Client Auth

I'm still trying to get some information on how to implement client
certificate authentication in workshop. I found the info on how to
designate your jws as https (using weblogic-jws-config.xml). What else is
needed to configure client auth? (I posted this earlier and was told there
would be a document up on dev2dev about this a week or two ago - is it
there, I can't find it).

Is this document up there yet? I really need it.
thanks.
"Anurag Pareek" <[email protected]> wrote in message
news:3d499bfd$[email protected]..
Hi Dave,
We plan to come up with this document by the end of next week. It will be
posted at the dev2dev.beasys.com site. I will let you know the exact URL
once we have it posted.
Regards,
Anurag
Workshop Support
"Dave Remy" <[email protected]> wrote in message
news:[email protected]..
I am looking for doc on how to set up a WLW project for two-way SSL. I need
to know how to set it up and also how to get to the client X509 certificate
within a jws.
thanks.

Similar Messages

  • Client Auth  and SSL with Seeburger AS2 adapter

    Hello All,
    We are using the Seeburger AS2 adapter in our landscape and I am in the process of setting the same up and have made quite some progress on all my issues, and I hope that you will be able to help me out.
    1. Server SSL on Receiver AS2 adapter
    I am sending a message from XI using the Receiver AS2 adapter to my AS2 test tool using Server SSL.
    This is working perfectly fine. In my AS2 adapter I have selected HTTPS as the protocol and the message goes via SSL to the target test tool, is processed and the MDN comes back to XI perfectly.
    The issue here is :
    Irrespective of what is provided in the Server Certificate ( Keystore) , the message goes to my target test tool. I even left this field blank with no certificate entry and still the SSL connection was established and the message went to the target system.
    Is there no validation that XI does here? I am lost as to what the use of this entry Server Certificate is if XI blindly accepts all SSL connections.
    I am using a Decentral Adapter Engine with LoadBalancer.
    2. Client Auth on Receiver AS2 Adapter
    I tried to perform Client Authentication by providing my Server's private key in the AS2 adapter. The corresponding public key is loaded in my partner's Keystore.
    XI errors with the error "SSL handshake failed - Bad Certificate".
    I am not sure why XI is erroring out here and I have a feeling that I have misunderstood the use of the fields in the AS2 adapter,
    Server Certificate ( Keystore) and Private Key for Client Authentication.
    Has anyone tried this? If further details are needed, I will be able to furnish the same.
    Regards,
    Bhavesh

    Hello Jens,
    Thanks for your reply.
    1. The Encryption and Signature part of the Interface is working absolutely fine and I use the same concept highlighted by you - The Sender always signs the message with his private key and encrypts the message with the partner's public key in the corresponding agreement.
    2. Server SSL is also working perfectly fine, i.e, when XI initiates the connection the SSL connection is established to the partner.
    3. Mutual Auth was the issue where I was getting the bad certificate issue.
    To investigate further I moved the same setup to my Central Adapter Engine and all the issues I had described above seem to have vanished and things work exactly as I was expecting, i.e.:
    The field : Server Certificate (Keystore) is used to provide the Target System's Server SSL's public Certificate.
    The field : Private Key for Client Authentication is used where XI provides its own Server SSL's private key for Mutual / Client Authentication.
    The problem seems to be with my Decentral Adapter engine and not my central adapter engine and so I guess,
    1. I either have the incorrect certificates on my Decentral Adapter Engine.
    2. I also have 2 instances of a Decentral Adapter Engine with a Webdispatcher and so maybe the 2 Visual Admins of the 2 Decentral AEs are inconsistent.
    3. Maybe it was just a long day and I did something wrong
    Will investigate further for the root cause but I am glad that my concepts remain intact and things do work as I expected them to work.
    A blog on all this is on the cards sometime soon.
    Cheers,
    Bhavesh

  • HTTPS with client auth

    Hello, I am working on a scenario to implement Client Authentication with HTTPS. I got to a blog where the steps for implementing HTTPS with Client auth on an XI system are mentioned; in order to test it I would also require a webservice client that works for this purpose. I got to the SAP SOAP client, but what's the way to generate the certificate request so that I can send it to a CA and get it signed? Any ideas please?

    Hi together,
    I have the same problem. Is anybody out there who could give us some hints?
    many thanks
    alex schramm

  • Probelm client auth from jsse client with open ssl server

    I tried to connect a JSSE client to an OpenSSL server with clientAuth.
    This is what I did:
    Using the openssl req command I created an X509 certificate for the server and imported the same into the Java keystore.
    The communication works fine without client authentication.
    To enable client auth I created a client private/public key pair using keytool and exported the public key to a file client.public, and used it in the OpenSSL server.
    This is how I invoke the client:
    java
    -Djavax.net.debug=all
    -Djavax.net.ssl.trustStore=cacerts
    -Djavax.net.ssl.trustStorePassword=changeit
    -Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
    After which i get following error in server
    SSL3 alert write:fatal:handshake failure
    SSL_accept:error in SSLv3 read client certificate B
    SSL_accept:error in SSLv3 read client certificate B
    ERROR
    17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
    shutting down SSL
    CONNECTION CLOSED
    The client debug says it is receiving a certificate request. What could be the problem? Can anybody help?

    I also have that problem. I was trying to configure SSL in Apache on a Win XP machine, but this error occurs. Is there anyone who can help on it?

  • WS security, SSL and client auth

    Hello all,
    I need to secure a web service using SSL with client auth (the client has a certificate issued by the web service provider which he can use to access it... I suppose).
    Being a newbie I have no idea what the options are and how to implement them.
    If good tutorials are available on the subject it would be nice.
    I also had another question: with a web service, what guarantee do I have that the client has consumed the web service and received the information he wants etc.? It is critical for me to know that everything went ok...
    Cheers

    Hi
    One of the best books I found that covers security is located at:
    http://www.lulu.com/content/214643
    You will, or get your company to :), buy it (it's not expensive). It covers Axis 1.3; note that Axis2 is out, but since you're just starting with web services this will be a very good start on many of the concepts and how to implement them.
    Should you decide to use Axis give its documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
    Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think of to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do, e.g. click an "accept" button that kicks off another "request" to the web service indicating that the initial request satisfied the user's query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

  • Client-Auth reports: HTTP4030: Timeout while waiting for client certificate

    Hello,
    I'm having problems with the certificate authentication in my Sun Java System Web Server Enterprise Edition 6.1: I have created an ACL in the SJWS that asks for a client certificate when the user goes to a specific URI:
    acl "uri=/server1/myaction.do";
    authenticate (user) {
    method="ssl";
    };
    deny (all)
    user = "admin";
    It works great and, when the user goes to "/server1/myaction.do" (we are using Internet Explorer 7 as Web browser), the window for selecting the client certificate appears:
    - If the user selects a certificate that doesn't require password, everything works fine.
    - The problem comes when the certificate is configured in Internet Explorer for asking for a password every time it is accessed. Once the user has selected the password protected certificate, the window for typing the password appears, but if the user doesn't type it and click OK IN LESS THAN 5 SECONDS (I've timed it), the following messages appear in the SJWS logs:
    [28/Nov/2007:09:25:05] failure ( 2055): for host 10.0.145.11 trying to GET /server1/myaction.do, Client-Auth reports: HTTP4030: Timeout while waiting for client certificate.
    [28/Nov/2007:09:25:05] security ( 2055): HTTP4290: get_auth_user_ssl: client passed no certificate.
    I tried to add the following two lines to the magnus.conf file of the SJWS, but nothing changed:
    SSLClientAuthTimeout 240
    AcceptTimeout 3600
    Has anyone experienced something similar? Any little piece of advice would be greatly appreciated.
    Thank you very much in advance,
    Carlos.

    This is fixed in Web Server 7.0 update 2. Please migrate/upgrade to Web Server 7.0 update 2. Sorry for the inconvenience.

  • Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938

    I am trying to deploy the clientcert sample application that comes with the platform edition of SunONE V7.
    I have used openssl as a CA and have created client and server certs.
    I get the following problem.
         Sun ONE Application Server - HTTP Status 403 Error
         Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
         Type: Status Report
         Message: Access to the requested resource has been denied.
    As can be seen from the server.log below, some form of authentication succeeds:
         [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
    Note, common name is that of my client cert.
    However there is a severe error:
         [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
    Also, HTTPS works with server side authentication and I signed both client and server certs with same private "CA" certification.
    Question: Do I need any special extensions in the certs for use with SSL?
    Thanks in advance.
    server.log fragment:
    [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
    [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-4
    [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
    [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
    [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
    [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
    [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
    [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: No certificates included with this request
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Failed authenticate() test
    [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
    [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-5
    [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
    [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
    [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
    [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
    [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
    [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
    [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
    [12/Aug/2004:08:56:11] FINEST ( 2392): Processing login with credentials of type: class sun.security.x509.X500Name
    [12/Aug/2004:08:56:11] FINE ( 2392): Processing X.500 name login.
    [12/Aug/2004:08:56:11] FINEST ( 2392): Certificate realm setting up security context for: CN=tweekes, O=tester, C=ie
    [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
    [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Authenticated 'CN=tweekes, O=tester, C=ie' with type 'CLIENT-CERT'
    [12/Aug/2004:08:56:11] FINE ( 2392): SingleSignOn[server1]: Registering sso id '6264FF86CB3151E572951CB77D0C515F' for user 'CN=tweekes, O=tester, C=ie' with auth type 'CLIENT-CERT'
    [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Calling accessControl()
    [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL : CN=tweekes, O=tester, C=ie hasRole?: staffmember
    [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL TABLE: {staff=[staffmember], C=ie, O=tester, CN=tweekes=[staffmember]}


  • Client auth error

    I am using iPlanet Web Server 6.0 SP4 on Solaris 2.8 that is enabled for SSL and Client-auth.
    In order to validate the client certificate, I configured this server to use my own Plug-in by adding authTrans line in "obj.conf":
    <Object name=default>
    AuthTrans fn="vsCheckClientCert"
    </Object>
    During startup, web server fails with following error.
    Thanks in advance!!!
    [20/Sep/2002:11:50:58] info ( 1984): successful server startup
    [20/Sep/2002:11:50:58] info ( 1984): iPlanet-WebServer-Enterprise/6.0SP4 B07/17/2002 14:04
    [20/Sep/2002:11:51:00] info ( 1985): Installing a new configuration
    [20/Sep/2002:11:51:00] info ( 1985): [LS ls1] https://xx-sun.yy.com, port 444 ready to accept requests
    [20/Sep/2002:11:51:00] info ( 1985): A new configuration was successfully installed
    [20/Sep/2002:11:51:01] info ( 1985): Using the Solaris VM v1.2.2 from Sun Microsystems Inc.
    [20/Sep/2002:11:51:01] info ( 1985): Java VM classpath: /usr/netscape/servers/plugins/servlets/examples/legacy/beans.10/SDKBeans10.jar:/usr/netscape/servers/bin/https/jar/NSServletLayer.jar:/usr/netscape/servers/bin/https/jar/NSJavaUtil.jar:/usr/netscape/servers/bin/https/jar/AdminNativeUtil.jar:/usr/netscape/servers/bin/https/jar/NSJavaMiscUtil.jar:/usr/netscape/servers/bin/https/jar/servlet.jar:/usr/netscape/servers/bin/https/jar/servlet-2.3-filters-api.jar:/usr/netscape/servers/bin/https/jar/jsp092.jar:/usr/netscape/servers/bin/https/jar/jaxp.jar:/usr/netscape/servers/bin/https/jar/crimson.jar:/usr/netscape/servers/bin/https/jar/xalan.jar:/usr/netscape/servers/bin/https/jar/jspengine.jar:
    [20/Sep/2002:11:51:01] info ( 1985): Loading IWSSessionManager by default.
    [20/Sep/2002:11:51:01] info ( 1985): IWSSessionManager: Maximum number of sessions is 1000
    [20/Sep/2002:11:51:01] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3 be enabled.
    [20/Sep/2002:11:51:01] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication certificate
    [20/Sep/2002:11:51:02] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3 be enabled.
    [20/Sep/2002:11:51:02] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication certificate
    [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Error getting document-root for this virtual server; please check your server configuration.
    [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Cannot create web applications virtual server environment.
    [20/Sep/2002:11:51:02] failure ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (https-cvm-test-444)
    [20/Sep/2002:11:51:02] info ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (https-cvm-test-444)
    [20/Sep/2002:11:51:02] failure ( 1985): The new configuration was rejected, rolling back

    Thanks for the reply!!
    My SAF (vsCheckClientCert) works fine if I disable the servlets. It also works by disabling the Web Application State in server.xml
    <VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
    <VS id="https-cvm-test-444" state="on" urlhosts="psingal-sun.verisign.com" mime="mime1" aclids="acl1" connections="group1">
    ===> <VARS webapps_file="web-apps.xml" webapps_enable="off"/>
    </VS>
    </VSCLASS>
    I am facing the problem only with iPlanet 6.0, the SAF worked fine with "Servlet Enabled" in the previous releases of iPlanet 4.x. Is there any way by which my SAF works with default server settings i.e. Servlet Enabled and Web Application State On?

  • MY IOS does not support EKU Server-Auth/Client-Auth

    Hello,
    I have a Cisco router with Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T8. I'm trying to set it up as my CA Server where I need to enroll my AnyConnect clients.
    But while trying to configure my crypto pki server command, I do not see the EKU Server-Auth or EKU Client-Auth feature.
    Can anyone tell me why it does not have this feature?

    It was added in 12.2T, but for me this feature is not available. Any ideas?

  • Client-Auth errors

    Hi all,
    I have a SOWS 6.1 and I am getting the following error each time a user tries to get the page:
    Client-Auth reports: Unexpected error receiving data: -5938
    Do you know what it should be?
    Thanks in advance

    Can you tell us the exact configuration you have.
    Send a request to the server to capture the details of initial handshake which performs the client authentication through ssltap. Save the output. Also, when the
    certificates are exchanged ssltap will save them to a file (see the output of
    ssltap for the filenames it used). Get those cert files as well.

  • Client-Auth reports: HTTP4031: Unexpected error receiving data

    I noticed that the below error logged in errors log
    trying to GET /my/jsp/passo/, Client-Auth reports: HTTP4031: Unexpected error receiving data (End of file)
    I configured obj.conf for the above one
    <If $uri =~ "/my(/passo.*)">
    NameTrans fn="restart" from="$uri" uri="/ap/jsp$1"
    </If>
    <Object ppath="/my/jsp/passo/*">
    PathCheck fn="get-client-cert" dorequest="1"
    </Object>
    Please correct me if I am wrong in the configuration. If I remove those lines it starts working, but I am not sure this will enforce the request for a certificate from the client.
    I would highly appreciate it if anyone responded.

    The below one is the correct configurations
    <If $uri =~ "/my(/passo.*)">
    NameTrans fn="restart" from="$uri" uri="/my/jsp$1"
    </If>
    <Object ppath="/my/jsp/passo/*">
    PathCheck fn="get-client-cert" dorequest="1"
    </Object>

  • Specifying Client Auth Cert in Anyconnect NAM

    Hi guys,
    Currently i have set up an SSID which uses EAP-FAST to perform user certificate authentication against an Identity store in ISE connected to AD. On the client devices I have install the Anyconnect NAM to act as the dot1x supplicant and have been in the process of setting up the profile using the Anyconnect Profile Editor.
    The issue that I am having is users on the network have several certs assigned to them from AD. Ordinarily the NAM just prompts the user to select the correct certificate when they attempt to connect, which is not feasible.
    Can I configure the NAM to use a specific user Cert to authenticate to the SSID (without prompting the user on connection)? And if so how?
    Thanks

    Hello Evan,
    Please check the following Cisco doc for specifying client auth cert in anyconnect. Hope it helps!
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac02asaconfig.html

  • How to invalidate the client part of a HTTPS Session with client auth

    Hi to everybody here,
    I'm having an issue with HTTPS and client authentication related with how SSLHandshake works and the behavior of the client browser. I hope you can help.
    I'm setting up a web application that ask for a valid session in order to allow access to the application. If the user has no valid session, he's redirected to the login form, and if the auth process is ok, the user gets a session and is redirected again to the secured pages.
    We are on the way to creating a new login service with client certificates, so the user identifies himself with a certificate valid on the application server.
    We have an application server with a secure listener on port 8443. It's configured to request client certificates so we can access the certificate, validate it and create a session for the user automatically. The user just types his PIN code in the browser, no passwords at all. This process is working and sessions are created. The problem comes up when we are trying to log the user out.
    We invalidate the session using a logout.jsp, but if the user goes to the secured pages again, we have observed that the authentication takes place automatically and the user can see the secured pages, so he thinks the logout.jsp doesn't work.
    My questions are: can we delete or modify the client browser SSL part in order to reset the HTTPS connection established against our application server? Are there any other ways to avoid this behavior?
    Thanks in advance.
    Miss.

    An enduser presents a certificate from a CAC for authentication to our website.
    They pick the Cert off the inserted CAC and submit it. Get logged into the application successfully.
    The user removes the card from the reader and the SSO session times out.
    In the same browser the user clicks log in with CAC and is not prompted for the cert this time; the browser just goes ahead and presents the cached cert even though the card is no longer in the reader. The user logs in successfully.
    The desired behavior would be to prompt the user for a cert again, obviously.
    I am wondering how to turn this off as well.
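The behaviour in both posts above has one cause: once the browser has chosen a client certificate for a site it presents it again on every new TLS connection, and the server cannot reach into the browser to make it forget that choice. What the server does control is whether a presented certificate by itself counts as a login. The Go program below is an added example, not code from either poster's system: it mints an application session only on an explicit POST to /login, checks only that session on the protected page, and deletes it at logout, so the certificate the browser auto-presents on the next visit no longer gets the user back in. The handler paths, the cookie name "sid" and the certificate subject "alice" are assumptions; the TLS state is constructed in memory with net/http/httptest, so no handshake actually takes place.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// App keeps application sessions apart from TLS state: a session exists only after
// an explicit login and is gone after logout, whatever certificate the browser presents.
type App struct{ sessions sync.Map } // session token -> certificate subject CN

// Login is the only place a session is minted: a POST on a connection that carries
// a client certificate. Navigating to a protected URL with a certificate never logs in.
func (a *App) Login(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate and explicit login required", http.StatusUnauthorized)
		return
	}
	cn := r.TLS.PeerCertificates[0].Subject.CommonName
	b := make([]byte, 16)
	rand.Read(b)
	tok := hex.EncodeToString(b)
	a.sessions.Store(tok, cn)
	http.SetCookie(w, &http.Cookie{Name: "sid", Value: tok, Path: "/", Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode})
	fmt.Fprintf(w, "logged in as %s", cn)
}

// Secure checks the application session only; the peer certificate is no substitute for it.
func (a *App) Secure(w http.ResponseWriter, r *http.Request) {
	cn := ""
	if c, err := r.Cookie("sid"); err == nil {
		if v, ok := a.sessions.Load(c.Value); ok {
			cn = v.(string)
		}
	}
	if cn == "" {
		http.Error(w, "no session; log in first", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello %s", cn)
}

// Logout forgets the server-side session and expires the cookie.
func (a *App) Logout(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("sid"); err == nil {
		a.sessions.Delete(c.Value)
	}
	http.SetCookie(w, &http.Cookie{Name: "sid", Value: "", Path: "/", MaxAge: -1, Secure: true, HttpOnly: true})
	fmt.Fprint(w, "logged out")
}

// call sends one request through h and returns the status code plus any "sid" cookie
// the response set. withCert fakes what the TLS layer attaches after a client-auth
// handshake; the certificate is constructed in memory, no handshake takes place.
func call(h http.Handler, method, path, sid string, withCert bool) (int, string) {
	r := httptest.NewRequest(method, "https://app.example"+path, nil)
	if withCert {
		r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{Subject: pkix.Name{CommonName: "alice"}}}}
	}
	if sid != "" {
		r.AddCookie(&http.Cookie{Name: "sid", Value: sid})
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	newSID := ""
	for _, c := range w.Result().Cookies() {
		if c.Name == "sid" {
			newSID = c.Value
		}
	}
	return w.Code, newSID
}

// Walkthrough replays the post's sequence: visit, log in, log out, then revisit the
// secured page while the browser still presents the certificate automatically.
func Walkthrough() []int {
	a := &App{}
	mux := http.NewServeMux()
	mux.HandleFunc("/login", a.Login)
	mux.HandleFunc("/secure", a.Secure)
	mux.HandleFunc("/logout", a.Logout)
	c0, _ := call(mux, "GET", "/secure", "", true)   // certificate alone: 401
	c1, sid := call(mux, "POST", "/login", "", true) // explicit login: 200 and a cookie
	c2, _ := call(mux, "GET", "/secure", sid, true)  // 200
	c3, _ := call(mux, "POST", "/logout", sid, true) // 200
	c4, _ := call(mux, "GET", "/secure", sid, true)  // certificate still presented, but 401
	return []int{c0, c1, c2, c3, c4}
}

func main() { fmt.Println(Walkthrough()) } // [401 200 200 200 401]
```

The five status codes come out as 401, 200, 200, 200, 401: the last request still carries the certificate, and still gets 401. Being prompted for the certificate again is a browser-side matter (clearing its SSL state or restarting it); what this design removes is the server treating a cached certificate as proof of an active login.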

  • Client Auth failure:SSLException Received fatal alert: bad_certificate

    Friends,
    I have managed to establish a one-way HTTPS connection between the client and the Tomcat server by keeping client authentication off (clientAuth="false"):
    <Connector
        enableLookups="true"
        port="8443"
        scheme="https"
        secure="true"
        maxPro
cessors="75"
        debug="0"
        clientAuth="false"
        keystorePass="arps3241"
        keystoreFile="/usr/local/tomcat/bin/arps-dev.keystore"
        className="org.apache.coyote.tomcat5.CoyoteConnector"
        minProcessors="5"
        sslProtocol="TLS">
    </Connector>
    However, when I switch the client authentication parameter on, i.e. clientAuth="true" in server.xml for two-way trust, I get the following error:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1584)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:866)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
         at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    Can any body please guide me?

    The server's truststore doesn't trust or possibly even recognize the client's certificate which came from the client's keystore.
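Three of the threads above are different symptoms of the same few settings: the Seeburger posts (an empty Server Certificate field that accepted any server, and "SSL handshake failed - Bad Certificate"), the OpenSSL server's "peer did not return a certificate" facing a JSSE client, and this Tomcat thread's "Received fatal alert: bad_certificate" with its one-line diagnosis. What varies is which certificate each side presents, which CA each side trusts, and whether the client checks the server's certificate at all. The Go program below is an added example, not code from any of those products: it builds a throw-away CA, a second unrelated CA, and server and client leaf certificates in memory, then runs one loopback TLS connection per scenario and records what each side saw. The names "Test CA", "Unrelated CA", "server" and "client" and the scenario labels are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a P-256 key and a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throw-away key for this example
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, // one CA issues both roles
		DNSNames:    []string{"server"},                                                        // SAN checked against the client's ServerName
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

type Outcome struct { // what each side of one connection saw
	PeerCN               string // client-certificate CN as seen by the server, "" if none
	ServerErr, ClientErr error
}

// handshake runs one loopback connection: the server accepts, handshakes and writes "ok"; the client dials and reads it.
func handshake(server, client *tls.Config) Outcome {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", server) // ephemeral loopback port
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() {
		c, err := ln.Accept()
		o := Outcome{ServerErr: err}
		if err == nil {
			defer c.Close()
			tc := c.(*tls.Conn)
			if o.ServerErr = tc.Handshake(); o.ServerErr == nil {
				if pc := tc.ConnectionState().PeerCertificates; len(pc) > 0 {
					o.PeerCN = pc[0].Subject.CommonName
				}
				_, o.ServerErr = tc.Write([]byte("ok"))
			}
		}
		done <- o
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil { // under TLS 1.3 the client finishes before the server has judged its certificate; a rejection shows up on the first read
		_, err = c.Read(make([]byte, 2))
		c.Close()
	}
	o := <-done
	o.ClientErr = err
	return o
}

// Scenarios maps the symptoms in the threads above to the settings that produce them.
func Scenarios() map[string]Outcome {
	_, ca, caKey := issue("Test CA", nil, nil, true)
	_, otherCA, otherKey := issue("Unrelated CA", nil, nil, true)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	srv, _, _ := issue("server", ca, caKey, false)
	strangerSrv, _, _ := issue("server", otherCA, otherKey, false)
	cli, _, _ := issue("client", ca, caKey, false)
	strangerCli, _, _ := issue("client", otherCA, otherKey, false)
	mtls := &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted}
	strangerServer := &tls.Config{Certificates: []tls.Certificate{strangerSrv}}
	client := func(id *tls.Certificate, insecure bool) *tls.Config {
		cfg := &tls.Config{RootCAs: trusted, ServerName: "server", InsecureSkipVerify: insecure}
		if id != nil { // offer the certificate even when the server's acceptable-CA list does not cover its issuer
			cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return id, nil }
		}
		return cfg
	}
	return map[string]Outcome{
		"mutual-ok":        handshake(mtls, client(&cli, false)),
		"no-client-cert":   handshake(mtls, client(nil, false)),         // OpenSSL server: peer did not return a certificate
		"untrusted-client": handshake(mtls, client(&strangerCli, false)), // Tomcat thread: fatal alert bad_certificate
		"blind-client":     handshake(strangerServer, client(nil, true)), // any server certificate accepted
		"verifying-client": handshake(strangerServer, client(nil, false)), // x509: certificate signed by unknown authority
	}
}

func main() { fmt.Println(Scenarios()) }
```

Reading the scenarios against the threads: "blind-client" is the Seeburger observation on the decentral engine, a client that skips server verification (InsecureSkipVerify here) accepts any server certificate, while "verifying-client" fails with an unknown-authority error, which is what a populated Server Certificate field is for. "no-client-cert" is the OpenSSL log: the server demanded a certificate and the client had none to offer. "untrusted-client" is the Tomcat reply: the client does present a certificate, but the server's trust store (ClientCAs here) does not contain the CA that issued it, so the server aborts with bad_certificate. Only "mutual-ok" leaves the server with a peer CN.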

  • Using SSL with client auth from a JNLP-launched app

    We have an application that is launched by JNLP, and which needs to make a mutually authenticated SSL connection to a server. The client cert and trusted certs that it needs to do this are stored in the Sun\Java\Deployment\security directory where JNLP knows to look for them. And Java WebStart itself seems to be able to use these certs just fine. However, our app seems blithely unaware of the location of the keystore/truststore unless we explicitly set the system properties javax.net.ssl.keystore and truststore. But we don't want to do that (it could be different for different users), and we shouldn't have to do that. So the question is, how can we use the same KeyManager/TrustManager that Java WebStart itself is using? Are they somehow available for the JNLP-launched app to use?
    Failing that, is there a way for a JNLP-launched app to query the deployment properties? There are a bunch of properties to direct the behavior of Java WebStart (see [http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/properties.html]), such as deployment.user.security.trusted.cacerts. These don't seem to be System properties. Can the app see them, or are the "private" to Java WebStart itself?

    Hi:
    see also shine enterprise pattern.
    I have worked with it and it helps me and results speed up.
    it has a class which is named "code" and does encryption and ... by md5. it is incredibly secure! try it.
    you can download it via the links below:
    http://groups.google.com/group/j2sos.
    http://sourceforge.net/projects/shine-enterpris/
    it has also document
