tags:

views:

28

answers:

1
+1  Q: 

How to specify alias name in system property while making 2way SSL con ?

Hi All,

I am trying to run a java client with 2way SSL which uses CAC card as keystore for the client. I have addded the following system property in my client program to make it work and change the java.security file to add pcks11 provider.

System.setProperty("javax.net.ssl.keyStoreType", "pkcs11"); System.setProperty("javax.net.debug", "ssl");

The program works fine and handshake is successfully done . But the problem is when i have more than one trusted certificate in the CAC card, it take a default certificate. I want to specify the certificate that should be used to do the client auth maybe specify the alias name . I didn't find any system property to do so. Please let me know how to specify alias name as system property so that the 2way SSL used the specified alias for the client auth or is there any other way to specify the alias name. As in case i access the server URL from any browser i get a certificate selection prompt and the connection is established with the selected certificate.

Thanks in advanced,

A: 

For choosing a client certificate, the default implementation (sun.security.ssl.X509KeyManagerImpl, assuming you're using the Sun JRE) chooses the first certificate that it can use for the request.

PKCS#11 is a slightly specific case. As far as I'm aware, there would only be one private key + certificate chain per slot. If no slot is specified in your PKCS#11 provider configuration, the default one will be 0.

Bruno  2010-07-14 08:26:24
Thanks Bruno for your response. In my case, I am using a CAC card which has more than one trusted certificate in it.My question is to select one particular certificate for handshake. Let me know is there a way to do this.
Thangaraj P  2010-07-14 08:51:12
What does your PKCS#11 configuration look like?
Bruno  2010-07-14 08:52:55
In Some forum I got the info that writing a CustomKeyfactory would resolve the issue ,AxisProperties.setProperty("axis.socketSecureFactory","com.ssl.MySSLSocketFactory");But I never get a call back to get the key factory or the context in the custom key factory.Any idea?
Thangaraj P  2010-07-14 09:49:07
If you're using a PKCS#11 provider, it will most likely be configurable by the `slot` option in your PKCS#11 configuration file (configured with the provider). If you don't provide more details about the config, it's hard to tell... I doubt `axis.socketSecureFactory` is where to choose the cert from the PKCS#11 token.
Bruno  2010-07-14 10:40:13

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL