Avias - 8 days ago
Java Question

How do you set a client side certificate in Websphere 8.5.5.9 for mSSL?

I have an application that is currently deployed in WAS 8.5.5.9. This application connects to another server via webservice and the host of the other server requires me to connect using TLS 1.2 and through a mutual SSL connection.

I have already successfully imported the (other) server's host certificate in the truststore of my WAS but as this is mSSL and not regular 1 way SSL, I also need to set up the client certificate to be sent back to the other server to verify the connection.

How do I do this? I cannot seem to find any options in the WAS admin console that specifies a client certificate to be sent to a remote server for mSSL.

Some points to consider:

  • I have already selected TLSv1.2 in the SSL configuration in WAS and it seems to be working

  • The client certificate was provided to me by the owner of the remote host based on a CSR creation done in IKEYMAN by us.

  • I have tried importing the client certificate in the WAS trust and key stores but I still get a handshake_failure exception when I try to process a transaction.

  • A TCP dump on the remote server side indicates that the server is getting 0 length when receiving the client certificate.

  • Logs on my side indicate that the initial handshake is successful. ClientHello and ServerHello messages push through. But at the very end I get this message (although it does not tell much):

[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O [Raw read]: length = 5
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O 0000: 15 03 03 00 02 .....
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O [Raw read]: length = 2
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O 0000: 02 28 ..
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O Thread-142, READ: TLSv1.2 Alert, length = 2
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut O Thread-142, RECV TLSv1.2 ALERT: fatal, handshake_failure

Answer

You can use the 'Dynamic outbound endpoint' functionality to associate a certificate with connections to the target server. To set up the Dynamic outbound endpoint, see: Associating a Secure Sockets Layer configuration dynamically with an outbound protocol and remote secure endpoint.

The connection information is of the form *,hostname,port. Once you select your existing SSL configuration (CellDefaultSSLSettings), click on the 'Get certificate aliases' button. Then select your client-side certificate from the drop-down.

This should allow you to perform mutual authentication correctly. Note that your client-side certificate must also be present in the trust store of your target server.
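The following is an added example, not code from the question, the answer, or IBM WebSphere: a stand-alone Java client that builds a TLS 1.2 context from a key store and a trust store, performs a mutually authenticated handshake, and reports whether a client certificate was actually sent. It is useful for separating two failure modes behind a zero-length client Certificate message: the key store holding the certificate only as a trusted-certificate entry (no private key, so the JSSE key manager has nothing to offer) versus the certificate not being selected for the outbound endpoint. The store paths, passwords, store type, host name and port are placeholders to be replaced with your own values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: opens a mutual-TLS 1.2 connection from a Java key store and
 * trust store and reports which certificates were exchanged.
 * All constants below are placeholders (assumptions), not values from the page.
 */
public class MutualTlsCheck {

    static final String STORE_TYPE = "PKCS12";            // or "JKS", depending on your store
    static final String KEYSTORE_PATH = "client-key.p12";   // placeholder path
    static final String TRUSTSTORE_PATH = "client-trust.p12"; // placeholder path
    static final char[] PASSWORD = "changeit".toCharArray(); // placeholder password
    static final String HOST = "remote.example.com";         // placeholder host
    static final int PORT = 443;                             // placeholder port

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = load(KEYSTORE_PATH, PASSWORD);
        KeyStore trustStore = load(TRUSTSTORE_PATH, PASSWORD);

        // Check 1: only a key entry (certificate plus private key) can be offered
        // as a client certificate. A certificate imported on its own becomes a
        // trusted-certificate entry and is never sent to the server.
        for (String alias : Collections.list(keyStore.aliases())) {
            System.out.printf("%-30s %s%n", alias,
                    keyStore.isKeyEntry(alias)
                            ? "key entry (can be sent as client certificate)"
                            : "certificate-only entry (cannot be sent)");
        }

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, PASSWORD);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            socket.startHandshake(); // throws SSLHandshakeException on a fatal alert

            // Check 2: getLocalCertificates() returns null when no client certificate
            // was sent, which is what a zero-length Certificate message on the
            // server side corresponds to.
            SSLSession session = socket.getSession();
            Certificate[] local = session.getLocalCertificates();
            if (local == null) {
                System.out.println("No client certificate was sent to the server.");
            } else {
                System.out.println("Client certificate sent: "
                        + ((X509Certificate) local[0]).getSubjectX500Principal());
            }
            System.out.println("Server certificate received: "
                    + ((X509Certificate) session.getPeerCertificates()[0]).getSubjectX500Principal());
        }
    }

    // Loads a key or trust store of the configured type from disk.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
}
```

Run it against the same key and trust stores the server is configured to use. If every alias is reported as a certificate-only entry, the key store has no private key for the client certificate and no outbound endpoint configuration will make it sendable; if a key entry exists but the handshake still fails with handshake_failure, the selection of that alias for the target host and port (the dynamic outbound endpoint described in the answer) is the next thing to verify.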