2-way SSL setup with a Java client running on a Tomcat server calling a web service hosted on a WebSphere server.

I want to know if it is possible to have 2-way SSL with Tomcat acting as client to a WebSphere server. I have configured the key and trust store correctly in Tomcat's server.xml and enabled SSL on both Tomcat and WebSphere.

My problem is: when challenged by the WebSphere server to present a client certificate, Tomcat does not present one.

I know that SSL is configured correctly in Tomcat because when I open a servlet hosted on Tomcat in Internet Explorer, Tomcat does present its server certificate.
When this servlet internally calls the web service hosted on the WebSphere server, WebSphere presents its server certificate and demands Tomcat's client certificate, which Tomcat does not present, thus causing the SSL handshake failure.

mccarl (IT Business Systems Analyst / Software Developer) commented:
"with tomcat acting as client to websphere server"
So, Tomcat doesn't have anything built in to provide a service for calling out to web services. Therefore, you must (knowingly or unknowingly) be using some client library to make the calls to WebSphere in your code. Do you know what this might be? I.e. it could be something like Apache HttpComponents, Spring libraries, or perhaps just plain old java.net.HttpURLConnection.

Because there is no interaction between the code that is acting as a client calling out to WebSphere and Tomcat itself, that is why the client is not presenting any certificate. You will need to configure this in your HTTP client library, and hence that is why I am asking the question above, so that we can work out how you need to configure it.
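To illustrate the point above (configuring the outbound client itself rather than Tomcat), here is an added example that is not part of the thread: a plain java.net.HttpsURLConnection client that builds its own SSLContext from an explicit client keystore (private key plus certificate) and truststore, so the client certificate is presented no matter what server.xml says. The file paths, passwords and URL are placeholders. It also checks first that the keystore actually contains a private-key entry, since a store holding only the client's certificate gives the KeyManager nothing to present and the symptom is exactly the server-side handshake failure described in the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Outbound mutual-TLS client configured at the HTTP-client level, independent of
 * Tomcat's server.xml. Paths, passwords and the URL below are placeholders.
 */
public class MutualTlsClient {

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        // The thread uses .jks files; on JDK 9+ a "JKS" instance also reads PKCS12 files.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Fails fast if the client keystore holds only certificates and no private key.
     * Without a PrivateKeyEntry the KeyManager has nothing to present, and the
     * first visible symptom is the server rejecting the handshake.
     */
    static void requirePrivateKey(KeyStore clientKeyStore) throws Exception {
        Enumeration<String> aliases = clientKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            if (clientKeyStore.isKeyEntry(aliases.nextElement())) {
                return;
            }
        }
        throw new IllegalStateException("client keystore contains no private key entry");
    }

    static SSLContext buildContext(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore clientKeys = loadKeyStore(keyStorePath, keyStorePass);
        requirePrivateKey(clientKeys);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyStorePass); // key password; assumed equal to the store password

        // Truststore: the server's chain, at minimum the root CA that issued it
        KeyStore trusted = loadKeyStore(trustStorePath, trustStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("C:/path/to/client-keystore.jks", "changeit".toCharArray(),
                                      "C:/path/to/truststore.jks", "changeit".toCharArray());

        URL url = new URL("https://websphere.example.internal:9443/service"); // placeholder
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Applies to this connection only; the JVM-wide defaults and any other
        // code running in the same Tomcat instance are left untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: the server certificate must match the host name.
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

To confirm that a client certificate is really being sent, start the JVM with -Djavax.net.debug=ssl:handshake and look for the client's Certificate message in the handshake log; if the server's CertificateRequest is followed by an empty certificate list, the KeyManager found no usable key for the CAs the server asked for.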
btan (Exec Consultant) commented:
This article is relevant to your case (note they are using a self-signed cert, though that should not matter); it may be an old article, but the steps should not differ. http://kadarla.blogspot.sg/2009/04/2-way-ssl-between-two-application.html

At the client end, I assume the following has been configured for the two Java options, as an example:
set JAVA_OPTS="-DJavax.net.ssl.trustStore=C:\path\to\keystore.key"
set JAVA_OPTS="-DJavax.net.ssl.trustStorePassword=****"

Do note that when Tomcat is started it runs the catalina.bat file (normally found in the Tomcat\bin folder), and this file checks whether a "setenv.bat" file exists (typically) and, if it exists, runs it to set the Java options above. This applies more to the case where Tomcat is set up as a Windows service.

COUTLOOK (Author) commented:
Thanks. I found that I do not need to run Tomcat in SSL mode. I also removed the keystore and truststore configuration from server.xml and ran Tomcat over HTTP (port 8080).

I set the properties in my Java client code (running on Tomcat; no Apache web server required).
The only change I made was to make sure all the WebSphere server certificates (the certificate chain including all the root certificates) are imported into the Tomcat truststore file. Once I imported the WebSphere certificate chain, the SSL handshake between the Java client running on Tomcat and the WebSphere server was successful.

Thanks to all for your suggestions.
Here is my code (works perfectly):

    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSocketFactory;

    public class TwoWaySslClient {
        public static void main(String[] args) throws Exception {
            String urlStr = "https://someSecureURL.com";
            // Truststore: the WebSphere server certificate chain, intermediates and root included
            System.setProperty("javax.net.ssl.trustStore", "C:\\Users\\DIR\\keystore1.jks");
            System.setProperty("javax.net.ssl.trustStorePassword", "password1");
            // Keystore: this client's private key and certificate, presented to WebSphere on request
            System.setProperty("javax.net.ssl.keyStore", "C:\\Users\\DIR\\keystore2.jks");
            System.setProperty("javax.net.ssl.keyStorePassword", "password2");
            // These properties are read once, when the JVM's default SSLContext is first
            // initialised, so they must be set before any HTTPS connection is opened in this JVM.
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            URL url = new URL(urlStr);

            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            try (InputStream inputstream = conn.getInputStream();
                 BufferedReader bufferedreader = new BufferedReader(new InputStreamReader(inputstream))) {
                String string;
                while ((string = bufferedreader.readLine()) != null) {
                    System.out.println("Received " + string);
                }
            }
        }
    }
btan (Exec Consultant) commented:
Thanks for sharing.
COUTLOOK (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for COUTLOOK's comment #a40674742

for the following reason:

I was able to make it work after importing certificate chain.
btan (Exec Consultant) commented:
Noted; if we have assisted in any way, we would appreciate your noting it. Regardless, thanks!
COUTLOOK (Author) commented:
On further research, I found that there is no code change required for Tomcat to send a client certificate to WebSphere for the SSL handshake.

We just need to set JAVA_OPTS in the catalina.bat file and it takes care of the handshake at the container level.

Please note that the code change approach uses DOS format for the file path:

System.setProperty("javax.net.ssl.keyStore", "C:\\Users\\DIR\\keystore2.jks");        

but the catalina.bat change uses UNIX format for the file path, as shown below:
set JAVA_OPTS=%JAVA_OPTS% %LOGGING_CONFIG% -Djavax.net.ssl.trustStore="C:/Users/keystore1.jks" -Djavax.net.ssl.trustStorePassword="password1" -Djavax.net.ssl.keyStore="C:/Users//keyStore2.jks" -Djavax.net.ssl.keyStorePassword="password2"

Hope this helps.
btan (Exec Consultant) commented:
Then it would mean the solution is already in my reply, isn't it (which is why I am curious how it would have worked)?
COUTLOOK (Author) commented:
Yes. Much appreciated. Somehow it did not work for me. One reason I can think of is the location of the quotes:

set JAVA_OPTS="-DJavax.net.ssl.trustStore=C:\path\to\keystore.key"

set JAVA_OPTS=-DJavax.net.ssl.trustStore="C:\path\to\keystore.key"

I spent 3 days researching this and like the expert forum here very much.

I hope this will save others some time.

Thanks all for your opinions.
btan (Exec Consultant) commented:
Hope it has at least assisted, then. Regardless, thanks!
COUTLOOK (Author) commented:
Yes. It definitely helped. Thanks a lot!
btan (Exec Consultant) commented:
Thanks for sharing again.