NeedClientAuth

I have configured two hosts with mec-as2 which work fine in SSL mode.
To communicate with one of my customers, I must use a client certificate in SSL v3.
To test it, each of my hosts has, in both as2/certificates.p12 and jetty/etc/keystore:
its own key pair,
the certificate of the other peer,
the certification authority's certificate.
When I send a file from one host to the other, with SSL activated, everything works fine. If I activate client authentication by modifying etc/jetty.xml and adding a line with true, the transfers fail with the following errors in the mec-as2 log:
[4:14:40 PM] mec_as2-1182435280059-81272@as2-test: Outgoing message signed with the algorithm SHA-1,using keystore alias "potez-as2-test".
[4:14:40 PM] mec_as2-1182435280059-81272@as2-test: Outgoing message encrypted with the algorithm 3DES, using keystore alias "as2.potez.com (potez aeronautique authority)".
[4:14:40 PM] mec_as2-1182435280059-81272@as2-test: Outbound AS2 message created from "jetty.xml" for the receiver "POTEZ_AERONAUTIQUE", raw message size: 14.00 KB
[4:14:41 PM] mec_as2-1182435280059-81272@as2-test: Sending message to https://as2.potez.com:8443/mec_as2/HttpReceiver, sync MDN requested.
[4:14:41 PM] mec_as2-1182435280059-81272@as2-test: Software caused connection abort: recv failed
[4:14:41 PM] mec_as2-1182435280059-81272@as2-test=: Connection problem, failed to transmit data.

plgarcia,
as far as I understand this, you are trying to connect to a URL that needs authentication with a user and password?
This is not supported in m-e-c as2 and I think it is not even supported in the AS2 standard (but I may be wrong).
That means you have set the receiver URL in a format like user:password@yourURL? And the same for the MDN URL? Do you have an as2 product that supports this and could send me a sample message that has been produced using this configuration?
On the other side, what is the idea behind it? If you are using SSL the authentication is done by the client certificate?
hmm, perhaps I still didn't get the point so far?
Regards
Heller
No, the goal is to have authentication done by both the server certificate and the client certificate at the SSL level; the NeedClientAuth option of jetty is to ask jetty to require that the client present a certificate in order to send the file.
Right?

plgarcia,
Ok, you would like to establish an SSL connection to your partner? There is no NeedClientAuth necessary in jetty for this. Please have a look at the thread SSL Problems, it contains information on how to set it up.
Regards
Heller
The SSL connection is fine (see previous posts), but I need SSL with both a server certificate and a client certificate (by default SSL needs only the server certificate), so NeedClientAuth is the option needed to tell jetty that authentication is to be done mutually between the client and the server.
Regards
Pierre-Luc

I downloaded the source files of mec-as2 and, after a while, I just added the following lines after the this.startDBServer() call in AS2Server.java, and this solved the certificate-based client authentication problem:
//Added by Pierre-Luc GARCIA 07/02/2007
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
// Needed for validation of the server certificate (truststore)
System.setProperty("javax.net.ssl.trustStore", new PreferencesAS2().get(PreferencesAS2.KEYSTORE_HTTPS_SEND));
// Needed for providing a client certificate for client authentication (keystore)
System.setProperty("javax.net.ssl.keyStore", new PreferencesAS2().get(PreferencesAS2.KEYSTORE_HTTPS_SEND));
System.setProperty("javax.net.ssl.keyStorePassword", new PreferencesAS2().get(PreferencesAS2.KEYSTORE_HTTPS_SEND_PASS));
//end Modifications by Pierre-Luc GARCIA
If you can make a new build with these mods, I will be very happy.
Thank you
Pierre-Luc

Pierre-Luc,
you could find the settings for the truststore in the class "de.mendelson.comm.as2.send.MessageHttpUploader". The code is executed before the message is sent (otherwise it would be impossible to use the https protocol).
We tested it in several environments and it seems to work fine, same for the community members who set up certificate-based SSL communication.
I still do not understand why there exists a problem in the SSL communication in the existing code; there seems to be no difference whether the truststore code is executed in the send module of the as2 server or in the as2 server itself?
Regards
Heller
Your current code is:
// truststore (the first line of this block was cut off in the original post; it sets javax.net.ssl.trustStore, as in my earlier patch)
System.setProperty("javax.net.ssl.trustStore",
this.preferences.get(PreferencesAS2.KEYSTORE_HTTPS_SEND));
System.setProperty("javax.net.ssl.trustStorePassword",
this.preferences.get(PreferencesAS2.KEYSTORE_HTTPS_SEND_PASS));
which initializes the truststore, and the code I added yesterday is:
System.setProperty("javax.net.ssl.keyStore", new PreferencesAS2().get(PreferencesAS2.KEYSTORE_HTTPS_SEND));
System.setProperty("javax.net.ssl.keyStorePassword", new PreferencesAS2().get(PreferencesAS2.KEYSTORE_HTTPS_SEND_PASS));
which initializes the keystore. I moved the following code after your initialization code in MessageHttpUploader
and it works fine:
// Needed for providing a client certificate for client authentication
System.setProperty("javax.net.ssl.keyStore", this.preferences.get(PreferencesAS2.KEYSTORE_HTTPS_SEND));
System.setProperty("javax.net.ssl.keyStorePassword", this.preferences.get(PreferencesAS2.KEYSTORE_HTTPS_SEND_PASS));
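As an added example (not mec-as2's or Jetty's own code), here is the same mutual authentication set up programmatically in Java: one SSLContext built from the certificates.p12 file described in the thread (own key pair, peer certificate, CA certificate), used on the client side instead of the JVM-wide javax.net.ssl.* system properties, plus the server-side equivalent of Jetty's NeedClientAuth. The class and method names are my own, the keystore path and password are assumed arguments, and the protocol name "TLS" is used in place of the SSL v3 mentioned above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

// One SSLContext that both presents its own certificate (KeyManager) and
// validates the peer's certificate (TrustManager), read from a single PKCS12
// file holding the own key pair, the peer certificate and the CA certificate.
public final class MutualTlsExample {

    static SSLContext contextFromKeystore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { // path is an assumed argument
            ks.load(in, password);
        }
        // Own key pair: presented when the server requires client authentication.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // Trusted certificates: the peer's certificate is validated against these.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Client side: same effect as the javax.net.ssl.keyStore/trustStore system
    // properties in the thread, but scoped to this connection, not the whole JVM.
    static int postWithClientCert(SSLContext ctx, String url, byte[] body) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.getOutputStream().write(body);
        return conn.getResponseCode(); // a failed handshake surfaces here as an SSLException
    }

    // Server side: the programmatic equivalent of Jetty's NeedClientAuth=true.
    static SSLServerSocket requireClientAuth(SSLContext ctx, int port) throws Exception {
        SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        s.setNeedClientAuth(true); // handshake fails unless the client presents a trusted certificate
        return s;
    }
}
```

With the peer certificate absent from the PKCS12 file, postWithClientCert fails at the handshake on the client side, and a server socket from requireClientAuth rejects a client that presents no certificate; that is the check to run when the "Connection problem, failed to transmit data" error above appears.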

Hi All,
How was this solved exactly?
Scenario is like this:
I have two hosts with mec-as2, 'A' and 'B'.
'A' wants to send a file to 'B' using SSL (works fine without client authentication).
'A's Jetty keystore has trusted 'B's certificate, but 'B's Jetty keystore has NOT trusted 'A's certificate.
Now, 'A' can send files to 'B', regardless of whether 'A's own certificate is trusted or not in its Jetty keystore.
Just adding (in the client, 'A')
<Set name="NeedClientAuth">true</Set>
in the jetty.xml and trusting its own certificate (for the client certificate) should configure client authentication?
When I add the above modifications, 'A' can still send files to 'B', even if 'B's certificate is not trusted yet in 'A', meaning client authentication is NOT working properly?
Thanks in advance
Regards,
Angelo

Angelof,
The changes were that now the truststore and the keystore are set to the path that you set up in the preferences. That means that you should also include the CA certificates in this keystore for the certificates to be trusted.
Just to clarify the issue:
-----------------------------
1. Server Authentication - Server program must have access to the server's "full" certificate, which contains the server's identity, public key and private key. During handshake process, the server will extract the server's "public" certificate and send it to the client. On the client side, the client program must be able to authenticate the server's identity by validating the server's "public" certificate. One way to identify the server's identity is to install server's "public" certificate to client program as a trusted certificate. Server authentication seems to be always required.
2. Client Authentication - This is the 100% mirror process of server authentication. However, client authentication is optional for SSL communication.
---------------------------------
The client authentication could be set up in the underlying webserver, please have a look at http://jetty.mortbay.org/jetty5/faq/faq_s_400-Security_t_Client Certificates.html
It looks like you have to make changes in the file web.xml of the mec_as2.war and also in the jetty/etc/jetty.xml file, but I have never tested that.
Regards
Heller
Hi Heller,
To configure client authentication, I needed to add just
<Set name="NeedClientAuth">true</Set>
in the jetty.xml.
None of the other changes you suggested were required.
You can test this from the browser as well.
So with the above setting added to the jetty.xml, browse
https://localhost:8443/mec_as2/,
then, in addition to the browser asking us to trust the server's certificate (server authentication), the browser has to submit its certificate to the server as well; if no certificate has been imported into the browser beforehand, this will fail and the browser will display a message saying so.
Kind regards,
Angelo

Hello Angelof,
I tried to follow your instructions to configure the Client Auth, but it fails.
My server SSL works perfectly for both inbound and outbound cases; it is just when I try Client Auth that it fails.
You have mentioned that we need to add in jetty.xml
<Set name="NeedClientAuth">true</Set>
Where should this be added in the jetty.xml? I tried to add this to the addConnector part for the SSL, but it doesn't do the magic I was hoping it would do.
Can you please help me out on what I would have missed possibly?
Thanks,
Bhavesh
Hello Bhavesh,
I have replied to your email and attached a sample Jetty.xml file.
NOTE: I used the latest version of the mec as2 adaptor; check specifically whether the trusting of the client's SSL certificate in the server is done properly.
Kind regards,
Angelo
© 1999-2008 mendelson-e-commerce GmbH. All rights reserved.
I am trying to make client certificate authentication work, but I get
Software caused connection abort: recv failed
Connection problem, failed to transmit data.
1. SSL works fine in mec-as2 without client authentication.
2. Client authentication works fine from Internet Explorer to my mec-as2 server.
I really don't know where to go from here!
Thank you for your help
Pierre-Luc