Https private key authentification

Julien_Szczurek · December 29, 2015, 11:06am

Hello

I am trying to connect to a web API via https.
This sort of web service use an https connection.
I have to use 2 jks :

jks1 containing a private key and a certificate
jks2 containing only one certificate

both jks contents are necessary to connect to the API

I am trying to use using the pub.security.keystore:setKeyAndChain service
This service needs the folowing input parameters : keyStoreAlias and keyAlias
I can use this to include the jks1 in my ssl connection but how can I include the jks2 certificate ?

Additionnal note : I try to reproduce a java service into a flow service, may be the following code can help you to understand :

Properties file content :
safeUrl=The url I try to join
jksPath=/was/DOD_certificats/dodPublicCertificateCecurity.jks
jksPasswd=aaaaaa
keystorePath=/was/DOD_certificats/dodUserCertificateCecurity.jks
keystoreType=JKS
keystorePass=bbbbbb

java source :


// 1 Client certificate
FileInputStream kis = new FileInputStream(keystorePath);
KeyStore clientKey = KeyStore.getInstance(keystoreType);
clientKey.load(kis, keystorePass.toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

kmf.init(clientKey, keystorePass.toCharArray());

// 2 web server certificate
InputStream ksstr = new FileInputStream(jksPath);
KeyStore ks = KeyStore.getInstance("jks");
ks.load(ksstr, jksPasswd.toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(ks);

// SSL context 

SSLContext sslctx = SSLContext.getInstance("TLS");
sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLSocketFactory ssf = sslctx.getSocketFactory();

Thanks in advance for your help

Julien_Szczurek · December 29, 2015, 3:57pm

I have edited first post to more understandable.

Tong_Wang · December 29, 2015, 7:59pm

For SSL/TLS authentication with a client cert, you need to have two settings:
–your server key: both the public key chain and private key of your server. This is your jsk1 key store
–your trust store: this should include all the CA root/intermediate certs of the systems that you will connect to. your jsk2 may serve this purpose. But you will need not only your own root cert, but the root/intermediate of the target system you want to connect to. you config this on Security > Keystore page, as truststore. and on Security > Certificates page too. The system will use it as the trust store by default.
HTH,

Julien_Szczurek · December 30, 2015, 4:11pm

Sorry, it is not working. But you are right for the jks : one contain server key and the other one some certificates

Does a tutorial exists for such thing ? It appear to me to be simple to do in java code.
It should be the same with WM, or let’s say “not irrealistic”

Julien_Szczurek · December 31, 2015, 3:38pm

Some news :
I have tried with a simple browser to join my https URL
For this I have installed in my browser the private key (I requested my admin to extract it in .p12 format)
I can join the URL with success.

Now in webMethods, I created a keystore :

I just try to join the same url URL using a flow service :

step 1 (pub.security.keystore:setKeyAndChain) keyStoreAlias = testJulien and keyAlias =lyreco_consultation
step 2 (pub.client:http) url= https///… and method = POST

The distant server says me that I use a wrong certificate.

Do you know where I am wrong ?