Hi
I am trying to make an eBase web service resource call to a server that requires the client certificate to be sent in order to authenticate the client (using TLS v1.2).
The certificates have been added to the Java CACERTS but when I attempt the call I get the following error:
SocketException invoking https://xxxxxx : Software caused connection abort: recv failed
For further information I then turned on debugging using -Djavax.net.debug=all and found the following error in the log:
Warning: no suitable certificate found - continuing without client authentication
The Java CACERTS is the correct one as the keystore information has been set using the -Djavax.net.ssl Java options in the Tomcat startup.
Is there any more configuration needed to get an eBase form/web service resource to make a call to a server using client authentication?
Thanks
eBase v 4.5.1 - web service resource call using client authentication
- Jez
- Ebase User
- Posts: 31
- Joined: Thu Aug 21, 2008 11:03 am
- Location: Hampshire County Council
0 x
--------------------------------------
Jez Hollinshead - Hampshire CC
- Moderator
- Posts: 414
- Joined: Fri Sep 07, 2007 3:44 pm
- Location: Sandy, UK
Re: eBase v 4.5.1 - web service resource call using client authentication
Hi Jez,
For client communications (outbound from the server) you need to configure the "truststore" and not the "keystore". The keystore is used if you are acting as a server and you store your certificates in here.
You need to configure the system property:
-Djavax.net.ssl.trustStore=<path-to-truststore>
-Djavax.net.ssl.trustStorePassword=<password-for-trustore>
You could also put the certificate into Java's default truststore location:
<Ebase-Install-Dir>/jre/lib/security/cacerts
Here is some useful information:
https://stackoverflow.com/questions/587 ... t-keystore
Kind regards
Steve Upton
0 x
- Jez
- Ebase User
- Posts: 31
- Joined: Thu Aug 21, 2008 11:03 am
- Location: Hampshire County Council
Re: eBase v 4.5.1 - web service resource call using client authentication
Hi Steve,
Thanks very much for your reply. I have configured the Java Option property -Djavax.net.ssl.trustStore / trustStorePassword in the Tomcat service startup and have also added the certificate to the cacerts but I am still getting the same results of 'Warning: no suitable certificate found - continuing without client authentication'.
The handshake debug is referencing the store specified in the Java Option property and we are seeing the correct certificates listed.
The certificates and key we are using are definitely valid as we've tested them on the same machine using a Java test class, which results in a matching alias being found once the 'ServerHelloDone' message is complete in the Handshake debug.
I should mention that we are using an OS install of Java JRE 1.8 rather than the one packaged with eBase (v4.5.4), but because our Java test class works as expected, we're pretty sure this issue is not down to the Java setup.
Are there any other areas regarding eBase that may require config/investigation in order to fix this problem?
Cheers
0 x
--------------------------------------
Jez Hollinshead - Hampshire CC
- Moderator
- Posts: 414
- Joined: Fri Sep 07, 2007 3:44 pm
- Location: Sandy, UK
Re: eBase v 4.5.1 - web service resource call using client authentication
Hi Jez,
When you say you have put the certificate in the cacerts... is this the cacerts in the jre/lib/security folder? If this is the case then you do NOT need to specify the -Djavax.net.ssl.trustStore / trustStorePassword.
If you put the certificate in a different truststore, e.g. c:/temp/myTrustore, then you would need to specify:
-Djavax.net.ssl.trustStore=c:/temp/myTrustore
-Djavax.net.ssl.trustStorePassword=myTruststorePassword
If you are satisfied that this is right, then perhaps you have not got the entire certificate chain in the truststore? When you view the certificate in IE, are there multiple levels to the certificate? If so, you might need to import ALL of them... including the root CA.
Failing that... could you email support@ebasetech.com:
1) Your logs from the SSL conversation (with the SSL debug)
2) The URL you are calling if it is public facing?
3) The JRE version you are using, you can tell this from the Ebase designer --> Help --> About
Then I will try and create a truststore for you.
Kind regards
Steve
0 x
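A diagnostic for the "no suitable certificate found" warning discussed in this thread, added here as an example and not code from the thread or from Ebase. JSSE's default key manager picks the client certificate from the store named by javax.net.ssl.keyStore, and only from entries that hold a private key, so this lists what each alias contains and the issuers of its chain for comparison with the CA names in the server's CertificateRequest. The class name ClientCertStoreCheck and its two command-line arguments (store path, store password) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: reports which keystore entries could serve as a TLS client certificate.
public class ClientCertStoreCheck {
    public static void main(String[] args) throws Exception {
        // Fall back to the properties the JVM's default SSLContext reads for its key manager.
        String path = args.length > 0 ? args[0] : System.getProperty("javax.net.ssl.keyStore");
        String pass = args.length > 1 ? args[1] : System.getProperty("javax.net.ssl.keyStorePassword", "");
        if (path == null) {
            System.out.println("javax.net.ssl.keyStore is not set: no client key available to the default key manager");
            return;
        }
        KeyStore ks = KeyStore.getInstance(System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                // A trusted-certificate entry can validate a peer but is never sent as a client certificate.
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            usable++;
            System.out.println(alias + ": private key entry, chain:");
            Certificate[] chain = ks.getCertificateChain(alias);
            for (Certificate c : chain) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    // The issuer of some chain element must match a CA name the server
                    // lists in its CertificateRequest (shown by -Djavax.net.debug=all).
                    System.out.println("    subject=" + x.getSubjectX500Principal().getName());
                    System.out.println("    issuer =" + x.getIssuerX500Principal().getName());
                }
            }
        }
        System.out.println(usable + " entr" + (usable == 1 ? "y" : "ies") + " usable for client authentication");
    }
}
```

Run it under the same JRE and with the same -Djavax.net.ssl options as the Tomcat service so it inspects the store the web application actually sees.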