Posted to java-user@axis.apache.org by Fernando Cesar Silva <fs...@synchro.com.br> on 2008/08/26 17:01:52 UTC

Problems trying to access a secure WS using PKCS#11

Hi all,

I'm experiencing some problems trying to connect to a WS over SSL with a
PKCS#11 provider and an HSM (Hardware Security Module). The destination WS
returns the message "HTTP 403.7 - Forbidden: Client certificate required".

When I connect to the same WS using a JKS KeyStore instead, the connection
and handshake complete without any problem.

Before I call the WS, I basically set the JCA system properties like this:

Using a JKS KeyStore:

props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
props.setProperty("javax.net.ssl.keyStorePassword", "xxxxx");
props.setProperty("javax.net.ssl.keyStoreType", "JKS");


Using HSM and PKCS #11:

props.setProperty("javax.net.ssl.keyStore", "NONE");
props.setProperty("javax.net.ssl.keyStorePassword", "xxxx");
props.setProperty("javax.net.ssl.keyStoreType", "PKCS11"); 

The certificate of the server I'm trying to connect to, and its certificate
chain, were imported into <JAVA_HOME>\jre\lib\security\cacerts.

Since I'm receiving the message "Client certificate required", I can
conclude that Axis for some reason cannot get the private key from inside
the HSM. Hence, I'd like to know what exactly Axis is trying to do to read
this private key. Is Axis trying to export the private key? If so, we've got
a problem because the key isn't exportable.

Any clue will be very helpful.

Thanks.

Fernando Cesar
developer / researcher

Phone:  +55 19 3794 1608
Mobile: +55 19 9839 9989
www.synchro.com.br




---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Problems trying to access a secure WS using PKCS#11

Posted by Fernando Cesar Silva <fs...@synchro.com.br>.
Steve,

Answering your questions:

"Does your PKCS11 keystore have the same contents as the Java keystore?"
Exactly the same.


"How does Axis/Java know where to look for certificates if the keystore is
set to "NONE"?"
According to the JSSE Reference Guide, when an HSM or token is used, the
keystore has to be set to NONE. Java knows where to look for certificates
because there is a PKCS#11 provider registered in the java.security file:

security.provider.7=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg

And my pkcs11.cfg file points to the PKCS#11 provider implementation, the
alias inside the HSM to be used, and the HSM slot to be used.


"Did the HSM come with its own implementation of parts of Java Cryptography?
The documentation might indicate different properties to set."
Yes. All required properties are already set.


Fernando Cesar

-----Original Message-----
From: SGruverman@intellicare.com [mailto:SGruverman@intellicare.com]
Sent: Tuesday, 26 August 2008 14:03
To: axis-user@ws.apache.org
Subject: Re: Problems trying to access a secure WS using PKCS#11


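The two configurations above (system properties with keyStore=NONE, and a SunPKCS11 provider line in java.security) only tell JSSE where to look; they do not show whether the key manager can actually see a private-key entry on the token, which is what the 403.7 answer hinges on. The following is an added diagnostic, not code from the thread or from Axis: it registers a PKCS#11 provider programmatically (JDK 6 to 8 constructor; on JDK 9+ use Security.getProvider("SunPKCS11").configure(path)), lists what the token keystore exposes, asks the key manager which client alias it would pick, and builds an SSLContext that can be handed to the HTTPS transport instead of relying on the javax.net.ssl.* properties. The config contents, library path and the HSM_PIN environment variable are placeholders. Note that the key is never exported: the key manager signs through the provider, so the private key stays on the HSM.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

public class Pkcs11ClientAuthCheck {
    // Constructed sample config; library path and slot are placeholders
    // for the vendor's PKCS#11 module.
    private static final String PKCS11_CFG =
        "name = HsmCheck\n" +
        "library = C:/path/to/vendor-pkcs11.dll\n" +
        "slot = 0\n";

    public static void main(String[] args) throws Exception {
        Provider p = new sun.security.pkcs11.SunPKCS11(
            new ByteArrayInputStream(PKCS11_CFG.getBytes(StandardCharsets.UTF_8)));
        Security.addProvider(p);

        // Token keystores are loaded with a null stream (the "NONE" of the
        // system property) and the token PIN as the password.
        char[] pin = System.getenv("HSM_PIN").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        // Step 1: does the token expose a private-key entry at all?
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + " keyEntry=" + ks.isKeyEntry(alias)
                + " certEntry=" + ks.isCertificateEntry(alias));
        }

        // Step 2: would the key manager offer an RSA client certificate?
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pin);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        String chosen = km.chooseClientAlias(new String[] {"RSA"}, null, null);
        System.out.println("client alias chosen: " + chosen);
        // null means the handshake sends an empty certificate list, which
        // the server then rejects with "Client certificate required".

        // Step 3: explicit SSLContext; hand ctx.getSocketFactory() to the
        // HTTPS transport so the token key is used regardless of properties.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
    }
}
```

If step 1 lists the alias as a certificate entry but not a key entry, the token presents the certificate without a usable private key object, and the key manager will skip it.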
Re: Problems trying to access a secure WS using PKCS#11

Posted by SG...@intellicare.com.
I've not worked with an HSM and not used client certificates much, but a
couple of things that may be helpful:

Does your PKCS11 keystore have the same contents as the Java keystore?

How does Axis/Java know where to look for certificates if the keystore is
set to "NONE"?

Did the HSM come with its own implementation of parts of Java Cryptography?
The documentation might indicate different properties to set.

- Steve
