axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fernando Cesar Silva" <fsi...@synchro.com.br>
Subject Problems trying to access a secure WS using PKCS#11
Date Thu, 28 Aug 2008 20:21:20 GMT
Hi Axis Developers,

I'm experiencing some problems trying to connect to a WS using SSL with a
PKCS#11 Provider and a HSM (Hardware Security Module). The destination WS is
returning a message "HTTP 403.7 - Forbidden: Client certificate required".

When I try to connect the same WS, but using a JKS KeyStore, the connection
and handshake is done without any problem.

Before I call the WS, I basically set the JCA system variables like that:

Using a JKS KeyStore:

props.setProperty("javax.net.ssl.keyStore","C:/Certificados/xpto.jks");
props.setProperty("javax.net.ssl.keyStorePassword", "xxxxx");
props.setProperty("javax.net.ssl.keyStoreType", "JKS");


Using HSM and PKCS #11:

props.setProperty("javax.net.ssl.keyStore", "NONE");
props.setProperty("javax.net.ssl.keyStorePassword", "xxxx");
props.setProperty("javax.net.ssl.keyStoreType", "PKCS11"); 

The server certificate where I'm trying to connect and his certificate chain
was imported to the <JAVA_HOME>\jre\lib\security\cacerts.

Since I'm receiving the message "Client certificate required", I can
conclude that Axis for some reason cannot get the private key from inside
HSM. Hence, I'd like to know what exactly Axis is trying to do to read this
private key. Is Axis trying to export the private key? If so, we've got a
problem because the key isn't exportable.

I already check my PKCS#11 configurations according to "JavaTM Secure Socket
Extension (JSSE) Reference Guide" and everything seems to be OK.
I spent my last weeks trying to figure out this issue, so, any clue will be
very helpful.

Fernando Cesar


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org


Mime
View raw message