using the container's NSS stores for servlet outgoing ssl connections
843811, Nov 14 2009 (edited Nov 17 2009)

Sorry if my Google skills are lacking, but I could not find a solution to this issue... or I am severely misunderstanding my problem.

The version of web server we deploy on uses NSS for its truststore and keystore. Incoming SSL connections work fine. The problem I'm having is that within the deployed servlet (at a much later time), I have to make an SSL connection to an external LDAP server to do a lookup of the certificate presented by the client. During the handshake between the servlet/webserver and the LDAP server, the LDAP server presents its server certificate, which is then quickly rejected by the servlet/webserver. I get the unknown_certificate error. The webserver's cert and the LDAP server's cert are both issued/signed by the same CA, and that CA cert is inside the webserver's truststore (cert8.db), which is why this wasn't making sense to me. I turned SSL debug on and dug through the 100 pages of output that spits out and verified that the truststore it's initializing with is the default JKS file (cacerts) in a JRE directory somewhere. I have not explicitly set the keystore or truststore via JVM args.

Not only do I need to verify the LDAP cert, but the webserver is going to have to present its own cert to the LDAP server to authenticate eventually, which doesn't seem possible now since I doubt it's going to use the NSS keystore if it's not using the NSS truststore. So to make things easier, I want my servlets to use the container's NSS truststore and keystore. How do I make that happen? I've tried setting javax.net.ssl.trust/keyStore=NONE and javax.net.ssl.trust/keyStoreType=PKCS11 to no avail. I thought I read somewhere that doing that might get me a truststore backed by my NSS store and internal token.

I must be missing something simple. All I know is that the call to DirectoryService.bind(...) is what causes the outgoing SSL connection to initialize. If I need to do some SSLSocketFactory calls or something to initialize something, I'm not sure where/when I need to do that. Also, I'd like to avoid maintaining a separate JKS store if possible. I have seen some JSS things, but don't really understand how I can easily implement it, this being my first real experience with PKI in this context. But it seems that's what I need to do.

To make matters a bit more complicated, this is being developed in a closed environment, with no outside internet access. So upgrading or using any third-party libraries that may not be in a standard installation of SJSWS is going to be a last resort.

Thanks in advance for any advice.
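The following is an added example, not code from the original post or from the web server vendor. It shows one way to point a servlet's outgoing LDAPS connection at the container's NSS database (cert8.db/key3.db) instead of the JRE's default cacerts: the SunPKCS11 provider is configured with `nssModule = keystore`, the resulting `PKCS11` KeyStore is used to build both the KeyManager and the TrustManager of an SSLContext, and that context's socket factory is handed to the JNDI LDAP provider through the `java.naming.ldap.factory.socket` property, which the provider resolves by calling the named class's static `getDefault()` method. The file paths, the `nss.cfg` contents, the token PIN and the LDAP URL are placeholders to be replaced with the real deployment values; the class name `NssLdapSocketFactory` and the `connect` helper are this example's own.

```java
// Added example (not from the original post). Builds an SSLSocketFactory backed by
// the container's NSS store via SunPKCS11 and exposes it to the JNDI LDAP provider.
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Contents of nss.cfg (placeholder paths; nssSecmodDirectory is the directory
 * holding the web server's cert8.db / key3.db / secmod.db):
 *   name = NSSkeystore
 *   nssLibraryDirectory = /path/to/nss/lib
 *   nssSecmodDirectory = /path/to/webserver/config
 *   nssModule = keystore
 *   nssDbMode = readOnly
 */
public class NssLdapSocketFactory extends SSLSocketFactory {
    private static final String CFG = "/path/to/nss.cfg";   // placeholder
    private static final char[] PIN = null;                  // set if the NSS internal token has a password
    private static SSLSocketFactory delegate;

    // JNDI resolves java.naming.ldap.factory.socket by invoking this static method.
    public static synchronized SocketFactory getDefault() {
        if (delegate == null) {
            try {
                delegate = build();
            } catch (Exception e) {
                throw new IllegalStateException("NSS-backed SSLContext could not be built", e);
            }
        }
        return new NssLdapSocketFactory();
    }

    private static SSLSocketFactory build() throws Exception {
        // JDK 6/7 form of loading the provider; on JDK 9+ use
        // Security.getProvider("SunPKCS11").configure(CFG) instead.
        Provider p = new sun.security.pkcs11.SunPKCS11(CFG);
        Security.addProvider(p);
        KeyStore nss = KeyStore.getInstance("PKCS11", p);
        nss.load(null, PIN);   // one PKCS11 KeyStore serves as keystore and truststore

        // Client certificate for the LDAP server comes from the NSS private key/cert entries.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(nss, PIN);
        // CA certificates carrying NSS trust flags appear as trusted-certificate entries;
        // a CA present in cert8.db but not marked trusted will still be rejected.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(nss);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Opens an LDAPS DirContext whose handshake uses the NSS-backed context.
    public static DirContext connect(String ldapsUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);   // e.g. "ldaps://ldap.example.internal:636" (placeholder)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", NssLdapSocketFactory.class.getName());
        return new InitialDirContext(env);
    }

    // Everything below simply delegates to the NSS-backed factory.
    public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return delegate.createSocket(host, port, local, localPort);
    }
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return delegate.createSocket(host, port, local, localPort);
    }
}
```

Using the SSLContext through the JNDI socket-factory property keeps the change local to the LDAP lookup, so the container's own incoming SSL handling and the JVM-wide `javax.net.ssl.*` defaults are left untouched; it also needs no library beyond the JDK's bundled SunPKCS11 provider, which matters in an environment without internet access. If the handshake still fails with the same error, `-Djavax.net.debug=ssl` will show whether the trust manager was initialized from the PKCS11 store or fell back to cacerts, and `certutil -L -d <nssSecmodDirectory>` shows whether the CA entry actually carries server-authentication trust flags.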