COUTLOOK asked:
2-way SSL setup with a Java client running on a Tomcat server calling a web service hosted on a WebSphere server.

I want to know if it is possible to have 2-way SSL with Tomcat acting as client to the WebSphere server. I have configured the key and trust store correctly in Tomcat's server.xml and enabled SSL on both Tomcat and WebSphere.

My problem is: when challenged by the WebSphere server to present a client certificate, Tomcat does not present a client certificate.

I know that SSL is configured correctly in Tomcat because, when I open a servlet hosted on Tomcat in Internet Explorer, Tomcat does present its server certificate.
When this servlet internally calls the web service hosted on the WebSphere server, WebSphere presents its server certificate and demands Tomcat's client certificate, which Tomcat does not present, thus causing the SSL handshake failure.

Thanks,
Satish
mccarl:
with tomcat acting as client to websphere server
So, Tomcat doesn't have anything built in to provide a service for calling out to web services. Therefore, you must (knowingly or unknowingly) be using some client library to make the calls to WebSphere in your code. Do you know what this might be? i.e. it could be something like Apache Commons HTTP components, Spring libraries, or perhaps just plain old java.net.HttpConnections.

Because there is no interaction between the code that is acting as a client calling out to WebSphere and Tomcat itself, that is why the client is not presenting any certificate. You will need to configure this in your HTTP client library, and hence that is why I am asking the question above, so that we can work out how you need to configure it.
ASKER CERTIFIED SOLUTION
btan
COUTLOOK (asker):
Thanks. I found that I do not need to run Tomcat in SSL mode. I also removed the configuration of the keystore and truststore from server.xml and ran Tomcat over HTTP (port 8080).

I set the property in my Java client code (running on Tomcat; no Apache web server required).
The only change I made was to make sure all the WebSphere server certificates (the certificate chain, including all the root certificates) are imported into the Tomcat truststore file. Once I imported the WebSphere certificate chain, the SSL handshake between the Java client running on Tomcat and the WebSphere server was successful.

Thanks to all for your suggestions.
 
Here is my code (works perfectly):

            import java.io.BufferedReader;
            import java.io.InputStreamReader;
            import java.net.URL;
            import javax.net.ssl.HttpsURLConnection;
            import javax.net.ssl.SSLSocketFactory;

            // ...

            String urlStr = "https://someSecureURL.com";

            // Truststore: the WebSphere server certificate chain (intermediates and root CA).
            System.setProperty("javax.net.ssl.trustStore", "C:\\Users\\DIR\\keystore1.jks");
            System.setProperty("javax.net.ssl.trustStorePassword", "password1");

            // Keystore: the client certificate and private key presented to WebSphere.
            System.setProperty("javax.net.ssl.keyStore", "C:\\Users\\DIR\\keystore2.jks");
            System.setProperty("javax.net.ssl.keyStorePassword", "password2");

            // These properties are JVM-wide and are read only when the default SSL context is
            // first created, so they must be set before the first SSL use anywhere in this JVM.
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            URL url = new URL(urlStr);

            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            conn.setUseCaches(false);
            conn.setRequestMethod("GET");
            conn.setSSLSocketFactory(sslsocketfactory);

            // getInputStream() performs the TLS handshake, including sending the client certificate.
            try (BufferedReader bufferedreader = new BufferedReader(
                    new InputStreamReader(conn.getInputStream()))) {
                String string;
                while ((string = bufferedreader.readLine()) != null) {
                    System.out.println("Received " + string);
                }
            } finally {
                conn.disconnect();
            }
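As an added example (not code from the thread), here is the alternative mccarl's answer points at: configuring the client library itself rather than the JVM. The javax.net.ssl.* system properties used in the code above are global to the whole Tomcat JVM and are consulted only once, when the default SSLContext is first initialised, so any other webapp or library that touched SSL earlier silently wins, and the client private key becomes available to every webapp in the container. Building a private SSLContext from the two keystores and attaching it to the one HttpsURLConnection avoids both problems. The file paths, passwords, URL and the class name MutualTlsClient are placeholders assumed for illustration, and the example assumes the key entry in keystore2.jks uses the same password as the store, as the thread's property-based setup also implies.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS HTTP client that carries its own key and trust material instead of
 * relying on the JVM-wide javax.net.ssl.* system properties. Illustrative class;
 * paths, passwords and the target URL below are placeholders, not values from the thread.
 */
public final class MutualTlsClient {

    private final SSLContext sslContext;

    public MutualTlsClient(String keyStorePath, char[] keyStorePassword,
                           String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        // Client identity: the certificate and private key presented when WebSphere
        // sends a CertificateRequest during the handshake.
        KeyStore keyStore = loadJks(keyStorePath, keyStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword); // assumes key password == store password

        // Trust anchors: the WebSphere server certificate chain up to its root CA.
        KeyStore trustStore = loadJks(trustStorePath, trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // A private context: nothing else running in the Tomcat JVM can see or reuse it.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        this.sslContext = ctx;
    }

    private static KeyStore loadJks(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS"); // both files in the thread are .jks
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Performs a GET with this client's SSL context and returns the HTTP status code. */
    public int get(String urlStr) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlStr).openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory()); // per connection, not JVM-global
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        conn.setUseCaches(false);
        conn.setRequestMethod("GET");
        try {
            // Triggers the TLS handshake; a missing or untrusted client certificate
            // surfaces here as an SSLHandshakeException rather than a silent failure.
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; in a real deployment load the passwords from a
        // protected configuration source rather than hard-coding them.
        MutualTlsClient client = new MutualTlsClient(
                "C:/Users/DIR/keystore2.jks", "password2".toCharArray(),
                "C:/Users/DIR/keystore1.jks", "password1".toCharArray());
        System.out.println("HTTP status: " + client.get("https://someSecureURL.com"));
    }
}
```

With this shape the -Djavax.net.ssl.* JAVA_OPTS discussed later in the thread are no longer needed for this call, and the certificate the client presents is decided by the code that owns the connection rather than by whichever component initialised the default SSLContext first.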
thanks for sharing
I was able to make it work after importing the certificate chain.
Noted. If we have assisted in any way, I will appreciate your noting it; regardless, thanks!
On further research, I found that there is no code change required for Tomcat to send the client certificate to WebSphere for the SSL handshake.

We just need to set JAVA_OPTS in the catalina.bat file and it takes care of the handshake at the container level.

Please note that the code-change approach uses DOS format for the file path:

System.setProperty("javax.net.ssl.keyStore", "C:\\Users\\DIR\\keystore2.jks");        

but the catalina.bat change uses UNIX format for the file path, as shown below:
set JAVA_OPTS=%JAVA_OPTS% %LOGGING_CONFIG% -Djavax.net.ssl.trustStore="C:/Users/keystore1.jks" -Djavax.net.ssl.trustStorePassword="password1" -Djavax.net.ssl.keyStore="C:/Users/keyStore2.jks" -Djavax.net.ssl.keyStorePassword="password2"

Hope this helps.
Yes. Much appreciated. Somehow it did not work for me. One reason I can think of is the location of the quotes:

set JAVA_OPTS="-Djavax.net.ssl.trustStore=C:\path\to\keystore.key"

vs  

set JAVA_OPTS=-Djavax.net.ssl.trustStore="C:\path\to\keystore.key"


I spent 3 days researching this and like the expert forum here very much.

I hope this will save others some time.


Thanks all for your opinions.
Hope at least it has assisted then; regardless, thanks!
Yes. It definitely helped. Thanks a lot!
thanks for sharing again