
Configuring Mutual Certificate security b/w Netbeans service & WCF client

7 replies [Last post]
wkhattak
Joined: 2007-12-22

Hi,

I am trying to access a WS developed using NetBeans RC2 (using Mutual Certificate Security) from a WCF client. I have been fishing around a couple of forums but didn't have any luck resolving the following problems/errors:

While configuring the WS within NetBeans, I am using xws-security-server within the keystore; however, the truststore button is disabled, as a result of which I cannot specify the client certificate within cacerts.jks. (I have created a client certificate using makecert.exe and then added it to the appropriate store; the certificate can be seen using the mmc.)

The communication from client to server seems to be alright, as WCF has no problem locating the server's certificate (imported to the CurrentUser store) and the client private key (configured within the web.config file).

Within GlassFish, the SOAP request can be seen. Although I have imported the client's certificate into cacerts.jks, when the SOAP request is received the following error is thrown:

"sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ".

This, to my understanding, is because the runtime cannot find the appropriate client certificate, which goes back to the original problem of the greyed-out truststore button.

If no truststore setting is required then what should be the alias of the client certificate in the cacerts.jks assuming the runtime is looking into the default cacerts store?

Any help in this matter would be highly appreciated as I have spent a lot of time trying to resolve this problem.

Thanks,

shyam_rao
Joined: 2006-05-05

Try with today's wsit nightly build from here : https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5472&e...

wkhattak
Joined: 2007-12-22

Hi,

Finally got it WORKING :-).

I haven't downloaded the current WSIT build; however, these are the caveats that one needs to keep in mind while accessing a Java WS (configured with Mutual Certificate Security) from a WCF-configured client:

[b]WCF Side[/b]
1. Specify the client & server certificate (the server cert needs to be imported first):

2. The should resemble the following:

binding="customBinding" bindingConfiguration="NewFullNameWSDLBinding"
contract="WebApplication1.NewFullNameWS.NewFullNameWSDLPortType"
name="NewFullNameWSDLPort"
behaviorConfiguration="clientEndpointBehavior">

The dns entry needs to be there, as the server cert is issued to "xwssecurityserver", not localhost.

[b]NetBeans Side[/b]

1. Use Mutual Certificate Security with "Development Defaults".

2. The client cert needs to be imported; however, please make sure that the client cert contains a "Subject Key Identifier" (which can be generated using Windows 2003 Certificate Services), and also make sure that "Issued To" & "Issued By" are the same as the machine name (localhost).

3. VERY IMPORTANT! Within the WSDL (in NetBeans), make sure that within the section there is no tag, as having this in the WSDL generates an error when the service is accessed.

I found out all of this the hard way; hopefully this will help others, as there are trivial things that one needs to do in order to make all this work that could not be found in any documentation.

kumarjayanti & shyam_rao thanks for your valued help in this matter.

kumarjayanti
Joined: 2003-12-10

Thanks for spelling out the steps.

wkhattak
Joined: 2007-12-22

Thanks for the reply; however, even after re-creating a fresh certificate and installing it in cacerts.jks, the error remains the same. Here is the request message received by GlassFish (the forum stripped the XML tags; only the element values survived):

urn:uuid:25c50cc0-8638-4ba7-812a-b884f1efdb63
http://www.w3.org/2005/08/addressing/anonymous
http://windows2003vm:8081/TestWS/TestWebServiceService
2007-12-25T15:11:28.547Z
2007-12-25T15:16:28.547Z
MIIB9TCCAV6gAwIBAgIQs7OXmTsU2IBAZG8ZXFluqzANBgkqhkiG9w0BAQQFADAYMRYwFAYDVQQDEw1XaW5kb3dzMjAwM1ZNMB4XDTA3MDMxNzEwNDk1NloXDTA4MDMxNjE2NDk1NlowGDEWMBQGA1UEAxMNV2luZG93czIwMDNWTTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwZX73Jc/+QH3umsCZ9CW00rOCIlQ0Gb71Z4IZ9dg1iHx6U4SkFnjbWwLrhOvENo3kqkx/Ewy79DNSSY1DprI1u9Lex8Ptz58PRV4+3xk/YeZT75HGQogG+iqPtJXQcfR70ZcdvUidNoCQoMmOBJeXh1wq2808G8dMBkvzaIL9d8CAwEAAaNAMD4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwJwYDVR0RBCAwHoINV2luZG93czIwMDNWTYINV2luZG93czIwMDNWTTANBgkqhkiG9w0BAQQFAAOBgQAvAMN0EKXwf2He8X50P/sRl5EdC1euh5MSA+tuJnCXZ/S+gzxK31wukXw6H8JMhUMbxtC8M0RTvzC9eKFLAqecVgY45KzZBb2Hq/3qgezP7cdK93UfhqYIXPwO7ljJbqz5tFZVZByBx0eICZIi0KmNBzdV3lwacKoATsKYE7yZpQ==
dVE29ysyFW/iD1la3ddePzM6IWo=
of/rygK+Kb7YbXUp9xTmL1MrL+rZuf0QaK1U8J0VG+U0VpLTMqzmlmBcbe/L1NxKj7nzFpurDksE1kwzm8D5dQfI1WZou63FdFXB1kppoRMUiIU+gNZxrbVVf7Asq6HJ6fdC6GIpgpWeyb0vTixDpthxeiOEYlI+Fz9Ey7AjU3g=
ZVHjWGm5wFUjv1CHMAj+FiHp+mA=
a8T/6AHa4bBGUI0zRJY5m1I0kYo=
f8uuulJHOdPOFIi5NSVASxbmr3E=
k69pykploFPkXhw5ogDHcjcJUI0=
e/GO2zGh1HlpY9vskjOyhu6gUfc=
Mo+TXSE/weKL9dxdEbBfwWkAbfU=
aSM6qD7aRptVM/DDLaz1K82k6m87VacjbLBfa3xh4Hm9br+skXDsxIN3ycvFrAz2U7k4jEJ+gS9Vd4dV/F3mLiYdFJQYmOeDSgTRcGMdrXGeac+f+HPg/UZY0r0sxMz43vVcuBuoS/RRXauAv4WQIaVomkaqEXAMkbXSojR/N54=
1K5nAGl5BCXW2eD/lSiTYMKZdiavIhG1yctHoywIXXzwHj+95UEaLURhxLw9W+BUWh/KKc3UQ0P8lQFpDqY1p0btPZbUNQ6gYtaCEcypUTJ9wfP3ZkFRtZDvaA6Ti32cSZdmrUupAxJ/kmUoemaYTX3dsG+YqMN4MiuunU+RbVqoHZsKpBB9ZQOk+8zM05lHKRVSCtRP0X6dj2ZEO2/zc8HIJ/bHeBY90JClW5UD/8JCnGqta9z9iuAbVBRxgfdnV1h+6d/s9epvJQLtYKeJu5wCTGvzxG/0RX7aQt0fBIQ=
============

By the looks of it, on the client side (WCF) the runtime is properly encrypting the outbound message, but I am not sure whether the client's certificate is transmitted as part of the message or not. Maybe you can advise me from the message content whether it carries a client certificate or not? In case the client certificate is not transmitted, I have imported the client certificate into cacerts.jks, whereby the Issued By & Issued To fields are the same (which I am assuming satisfies the self-signed condition). But the result remains the same. Is there any fundamental mistake that I might be making apart from this certificate business?

Message was edited by: wkhattak

I seem to have missed the following, just before where the Header tag ends, in between:



Message was edited by: wkhattak

For some reason the very last text cannot be pasted if I try to do a copy and paste :-(

Message was edited by: wkhattak

kumarjayanti
Joined: 2003-12-10

Hi,

The client cert is indeed present in the message as a BinarySecurityToken element. I am investigating the cause of the failure and will get back.

kumarjayanti
Joined: 2003-12-10

Hi,

I tested our certificate validation code in a standalone program like this:

package javaapplication1;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class Main {
    public static void main(String[] args) throws Exception {

        // this is your client cert extracted from the message
        String Cert = "MIIB9TCCAV6gAwIBAgIQs7OXmTsU2IBAZG8ZXFluqzANBgkqhkiG9w0BAQQFADAYMRYwFAYDVQQDEw1XaW5kb3dzMjAwM1ZNMB4XDTA3MDMxNzEwNDk1NloXDTA4MDMxNjE2NDk1NlowGDEWMBQGA1UEAxMNV2luZG93czIwMDNWTTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwZX73Jc/+QH3umsCZ9CW00rOCIlQ0Gb71Z4IZ9dg1iHx6U4SkFnjbWwLrhOvENo3kqkx/Ewy79DNSSY1DprI1u9Lex8Ptz58PRV4+3xk/YeZT75HGQogG+iqPtJXQcfR70ZcdvUidNoCQoMmOBJeXh1wq2808G8dMBkvzaIL9d8CAwEAAaNAMD4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwJwYDVR0RBCAwHoINV2luZG93czIwMDNWTYINV2luZG93czIwMDNWTTANBgkqhkiG9w0BAQQFAAOBgQAvAMN0EKXwf2He8X50P/sRl5EdC1euh5MSA+tuJnCXZ/S+gzxK31wukXw6H8JMhUMbxtC8M0RTvzC9eKFLAqecVgY45KzZBb2Hq/3qgezP7cdK93UfhqYIXPwO7ljJbqz5tFZVZByBx0eICZIi0KmNBzdV3lwacKoATsKYE7yZpQ==";
        // the post used an unspecified Base64 helper; java.util.Base64 decodes the same DER bytes
        byte[] arr = Base64.getDecoder().decode(Cert);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(arr));
        System.out.println("Cert=" + cert);

        // the GlassFish domain truststore (default password "changeit")
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(new FileInputStream("D:\\UR1\\publish\\glassfish\\domains\\domain1\\config\\cacerts.jks"), "changeit".toCharArray());
        // add the self-signed client cert as a trusted entry (comment this out to reproduce the failure)
        trustStore.setCertificateEntry("clientselfcert", cert);

        // This is the code that is used by Metro Security to validate the Certificate
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(cert);
        PKIXBuilderParameters parameters;
        CertPathBuilder builder;
        parameters = new PKIXBuilderParameters(trustStore, certSelector);
        // parameters.setRevocationEnabled(true);
        builder = CertPathBuilder.getInstance("PKIX");
        builder.build(parameters);
    }
}

And what I found is the following:

Even if the certificate is a self-signed certificate, it appears that the certificate should be available in the truststore for the validation to succeed. This is likely a limitation of the PKIXBuilder API (I need to check with Java security experts on this).

So if I run the above code I see the following output:

---------------------------------------------
certpath: X509CertSelector.match(SN: -4c4c6866c4eb277fbf9b90e6a3a69155
Issuer: CN=Windows2003VM
Subject: CN=Windows2003VM)
certpath: X509CertSelector.match: maxPathLen too small (-1 < 0)
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=1
certpath: ForwardBuilder.verifyCert(SN: -4c4c6866 c4eb277f bf9b90e6 a3a69155
Issuer: CN=Windows2003VM)
Subject: CN=Windows2003VM)
certpath: SunCertPathBuilder.depthFirstSearchForward(): commencing final verification
certpath: SunCertPathBuilder.depthFirstSearchForward(): final verification succeeded - path completed!
certpath: SunCertPathBuilder.buildForward() returned from depthFirstSearchForward()
certpath: SunCertPathBuilder.engineBuild() pathCompleted
---------------------------------------

But if I comment out the line (in the code above) which adds your self-signed cert to the truststore:
//trustStore.setCertificateEntry("clientselfcert", cert);
then I too get the exception which you are getting:
-----------------------------------
certpath: X509CertSelector.match(SN: -4c4c6866c4eb277fbf9b90e6a3a69155
Issuer: CN=Windows2003VM
Subject: CN=Windows2003VM)
certpath: X509CertSelector.match: maxPathLen too small (-1 < 0)
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.buildForward() returned from depthFirstSearchForward()
Exception in thread "main" sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at javaapplication1.Main.main(Main.java:90)

-------------------------------------

Note: I had enabled Java CertPath debugging to get this output : -Djava.security.debug=certpath

So can you make sure your self-signed client cert is present in the right cacerts.jks of your GlassFish installation? Then it should work, IMO.

Thanks.

Message was edited by: kumarjayanti

kumarjayanti
Joined: 2003-12-10

Hi,

> Within glassfish, the soap request could be seen. Although I have imported client's certificate within cacerts.jks, however, when the soap request is received, following error is thrown:
>
> "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ".
>
> This to my understanding is 'cause of the fact that runtime cannot find the appropriate client certificate, which goes back to the original problem of the greyed out truststore button.
>
> If no truststore setting is required then what should be the alias of the client certificate in the cacerts.jks assuming the runtime is looking into the default cacerts store?

This error actually means the CertPath Builder could not locate the certificate of the CA which issued the client cert. Usually you never need to specify a truststore alias for the server. When the client certificate arrives in the message, the certificate validation code tries to construct the chain by trying to find the issuer of the client cert.

So just make sure of the following:
1. If the client cert is a self-signed cert and it is sent in the message, then you should not require anything else.
2. If the client cert is self-signed but is only referenced in the SOAP message, then make sure the client cert is added to cacerts.jks.
3. If the client cert was issued by a CA, then make sure the cert(s) of the CA are present in cacerts.jks.
> Any help in this matter would be highly appreciated
> as I have spent a lot of time trying to resolve this
> problem.
>
> Thanks,
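The following is an added example, my own code and not from this thread or from Metro/WSIT. It reruns the PKIX path build that kumarjayanti's standalone test performs, but against an in-memory truststore instead of the GlassFish cacerts.jks file, covering both the "self-signed cert present in the truststore" and "not present" cases from that post and from the three-case summary above. It also reports the certificate properties wkhattak's write-up says matter for the WCF client cert: whether subject and issuer are equal (self-signed) and whether a Subject Key Identifier extension is present. The certificate is the Base64 DER value pasted from the SOAP message above; the class and method names, the alias scheme and the choice of validation date are my assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;

// Added diagnostic (not Metro/WSIT code): repeats the PKIX build Metro's validator runs,
// against an in-memory truststore, and prints the checks discussed in the thread.
public class ClientCertDiagnostics {

    // Sample input: the client certificate pasted from the SOAP message in the thread.
    static final String CLIENT_CERT_B64 = "MIIB9TCCAV6gAwIBAgIQs7OXmTsU2IBAZG8ZXFluqzANBgkqhkiG9w0BAQQFADAYMRYwFAYDVQQDEw1XaW5kb3dzMjAwM1ZNMB4XDTA3MDMxNzEwNDk1NloXDTA4MDMxNjE2NDk1NlowGDEWMBQGA1UEAxMNV2luZG93czIwMDNWTTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwZX73Jc/+QH3umsCZ9CW00rOCIlQ0Gb71Z4IZ9dg1iHx6U4SkFnjbWwLrhOvENo3kqkx/Ewy79DNSSY1DprI1u9Lex8Ptz58PRV4+3xk/YeZT75HGQogG+iqPtJXQcfR70ZcdvUidNoCQoMmOBJeXh1wq2808G8dMBkvzaIL9d8CAwEAAaNAMD4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwJwYDVR0RBCAwHoINV2luZG93czIwMDNWTYINV2luZG93czIwMDNWTTANBgkqhkiG9w0BAQQFAAOBgQAvAMN0EKXwf2He8X50P/sRl5EdC1euh5MSA+tuJnCXZ/S+gzxK31wukXw6H8JMhUMbxtC8M0RTvzC9eKFLAqecVgY45KzZBb2Hq/3qgezP7cdK93UfhqYIXPwO7ljJbqz5tFZVZByBx0eICZIi0KmNBzdV3lwacKoATsKYE7yZpQ==";

    // X.509 extension OID for Subject Key Identifier (RFC 5280, section 4.2.1.2)
    static final String SUBJECT_KEY_IDENTIFIER_OID = "2.5.29.14";

    // Decodes a Base64 DER certificate, as it appears in a BinarySecurityToken.
    static X509Certificate parseDerBase64(String b64) throws CertificateException {
        byte[] der = Base64.getDecoder().decode(b64);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    // "Issued To" equals "Issued By": the cert claims to be its own issuer.
    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    // getExtensionValue returns null when the extension is absent.
    static boolean hasSubjectKeyIdentifier(X509Certificate cert) {
        return cert.getExtensionValue(SUBJECT_KEY_IDENTIFIER_OID) != null;
    }

    // In-memory truststore seeded with the given anchors; stands in for cacerts.jks.
    static KeyStore inMemoryTrustStore(X509Certificate... anchors) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        for (int i = 0; i < anchors.length; i++) {
            ks.setCertificateEntry("anchor" + i, anchors[i]); // alias is arbitrary
        }
        return ks;
    }

    // The same build Metro runs. Returns null when a path was found, else the root-cause message.
    static String tryBuildPath(X509Certificate target, KeyStore trust, Date validationTime) {
        try {
            X509CertSelector selector = new X509CertSelector();
            selector.setCertificate(target);
            PKIXBuilderParameters params = new PKIXBuilderParameters(trust, selector);
            params.setRevocationEnabled(false); // no CRL/OCSP exists for a self-signed test cert
            params.setDate(validationTime);
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (GeneralSecurityException e) {
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            return root.getClass().getSimpleName() + ": " + root.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = parseDerBase64(CLIENT_CERT_B64);
        System.out.println("Subject:        " + cert.getSubjectX500Principal());
        System.out.println("Issuer:         " + cert.getIssuerX500Principal());
        System.out.println("Self-signed:    " + isSelfSigned(cert));
        System.out.println("Has SKI ext:    " + hasSubjectKeyIdentifier(cert));
        System.out.println("Signature alg:  " + cert.getSigAlgName());
        System.out.println("Validity:       " + cert.getNotBefore() + " .. " + cert.getNotAfter());

        // Validate at a time inside the certificate's own window (the sample expired years ago),
        // so that a failure is about trust, not about the clock.
        Date inWindow = new Date(cert.getNotBefore().getTime() + 24L * 60 * 60 * 1000);

        // Case 1: the self-signed cert is not a trust anchor. An empty truststore is rejected
        // up front by PKIXBuilderParameters, for the same reason the builder would fail later:
        // there is no anchor at which a chain could end.
        System.out.println("Without anchor: " + tryBuildPath(cert, inMemoryTrustStore(), inWindow));

        // Case 2: the self-signed cert itself is added to the truststore.
        System.out.println("With anchor:    " + tryBuildPath(cert, inMemoryTrustStore(cert), inWindow));
    }
}
```

Compile and run with `javac ClientCertDiagnostics.java && java ClientCertDiagnostics`. For the pasted certificate the report shows Subject and Issuer both `CN=Windows2003VM` (so self-signed), no Subject Key Identifier extension (decoding the certificate shows only Extended Key Usage and Subject Alternative Name extensions), and a signature algorithm of `MD5withRSA`. That last point matters on a current JDK: `MD5` is listed in the `jdk.certpath.disabledAlgorithms` security property, so the "with anchor" build can fail with an algorithm-constraint error rather than the missing-anchor error from the thread; the printed root cause tells the two apart. On a deployed server the equivalent of case 2 is `keytool -importcert -alias clientselfcert -file client.cer -keystore cacerts.jks -storepass changeit`, checked with `keytool -list -keystore cacerts.jks -storepass changeit`.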