Solved

SSLSocket in Applet

Posted on 2012-03-18
Last Modified: 2012-03-21
Hello,
I have an applet that allows users to upload files to a server. When the user uploads the file(s) the applet makes a connection using an SSLSocket and the user's smart card. The applet is unable to upload any files; it always gets a 403.7 error.
I wrote a small console app and it is able to make the connection and return a page, the exact same code fails in the applet with the 403.7 error. I have verified that the applet is reading the certs off the smart card.
Thanks
Question by: cdfly

28 Comments
 
LVL 47

Expert Comment

by:for_yan
ID: 37735765
Is this a signed applet?

Does it make a connection to the same server from which it was loaded (from which was served the HTML page with the applet tag) ?
 
LVL 47

Expert Comment

by:for_yan
ID: 37735768
It is probably a signed applet, as otherwise it would not be able to read a smart card, correct?
 
LVL 47

Expert Comment

by:for_yan
ID: 37735776
 
LVL 47

Expert Comment

by:for_yan
ID: 37735821
Did you see these threads?
I don't think there is a solution there, but the situation seems to be very similar:

http://www.tek-tips.com/viewthread.cfm?qid=1673598

https://forums.oracle.com/forums/thread.jspa?threadID=2241443
 

Author Comment

by:cdfly
ID: 37735926
The tek-tips post is actually one of my old posts. This is a self-signed applet. I'm not sure why the console code works but has a problem in the applet.
 
LVL 86

Expert Comment

by:CEHJ
ID: 37736998
Please post the full output from the Java Console, if necessary putting the trace level up to max (5)

You will of course need to import the server cert into your client's truststore unless the cert is a 'proper' official one with intact chain
 

Author Comment

by:cdfly
ID: 37737152
Hi,
I'm attaching the trace file.

Thanks for the help
console-trace.txt
 
LVL 86

Expert Comment

by:CEHJ
ID: 37737327
It looks like a client cert problem rather than a server cert problem. If your application manages to work with the same IIS server, make sure that the same trust store is being used in the applet. Your app working implies that you have a client cert installed and that it is being used when acting as a client of that IIS server.
 

Author Comment

by:cdfly
ID: 37737349
I'm not sure I understand. In the code, both in the console app and the applet, I get the keystore from the smart card using an alias that I know exists. Are you thinking that my app is using something else?
When I first tried my console app it was failing with the same 403 error until I specified the alias, and then it started working.

Can you tell me how to be sure the applet is using the same trust store as the console app?

Thanks
 
LVL 86

Expert Comment

by:CEHJ
ID: 37737356
C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts is what the applet is using. If you run the app with

   java -Djavax.net.debug=ssl

it will tell you.

btw, by what means are you telling

a. the applet which alias to use?
b. the application which alias to use?
 

Author Comment

by:cdfly
ID: 37737408
This is what I had to add to make my console app work; I had to use the alias on the smart card.

   import java.net.Socket;
   import java.security.KeyStore;
   import java.security.Principal;
   import java.security.PrivateKey;
   import java.security.cert.X509Certificate;
   import javax.net.ssl.KeyManager;
   import javax.net.ssl.X509KeyManager;

   String alias="cert alias";

   // Replace JSSE's default alias selection with one that always presents this alias from the smart-card KeyStore.
   managers = new KeyManager[] { new AliasKeyManager(keyStore, alias, aSmartCardPIN) };

  // Nested class in the original posting; pins every alias callback to a single, known alias.
  private static class AliasKeyManager implements X509KeyManager
	{

		private KeyStore _ks;
		private String _alias;
		private String _password;   // smart-card PIN, used as the key password

		public  AliasKeyManager(KeyStore ks, String alias, String password)
		{
			_ks = ks;
			_alias = alias;
			_password = password;
		}

		// Called by JSSE when the server sends a CertificateRequest during the handshake.
		public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
		{
			return _alias;
		}

		public String chooseServerAlias(String str, Principal[] principal, Socket socket)
		{
			return _alias;
		}

		public X509Certificate[] getCertificateChain(String alias)
		{
			try
			{
				return (X509Certificate[])_ks.getCertificateChain(alias);
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getClientAliases(String str, Principal[] principal)
		{
			return new String[] { _alias };
		}

		public PrivateKey getPrivateKey(String alias)
		{
			try
			{
				return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getServerAliases(String str, Principal[] principal)
		{
			return new String[] { _alias };
		}

	}

 
LVL 86

Expert Comment

by:CEHJ
ID: 37737431
And you're doing that in the applet too?
 

Author Comment

by:cdfly
ID: 37737466
Correct, all the code is the same in the console app and the applet
 
LVL 86

Accepted Solution

by: CEHJ (earned 500 total points)
ID: 37737706
I would add logging code in your alias manager class. For one thing, you need to establish whether it's been used at all

Of course you could always simply distribute your working app with Web Start, then you might no longer need your applet

Author Comment

by:cdfly
ID: 37737781
I will try that. The console app was just a test to see if I could get connected, the applet is what I really need to get working.
Going through the trace I see

    Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts

I think we should be using Java 1.5_06; maybe it's using the wrong trust store. That would be an easy fix.
 
LVL 86

Expert Comment

by:CEHJ
ID: 37738394
"Going through the trace I see ..."

Yes, I mentioned that here.

What did the application claim it was using as its truststore?
 

Author Comment

by:cdfly
ID: 37738415
I didn't see that in the application, I will look again when I get back to the shop
 
LVL 86

Expert Comment

by:CEHJ
ID: 37738428
   java -Djavax.net.debug=ssl YourApp >application.txt 2>&1

should save it to a file for you.
 

Author Comment

by:cdfly
ID: 37741465
I looked at the file; I'm not seeing the version, though. I'm attaching both the SSL debug and the all debug output.
application-debug-all.txt
application-debug-ssl.txt
 
LVL 86

Expert Comment

by:CEHJ
ID: 37742257
I looked at the file I'm not seeing the version though.

That's strange. What command did you give to the app?

Also what was the result of adding debug code to your programmatic key management routines - are they called?
 

Author Comment

by:cdfly
ID: 37742454
I ran the command you gave me:

        java -Djavax.net.debug=ssl YourApp >application.txt 2>&1
        java -Djavax.net.debug=all YourApp >application.txt 2>&1

I didn't add debug code to the key management routines yet; I will do that and post the results.
 

Author Comment

by:cdfly
ID: 37742921
The key management class is being created in both the console app and the applet, but the two following methods are being called in the application but not the applet:

      chooseClientAlias
      getCertificateChain

Full code of the key management class:

import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

// Same nested class as above, with a log line in each callback to show which ones JSSE actually invokes.
private static class AliasKeyManager implements X509KeyManager
	{

		private KeyStore _ks;
		private String _alias;
		private String _password;   // smart-card PIN, used as the key password

		public  AliasKeyManager(KeyStore ks, String alias, String password)
		{
			System.out.println("Init AliasKeyManager");
			_ks = ks;
			_alias = alias;
			_password = password;
		}

		public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
		{
			System.out.println("In AliasKeyManager.chooseClientAlias returning alias:" + _alias);
			return _alias;
		}

		public String chooseServerAlias(String str, Principal[] principal, Socket socket)
		{
			System.out.println("In AliasKeyManager.chooseServerAlias returning alias:" + _alias);
			return _alias;
		}

		public X509Certificate[] getCertificateChain(String alias)
		{
			try
			{
				System.out.println("In AliasKeyManager.getCertificateChain returning chain for alias:" + _alias);
				return (X509Certificate[])_ks.getCertificateChain(alias);
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getClientAliases(String str, Principal[] principal)
		{
			System.out.println("In AliasKeyManager.getClientAliases returning alias:" + _alias);
			return new String[] { _alias };
		}

		public PrivateKey getPrivateKey(String alias)
		{
			try
			{
				return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getServerAliases(String str, Principal[] principal)
		{
			return new String[] { _alias };
		}

	}

 
LVL 86

Expert Comment

by:CEHJ
ID: 37744138
the two following methods are being called in the application but not the applet

I thought that might be the case. In which applet method are you invoking the key management routines?
 

Author Comment

by:cdfly
ID: 37744610
Before I left I noticed that when I compiled my application from the command line it compiled fine. I use Eclipse to compile my applet, and I noticed that their implementation of the X509KeyManager calls for a couple of other methods. I need to double check when I get back to the office to see what methods the applet has that the application doesn't, but the chooseClientAlias and getCertificateChain methods are actually being called in my applet; it was just using methods with different signatures. When I get back tomorrow I will verify that those methods are actually returning something.
I have a method called testConnection that runs when the applet starts up; this is the method that is invoking the key management class.
 
LVL 86

Expert Comment

by:CEHJ
ID: 37745201
when the applet starts up

Which method? The ctor?
 

Author Comment

by:cdfly
ID: 37745481
I'm not sure I understand the question.
 

Author Comment

by:cdfly
ID: 37746504
Ok, it's working now. When Eclipse added the other methods to the X509KeyManager class there were two chooseClientAlias methods; the method being called by the applet was different from the method being called in the console app, and it was returning null. I changed the value being returned from null to _alias and all seems well now.
I appreciate all your help on this. I'm new to Experts Exchange, but I think I accepted your answer correctly; if not, let me know.

Take care.
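As an added example, not code from this thread or from cdfly's applet, the class below pulls together the three things the answers above converge on: it logs every alias callback so you can see which one JSSE actually invokes (a 403.7 from IIS is "client certificate required", so the first question is whether the client ever presented one); it answers all of the callbacks, including the SSLEngine variants that X509ExtendedKeyManager returns null from by default, so no overload is left silently returning null; and the connect() helper wires it into an SSLContext that keeps the JRE's default trust store, printing java.home, java.version and javax.net.ssl.trustStore so the applet's run can be compared with the console app's. The KeyStore is assumed to be already loaded from the smart card by the caller (the thread does not show how that is done); host, port, alias and PIN are placeholders. No @Override annotations are used so that it also compiles on the Java 5 JRE seen in the trace.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedKeyManager;

// Added example (not from the thread): one fixed alias, every callback logged and answered.
public final class LoggingAliasKeyManager extends X509ExtendedKeyManager {
    private final KeyStore ks;
    private final String alias;
    private final char[] pin;   // smart-card PIN; PKCS#11 keystores take it as the key password

    public LoggingAliasKeyManager(KeyStore ks, String alias, char[] pin) throws KeyStoreException {
        // Fail fast here rather than returning null deep inside the handshake.
        if (!ks.containsAlias(alias)) {
            throw new KeyStoreException("alias not on token: " + alias);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new KeyStoreException("alias has no private key: " + alias);
        }
        this.ks = ks;
        this.alias = alias;
        this.pin = pin;
    }

    private String answer(String callback) {
        System.out.println("[KeyManager] " + callback + " -> " + alias);
        return alias;
    }

    // SSLSocket path: what an SSLSocket-based console app or applet goes through.
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return answer("chooseClientAlias");
    }
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return answer("chooseServerAlias");
    }

    // SSLEngine path: X509ExtendedKeyManager's own implementations of these return null.
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return answer("chooseEngineClientAlias");
    }
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return answer("chooseEngineServerAlias");
    }

    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return new String[] { answer("getClientAliases") };
    }
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return new String[] { answer("getServerAliases") };
    }

    public X509Certificate[] getCertificateChain(String a) {
        System.out.println("[KeyManager] getCertificateChain(" + a + ")");
        try {
            Certificate[] chain = ks.getCertificateChain(a);
            if (chain == null) {
                return null;
            }
            // Copy element-wise; a provider keystore need not hand back an X509Certificate[].
            X509Certificate[] out = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                out[i] = (X509Certificate) chain[i];
            }
            return out;
        } catch (KeyStoreException e) {
            e.printStackTrace();
            return null;
        }
    }

    public PrivateKey getPrivateKey(String a) {
        System.out.println("[KeyManager] getPrivateKey(" + a + ")");
        try {
            return (PrivateKey) ks.getKey(a, pin);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    // cardKeyStore: assumed already loaded from the smart card. A null TrustManager[] keeps
    // the JRE's default trust store, which is what the printed properties identify.
    public static SSLSocket connect(KeyStore cardKeyStore, String alias, char[] pin,
                                    String host, int port) throws Exception {
        System.out.println("java.home=" + System.getProperty("java.home")
                + " java.version=" + System.getProperty("java.version"));
        System.out.println("javax.net.ssl.trustStore="
                + System.getProperty("javax.net.ssl.trustStore", "<default cacerts>"));

        KeyManager[] kms = { new LoggingAliasKeyManager(cardKeyStore, alias, pin) };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);

        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.startHandshake();   // chooseClientAlias is only logged if the server asked for a client cert
        return s;
    }
}
```

Reading the log: if startHandshake() completes with no chooseClientAlias line, the server never sent a CertificateRequest and the client cert was never in play; if chooseClientAlias and getCertificateChain are logged but getPrivateKey is not, the chain was presented without the card's key being usable; and if the java.home line names a different JRE in the applet than in the console app, the two are also reading different cacerts files, which is the trust-store mismatch CEHJ asked about.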
 
LVL 86

Expert Comment

by:CEHJ
ID: 37746602
Good - glad you got it working :)
