Monday, February 16, 2004
Securing a Web Service - Client Certificate

I did some minor clean up on the previous security entries to make them consistent. Now we are ready to make our SSL client work with client certificates. So far we were only trusting the server, but of course we want the server to trust the client too.

So first, let's create a client certificate and put it in our client.keystore keystore file:

    <JAVA_HOME>\jre\bin\keytool -genkey -alias oc4j-cl -dname "CN=Client, OU=STJPG, O=Oracle, L=Redwood Shores, S=CA, C=US" -keyalg RSA -keypass welcome -storepass welcome -keystore client.keystore

Next, like before, we need to export this so we can import it into the server's keystore:

    <JAVA_HOME>\jre\bin\keytool -export -alias oc4j-cl -file client.cer -keystore client.keystore -storepass welcome

Then, copy the file over to where the server key store is located:

And finally, import this client certificate into the server keystore - by now this is probably seeming pretty straightforward:

    <JAVA_HOME>\jre\bin\keytool -import -v -trustcacerts -alias oc4j-cl -file client.cer -keystore server.keystore -keypass welcome -storepass welcome

Here is a picture of these steps: [figure: the export/copy/import steps above; image not available]

Lastly, we want OC4J to ask the client for its certificate so that we get this mutual authentication. This is a quick change. Currently we have this configuration line in our secure-web-site.xml file:

    <ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory" keystore="../../server.keystore" keystore-password="welcome">

to which we need to add the needs-client-auth attribute on the ssl-config element:

    <ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory" keystore="../../server.keystore" keystore-password="welcome" needs-client-auth="true">

Then we restart OC4J (with SSL debugging turned on so we can watch the handshake) and run our client again, hopefully this time with a mutually trusted certificate exchange:

    java -Djavax.net.debug=all -jar oc4j.jar

So is this topic finally beaten into the ground? Well, not quite.
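The whole keystore exchange above can be scripted and then checked, which is handy because the usual mistake is that the server ends up trusting nothing (wrong store, wrong password, or the cert landing in the client store instead). The script below is an added example, not from the original post: it builds both keystores, does the export/import in both directions (the server-to-client half is the "like before" step from the earlier entries), and then verifies with keytool -list that each side holds the other's certificate as a trustedCertEntry and that the trusted copy is byte-for-byte the exported certificate. It assumes a JDK keytool on the PATH; the server alias oc4j, the 2048-bit key size and the one-year validity are my assumptions, and the work directory is a constructed temp dir. The passwords and the client alias are the post's values.

```shell
#!/bin/sh
# Added example (not the post's own commands): script the keystore exchange and verify it.
# Assumes a JDK `keytool` on PATH. Aliases/passwords follow the post; "oc4j" for the
# server alias, key size and validity are assumptions; WORK is a constructed scratch dir.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS=welcome          # the post uses "welcome" for both -keypass and -storepass
DAYS=365

# Generate an RSA key pair under alias $1 in keystore $2 with distinguished name $3.
gen_key() {
    keytool -genkey -alias "$1" -dname "$3" -keyalg RSA -keysize 2048 -validity "$DAYS" \
        -keypass "$PASS" -storepass "$PASS" -keystore "$WORK/$2"
}

# Export the certificate (public part only) for alias $1 from keystore $2 into file $3.
export_cert() {
    keytool -export -alias "$1" -storepass "$PASS" -keystore "$WORK/$2" -file "$WORK/$3"
}

# Import certificate file $2 into keystore $3 as a trusted entry named $1.
# -noprompt skips the interactive "Trust this certificate?" question.
import_cert() {
    keytool -import -noprompt -trustcacerts -alias "$1" -file "$WORK/$2" \
        -keystore "$WORK/$3" -storepass "$PASS"
}

build_keystores() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping" >&2; return 0; }
    gen_key oc4j    server.keystore "CN=Server, OU=STJPG, O=Oracle, L=Redwood Shores, S=CA, C=US"
    gen_key oc4j-cl client.keystore "CN=Client, OU=STJPG, O=Oracle, L=Redwood Shores, S=CA, C=US"
    export_cert oc4j    server.keystore server.cer
    export_cert oc4j-cl client.keystore client.cer
    import_cert oc4j    server.cer client.keystore   # client trusts server (earlier entries)
    import_cert oc4j-cl client.cer server.keystore   # server trusts client (this entry)
}

# Succeeds when keystore $2 holds alias $1 as a trustedCertEntry (a trusted cert,
# not a private key). This is the check that needs-client-auth depends on.
trusts() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -list -alias "$1" -keystore "$WORK/$2" -storepass "$PASS" | grep -q trustedCertEntry
}

# Succeeds when the copy of alias $1 in keystore $3 is the same certificate as the
# original in keystore $2 (keytool -export -rfc prints PEM to stdout without -file).
same_cert() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -export -rfc -alias "$1" -keystore "$WORK/$2" -storepass "$PASS" >"$WORK/orig.pem"
    keytool -export -rfc -alias "$1" -keystore "$WORK/$3" -storepass "$PASS" >"$WORK/copy.pem"
    cmp -s "$WORK/orig.pem" "$WORK/copy.pem"
}

build_keystores
if command -v keytool >/dev/null 2>&1; then
    echo "server.keystore contents:"
    keytool -list -keystore "$WORK/server.keystore" -storepass "$PASS"
fi
```

Point the ssl-config keystore attribute at the resulting server.keystore and the client's trust store at client.keystore and the handshake should complete with needs-client-auth="true". If `trusts oc4j-cl server.keystore` fails, the server has no trusted copy of the client certificate and the javax.net.debug trace will show the server rejecting the client's chain.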
We still haven't explored Oracle's Certificate Authority to get real certificates, nor have we explored WS-Security. Phew ... this is a big topic, and as I work my way through it, hopefully you are starting to get a sense of the kind of tooling that would be useful to have for this kind of activity. A couple of Web articles were instrumental in getting me this far; along with the documentation I pointed out as I went along, they complement this rather OC4J-centric exercise:

10:18:12 PM