would have opted for a lower plan but wanted to use Pandora radio all the time away from my WiFi and I don't load music onto the SD card. I bought the Xoom to replace an aging Inspiron 9200 laptop, and that laptop will replace an aging Dimension 4100 desktop. Although I wanted a new comparable laptop, the cost was above my comfort zone so I took some time to think about how I actually used my laptop and what I really needed. I surprised myself when the Xoom could do, after the Flash 10.2 release, pretty much everything I was using my laptop for except for the 17" screen. Also, the laptop was bought as a "desktop replacement" but I never got rid of the desktop, LOL. I also purchased the keyboard and Verizon bundle with the basic dock, portfolio case, and screen protectors and still spent less than the low end laptop I was originally looking to buy (and it's more portable). I opted for the $35 ($28 with my employee discount) 3GB plan ($10 each additional 1GB) fully knowing that only occasional 3G use a month would quickly use that $20 1GB plan ($20 each additional 1GB) allowance up. I figure I can do my major downloads at home on the WiFi and still use the 3G on the 3GB plan away from home and not go over in that allowance in 30 days. I thought about using my Droid X as a WiFi hot-spot for the Xoom, but that's $20 a month addition for 2GB ($20 more for the next 2GB) which is almost the same cost as the 3GB plan on the Xoom at $10/GB.
    OK, back to the "Pay as you Go Plan" subject: the 1GB plan is pretty much pay as you go. You will easily use up that 1GB a month when away from a WiFi source and will be charged another $20 for the next 1GB if you go over (that's $20/GB). What I'm saying is, why not get the 3GB or 5GB plan if you plan to use it that much on the 3G network, and monitor your use knowing the overages will only cost $10 for the next 1GB each (approx. $10/GB). If you think you can use less than 1GB a month and want a pay as you go price you might as well go with a WiFi only model and find a hot-spot when you're away from home every time you want to use it. I have used 0.1GB since I got my Xoom, but that has been less than a week and I have had the 3G pretty much turned off before yesterday when my FiOS router died and I have no WiFi. I even used the hot-spot on the Xoom for a while yesterday to get my laptop online, which has no additional cost vs. the Droid plan since the Xoom uses the data from your regular plan pricing when using the hot-spot option.

  • HELP... problem establishing a secure connection when trying to get to Hotmail from browser

    I have a Blackberry Curve. I could sign in to Hotmail fine up until the other day when I received the error message "problem establishing a secure connection". When I click details, it says untrusted certificate and unable to determine the certificate origin. I contacted my service provider Wind who were NO HELP at all. Someone, please help me!!???

    Hi and Welcome to the Community!
    Here is a KB that discusses that error:
    Article ID: KB35687 Certificates issued by the GlobalSign Root CA show as untrusted
    Hopefully it contains something useful! There also are multiple existing threads on this site that discuss that exact error...your review of those might prove useful, and a search of this site, using the error message, error code, or symptom, should reveal all applicable existing threads to you.
    Good luck and let us know!

  • Get certificate from the browser

    Hi friends!,
    I am working on an application to get files from the client machine, to sign those files with the client's certificate and send those signatures to the server.
    The application gets the client's certificate from a key store, but I want the applet to get the certificate from the browser.
    Is that possible?
    Thanks and sorry for my little English. Greetings from Venezuela.

    If all you're looking for is Client SSL Authentication, then you don't need to access the digital certificates through an applet; just enable ClientAuth on your web-server and let the browser handle it for you. While I haven't tried this with Chrome, Safari or Opera, I know for a fact that this works on Firefox and IE.
    If you're trying to access the digital certificates/keys in the browser-keystore for digitally signing some content that the applet creates, you're going to have far more difficulty. About 10-12 years ago, Netscape provided an API that allowed you to digitally sign text-content through JavaScript. That died a quiet death, I think, since I don't know of anyone who used that capability (outside of test environments).
    Years later, Mozilla added the ability to digitally sign XML content using XForms; there is even an add-on for Thunderbird (which uses the same libraries as Firefox for PKCS work): https://addons.mozilla.org/en-US/thunderbird/addon/4522/.
    However, to the best of my knowledge, the only way you can get an applet to access the browser's keystore today is to have the security policy on the client-machine modified to provide access to the local file-system, and the applet then pretty much deals with the keystore and its objects through JCE.
    But, if I'm reading your post correctly, I think all you're looking for is SSL ClientAuth, for which you don't need to do anything other than enable it on your web-server that hosts the applets, and let the browser do the heavy lifting.
    Arshad Noor
    StrongAuth, Inc.

  • How to get certificate from sun one directory server

    I have installed Sun ONE Directory Server 5.2. Now in order to connect to the server through the LDAP protocol I need a certificate on the client side.
    How do I get the certificate from the Sun ONE directory server...??
    (Earlier I tried the same procedure with Active Directory and I got the certificate successfully...as well as LDAP authentication...but don't know what to do with the Sun ONE...???)
    Any tips on this issue will be helpful
    thank you

    You didn't make mention of setting up SSL on the server side, so search these boards for openssl. Some nice person uploaded a nice example of how to use openssl to do this.
    To get the ssl certs for the solaris-client ssl authentication ( tls:simple ) to work you will need to use netscape to connect to the ssl port to get the right format. There are comments in that same doc on how to do that.
