unsubscribe

2009-09-10 Thread Fernando Cesar Silva


unsubscribe

2009-09-08 Thread Fernando Cesar Silva


axis-user-unsubscribe

2009-08-28 Thread Fernando Cesar Silva

Fernando Cesar da Silva | programmer analyst | Tel: +55 19 3794 1608 ext. 1688
Synchro Solução Fiscal – 17 years | SPED | NFe | CTe | MCe


RES: Problems trying to access a secure WS using PKCS#11

2008-08-28 Thread Fernando Cesar Silva
Hi Steve,

If you are interested in testing the SafeNet HSM, you can download the SafeNet SDK,
which has an HSM emulator, at:
www.proteq.com.br/download/protecttoolkit_c_3_32_B.iso

You will need to install the package according to your OS. You can consult
the installation manual for PTKC for more details.

Regards,

Fernando Cesar


-Original Message-
From: Fernando Cesar Silva [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2008 17:43
To: 'axis-user@ws.apache.org'
Cc: Antonio Calandriello ([EMAIL PROTECTED]); 'Amaury, Fernando';
'Leandro'
Subject: RES: Problems trying to access a secure WS using PKCS#11

Steve,

Answering your questions:

"Does your PKCS11 keystore have the same contents as the Java keystore?"
Exactly the same.


"How does Axis/Java know where to look for certificates if the keystore is
set to "NONE"?"
According to the JSSE Reference Guide, when an HSM or token is used, the
keystore has to be set to NONE. Java knows where to look for certificates
because there is a PKCS#11 Provider registered in the java.security file:

security.provider.7=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg

And my pkcs11.cfg file points to the PKCS#11 Provider implementation, the
alias inside the HSM to be used and the HSM slot to be used.


"Did the HSM come with its own implementation of parts of Java Cryptography?
The documentation might indicate different properties to set."
Yes. All required properties are already set.


Fernando Cesar

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2008 14:03
To: axis-user@ws.apache.org
Subject: Re: Problems trying to access a secure WS using PKCS#11

I've not worked with an HSM and not used client certificates much, but a
couple of things that may be helpful:

Does your PKCS11 keystore have the same contents as the Java keystore?

How does Axis/Java know where to look for certificates if the keystore is
set to "NONE"?

Did the HSM come with its own implementation of parts of Java Cryptography?
The documentation might indicate different properties to set.

- Steve


"Fernando Cesar Silva" <[EMAIL PROTECTED]> wrote on 08/26/2008 11:01:52 AM:

> I'm experiencing some problems trying to connect to a WS using SSL with a
> PKCS#11 Provider and an HSM (Hardware Security Module). The destination WS
> is returning a message "HTTP 403.7 - Forbidden: Client certificate
> required".
>
> When I try to connect to the same WS, but using a JKS KeyStore, the
> connection and handshake are done without any problem.
>
> Before I call the WS, I basically set the JCA system variables like that:
>
> Using a JKS KeyStore:
>
> props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
> props.setProperty("javax.net.ssl.keyStorePassword", "x");
> props.setProperty("javax.net.ssl.keyStoreType", "JKS");
>
>
> Using HSM and PKCS #11:
>
> props.setProperty("javax.net.ssl.keyStore", "NONE");
> props.setProperty("javax.net.ssl.keyStorePassword", "");
> props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
>
> The server certificate where I'm trying to connect and its certificate
> chain were imported to the \jre\lib\security\cacerts.
>
> Since I'm receiving the message "Client certificate required", I can
> conclude that Axis for some reason cannot get the private key from inside
> the HSM. Hence, I'd like to know what exactly Axis is trying to do to read
> this private key. Is Axis trying to export the private key? If so, we've
> got a problem because the key isn't exportable.
>
> Any clue will be very helpful.
>
> Thanks.
>
> Fernando Cesar
> developer / researcher
>
> Phone:  +55 19 3794 1608
> Mobile: +55 19 9839 9989
> www.synchro.com.br
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>







RES: Axis 2 - SSL with Client Authentication

2008-08-27 Thread Fernando Cesar Silva
Hi Stefan,

I will assume that your server configuration is OK (that I don't know very
well) and I will focus on the client part.

Here, I had to call a secure webservice from the Brazilian government that
requires client authentication.

Before I call the secure webservice, I only set in my client the necessary
system properties that JSSE will consider to do the SSL.

final Properties props = System.getProperties();
props.setProperty("javax.net.ssl.trustStore", "C:/Certificados/sefazrssef.jks");
props.setProperty("javax.net.ssl.trustStorePassword", "xxx");
props.setProperty("javax.net.ssl.trustStoreType", "JKS");

props.setProperty("javax.net.ssl.keyStore", "C:/Certificados/transpamericana.jks");
props.setProperty("javax.net.ssl.keyStorePassword", "xxx");
props.setProperty("javax.net.ssl.keyStoreType", "JKS");

System.setProperties(props);

Your truststore has to contain the server certificate (public key) and its
certificate chain.

Your keystore has to contain the client private key (issued by a trusted
CA).

You can work with other keystore and truststore types as well, changing "JKS"
for another type (e.g. "PKCS12").

You can turn on the SSL debug passing the parameter:
props.setProperty("javax.net.debug", "ssl");

For more information take a look at:
http://wiki.apache.org/ws/FrontPage/Axis/AxisClientConfiguration/Ssl

http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#Customization

Hope this helps.

Fernando Cesar


-Original Message-
From: StrongSteve [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2008 09:39
To: axis-user@ws.apache.org
Subject: Axis 2 - SSL with Client Authentication


Hi Everybody!

I am really stuck with the problem below, but I am hoping that
someone can help me! ;)
(Or give me at least a useful hint on where to search for more
information...)

Basically I have a running webservice based on AXIS 2.

Now I have to make it secure. By secure I mean the following two things:
   - Transport via SSL (Https)
   - Client Authentication using a Client Certificate

Basically all messages have to be transferred over https and only "trusted"
clients - whose certificates reside in the server's .truststore - shall be
worked with.

After one and a half days of browsing the internet, I have not really come
across a solution.

What I did till now is the following:
   - Enable https in Tomcat 6 after generating a server key
   - If I import this server key into the client's .truststore I can call my
webservice by passing a https in the existing endpointreference

The problem I am really stuck with is the part with the client certificates
and I have nearly no clue on which steps are to be performed... :(

I already tried uncommenting the following block in the Axis2.xml, as I
think that this is the part that I need, but it just results in a
NullPointerException when starting my tomcat.


[INFO]
java.lang.NullPointerException
at org.apache.axis2.transport.nhttp.HttpCoreNIOSSLListener.getSSLContext(HttpCoreNIOSSLListener.java:96)
at org.apache.axis2.transport.nhttp.HttpCoreNIOListener.init(HttpCoreNIOListener.java:151)
at org.apache.axis2.engine.ListenerManager.start(ListenerManager.java:125)
at org.apache.axis2.transport.http.AxisServlet.init(AxisServlet.java:442)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1172)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:992)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4371)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:926)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:889)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.jav

Problems trying to access a secure WS using PKCS#11

2008-08-26 Thread Fernando Cesar Silva
Hi all,

I'm experiencing some problems trying to connect to a WS using SSL with a
PKCS#11 Provider and an HSM (Hardware Security Module). The destination WS is
returning a message "HTTP 403.7 - Forbidden: Client certificate required".

When I try to connect to the same WS, but using a JKS KeyStore, the connection
and handshake are done without any problem.

Before I call the WS, I basically set the JCA system variables like that:

Using a JKS KeyStore:

props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
props.setProperty("javax.net.ssl.keyStorePassword", "x");
props.setProperty("javax.net.ssl.keyStoreType", "JKS");


Using HSM and PKCS #11:

props.setProperty("javax.net.ssl.keyStore", "NONE");
props.setProperty("javax.net.ssl.keyStorePassword", "");
props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");

The server certificate where I'm trying to connect and its certificate chain
were imported to the \jre\lib\security\cacerts.

Since I'm receiving the message "Client certificate required", I can
conclude that Axis for some reason cannot get the private key from inside
the HSM. Hence, I'd like to know what exactly Axis is trying to do to read this
private key. Is Axis trying to export the private key? If so, we've got a
problem because the key isn't exportable.

Any clue will be very helpful.

Thanks.

Fernando Cesar
developer / researcher

Phone:  +55 19 3794 1608
Mobile: +55 19 9839 9989
www.synchro.com.br




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
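An added example, not code from this thread, that generalizes the two client configurations discussed in it (the JKS system properties in the "Axis 2 - SSL with Client Authentication" reply and the keyStore "NONE" / PKCS11 setup above) into one Java 7+ routine: it loads the client key store either from a JKS file or from the HSM through an already-registered SunPKCS11 provider, lists the private-key entries together with the issuer and extended key usage that the server's CertificateRequest is matched against, and builds an SSLContext from explicit stores rather than the global javax.net.ssl.* properties. The class name, paths and PINs are hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientAuthCheck {
    // Client key store: a JKS file, or the HSM through the SunPKCS11 provider in
    // java.security (no file, hence keyStore "NONE"; the "password" is the PIN).
    static KeyStore loadKeyStore(String type, String path, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if ("PKCS11".equals(type)) {
            ks.load(null, pin);
        } else {
            try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pin); }
        }
        return ks;
    }
    // Pre-flight for "403.7 Client certificate required": JSSE only presents a
    // client certificate if a private-key entry exists whose chain a CA named in
    // the server's CertificateRequest issued; compare with -Djavax.net.debug=ssl.
    static int describeKeyEntries(KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            keyEntries++;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            List<String> eku = cert.getExtendedKeyUsage();   // null: not restricted
            boolean clientAuth = eku == null || eku.contains("1.3.6.1.5.5.7.3.2");
            System.out.printf("%s: subject=%s issuer=%s clientAuth=%b chain=%d%n", alias,
                cert.getSubjectX500Principal(), cert.getIssuerX500Principal(), clientAuth,
                ks.getCertificateChain(alias).length);
        }
        return keyEntries;   // 0: no client certificate can ever be sent
    }
    // SSLContext from explicit stores instead of global javax.net.ssl.* properties;
    // with PKCS11 the private key never leaves the token (it signs the handshake).
    static SSLContext buildContext(KeyStore keyStore, char[] pin, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pin);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Run describeKeyEntries against the PKCS11 store first: if it lists nothing while the same alias shows up in the JKS store, the provider configuration (slot, PIN, key attributes) is what to look at, not Axis.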