SSL Handshake between two WebApps
I have a webapp-1 deployed on a SUNWappserver that requires two way SSL authentication. I can write a java client-1 for it, and it works just fine.
However, when I write a client-2 for webapp-1 as a webservice (instead of a standalone java program), I am having problems.
I am deploying client-2 on a jetty-8 server. During the SSL handshake, Jetty first gets the certificate from SUNWappserver (which is okay: Found trusted Certificate), Jetty then receives a CertificateRequest from the SUNWappserver (along with the Cert Authorities). However, Jetty then just replies with an empty Certificate chain.
.
.
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
****<CNs removed from here>****
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
.
.
I am not sure what's happening there. Is there some setting in the jetty-ssl.xml configuration that I need to enable, so that it replies with the certificate chain? Here are the options that I am using right now:
<Set name="KeyStore"><SystemProperty name="jetty.home" default="." />/server-certs/keyStore.jks</Set>
<Set name="KeyStorePassword">$PASS</Set>
<Set name="KeyManagerPassword">$PASS</Set>
<Set name="TrustStore"><SystemProperty name="jetty.home" default="." />/server-certs/trustStore.jks</Set>
<Set name="TrustStorePassword">$PASS</Set>
<Set name="certAlias">$CORRECT_ALIAS</Set>
<Set name="wantClientAuth">true</Set>
My trustStore and keyStore are fine as they work when I use client as a standalone java application (instead of deploying on a jetty server). Jetty is reading the keyStore and trustStore correctly when I start Jetty server. I have also tried giving -Djavax.net.ssl.trustStore etc. as the jvm options while starting the Jetty server.
Just figured out what was going on. My client-2 that I was deploying on the jetty server was a CXF client. It turned out that in addition to setting up the keyStore and trustStore in the jetty-ssl.xml, I need to set it up for CXF also (in the Java code or using cxf.xml).
Otherwise, the client (deployed on jetty server) was not giving out any error message (e.g., cxf keyStore not found etc. etc.) and was just sending the blank certificate chain back to the SUNWappserver. Some kind of message would have been helpful in finding out the reason.
On a related note, we should also set the following in the jetty-ssl.xml.
<Set name="needClientAuth">true</Set>
Otherwise, even if the client (that is connecting to the jetty server) sends a blank or wrong certificate to the jetty server, the server will ignore it and will not give any error message.
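The CXF-side setup the answer describes, done in Java rather than cxf.xml, as an added example (not code from the original post or from the CXF project). It loads the client keystore and truststore into CXF's TLSClientParameters and attaches them to the HTTP conduit behind a JAX-WS proxy. It also adds the check the answer wished it had: before the first call, it verifies that the configured alias really resolves to a private key and certificate chain, so a missing or mismatched keystore fails loudly instead of silently sending an empty Certificate message. The class name, method names, file paths and passwords are placeholders; the CXF and JSSE API calls themselves (TLSClientParameters, ClientProxy.getClient, HTTPConduit.setTlsClientParameters, X509KeyManager) are real.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper class; names are placeholders chosen for this example.
public class CxfMutualTlsConfig {

    /** Load a JKS keystore from disk (path is a placeholder supplied by the caller). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Fail fast if the alias we intend to present does not resolve to a private key
     * and certificate chain. Without this, CXF/JSSE answers the server's
     * CertificateRequest with an empty chain and no error is logged on the client.
     */
    static void assertHasClientKey(KeyManager[] keyManagers, String alias) {
        for (KeyManager km : keyManagers) {
            if (km instanceof X509KeyManager) {
                X509KeyManager x509 = (X509KeyManager) km;
                if (x509.getPrivateKey(alias) != null
                        && x509.getCertificateChain(alias) != null) {
                    return; // usable client identity found
                }
            }
        }
        throw new IllegalStateException(
                "no private key + certificate chain for alias '" + alias + "' in client keystore");
    }

    /**
     * Build the TLS parameters CXF applies to its outbound HTTPS conduit.
     * The key managers supply the client certificate for two-way SSL; the trust
     * managers decide whether the SUNWappserver's certificate is accepted.
     */
    static TLSClientParameters buildTlsParameters(String keyStorePath, char[] keyStorePass,
                                                  char[] keyPass, String certAlias,
                                                  String trustStorePath, char[] trustStorePass)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keyStorePath, keyStorePass), keyPass);
        KeyManager[] keyManagers = kmf.getKeyManagers();
        assertHasClientKey(keyManagers, certAlias);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStorePath, trustStorePass));
        TrustManager[] trustManagers = tmf.getTrustManagers();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(keyManagers);
        tls.setTrustManagers(trustManagers);
        // Select the client certificate by alias when the keystore holds several entries
        tls.setCertAlias(certAlias);
        // Keep hostname verification on; disabling it lets any trusted cert impersonate the server
        tls.setDisableCNCheck(false);
        return tls;
    }

    /** Attach the TLS parameters to the HTTP conduit behind a CXF JAX-WS client proxy. */
    static void applyTo(Object port, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Usage: after creating the service proxy (for example with JaxWsProxyFactoryBean or the generated Service class), call `applyTo(port, buildTlsParameters("/path/to/keyStore.jks", pass, pass, "your-alias", "/path/to/trustStore.jks", pass))` once before the first invocation. The same settings can be expressed declaratively in cxf.xml with an `http:conduit` element containing `http:tlsClientParameters` with `sec:keyManagers` and `sec:trustManagers`, which is the cxf.xml route the answer mentions; the Java form is used here so the alias check can run at startup.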