I'm attempting to enable SSL communication from a web service client (Axis2) using the certificate on the user's CAC card. Works like a charm... UNTIL the web server is CAC enabled. At that point the SSL connection is rejected with the error message that the other certificates in the chain were not included.

I have ensured that the provider is available, either by adding it to the security.properties file or creating it programmatically.

My current approach is to simply set the system properties: System.setProperty("javax.net.ssl.keyStore", "NONE"); System.setProperty("javax.net.ssl.keyStoreType", "PKCS11");

I understand from this question/answer that this approach only sends the "end entity" certificate. Apparently I need to implement my own X509KeyManager. This is new ground for me; can anyone suggest a good reference or provide samples of how to do so?

Appreciate the assistance.

A: erickson

Comments:

martin: If you know the intermediates and control the server you're connecting to then you can add needed intermediates to the server configuration instead of changing the client.

erickson: Possibly. It depends on the server. When a server is misconfigured with an incomplete chain, it isn't unreasonable for clients to treat it as a bug. Likewise, it is reasonable to have the same expectation for client authentication. In this question, the poster has indicated that they control the client, and has asked for help in implementing a key manager—an approach that satisfies the expectation to provide a complete chain.

DBCowboy: Thanks for the feedback. I'm going to try this out with a regular socket and then figure out how to insert the same change into the Axis2 configuration.
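An added example of the delegating X509KeyManager the thread discusses (this is not code from the question or from any answer): it wraps the key manager that the PKCS11 keystore produces, so alias selection and the private key handle still come from the card, and only getCertificateChain is changed to append the issuing CA certificates from a separate truststore. The class name, buildContext, and the pin/intermediates parameters are assumptions; the PKCS#11 provider is assumed to be registered already, as the question describes.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

/** Delegates to the PKCS#11 (CAC) key manager but returns the full issuer chain. */
public final class ChainCompletingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final Map<X500Principal, X509Certificate> issuersBySubject = new HashMap<>();

    /** intermediates: a JKS/PKCS12 store holding the CA certificates the card itself does not carry. */
    public ChainCompletingKeyManager(X509KeyManager delegate, KeyStore intermediates) throws KeyStoreException {
        this.delegate = delegate;
        for (String alias : Collections.list(intermediates.aliases())) {
            X509Certificate ca = (X509Certificate) intermediates.getCertificate(alias);
            if (ca != null) issuersBySubject.put(ca.getSubjectX500Principal(), ca);
        }
    }

    @Override public X509Certificate[] getCertificateChain(String alias) {
        X509Certificate[] chain = delegate.getCertificateChain(alias); // usually just the end-entity cert
        if (chain == null || chain.length == 0) return chain;
        List<X509Certificate> full = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = full.get(full.size() - 1);
        // Walk issuer links until we reach a self-signed root or an issuer we do not hold.
        while (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            X509Certificate issuer = issuersBySubject.get(last.getIssuerX500Principal());
            if (issuer == null) break;
            try { last.verify(issuer.getPublicKey()); } catch (GeneralSecurityException e) { break; } // same name, wrong key
            full.add(issuer);
            last = issuer;
        }
        return full.toArray(new X509Certificate[0]);
    }

    // Alias selection and the private key handle pass straight through to the PKCS#11 key manager.
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return delegate.chooseClientAlias(kt, is, s); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext that presents the CAC certificate together with its chain (replaces the two system properties). */
    public static SSLContext buildContext(char[] pin, KeyStore intermediates) throws Exception {
        KeyStore cac = KeyStore.getInstance("PKCS11"); // assumes the SunPKCS11 provider is already registered
        cac.load(null, pin);                           // PIN logs in to the token; null works if a CallbackHandler is configured
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(cac, null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new ChainCompletingKeyManager((X509KeyManager) kmf.getKeyManagers()[0], intermediates) }, null, null);
        return ctx;
    }
}
```

For the "regular socket" test mentioned in the comments, `buildContext(pin, store).getSocketFactory()` gives an SSLSocketFactory that sends the completed chain during client authentication.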