tags:

views:

28

answers:

1

Hi All,

I am trying to run a Java client with 2-way SSL which uses a CAC card as the keystore for the client. I have added the following system properties in my client program to make it work, and changed the java.security file to add the PKCS11 provider.

System.setProperty("javax.net.ssl.keyStoreType", "pkcs11");
System.setProperty("javax.net.debug", "ssl");

The program works fine and the handshake is completed successfully. But the problem is that when I have more than one trusted certificate on the CAC card, it takes a default certificate. I want to specify the certificate that should be used for the client auth, maybe by specifying the alias name. I didn't find any system property to do so. Please let me know how to specify the alias name as a system property so that the 2-way SSL uses the specified alias for the client auth, or whether there is any other way to specify the alias name. Whereas if I access the server URL from any browser, I get a certificate selection prompt and the connection is established with the selected certificate.

Thanks in advance,

A: 

For choosing a client certificate, the default implementation (sun.security.ssl.X509KeyManagerImpl, assuming you're using the Sun JRE) chooses the first certificate that it can use for the request.

PKCS#11 is a slightly specific case. As far as I'm aware, there would only be one private key + certificate chain per slot. If no slot is specified in your PKCS#11 provider configuration, the default one will be 0.

Bruno
Thanks Bruno for your response. In my case, I am using a CAC card which has more than one trusted certificate on it. My question is how to select one particular certificate for the handshake. Let me know if there is a way to do this.
Thangaraj P
What does your PKCS#11 configuration look like?
Bruno
In some forum I got the info that writing a custom key factory would resolve the issue: AxisProperties.setProperty("axis.socketSecureFactory","com.ssl.MySSLSocketFactory"); But I never get a callback to get the key factory or the context in the custom key factory. Any idea?
Thangaraj P
If you're using a PKCS#11 provider, it will most likely be configurable by the `slot` option in your PKCS#11 configuration file (configured with the provider). If you don't provide more details about the config, it's hard to tell... I doubt `axis.socketSecureFactory` is where to choose the cert from the PKCS#11 token.
Bruno
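The thread above never shows how to pin a specific client certificate in JSSE when the token holds several. Since the default key manager simply returns the first alias it can use, and no system property overrides that choice, the practical fix is to wrap the default X509KeyManager and have its chooseClientAlias/chooseEngineClientAlias return the wanted alias. The following is an added example (not code from the original post or from the poster) that does exactly that and also configures the SunPKCS11 provider inline. The library path (`/usr/lib/opensc-pkcs11.so`), slot number, token label (`Signature Certificate`) and URL are assumptions; replace them with the values your card and server actually use.

```java
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/** Key manager that forces client auth to use one named keystore alias. */
public final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String wantedAlias;

    public PinnedAliasKeyManager(X509ExtendedKeyManager delegate, String wantedAlias) {
        this.delegate = delegate;
        this.wantedAlias = wantedAlias;
    }

    /** Find the delegate's entry for the pinned alias, or null (no cert sent) if absent. */
    String select(String[] keyTypes, Principal[] issuers) {
        for (String keyType : keyTypes) {
            String[] candidates = delegate.getClientAliases(keyType, issuers);
            if (candidates == null) continue;
            for (String c : candidates) {
                // SunX509 returns the bare keystore alias; the PKIX/NewSunX509 manager
                // returns "<builderIndex>.<keyType>.<alias>", so accept either form.
                if (c.equals(wantedAlias) || c.endsWith("." + wantedAlias)) return c;
            }
        }
        return null; // better to fail the handshake than to silently send another cert
    }

    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
        return select(keyTypes, issuers);
    }
    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) {
        return select(keyTypes, issuers);
    }
    // Server-side selection and lookups pass straight through to the default manager.
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return delegate.chooseServerAlias(kt, iss, s); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return delegate.chooseEngineServerAlias(kt, iss, e); }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return delegate.getClientAliases(kt, iss); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return delegate.getServerAliases(kt, iss); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext whose client certificate is the token entry labelled `alias`. */
    public static SSLContext contextFor(String pkcs11Library, int slot, String alias, char[] pin) throws Exception {
        // Java 9+ inline SunPKCS11 configuration; the "--" prefix means "config follows".
        // Library path and slot are assumptions for this example.
        String cfg = "--name=cac\nlibrary=" + pkcs11Library + "\nslot=" + slot + "\n";
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);

        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin); // the PIN logs in to the token here

        // Print the labels so the operator knows which alias to pin.
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("token alias: " + a);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null); // PKCS#11 keys are never exported, so there is no key password
        X509ExtendedKeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) { base = (X509ExtendedKeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509ExtendedKeyManager from " + kmf.getAlgorithm());

        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers keep the default truststore (cacerts / javax.net.ssl.trustStore)
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(base, alias) }, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: OpenSC module, slot 0, label "Signature Certificate", PIN from args[0].
        SSLContext ctx = contextFor("/usr/lib/opensc-pkcs11.so", 0, "Signature Certificate", args[0].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.test/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run it once with a wrong alias to see the token labels printed, then pin the one you want. Because the wrapper replaces the key manager built from `javax.net.ssl.keyStoreType=pkcs11`, the system property is no longer needed. On Java 8 the inline `Provider.configure` form does not exist; write the same three config lines to a file and construct `new sun.security.pkcs11.SunPKCS11(path)` instead. Matching on `endsWith("." + alias)` is what keeps this working whether `ssl.KeyManagerFactory.algorithm` in java.security is `SunX509` or `PKIX`, since only the latter prefixes its aliases.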