
Java Security


SSL with Client Authentication AND openssl

843811, Jul 3 2003 — edited Apr 19 2007
I thought having struggled with this client authentication problem for about 4 days and not managed to get too much valuable info from similar threads, I'd share with you how I got an SSL connection working with both server and client authentication, where I wanted to generate certificates using openssl.

The server in this case was Oracle 9ias with Apache web server sitting in front. This is not really important as the server-side is fairly straightforward - in this case just tell Apache where your Oracle Wallet (just a pkcs12 keystore) is and it'll use that. It holds the server's public key certificate and the CA's (who signed the server's) public key certificate and the server's private key for encryption/decryption purposes.

When I switched on SSLVerifyClient in Apache, I got all sorts of errors (e.g. Socket exceptions), the like of which pepper this forum. Even once I used the java keytool to construct a truststore and a keystore for the client to use, I still got these errors. It was pretty clear why - the client did not have a private key in its keystore to do encryption/decryption with. Keytool doesn't allow you to add one if it has not generated it itself. Also, when you generate a key pair with keytool, I couldn't see any way to sign the certificate request using openssl, which is what I wanted. Looking at the SSL handshake by specifying -Djavax.net.debug=all on the command line showed that the server certificates were being used okay, but there was no certificate being used on the client side. So I had to find a way to get the private key into the client's keystore.

I won't go into the details of what DIDN'T work, as this would make this novel longer, but what I had to do in the end was:
Create your server wallet as normal, i.e. openssl to create the ca.* , then Oracle Wallet Manager for the server.req and openssl signs it, then import back into the wallet.

Then, for the client, create a truststore by doing:
keytool -import -alias tstore -file ca.crt -keystore ./clientstore/client.truststore
This is the truststore to use in the java code. Now for the keystore.

Create a keystore by creating a new wallet in OWM, import the ca.crt and create a new request for the client certificate, then export the client request and sign it with openssl. Import back into the wallet and save it as usual. Then import the ewallet.p12 that is created by OWM into Mozilla, then export it out again. This resulting file is the one to use as the keystore in the java code, with the password that you entered on exporting from Mozilla (probably safest to use the same as for the osr/wc private key).

Well that was what finally worked for me. Sorry if it's a bit Oracle Wallet Manager specific, but openssl's pkcs12 tool didn't work for me - again I couldn't get the private key in with the certificate. It seems that the key step was using the pkcs12 file that Mozilla produces, as this seems to make it usable by java.

Hope someone gets some help out of this and doesn't spend as many hours on the problem as I had to. If anyone wants any more specific details, let me know on the address below and I'll happily do my best to help you out.
cheers,
Ian
forum.java.sun@SPAMREMOVEianmcintosh.net
Post Details
Locked on May 17 2007
Added on Jul 3 2003
5 comments
480 views