RES: Problems trying to access a secure WS using PKCS#11

2008-08-28 Thread Fernando Cesar Silva
Hi Steve,

If you are interested in testing the SafeNet HSM, you can download the SafeNet SDK,
which has an HSM emulator, at:
www.proteq.com.br/download/protecttoolkit_c_3_32_B.iso

You will need to install the package according to your OS. You can consult
the PTKC installation manual for more details.

Regards,

Fernando Cesar

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RES: Problems trying to access a secure WS using PKCS#11

2008-08-27 Thread Fernando Cesar Silva
Steve,

Answering your questions:

"Does your PKCS11 keystore have the same contents as the Java keystore?"
Exactly the same.


"How does Axis/Java know where to look for certificates if the keystore is
set to "NONE"?"
According to the JSSE Reference Guide, when an HSM or token is used, the
keystore has to be set to NONE. Java knows where to look for certificates
because there is a PKCS#11 Provider registered in the java.security file:

security.provider.7=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg

And my pkcs11.cfg file points to the PKCS#11 Provider implementation, the
alias inside the HSM to be used and the HSM slot to be used.


"Did the HSM come with its own implementation of parts of Java Cryptography?
The documentation might indicate different properties to set."
Yes. All required properties are already set.


Fernando Cesar




Re: Problems trying to access a secure WS using PKCS#11

2008-08-26 Thread SGruverman
I've not worked with an HSM and not used client certificates much, but a
couple of things that may be helpful:

Does your PKCS11 keystore have the same contents as the Java keystore?

How does Axis/Java know where to look for certificates if the keystore is
set to "NONE"?

Did the HSM come with its own implementation of parts of Java Cryptography?
The documentation might indicate different properties to set.

- Steve





Problems trying to access a secure WS using PKCS#11

2008-08-26 Thread Fernando Cesar Silva
Hi all,

I'm experiencing some problems trying to connect to a WS using SSL with a
PKCS#11 Provider and an HSM (Hardware Security Module). The destination WS is
returning a message "HTTP 403.7 - Forbidden: Client certificate required".

When I try to connect to the same WS, but using a JKS KeyStore, the connection
and handshake are done without any problem.

Before I call the WS, I basically set the JCA system variables like this:

Using a JKS KeyStore:

props.setProperty("javax.net.ssl.keyStore", "C:/Certificados_TA/transpamericana.jks");
props.setProperty("javax.net.ssl.keyStorePassword", "x");
props.setProperty("javax.net.ssl.keyStoreType", "JKS");


Using HSM and PKCS #11:

props.setProperty("javax.net.ssl.keyStore", "NONE");
props.setProperty("javax.net.ssl.keyStorePassword", "");
props.setProperty("javax.net.ssl.keyStoreType", "PKCS11");

The certificate of the server I'm trying to connect to and its certificate chain
were imported into \jre\lib\security\cacerts.

Since I'm receiving the message "Client certificate required", I can
conclude that Axis for some reason cannot get the private key from inside the
HSM. Hence, I'd like to know what exactly Axis is trying to do to read this
private key. Is Axis trying to export the private key? If so, we've got a
problem because the key isn't exportable.

Any clue will be very helpful.

Thanks.

Fernando Cesar
developer / researcher

Phone:  +55 19 3794 1608
Mobile: +55 19 9839 9989
www.synchro.com.br




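An added diagnostic, not code from the thread or from Axis, that does by hand what the keyStore=NONE / keyStoreType=PKCS11 properties and the java.security provider line make JSSE do: open the PKCS#11 keystore, list the key entries and their certificate chains, show that the private key is a non-exportable handle (getEncoded() returns null, so nothing leaves the HSM), and ask the same key manager JSSE would use which alias it would present to a server. It assumes the SunPKCS11 provider is already registered in java.security as in the thread and that the HSM user PIN is passed as the first command-line argument; the class name is a placeholder.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example, not code from the thread or from Axis. Assumes the SunPKCS11
// provider is registered in java.security as in the thread and that the HSM
// user PIN is passed as the first command-line argument.
public class Pkcs11KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        char[] pin = args[0].toCharArray();

        // keyStore=NONE / keyStoreType=PKCS11 amounts to these two calls: there
        // is no file, the token itself is the store, and the PIN is the password.
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate entry only, no private key");
                continue;
            }
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            Certificate[] chain = ks.getCertificateChain(alias);
            // A token key has no encoding: JSSE holds a handle and lets the HSM
            // sign during the handshake, so the key is never exported.
            System.out.println(alias + ": " + key.getAlgorithm()
                + " exportable=" + (key.getEncoded() != null)
                + " chainLength=" + (chain == null ? 0 : chain.length));
            if (chain != null && chain.length > 0) {
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("  subject=" + leaf.getSubjectX500Principal()
                    + " issuer=" + leaf.getIssuerX500Principal());
            }
        }

        // The same key manager JSSE builds from the javax.net.ssl.* properties.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // null issuers means "any CA". If this is null, no client certificate
        // will be sent in any handshake, whatever issuers the server lists.
        String chosen = km.chooseClientAlias(new String[] {"RSA", "EC"}, null, null);
        System.out.println("Alias JSSE would present to the server: " + chosen);
    }
}
```

If the alias comes back non-null here but the server still answers 403.7, the mismatch is between the server's accepted issuer list and the chain the token returns, not in key access.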