RES: Problems trying to access a secure WS using PKCS#11

Hi Steve,

If you are interested in testing a SafeNet HSM, you can download the SafeNet SDK, which includes an HSM emulator, at:
www.proteq.com.br/download/protecttoolkit_c_3_32_B.iso

You will need to install the package according to your OS. You can consult the PTKC installation manual for more details.

Regards,
Fernando Cesar

-----Original Message-----
From: Fernando Cesar Silva [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 August 2008 17:43
To: 'axis-user@ws.apache.org'
Cc: Antonio Calandriello ([EMAIL PROTECTED]); 'Amaury, Fernando'; 'Leandro'
Subject: RES: Problems trying to access a secure WS using PKCS#11

Steve,

Answering your questions:

"Does your PKCS11 keystore have the same contents as the Java keystore?"

Exactly the same.

"How does Axis/Java know where to look for certificates if the keystore is set to "NONE"?"

According to the JSSE Reference Guide, when an HSM or token is used, the keystore has to be set to NONE. Java knows where to look for certificates because there is a PKCS#11 Provider registered in the java.security file:

    security.provider.7=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg

And my pkcs11.cfg file points to the PKCS#11 Provider implementation, the alias inside the HSM to be used and the HSM slot to be used.

"Did the HSM come with its own implementation of parts of Java Cryptography? The documentation might indicate different properties to set."

Yes. All required properties are already set.

Fernando Cesar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 26 August 2008 14:03
To: axis-user@ws.apache.org
Subject: Re: Problems trying to access a secure WS using PKCS#11

I've not worked with an HSM and not used client certificates much, but a couple of things that may be helpful:

Does your PKCS11 keystore have the same contents as the Java keystore?

How does Axis/Java know where to look for certificates if the keystore is set to "NONE"?

Did the HSM come with its own implementation of parts of Java Cryptography? The documentation might indicate different properties to set.

- Steve

"Fernando Cesar Silva" <[EMAIL PROTECTED]> wrote on 08/26/2008 11:01:52 AM:

> I'm experiencing some problems trying to connect to a WS using SSL with a
> PKCS#11 Provider and an HSM (Hardware Security Module). The destination WS is
> returning the message "HTTP 403.7 - Forbidden: Client certificate required".
>
> When I try to connect to the same WS, but using a JKS KeyStore, the connection
> and handshake complete without any problem.
>
> Before I call the WS, I basically set the JCA system variables like this:
>
> Using a JKS KeyStore:
>
>     props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
>     props.setProperty("javax.net.ssl.keyStorePassword", "x");
>     props.setProperty("javax.net.ssl.keyStoreType", "JKS");
>
> Using HSM and PKCS #11:
>
>     props.setProperty("javax.net.ssl.keyStore", "NONE");
>     props.setProperty("javax.net.ssl.keyStorePassword", "");
>     props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
>
> The certificate of the server I'm trying to connect to, and its certificate chain,
> were imported into \jre\lib\security\cacerts.
>
> Since I'm receiving the message "Client certificate required", I can
> conclude that Axis for some reason cannot get the private key from inside the
> HSM. Hence, I'd like to know what exactly Axis is trying to do to read this
> private key. Is Axis trying to export the private key? If so, we've got a
> problem because the key isn't exportable.
>
> Any clue will be very helpful.
>
> Thanks.
>
> Fernando Cesar
> developer / researcher
>
> Phone: +55 19 3794 1608
> Mobile: +55 19 9839 9989
> www.synchro.com.br

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RES: Problems trying to access a secure WS using PKCS#11

Steve,

Answering your questions:

"Does your PKCS11 keystore have the same contents as the Java keystore?"

Exactly the same.

"How does Axis/Java know where to look for certificates if the keystore is set to "NONE"?"

According to the JSSE Reference Guide, when an HSM or token is used, the keystore has to be set to NONE. Java knows where to look for certificates because there is a PKCS#11 Provider registered in the java.security file:

    security.provider.7=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg

And my pkcs11.cfg file points to the PKCS#11 Provider implementation, the alias inside the HSM to be used and the HSM slot to be used.

"Did the HSM come with its own implementation of parts of Java Cryptography? The documentation might indicate different properties to set."

Yes. All required properties are already set.

Fernando Cesar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 26 August 2008 14:03
To: axis-user@ws.apache.org
Subject: Re: Problems trying to access a secure WS using PKCS#11

I've not worked with an HSM and not used client certificates much, but a couple of things that may be helpful:

Does your PKCS11 keystore have the same contents as the Java keystore?

How does Axis/Java know where to look for certificates if the keystore is set to "NONE"?

Did the HSM come with its own implementation of parts of Java Cryptography? The documentation might indicate different properties to set.

- Steve

"Fernando Cesar Silva" <[EMAIL PROTECTED]> wrote on 08/26/2008 11:01:52 AM:

> I'm experiencing some problems trying to connect to a WS using SSL with a
> PKCS#11 Provider and an HSM (Hardware Security Module). The destination WS is
> returning the message "HTTP 403.7 - Forbidden: Client certificate required".
>
> When I try to connect to the same WS, but using a JKS KeyStore, the connection
> and handshake complete without any problem.
>
> Before I call the WS, I basically set the JCA system variables like this:
>
> Using a JKS KeyStore:
>
>     props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
>     props.setProperty("javax.net.ssl.keyStorePassword", "x");
>     props.setProperty("javax.net.ssl.keyStoreType", "JKS");
>
> Using HSM and PKCS #11:
>
>     props.setProperty("javax.net.ssl.keyStore", "NONE");
>     props.setProperty("javax.net.ssl.keyStorePassword", "");
>     props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
>
> The certificate of the server I'm trying to connect to, and its certificate chain,
> were imported into \jre\lib\security\cacerts.
>
> Since I'm receiving the message "Client certificate required", I can
> conclude that Axis for some reason cannot get the private key from inside the
> HSM. Hence, I'd like to know what exactly Axis is trying to do to read this
> private key. Is Axis trying to export the private key? If so, we've got a
> problem because the key isn't exportable.
>
> Any clue will be very helpful.
>
> Thanks.
>
> Fernando Cesar
> developer / researcher
>
> Phone: +55 19 3794 1608
> Mobile: +55 19 9839 9989
> www.synchro.com.br
Re: Problems trying to access a secure WS using PKCS#11

I've not worked with an HSM and not used client certificates much, but a couple of things that may be helpful:

Does your PKCS11 keystore have the same contents as the Java keystore?

How does Axis/Java know where to look for certificates if the keystore is set to "NONE"?

Did the HSM come with its own implementation of parts of Java Cryptography? The documentation might indicate different properties to set.

- Steve

"Fernando Cesar Silva" <[EMAIL PROTECTED]> wrote on 08/26/2008 11:01:52 AM:

> I'm experiencing some problems trying to connect to a WS using SSL with a
> PKCS#11 Provider and an HSM (Hardware Security Module). The destination WS is
> returning the message "HTTP 403.7 - Forbidden: Client certificate required".
>
> When I try to connect to the same WS, but using a JKS KeyStore, the connection
> and handshake complete without any problem.
>
> Before I call the WS, I basically set the JCA system variables like this:
>
> Using a JKS KeyStore:
>
>     props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
>     props.setProperty("javax.net.ssl.keyStorePassword", "x");
>     props.setProperty("javax.net.ssl.keyStoreType", "JKS");
>
> Using HSM and PKCS #11:
>
>     props.setProperty("javax.net.ssl.keyStore", "NONE");
>     props.setProperty("javax.net.ssl.keyStorePassword", "");
>     props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
>
> The certificate of the server I'm trying to connect to, and its certificate chain,
> were imported into \jre\lib\security\cacerts.
>
> Since I'm receiving the message "Client certificate required", I can
> conclude that Axis for some reason cannot get the private key from inside the
> HSM. Hence, I'd like to know what exactly Axis is trying to do to read this
> private key. Is Axis trying to export the private key? If so, we've got a
> problem because the key isn't exportable.
>
> Any clue will be very helpful.
>
> Thanks.
>
> Fernando Cesar
> developer / researcher
>
> Phone: +55 19 3794 1608
> Mobile: +55 19 9839 9989
> www.synchro.com.br
Problems trying to access a secure WS using PKCS#11

Hi all,

I'm experiencing some problems trying to connect to a WS using SSL with a PKCS#11 Provider and an HSM (Hardware Security Module). The destination WS is returning the message "HTTP 403.7 - Forbidden: Client certificate required".

When I try to connect to the same WS, but using a JKS KeyStore, the connection and handshake complete without any problem.

Before I call the WS, I basically set the JCA system variables like this:

Using a JKS KeyStore:

    props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
    props.setProperty("javax.net.ssl.keyStorePassword", "x");
    props.setProperty("javax.net.ssl.keyStoreType", "JKS");

Using HSM and PKCS #11:

    props.setProperty("javax.net.ssl.keyStore", "NONE");
    props.setProperty("javax.net.ssl.keyStorePassword", "");
    props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");

The certificate of the server I'm trying to connect to, and its certificate chain, were imported into \jre\lib\security\cacerts.

Since I'm receiving the message "Client certificate required", I can conclude that Axis for some reason cannot get the private key from inside the HSM. Hence, I'd like to know what exactly Axis is trying to do to read this private key. Is Axis trying to export the private key? If so, we've got a problem because the key isn't exportable.

Any clue will be very helpful.

Thanks.

Fernando Cesar
developer / researcher

Phone: +55 19 3794 1608
Mobile: +55 19 9839 9989
www.synchro.com.br
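The thread hinges on two things the JSSE PKCS#11 setup quoted above depends on: with keyStoreType PKCS11 the "NONE" keystore is the token itself (so javax.net.ssl.keyStorePassword is the token PIN, not a file password), and the TLS client can only answer the server's CertificateRequest if that store exposes an alias that is a key entry with a certificate chain. The following diagnostic is an added example written for this page; it is not code from the thread, from Axis or from SafeNet. It assumes the config path c:/pkcs11.cfg named in the thread, prompts for the PIN on the console, and uses the Java 9+ Provider.configure API (the Java 8 and earlier equivalent, which is the thread's era, is noted in a comment). It loads the token as a KeyStore, lists what it exposes, and builds an SSLContext whose KeyManager signs the handshake through the provider so the private key never leaves the HSM.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added diagnostic example (not code from the thread, Axis or SafeNet).
 * Loads the PKCS#11 token as a KeyStore, lists what it exposes, and builds
 * an SSLContext from it so the TLS client can present the token's certificate.
 */
public class Pkcs11ClientAuthCheck {

    // Assumed path: matches the "c:/pkcs11.cfg" entry quoted in the thread.
    static final String PKCS11_CFG = "c:/pkcs11.cfg";

    /** Register SunPKCS11 programmatically instead of via the java.security file. */
    static Provider pkcs11Provider(String configPath) {
        // Java 9 and later: configure a copy of the built-in provider with the file.
        // On Java 8 and earlier the equivalent is: new sun.security.pkcs11.SunPKCS11(configPath)
        Provider p = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(p);
        return p;
    }

    /**
     * Open the token as a KeyStore. The type is "PKCS11" and the stream is null:
     * the token itself is the store, which is why javax.net.ssl.keyStore is "NONE"
     * and javax.net.ssl.keyStorePassword carries the token PIN, not a file password.
     */
    static KeyStore openToken(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /**
     * A TLS client can only answer a CertificateRequest if the store holds an alias
     * that is a key entry with a certificate chain. Returns the count of such aliases.
     */
    static int listClientCandidates(KeyStore ks) throws Exception {
        int usable = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean keyEntry = ks.isKeyEntry(alias);
            Certificate[] chain = ks.getCertificateChain(alias);
            int chainLength = chain == null ? 0 : chain.length;
            System.out.printf("alias=%s keyEntry=%b chainLength=%d%n", alias, keyEntry, chainLength);
            if (keyEntry && chainLength > 0) usable++;
        }
        return usable;
    }

    /** Build an SSLContext whose KeyManager signs the handshake inside the HSM. */
    static SSLContext tokenBackedContext(KeyStore ks, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);          // only a key handle is used; the private key is never exported
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null = the JRE's cacerts, where the thread imported the server chain
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // System.console() is null when run without a terminal; read the PIN another way then.
        char[] pin = System.console().readPassword("Token PIN: ");
        Provider p = pkcs11Provider(PKCS11_CFG);
        KeyStore ks = openToken(p, pin);
        if (listClientCandidates(ks) == 0) {
            System.out.println("No key entry with a chain on the token: the client has nothing to present.");
            return;
        }
        SSLContext ctx = tokenBackedContext(ks, pin);
        // Make it the process default so HttpsURLConnection-based clients pick it up.
        SSLContext.setDefault(ctx);
        System.out.println("Token-backed SSLContext installed.");
    }
}
```

Two things worth checking with this in hand. If the alias listing is empty or shows chainLength=0, the keystore is not the problem's symptom but its cause: the default X509KeyManager selects a client alias only among key entries whose chain is present, and it also filters by the key type and the issuer names the server lists in its CertificateRequest, so a chain whose issuer is not on that list is silently skipped. Running the client with -Djavax.net.debug=ssl:handshake shows whether a client Certificate message is actually sent after the server's CertificateRequest, which separates "no certificate selected" from "certificate sent but rejected". Note also that an empty javax.net.ssl.keyStorePassword, as in the thread's PKCS11 configuration, means an empty PIN is used to log in to the token; whether that is accepted depends on the token, and a failed login typically presents as an empty keystore rather than as an error.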