
Client Certificate authentication

14 replies
lmx
Offline
Joined: 2007-02-27

Hi all!
I am not very familiar with digital certificates on GlassFish, but we need to implement client certificate authentication using smart-card certificates. I have imported the CA certificate into cacerts.jks and keystore.jks using keytool and configured the web application as

```xml
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```

When I open the secure page in the browser, the server asks for a certificate and the one from the smart card is used, but the secure page does not open. The server log says "[Web-Security] hasResource isGranted: false|#]"

I don't need mutual authorization and importing client certificates into cacerts.jks is not available.

Again, as I am new to certificates, I might be doing or thinking completely wrong, but are there any suggestions about this?

Thanks

lmx
Offline
Joined: 2007-02-27

Any news on this?
I am desperate, because I am short on time and have already wasted so much time trying to find answers. I have been told to try a different JSSE provider; is there any alternative security provider?

thanks

kumarjayanti
Offline
Joined: 2003-12-10

Hi,

Give me a couple of days, I will try to show code that can be used to replace the server side TrustManager.

Thanks.

kumarjayanti
Offline
Joined: 2003-12-10

Switching to a different provider may help. There are no other providers from Sun except the Sun Provider.

The one I know is www.bouncycastle.org. But as I said, I will try to get you the answer without having to switch the provider (if that is possible).

lmx
Offline
Joined: 2007-02-27

I just don't understand how to set my trust manager in the web application. I tried to execute the SSL init code from a JSP page, and also from a ServletContextListener; my TrustManager is set but checkClientTrusted is not called.

Also, I tried IBM JDK5. Looks like there is no such problem there, but it seems GlassFish doesn't start using the IBM JDK.

lmx
Offline
Joined: 2007-02-27

I managed somehow to find a workaround, but I am not sure whether it is because of the different JSSE provider or because I tried it using "Sun JDK 1.5 on Linux", lol

kumarjayanti
Offline
Joined: 2003-12-10

If you can tell exactly what the workaround was, it can help others.

lmx
Offline
Joined: 2007-02-27

I succeeded trying certificate authentication on IBM WebSphere AS Community Edition using IBM Java5, so the bug, I suppose, is in the Sun JSSE provider.

lmx
Offline
Joined: 2007-02-27

Tried to implement my own X509TrustManager, but its check* methods do not seem to be called.

btw, when I imported the client certificate into the cacerts store, the client was authenticated and this unsupported extension exception was not thrown ...

kumarjayanti
Offline
Joined: 2003-12-10

Hi,

Importing the CA certificate into keystore.jks is never necessary. Do you see anything else in the server log (exceptions?).

If you can attach the entire web.xml and sun-web.xml and any exceptions in server log that would be helpful.

lmx
Offline
Joined: 2007-02-27

Thanks for reply.

My web.xml:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Constraint1</web-resource-name>
    <description>secure resource</description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>authorized</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>authorized</role-name>
</security-role>
```

and a piece of sun-web.xml:

```xml
<security-role-mapping>
  <role-name>authorized</role-name>
  <group-name>authorized</group-name>
</security-role-mapping>
```

where "authorized" is the group in the certificate realm in GlassFish.

I have enabled SSL debug in GlassFish and these are the last lines that might be of interest in the GlassFish log:

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
***|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, fatal error: 46: General SSLEngine problem
java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
%% Invalidated: [Session-5, SSL_RSA_WITH_RC4_128_MD5]|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|, SEND TLSv1 ALERT: |#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|fatal, |#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|description = certificate_unknown|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, WRITE: TLSv1 Alert, length = 18|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem|#]

It might be a certificate problem. I tried to import the CA certificate chain from http://info.e-me.lv/en/dokumenti/LPproductionchain2.p7b but got a keytool exception, so I had to import all 3 certificates manually.

kumarjayanti
Offline
Joined: 2003-12-10

Hi,
Your reply seems to have the root cause info:

java.security.cert.CertificateException: Certificate contains unsupported critical extensions : [2.5.29.17]

I checked that extension 2.5.29.17 stands for SubjectAlternativeName.

Now the JavaDoc for X509Extension (http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension...) says:

"Each extension in a certificate/CRL may be designated as critical or non-critical. A certificate/CRL-using system (an application validating a certificate/CRL) must reject the certificate/CRL if it encounters a critical extension it does not recognize. A non-critical extension may be ignored if it is not recognized."

Since the extension in your cert is marked critical, and since it does not understand the extension, it rejected the cert.

When I googled around I found the following link, where the person is talking about downloading the CA cert from a different location in order to obtain the CA cert without the extension.

http://forum.springframework.org/showthread.php?t=42510

Can you try this workaround?

Meantime I will investigate why the particular extension is unrecognized.

lmx
Offline
Joined: 2007-02-27

This unsupported extension is in the client certificate.
btw, the same problem exists when deploying the application to a Tomcat server.
Maybe there is some kind of JVM property for this extension.

lmx
Offline
Joined: 2007-02-27

Didn't manage to find a workaround.
Tried different Java EE servers on different machines, same exception. Looks to me like it is some kind of Java problem :(

kumarjayanti
Offline
Joined: 2003-12-10

I have asked our Java Experts and will get back if I hear from them. Meantime, IMO something like the following may work (I have not tested this).

You can write your own X509TrustManager (MyX509TrustManager):
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.htm...

And then in your WebApp init() you can do the following:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

// MyX509TrustManager is your own implementation of javax.net.ssl.X509TrustManager
TrustManager[] myTMs = new TrustManager[] { new MyX509TrustManager() };
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, myTMs, null); // default key managers and SecureRandom
```

Thanks.
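As an added diagnostic (not code from the thread, GlassFish or the JDK), this standalone Java program reproduces offline the two things the posts above talk about: it lists the client certificate's critical extension OIDs and asks the JRE whether any of them is unsupported (the check behind the 2.5.29.17 rejection), then runs the same checkClientTrusted call the server makes, through the default PKIX trust manager built from the server truststore. The class name, the file-path and store-password arguments, and the "RSA" auth type are assumptions; run it under the exact JDK GlassFish is started with, because the result depends on that JRE's X.509 parser.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Usage (paths and password are assumed): java CriticalExtensionCheck client.cer cacerts.jks changeit
public class CriticalExtensionCheck {
    // OID of SubjectAlternativeName, the extension named in the GlassFish log
    static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";

    // Parse one DER- or PEM-encoded X.509 certificate from disk
    public static X509Certificate loadCert(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try { return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in); }
        finally { in.close(); }
    }

    // Build the same PKIX trust manager the server derives from its truststore (JKS assumed)
    public static X509TrustManager serverTrustManager(String trustStore, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStore);
        try { ts.load(in, pw); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadCert(args[0]);
        Set<String> critical = cert.getCriticalExtensionOIDs();
        System.out.println("Critical extension OIDs: " + critical);
        // true means the PKIX validator rejects the cert before consulting any trust anchor
        System.out.println("Unsupported critical extension: " + cert.hasUnsupportedCriticalExtension());
        if (critical != null && critical.contains(SUBJECT_ALT_NAME_OID)) {
            try { System.out.println("SAN entries as parsed: " + cert.getSubjectAlternativeNames()); }
            catch (Exception e) { System.out.println("SAN unparseable by this JRE: " + e); }
        }
        // The same call JSSE makes server-side when the client certificate arrives in the handshake
        try {
            serverTrustManager(args[1], args[2].toCharArray()).checkClientTrusted(new X509Certificate[] { cert }, "RSA");
            System.out.println("checkClientTrusted: accepted");
        } catch (Exception e) {
            System.out.println("checkClientTrusted: rejected with " + e);
        }
    }
}
```

Running it once under the Sun JDK 5 and once under IBM Java 5 against the same certificate shows whether the rejection is a property of the certificate or of the JRE, which is the question the thread leaves open.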