I am developing a mobile application that is to run on a Windows Mobile PDA. The application is written in Java and to run it we are using the J9 JVM from IBM. The application communicates with an Apache Tomcat server over HTTP and we are trying to set it up now to use SSL.

I have generated public/private keys for both the client and the server, exported their self signed certificates and imported them into the respective keystores. Initially I tried to just get it working using only server side authentication and that was successful. But I am now trying to get mutual authentication by setting clientAuth="true" in the server.xml file in the apache conf directory.

I have enabled the SSL logging on the server and when the client connects the server reports an SSLProtocolException: handshake alert: no_certificate. The client logs also show an exception:

javax.net.ssl.SSLHandshakeException: unexpected_message
    at com.ibm.j9.jsse.SSLSocketImpl.completeHandshake(Unknown Source)
    at com.ibm.j9.jsse.SSLSocketImpl.startHandshake(Unknown Source)
    at com.ibm.oti.net.www.protocol.https.HttpsURLConnection.openSocket(Unknown Source)
    at com.ibm.oti.net.www.protocol.https.HttpsURLConnection.connect(Unknown Source)
    at com.ibm.oti.net.www.protocol.https.HttpsURLConnection.sendRequest(Unknown Source)
    at com.ibm.oti.net.www.protocol.https.HttpsURLConnection.doRequest(Unknown Source)
    at com.ibm.oti.net.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)

The client keystore and truststore are configured by setting the following System Properties:

javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword

Does anyone have any ideas how I can set up client authentication on the J9 JVM?
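A handshake that ends in no_certificate on the server and unexpected_message on the client usually means the client's key manager found nothing it could present: the keystore named by javax.net.ssl.keyStore holds only trusted-certificate entries, or its private-key entry is not chained to any issuer the server listed in its CertificateRequest (with a self-signed client certificate, that list must contain the client certificate itself, i.e. the server's truststore must hold it). The following added example, written against the standard JSSE API and not taken from the question or from IBM's J9 documentation, inspects the keystore for usable private-key entries and then builds an explicit SSLContext from the keystore and truststore instead of relying on the system properties, so the client-auth failure is visible before the socket is opened. File names, the store types, the password "changeit" and the server URL are placeholders to replace; whether J9's HttpsURLConnection honours setSSLSocketFactory is assumed, not verified. Generics are avoided so the code compiles on older J2ME/CDC-class runtimes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Placeholder paths, store types and passwords (hypothetical; use your own).
    static final String KEYSTORE_PATH = "client.p12";
    static final String KEYSTORE_TYPE = "PKCS12";
    static final char[] KEYSTORE_PASS = "changeit".toCharArray();
    static final String TRUSTSTORE_PATH = "truststore.jks";
    static final String TRUSTSTORE_TYPE = "JKS";
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();
    static final String SERVER_URL = "https://server.example:8443/"; // placeholder

    // Load a keystore of the given type from disk.
    static KeyStore load(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass);
        } finally {
            in.close();
        }
        return ks;
    }

    // Count private-key entries and print each entry's role. Zero key entries
    // means the client can never answer a CertificateRequest, which is exactly
    // the no_certificate alert the server reports.
    static int countPrivateKeyEntries(KeyStore ks) throws Exception {
        int count = 0;
        Enumeration aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                count++;
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                // The issuer DN is what the key manager matches against the
                // server's list of acceptable CAs; for a self-signed client
                // certificate it equals the subject DN.
                System.out.println("key entry '" + alias + "' subject="
                        + cert.getSubjectDN().getName() + " issuer="
                        + cert.getIssuerDN().getName());
            } else {
                System.out.println("trusted-cert entry '" + alias
                        + "' (no private key, unusable for client auth)");
            }
        }
        return count;
    }

    // Build an SSLContext that presents the keystore's private key and trusts
    // only what is in the truststore, independent of the javax.net.ssl.* properties.
    static SSLContext buildContext(KeyStore keyStore, char[] keyPass, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(KEYSTORE_PATH, KEYSTORE_TYPE, KEYSTORE_PASS);
        KeyStore ts = load(TRUSTSTORE_PATH, TRUSTSTORE_TYPE, TRUSTSTORE_PASS);
        if (countPrivateKeyEntries(ks) == 0) {
            System.err.println("keystore has no private key entry: client authentication cannot succeed");
            return;
        }
        SSLContext ctx = buildContext(ks, KEYSTORE_PASS, ts);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(SERVER_URL).openConnection();
        conn.setSSLSocketFactory(ctx.getSSLSocketFactory());
        conn.connect();
        System.out.println("HTTP " + conn.getResponseCode() + " cipher=" + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

Run it once against the real files: if the keystore lists only trusted-cert entries, the client cert and key were imported without the private key (a common outcome of importing an exported .cer into the keystore rather than keeping the keypair that generated it), and no JVM or property change will fix that. If a key entry is present but the handshake still fails, compare its issuer DN with the certificate in the Tomcat connector's truststoreFile, since that is the list the server advertises when clientAuth="true".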

A: 

Basically, the client is not sending the certificate. The server cannot authenticate the client: sometimes it does not receive the certificate, or it is not the same CA_ROOT, etc., and it is not able to set the response. From the message 'no_certificate' it is easy to imagine that the client is not sending anything. Check your files (your paths) or your tags: instead of 'trustStore', you should use truststoreFile, and instead of 'trustStorePassword', use truststorePass.

juanp
The paths are fine. The truststore has nothing to do with it, it contains the server certificate. The keystore is more likely at fault, but I don't think changing it to keystoreFile and keystorePass makes any sense. The System properties are well documented as keyStore and keyStorePassword.
DaveJohnston
You are right, those parameters go in the server properties. Have you tried using a web browser and installing the certificate, to check if you can establish the SSL channel? I'm sure the client is not providing the right certificate. Are you using PKCS12?
juanp
A: 

So the ultimate answer I came to was to switch to a different JVM. Very little support available from IBM and just trying to get someone to sell us licences for their JVM was proving very difficult. I guess they only like to deal with huge organisations.

Now using CEE-J from Skelmir and so far it is a lot more promising.

DaveJohnston