This document was generated from CDN thread

Created by: Jason Jackson on 07-08-2012 11:16:49 AM
Hi everyone.

I'm in the process of helping our application developers figure out an issue.

In summary:

We have an application that lives on the vxml app server (tomcat).  This application is required to hit a webservice from a third party using https.  We are required to use SSL obviously and we are also required to present a .pfx (digital certificate) when challenged.

We have the digital cert and all the certificate chains loaded up properly (at least I think we do).  I can do a list on the keystore and see my personal key entry and the cert chains.  A packet capture proves we get the SSL handshake started but when challenged for the cert I don't think tomcat knows what to do or which certificate to present to the third party.

This writes an error out in the STD out log in the Tomcat folder complaining about a 403 failure, which is probably a 403.4 or 403.7 (SSL required) error.  I've loaded the certs up in the windows key store and can hit the same URL from the IE browser.  IE prompts me to select the cert I want to use when challenged and then SSL starts and I can see the data from the webservice.

So - is two step or mutual SSL even possible on CVP (tomcat) version 8.5.1(ES4)?  If so, is there any other way to debug SSL and figure out why tomcat can't or does not present the correct cert?

Thanks in advance,

Jason

Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Hemal Mehta on 07-08-2012 01:39:34 PM
What are the commands you used to import the security certs into tomcat. Did you import a .cer ?

Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Jason Jackson on 07-08-2012 02:51:45 PM
What are the commands you used to import the security certs into tomcat. Did you import a .cer ?

Hi.

We were issued a .pfx file.  In that file is the private key, and the certificate chain.  We point our keystore to a specific keystore using the java options in the tomcat config.
 
Here is the command I used to import the file:
 
keytool -importkeystore -srckeystore C:\mycert.pfx -srcstoretype PKCS12 -destkeystore C:\cvp.keystore

Everything seemed to work with the keytool.  I can do a list on the keystore and the private key entry is there.

Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Hemal Mehta on 08-08-2012 09:12:55 AM
Did you import the root certificate also. I do this all the time.  I mainly work with .cer though  I store it on cacerts. Can you make sure and check the certs using the command:
C:\Cisco\CVP\jre1.6\lib\security>C:\Cisco\CVP\jre1.6\bin\keytool -list -v -keystore cacerts

replace it with your dir and keystore

Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Jason Jackson on 08-08-2012 02:31:51 PM
Did you import the root certificate also. I do this all the time. I mainly work with .cer though I store it on cacerts. Can you make sure and check the certs using the command:
C:\Cisco\CVP\jre1.6\lib\security>C:\Cisco\CVP\jre1.6\bin\keytool -list -v -keystore cacerts

replace it with your dir and keystore

Hi.
 
Yes, the list command shows all the certs and no issues.
 
I actually just got word back from Cisco TAC that mutual SSL is not even supported on tomcat/cvp 8.5(1) ES4 yet.  I'm not sure I buy that answer yet but I will keep digging.

Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Jason Jackson on 17-08-2012 10:54:22 AM
Last update on this:
 
Turns out that CVP/TOMCAT will not do this internally but we were told it can be done from the application perspective with java.  Developers are still researching how to make that actually work.
 
If anyone has any code snippets I can send over that would be great.
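The last post above asks for code snippets for doing the mutual (two-way) SSL from the application rather than from Tomcat. The following is an added example written for this page; it is not code from the thread, from Cisco TAC, or from CVP. It builds its own SSLContext: the .pfx is loaded directly as a PKCS12 keystore for the client identity, a separate JKS trust store supplies the third party's CA chain, and a small X509KeyManager wrapper pins the alias that is presented when the server sends its CertificateRequest, which is exactly the "which certificate to present" decision the original post says Tomcat is not making. The path C:\mycert.pfx, the trust store C:\cvp-trust.jks, the alias my-client-key, the passwords and the URL are all placeholders; the real alias of the private key entry is the one shown by the keytool -list -v command earlier in the thread. The code uses Java 6 syntax (no try-with-resources) so it compiles on the jre1.6 that the CVP paths in this thread point to.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/**
 * Added example: outbound mutual TLS from application code on a Java 6 JVM.
 * Paths, passwords, alias and URL are placeholders, not values from the thread.
 */
public class MutualTlsClient {

    /** Answers the server's CertificateRequest with one fixed alias, so a
     *  keystore holding several entries still presents the intended identity
     *  instead of letting the default manager pick by issuer name. */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) {
            return alias;
        }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) {
            return delegate.chooseServerAlias(keyType, issuers, s);
        }
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
        public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
        public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    }

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Builds an SSLContext that presents the client certificate from the .pfx
     *  and trusts only the CAs held in a separate trust store. */
    static SSLContext buildContext(String pfxPath, char[] pfxPassword, String alias,
                                   String trustPath, char[] trustPassword) throws Exception {
        // The .pfx is already a PKCS12 keystore; no import into a JKS file is needed.
        KeyStore identity = load(pfxPath, "PKCS12", pfxPassword);
        if (!identity.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no private key entry named '" + alias + "'");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, pfxPassword);  // PKCS12: the key password is the store password

        // Trust lives in its own store so the private key never sits in cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustPath, "JKS", trustPassword));

        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new FixedAliasKeyManager((X509KeyManager) kms[i], alias);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns the HTTP status. A 403 here arrives over a completed TLS
     *  session: the server negotiated TLS but did not receive, or did not
     *  accept, the client certificate it asked for. */
    static int call(SSLContext ctx, String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs for this example.
        SSLContext ctx = buildContext("C:\\mycert.pfx", "changeit".toCharArray(), "my-client-key",
                                      "C:\\cvp-trust.jks", "changeit".toCharArray());
        System.out.println("HTTP status: " + call(ctx, "https://webservice.example.com/service"));
    }
}
```

Two practical notes. First, on the debugging question in the original post: adding -Djavax.net.debug=ssl,handshake to the JVM options makes JSSE print the handshake, so you can see whether the server actually sends a CertificateRequest, which issuer names it lists, and which certificate (if any) the client answers with; an empty client Certificate message followed by an HTTP 403 is the signature of "key manager found no matching alias". Second, Tomcat's own connector keystore settings only cover inbound connections to Tomcat; outbound client authentication comes either from code like the above or from the JVM-wide defaults (javax.net.ssl.keyStore, javax.net.ssl.keyStoreType=PKCS12, javax.net.ssl.keyStorePassword), and with the latter the default key manager picks an alias by matching the issuers the server advertises, so a chain whose issuer is not in that list is silently not presented.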
Comments
Lili Chan
Cisco Employee

Saw this old post, I've a similar requirement.. does the below feature in CVP 11.0 help in any way?

User Guide for Cisco Unified CVP VXML Server and Cisco Unified Call Studio Release 11.0(1) - Rest_Client Integration […

Rest_Client Element

In Release 11.0(1), Cisco Unified Call Studio includes a new element called the Rest_Client element. The Rest_Client element provides a flexible interface in order to interact with REST endpoints. The communication between the REST client and server is made completely secure using two-way Secure Sockets Layer (SSL). The Rest_Client element permits users to send GET, POST, PUT, or DELETE requests to application servers.

Create Two-Way Communication Between VXML and REST Server

Two-Way secure communication between VXML and REST Server involves importing the VXML Server CA certificate into the REST Server trust store.

Perform the following steps to import the VXML Server CA certificate on the REST Server:

Rgds, lili
