geronimo-user mailing list archives

From David Jencks <>
Subject Re: where to find information about pkcs-11 certificate store manipulation in geronimo, for example for mutual authentication
Date Fri, 13 Jul 2007 18:03:18 GMT

On Jul 13, 2007, at 11:30 AM, legolas wrote:

> Hi,
> Thank you for reading my post.
> Is there any article or tutorial that shows how we can use Geronimo with a pkcs-11 store for mutual authentication?
> For example a swing based client on the client side and some web services on the server side deployed into Geronimo. Now I want to be able to have mutual authentication between these two objects based on their digital certificates.

I'm not exactly a certificate expert, but I'm not clear on exactly why pkcs-11 is necessary or sufficient here. Do you need to securely identify your geronimo server with a hardware token? I would expect in many circumstances you'd only use a hardware token for the client.

In any case you need to set up your web service to use a jetty or tomcat web connector that requires a client certificate.

Whether your client is a plain swing app or a geronimo javaee app client, you can log in using the sun pkcs11 login module. I don't think this would require setting up pkcs11 as a geronimo keystore instance gbean. I don't recall what if anything else you need to do to make the client cert available to the http client that the web services client uses. I'm pretty sure we have had client certs for web services working. There may even be an example somewhere.

Does this relate to what you are trying to do?

If you do need more geronimo management of the pkcs11 keystore, it looks to me from a glance at guide/security/p11guide.html and the KeystoreInstance interface that the first step would be to implement a PKCS11KeystoreInstance gbean more or less similar to the FileKeystoreInstance gbean.

There's some slightly related discussion about PKCS12 at https://

david jencks
> thanks
> -- 
> View this message in context: 
> information-about-pkcs-11-certificate-store-manipulation-in-geronimo 
> %2C-for-example-for-mutual-authentication-tf4075148s134.html#a11581860
> Sent from the Apache Geronimo - Users mailing list archive at  
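As an added example (not code from this thread or from the Geronimo project), here is the client side of what David describes: a plain Java client that takes its certificate and private key from a PKCS#11 token through the SunPKCS11 provider and uses them for mutual TLS against a connector that requires client certificates. The config file name, token library path, PIN, truststore and endpoint are all assumptions.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class Pkcs11MutualTlsClient {
    // Builds an SSLContext whose client identity lives on a PKCS#11 token.
    // pkcs11Config is a SunPKCS11 config file, assumed to contain e.g.
    //   name = ClientToken
    //   library = /usr/lib/opensc-pkcs11.so   (hypothetical path)
    // Private-key operations run on the token; the key never leaves the hardware.
    public static SSLContext buildContext(String pkcs11Config, char[] pin,
                                          String trustStorePath, char[] trustStorePass)
            throws Exception {
        // Java 9+ API; Java 8 and earlier used new sun.security.pkcs11.SunPKCS11(pkcs11Config).
        Provider p11 = Security.getProvider("SunPKCS11").configure(pkcs11Config);
        Security.addProvider(p11);

        // The "PKCS11" KeyStore is a view of the token; load() with the PIN logs in.
        KeyStore tokenStore = KeyStore.getInstance("PKCS11", p11);
        tokenStore.load(null, pin);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(tokenStore, pin);

        // Server trust: an ordinary file truststore holding the CA that issued
        // the connector's certificate (assumed JKS/PKCS12 file, not on the token).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Calls an endpoint on a connector that requires a client certificate.
    // A missing token, wrong PIN or untrusted cert fails the handshake here.
    public static int call(SSLContext ctx, String endpoint) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn.getResponseCode();
    }
}
```

The server-side half is the connector configuration David mentions (the jetty or tomcat HTTPS connector set to require a client certificate); without that the token-backed key is never asked for during the handshake.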
