Is there a way that I can do Mutual SSL without direct access to the WebSphere keystore in Java?
I'm trying to establish mutual SSL between 2 WebSphere 8.5.5 servers. I'll call them serverA and serverB.
serverA: client side, added serverB's SSL certificate to the defaulttrustkeystore.
serverB: server side, added serverA's SSL certificate to the defaulttrustkeystore. Installed a WAR that provides a servlet to receive an HTTP POST message, log it, and respond "OK" to the client. Client auth mode is set to "Required".
Now I've got a problem: in the traditional way of doing mutual SSL, the client side must read the keystore directly to retrieve the private key, which it can then use to set up our SSLContext for client authentication. There might be a security flaw in accessing the keystore directly. I need to find out whether I can let serverA's WebSphere do this for me (or have my Java code command WebSphere to do this).
Can anyone teach me how to do this without accessing the keystore directly, please?
Update:
Hi dbreaux.
I tried the loop-back connection way, but it seems not to be working.
Here's the last section of the SSL debug log:
[2017/9/3 21:06:25:284 cst] 00000099 systemout o jssejce: using keygenerator ibmtlsprf provider tbd via init
[2017/9/3 21:06:25:284 cst] 00000099 systemout o handshakemessage: tls keygenerator ibmtlsprf provider init ibmjce version 1.8
[2017/9/3 21:06:25:284 cst] 00000099 systemout o webcontainer : 3, write: tlsv1 change cipher spec, length = 1
[2017/9/3 21:06:25:285 cst] 00000099 systemout o jssejce: using cipher aes/cbc/nopadding provider tbd via init
[2017/9/3 21:06:25:285 cst] 00000099 systemout o cipherbox: using cipher aes/cbc/nopadding provider init ibmjce version 1.8
[2017/9/3 21:06:25:285 cst] 00000099 systemout o jssejce: using mac hmacsha1 provider tbd via init
[2017/9/3 21:06:25:285 cst] 00000099 systemout o mac: using messagedigest hmacsha1 provider ibmjce version 1.8
[2017/9/3 21:06:25:285 cst] 00000099 systemout o *** finished
[2017/9/3 21:06:25:285 cst] 00000099 systemout o verify_data: { 226, 248, 159, 68, 107, 196, 76, 219, 134, 227, 129, 58 }
[2017/9/3 21:06:25:285 cst] 00000099 systemout o ***
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, write: tlsv1 handshake, length = 48
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, waiting close_notify or alert: state 1
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, exception while waiting close java.net.socketexception: software caused connection abort: recv failed
[2017/9/3 21:06:25:285 cst] 00000099 systemout o %% invalidated: [session-27, ssl_ecdhe_rsa_with_aes_128_cbc_sha]
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, send tlsv1 alert: fatal, description = handshake_failure
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, write: tlsv1 alert, length = 32
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, exception sending alert: java.net.socketexception: software caused connection abort: socket write error
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, called closesocket()
[2017/9/3 21:06:25:285 cst] 00000099 systemout o webcontainer : 3, handling exception: javax.net.ssl.sslhandshakeexception: java.net.socketexception: software caused connection abort: recv failed
I'm using the generated default keystores. Since the dynamic outbound endpoint page keeps giving me a CWPKI0681E error, I applied the first way.
Does it work on yours? Or is it because I'm using the generated default CA?
In the WebSphere configuration, it appears you need to specify the client certificate keystore to present when making an outbound connection. (I don't know if you can edit the keystore that is set by default. I don't see a way in the admin console, but you might be able to outside of that. Or maybe it is set, but isn't sufficient.)
But you can set it explicitly in the SSL configurations. I believe any of these levels should work, but I confess I haven't tried them personally.
You can set it in the cell/node default SSL settings:
Or at a scope: cell, node, or server:
Or you can set it based on the destination you're connecting to:
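The configuration levels the answer describes can also be consumed from application code: WebSphere's JSSEHelper API hands the application an SSLSocketFactory built from whichever SSL configuration matches the outbound endpoint (dynamic outbound endpoint, scoped config, or the cell/node default), so the client certificate configured there is presented without the application ever opening the keystore or holding its password. This is an added example, not code from the question or the answer; it assumes the com.ibm.websphere.ssl.JSSEHelper class available inside WebSphere, and the host, port and servlet path are placeholders.

```java
import com.ibm.websphere.ssl.JSSEHelper;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;

public class MutualSslPostClient {

    // Ask WebSphere for the socket factory of the SSL configuration that applies
    // to this outbound host/port. The private key stays inside the server-managed
    // keystore; this code never reads the keystore file or its password.
    static SSLSocketFactory wasSocketFactory(String host, int port) throws Exception {
        Map<String, Object> connInfo = new HashMap<>();
        connInfo.put(JSSEHelper.CONNECTION_INFO_DIRECTION, JSSEHelper.DIRECTION_OUTBOUND);
        connInfo.put(JSSEHelper.CONNECTION_INFO_REMOTE_HOST, host);
        connInfo.put(JSSEHelper.CONNECTION_INFO_REMOTE_PORT, Integer.toString(port));
        // null alias: let WebSphere resolve the SSL configuration from connInfo
        return JSSEHelper.getInstance().getSSLSocketFactory(null, connInfo, null);
    }

    // POST a message to serverB's servlet over the WebSphere-managed TLS session
    // and return the first line of the response (the servlet answers "OK").
    static String post(String host, int port, String path, String body) throws Exception {
        URL url = new URL("https://" + host + ":" + port + path);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(wasSocketFactory(host, port));
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/plain; charset=UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        if (conn.getResponseCode() != 200) {
            throw new IOException("unexpected HTTP status " + conn.getResponseCode());
        }
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        // placeholder endpoint for serverB; a handshake_failure here means the
        // matched SSL configuration has no client certificate alias set
        System.out.println(post("serverb.example.com", 9443, "/receiver", "hello from serverA"));
    }
}
```

If WebSphere matches no configuration for the host/port, the cell or node default SSL settings are used, which is why the client certificate alias must be set at whichever of the three levels in the answer the connection actually resolves to.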