David,
On 1/12/16 7:43 AM, David Sills wrote:
> All:
>
> I'm trying to set up clientAuth SSL connection between a batch process and
> Tomcat (7.0.55, Java 8 64-bit server). One-way SSL works wonderfully. I set
> up a server certificate (self-signed) and used this configuration in Tomcat
> (server.xml):
>
> <Connector port="${https.port}"
> protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true" sslProtocol="TLS"
> keystoreFile="conf/dsikeystore.jks"
> keystorePass="keystorePassword"
> clientAuth="false"
> />
>
> In the client, I used
>
> java -cp ws-client.jar -Djavax.net.ssl.trustStore=clientkeystore2.jks
> -Djavax.net.ssl.trustStorePassword=changeme
> com.datasourceinc.abis.ws.pds.ServiceClient
>
> It seemed to me pretty straightforward that to set up client authentication,
> I would need to
>
>
> 1. Generate another (self-signed) certificate
>
> 2. Export that certificate to a *.crt file
>
> 3. Create another keystore on the server
>
> 4. Import the certificate from #2
>
> 5. Mark that in the configuration as the trust store
>
> So,
>
> <Connector port="${https.port}"
> protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true" sslProtocol="TLS"
> keystoreFile="conf/dsikeystore.jks"
> keystorePass="keystorePassword"
> clientAuth="true"
> truststoreFile="conf/clienttrustkeystore.jks"
> truststorePass="changeme"
> />
Pretty much, yes.
> And change the client (which has the original self-signed certificate) thus
>
> java -cp ws-client.jar -Djavax.net.ssl.keyStore=clientkeystore.jks
> -Djavax.net.ssl.keyStorePassword=changeme
> -Djavax.net.ssl.trustStore=clientkeystore2.jks
> -Djavax.net.ssl.trustStorePassword=changeme
> com.datasourceinc.abis.ws.pds.ServiceClient
No, the client doesn't need a trust store. The client needs to specify
the keystore where the client certificate exists. Also, the client needs
to know which key to present to the server. Is the client you are using
known to work correctly? I'm tempted to recommend that you use another
tool known to do client-certs correctly, just in case your home-brewed
tool is not doing what it should.
>
> All keystores have been verified.
>
> I have to have done something wrong or missed a step, because I keep butting
> up against this error, even after having tried all the fixes I read online,
> including restarting my (Windows 7) machine and of course restarting the
> server:
>
> java.net.SocketException: Software caused connection abort: recv failed
> at java.net.SocketInputStream.socketRead0(Native Method)
> at java.net.SocketInputStream.read(Unknown Source)
> at java.net.SocketInputStream.read(Unknown Source)
> at sun.security.ssl.InputRecord.readFully(Unknown Source)
> at sun.security.ssl.InputRecord.read(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source)
> at sun.security.ssl.HandshakeOutStream.flush(Unknown Source)
> at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source)
> at
> sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
> at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker.process_record(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at
> org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
> at
> org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
> at
> org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
> at
> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
>
> at
> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
> at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> at org.apache.axis.client.Call.invoke(Call.java:2767)
> at org.apache.axis.client.Call.invoke(Call.java:2443)
> at org.apache.axis.client.Call.invoke(Call.java:2366)
> at org.apache.axis.client.Call.invoke(Call.java:1812)
> at
> com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164)
> at
> com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.java:47)
>
> {http://xml.apache.org/axis/}hostname:DSI-DEV03
>
> java.net.SocketException: Software caused connection abort: recv failed
> at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
> at
> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
>
> at
> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
> at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> at org.apache.axis.client.Call.invoke(Call.java:2767)
> at org.apache.axis.client.Call.invoke(Call.java:2443)
> at org.apache.axis.client.Call.invoke(Call.java:2366)
> at org.apache.axis.client.Call.invoke(Call.java:1812)
> at
> com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164)
> at
> com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.java:47)
> Caused by: java.net.SocketException: Software caused connection abort: recv
> failed
> at java.net.SocketInputStream.socketRead0(Native Method)
> at java.net.SocketInputStream.read(Unknown Source)
> at java.net.SocketInputStream.read(Unknown Source)
> at sun.security.ssl.InputRecord.readFully(Unknown Source)
> at sun.security.ssl.InputRecord.read(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source)
> at sun.security.ssl.HandshakeOutStream.flush(Unknown Source)
> at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source)
> at
> sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
> at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker.process_record(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at
> org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
> at
> org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
> at
> org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
> at
> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
>
> ... 11 more
>
> Does anyone have any ideas that might help?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
