eBase v 4.5.1 - web service resource call using client authentication

Jez
Ebase User
Posts: 31
Joined: Thu Aug 21, 2008 11:03 am
Location: Hampshire County Council

eBase v 4.5.1 - web service resource call using client authentication

#1

Postby Jez » Wed Sep 11, 2019 7:50 am

Hi

I am trying to make an eBase web service resource call to a server that requires the client certificate to be sent in order to authenticate the client (using TLS v1.2).

The certificates have been added to the Java CACERTS but when I attempt the call I get the following error

SocketException invoking https://xxxxxx : Software caused connection abort: recv failed

For further information I then turned on debugging using -Djavax.net.debug=all and found the following error in the log

Warning: no suitable certificate found - continuing without client authentication

The Java CACERTS is the correct one as the keystore information has been set using the -Djavax.net.ssl Java options in the Tomcat startup

Is there any more configuration needed to get an eBase form/web service resource to make a call to a server using client authentication?

Thanks
--------------------------------------
Jez Hollinshead - Hampshire CC

Steve
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK

Re: eBase v 4.5.1 - web service resource call using client authentication

#2

Postby Steve » Wed Sep 11, 2019 9:56 am

Hi Jez,

For client communications (outbound from the server) you need to configure the "truststore" and not the "keystore". The keystore is used if you are acting as a server and you store your certificates in here.

You need to configure the system properties:

-Djavax.net.ssl.trustStore=<path-to-truststore>
-Djavax.net.ssl.trustStorePassword=<password-for-truststore>

You could also put the certificate into Java's default truststore location:

<Ebase-Install-Dir>/jre/lib/security/cacerts


Here is some useful information:

https://stackoverflow.com/questions/587 ... t-keystore

Kind regards

Steve Upton
Re: eBase v 4.5.1 - web service resource call using client authentication

#3

Postby Jez » Fri Sep 20, 2019 8:03 am

Hi Steve,

Thanks very much for your reply. I have configured the Java Option property -Djavax.net.ssl.trustStore / trustStorePassword in the Tomcat service startup and have also added the certificate to the cacerts but I am still getting the same results of 'Warning: no suitable certificate found - continuing without client authentication'.

The handshake debug is referencing the store specified in the Java Option property and we are seeing the correct certificates listed.

The certificates and key we are using are definitely valid as we've tested them on the same machine using a Java test class, which results in a matching alias being found once the 'ServerHelloDone' message is complete in the Handshake debug.

I should mention that we are using an OS install of Java JRE 1.8 rather than the one packaged with eBase (v4.5.4), but because our Java test class works as expected, we're pretty sure this issue is not down to the Java setup.

Are there any other areas regarding eBase that may require config/investigation in order to fix this problem?

Cheers
--------------------------------------
Jez Hollinshead - Hampshire CC

Re: eBase v 4.5.1 - web service resource call using client authentication

#4

Postby Steve » Fri Sep 20, 2019 9:56 am

Hi Jez,

When you say you have put the certificate in the cacerts... is this the cacerts in the jre/lib/security folder? If this is the case then you do NOT need to specify the -Djavax.net.ssl.trustStore / trustStorePassword.

If you put the certificate in a different truststore, e.g. c:/temp/myTrustore, then you would need to specify:

-Djavax.net.ssl.trustStore=c:/temp/myTrustore
-Djavax.net.ssl.trustStorePassword=myTruststorePassword

If you are satisfied that this is right, then perhaps you have not got the entire certificate chain in the truststore? When you view the certificate in IE, are there multiple levels to the certificate? If so, you might need to import ALL of them... including the root CA.

Failing that... could you email support@ebasetech.com:

1) Your logs from the SSL conversation (with the SSL debug)
2) The URL you are calling if it is public facing?
3) The JRE version you are using, you can tell this from the Ebase designer --> Help --> About

Then I will try and create a truststore for you.

Kind regards

Steve
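
Added example, not part of the original posts and not Ebase code: JSSE prints the warning quoted in this thread when its key manager has no private-key entry matching the server's CertificateRequest, and it reads client key material from the store named by javax.net.ssl.keyStore, which is separate from the trust store. This diagnostic lists which entries in that store can be offered for client authentication; the class name ClientKeyCheck is hypothetical, and it assumes it is started with the same -Djavax.net.ssl.keyStore* options as the Tomcat JVM.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic, not Ebase code. Start it with the same
// -Djavax.net.ssl.keyStore* options that the Tomcat JVM receives.
public class ClientKeyCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            System.out.println("javax.net.ssl.keyStore not set: no client key available");
            return;
        }
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (!ks.isKeyEntry(alias) || chain == null || chain.length == 0) {
                // keytool -importcert creates this kind of entry: certificate, no key
                System.out.println(alias + ": no private key with certificate chain, skipped");
                continue;
            }
            try {
                // The default JSSE key manager opens keys with the store password
                ks.getKey(alias, pw);
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key password differs from store password");
                continue;
            }
            usable++;
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": " + leaf.getPublicKey().getAlgorithm()
                    + " key, subject " + leaf.getSubjectX500Principal()
                    + ", not after " + leaf.getNotAfter());
            for (Certificate c : chain) {
                System.out.println("  issuer: " + ((X509Certificate) c).getIssuerX500Principal());
            }
        }
        System.out.println(usable + " entry(ies) usable for client authentication");
    }
}
```

Compare the key algorithm and issuer names it prints with the certificate types and CA names the server lists in its CertificateRequest in the -Djavax.net.debug output.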