I've not worked with an HSM and not used client certificates much, but a
couple of things that may be helpful:

Does your PKCS11 keystore have the same contents as the Java keystore?

How does Axis/Java know where to look for certificates if the keystore is
set to "NONE"?

Did the HSM come with its own implementation of parts of Java Cryptography?
The documentation might indicate different properties to set.

- Steve


"Fernando Cesar Silva" <[EMAIL PROTECTED]> wrote on 08/26/2008 11:01:52 AM:

> I'm experiencing some problems trying to connect to a WS using SSL with a
> PKCS#11 Provider and a HSM (Hardware Security Module). The destination WS is
> returning a message "HTTP 403.7 - Forbidden: Client certificate required".
>
> When I try to connect to the same WS, but using a JKS KeyStore, the connection
> and handshake are done without any problem.
>
> Before I call the WS, I basically set the JCA system variables like that:
>
> Using a JKS KeyStore:
>
> props.setProperty("javax.net.ssl.keyStore","C:/Certificados_TA/transpamericana.jks");
> props.setProperty("javax.net.ssl.keyStorePassword", "xxxxx");
> props.setProperty("javax.net.ssl.keyStoreType", "JKS");
>
>
> Using HSM and PKCS #11:
>
> props.setProperty("javax.net.ssl.keyStore", "NONE");
> props.setProperty("javax.net.ssl.keyStorePassword", "xxxx");
> props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
>
> The server certificate where I'm trying to connect and its certificate chain
> were imported to the <JAVA_HOME>\jre\lib\security\cacerts.
>
> Since I'm receiving the message "Client certificate required", I can
> conclude that Axis for some reason cannot get the private key from inside
> HSM. Hence, I'd like to know what exactly Axis is trying to do to read this
> private key. Is Axis trying to export the private key? If so, we've got a
> problem because the key isn't exportable.
>
> Any clue will be very helpful.
>
> Thanks.
>
> Fernando Cesar
> developer / researcher
>
> Phone:  +55 19 3794 1608
> Mobile: +55 19 9839 9989
> www.synchro.com.br
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
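
Added example, not part of the thread and not code from either poster: a small Java diagnostic for comparing what the JKS file and the PKCS#11 token each expose as key entries, and for checking that a JSSE key manager can be built from either. The class name KeyStoreCheck is hypothetical, and the sketch assumes that a PKCS#11 provider for the HSM is already registered with the JVM and that the JKS key password equals the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Usage: java KeyStoreCheck JKS <path-to.jks>   or   java KeyStoreCheck PKCS11 NONE
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage (interactive terminal): KeyStoreCheck <type> <path|NONE>");
            System.exit(2);
        }
        // Prompt for the store password or token PIN instead of taking it as an argument.
        char[] secret = System.console().readPassword("Password/PIN: ");

        KeyStore ks = KeyStore.getInstance(args[0]);
        if ("NONE".equals(args[1])) {
            ks.load(null, secret);              // token-backed store: no file to read
        } else {
            try (InputStream in = new FileInputStream(args[1])) {
                ks.load(in, secret);
            }
        }

        // A key entry is a private key together with its certificate chain; only
        // key entries can be offered as a client certificate during the handshake.
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            keyEntries++;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("key entry '" + alias + "', chain length "
                    + (chain == null ? 0 : chain.length));
            if (chain == null) continue;
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
            }
        }
        System.out.println(keyEntries + " key entries, provider " + ks.getProvider().getName());

        // Build the key manager the same way for both store types.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, secret);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        System.out.println("SSLContext initialised from " + args[0] + " key store");
    }
}
```

Running it once per store type and comparing the subject and issuer lines shows whether the token exposes the same client certificate chain as the JKS file.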

