on 05-06-2008 7:29 AM
Hello,
I am trying to use the SOAP Receiver Adapter with SSL. I imported the client certificate into the Key Store with the Visual Admin. But when I try to configure the channel to use this certificate, then the certificate is not in the list. (I guess, because it is a certificate and not a key).
Is there anybody out there who has experienced such a problem or a link on good documentation?
Regards
Christian
Christian,
In which key store did you store your client certificate? Even if these stores use the "key" concept, they can also contain certificates (another sort of key).
I just checked one of my SOAP adapters, and I can see keys defined in service_ssl or TicketKeystore (default keystore view).
Rgds
Chris
Hello Chris,
thank you for your suggestions. I tried and put the certificate into the Standard Views and also restarted the J2EE server. But they still do not show up in the Directory. If I create a test key, then it shows up in the directory list.
Do you have any other suggestion? Do you use certificates for Authentication?
Regards
Christian
I used to use BC too, with client certificates ... Maybe I can try to get one of its certificates and see if I can do like you did.
Chris
PS: one last thought, are you able to get your certificate in a PKCS format (check which flavors are supported by the KeyStorage service thru VA)? It seems to be the only way to export a certificate and its corresponding private key (which is required to be used as a client certificate) ...
Edited by: Christophe PFERTZEL on May 6, 2008 10:24 PM
Hello Chris,
if I look at those certificates they do not show any private key. Although there seems to be no key in them, they work to authenticate with our partners (using the "Client certificates" view in BC).
Hm. Do you know any tool to examine the certificates in detail? Maybe there is some key which is part of the client certificate file?!
Regards
Christian
Christian,
I'm running out of ideas, but another confirmation please: your scenario is
you -> xi -(soap)-> partner
or
partner -(soap)-> xi -> you ?
Your last statement confuses me, cuz if I remember right, the "client certs" in BC are used to authenticate external partners against a BC user (in this case, it would be a sender system in XI world) ... I'm not sure though, because I've stopped using BC a long time ago.
Chris
Edited by: Christophe PFERTZEL on May 7, 2008 12:11 PM
Hi again,
Thanks for confirming. I've checked BC's help file, and here is what it says about "client certificates":
"Use the Client Certificates screen to view the list of clients whose certificates are accepted by your server. You also use this screen to add (import) and delete certificates from this list.
Note: If your SSL port is configured to "require" client certificates, the port will accept requests from only those clients whose certificates are in this list."
So you're right, it is used to authenticate you, as client, when reaching your target thru SSL (meaning the target requires a certificate from you instead of user/pwd or nothing).
For you, who generated this certificate, and how?
Chris
Edited by: Christophe PFERTZEL on May 7, 2008 12:26 PM
Hi
I am using certificates to authenticate with an external provider. I have no certificate configuration in the adapter, but in Visual Admin there is a service called SSL Provider. Here you can choose Dispatcher -> Active Sockets. For each active socket choose the tab Client Authentication -> tick the radio button "Request Client Certificate" and add your certificate from the Trusted CAs view. This is enough for me to make this work...
regards Ole
Christian,
I've reviewed my own configuration for the receiver HTTPS adapter (I think SSL settings must be done the same way for SOAP, as the technical layer is the same), and here is what I've done:
1 - imported the whole root CA chain (sent by our partner, but also retrieved using IE when testing their URL)! Note: their client (lowest) certificate has not been loaded into the KeyStore
2 - I've created XI's SSL server certificate issued (using a CSR) by VeriSign and assigned it to the SSL provider as its server identity
3 - I've sent the XI SSL certificate (client cert + its VeriSign root CA) to our partner
4 - they have imported our client cert into their own system
5 - I have assigned the created SSL key (private key) to the HTTP adapter
Now, it is working fine this way:
1 - when we send them a document, XI checks the partner's server certificate against its known root CAs from its TrustedCAs view,
2 - XI presents its own certificate to the partner, which checks that our certificate is trusted on their side (root CAs) and is mapped against an internal user with the required credentials,
3 - SSL handshake is successful, HTTPS link created
Is there any difference with your own implementation ?
Chris
There seems to be a lot of confusion here.
You CANNOT use client certificates (with only the public key) to authenticate yourself on an SSL connection. SSL communication demands data to be encrypted, and in order to encrypt anything you need the private key certificate.
Also, from the BC documentation:
"Use the Client Certificates screen to view the list of clients whose certificates are accepted by your server. You also use this screen to add (import) and delete certificates from this list."
It says that these client certificates are "accepted by your server". It's not like you're going to use them to authenticate yourself, but rather accept these from clients who may try to connect to your server.
Regards,
Henrique.
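The earlier question about a tool to examine the certificates in detail, and Henrique's point that a certificate alone (public key only) cannot serve as your own client identity, as an added example that is not part of any post in this thread: a small POSIX shell script around openssl that lists the PEM blocks a file contains, classifies whether the file is a usable client identity, and checks that a private key actually belongs to a certificate. File names and the throw-away self-signed certificates are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: inspect what a PEM file really carries
# and whether it can act as an SSL client identity. File names are assumptions;
# the certificates are generated on the fly as constructed test material.
set -e

# List the PEM block types present, e.g. "CERTIFICATE" or "PRIVATE KEY".
pem_kinds() {
    grep -o -- '-----BEGIN [A-Z ]*-----' "$1" |
        sed 's/^-----BEGIN \(.*\)-----$/\1/' | sort -u | xargs echo
}

# A client identity needs the certificate AND its private key; a file a
# partner hands you normally holds only the public certificate.
classify() {
    has_cert=0; has_key=0
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && has_cert=1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" && has_key=1
    case "$has_cert$has_key" in
        11) echo usable-identity ;;
        10) echo certificate-only ;;
        01) echo key-only ;;
        *)  echo unknown ;;
    esac
}

# True when the key's public half equals the public key inside the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Human-readable summary: subject, issuer and validity period.
describe_cert() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# Constructed test material: two throw-away self-signed identities.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
for name in client other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
done
cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/client-identity.pem"

describe_cert "$WORK/client.crt"
for f in client.crt client.key client-identity.pem; do
    printf '%-20s %-17s blocks: %s\n' "$f" "$(classify "$WORK/$f")" "$(pem_kinds "$WORK/$f")"
done
```

Run against the exported file from the keystore: if it reports certificate-only, there is no private key in it to import, which is exactly the situation the thread describes.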
Henrique,
Thanks for confirming/clarifying. Maybe I haven't been able to explain my implementation correctly, but the client certificate (public key) is only used to "show" your identity (trusted or not) to the target point of the connection.
In order to encrypt the flow, private keys (I admit I often misused the term "certificate" for both types) must be used internally, but public keys are also involved to "decrypt".
Chris
Hello,
thank you all for your posts. I just misunderstood the concept of SSL, I think. We have now imported our private key corresponding to the certificates which we gave to our partners, and everything works fine.
What is still a bit ugly is that when you import the private key, the VA asks twice for the password and certificate chain... And you need to press "Cancel" to stop it asking for more certificates.
Regards
Christian