|
From: Ronald v. K. <rv...@ab...> - 2003-03-17 13:34:21
|
Anyone already started working on this... Otherwise I'll be glad to look a little into this since we need it as well?

-----Original Message-----
From: Patrick Yee [mailto:kc...@ce...]
Sent: Wednesday, 12 March 2003 6:02
To: ebx...@li...
Subject: Re: [ebxmlms-develop] Client certificate authentication

Unfortunately, Hermes is not supporting the use of client certificate authentication right now.
-Patrick

----- Original Message -----
From: Mayne, Peter <mailto:Pet...@ap...>
To: 'ebx...@li...' <mailto:'ebx...@li...'>
Sent: Wednesday, March 12, 2003 12:55 PM
Subject: [ebxmlms-develop] Client certificate authentication

I'm trying to send ebXML messages to an HTTPS site that requires client certificate authentication.

I have the HTTPS part working, but only by putting the web site's certificate's CA certificate in the JAVA_HOME\jre\lib\security\cacerts file. Hermes doesn't seem to be seeing my definitions of javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword.

Since it doesn't see those definitions, it probably won't see my definition of javax.net.ssl.keyStore et al either.

What is the recommended way of telling Hermes where a trustStore is, and what client certificate to use when authenticating to an HTTPS site?

Thanks.

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777

The information contained in this email and any attachments to it:
(a) may be confidential and if you are not the intended recipient, any interference with, use, disclosure or copying of this material is unauthorised and prohibited; and
(b) may contain personal information of the recipient and/or the sender as defined under the Privacy Act 1988 (Cth). Consent is hereby given by the recipient(s) to collect, hold and use such information and any personal information contained in a response to this email, for any reasonable purpose in the ordinary course of Spherion's business, including forwarding this email internally or disclosing it to a third party. All personal information collected by Spherion will be handled in accordance with Spherion's Privacy Policy. If you have received this email in error, please notify the sender and delete it.
(c) you agree not to employ or arrange employment for any candidate(s) supplied in this email and any attachments without first entering into a contractual agreement with Spherion. You further agree not to divulge any information contained in this document to any person(s) or entities without the express permission of Spherion.
|
|
From: Patrick Y. <kc...@ce...> - 2003-03-18 01:39:38
|
Ronald,

I will be merging the code of our pki library to the source of hermes today. So, please wait for a while before making any patches. Thank you.

Regards, -Patrick

----- Original Message -----
From: Patrick Yee
To: ebx...@li...
Sent: Monday, March 17, 2003 10:02 PM
Subject: Re: [ebxmlms-develop] Client certificate authentication

Not here. So, it will be great if you can help to look into this. Of course, we are more than happy to discuss with you on how to do it. Many thanks.

Regards, -Patrick

----- Original Message -----
From: Ronald van Kuijk
To: 'ebx...@li...'
Sent: Monday, March 17, 2003 09:36 PM
Subject: RE: [ebxmlms-develop] Client certificate authentication

Anyone already started working on this... Otherwise I'll be glad to look a little into this since we need it as well?

-----Original Message-----
From: Patrick Yee [mailto:kc...@ce...]
Sent: Wednesday, 12 March 2003 6:02
To: ebx...@li...
Subject: Re: [ebxmlms-develop] Client certificate authentication

Unfortunately, Hermes is not supporting the use of client certificate authentication right now.
-Patrick

----- Original Message -----
From: Mayne, Peter
To: 'ebx...@li...'
Sent: Wednesday, March 12, 2003 12:55 PM
Subject: [ebxmlms-develop] Client certificate authentication

I'm trying to send ebXML messages to an HTTPS site that requires client certificate authentication.

I have the HTTPS part working, but only by putting the web site's certificate's CA certificate in the JAVA_HOME\jre\lib\security\cacerts file. Hermes doesn't seem to be seeing my definitions of javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword.

Since it doesn't see those definitions, it probably won't see my definition of javax.net.ssl.keyStore et al either.

What is the recommended way of telling Hermes where a trustStore is, and what client certificate to use when authenticating to an HTTPS site?

Thanks.

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777
|
|
From: Ronald v. K. <rv...@ab...> - 2003-03-18 17:35:45
|
It is not too difficult to switch from BA to Cert based authentication. Yes sure it takes a little more work, but mainly if you want it as a completely stand-alone application. For that reason running it in a servlet container (tomcat/jboss/bea/websphere) that does all these things for you makes it that much easier. One can refer to documentation of those containers to get it working.

That is the way we want to go, including making use of connection pools that the server provides for us. Is that already possible? I did not look into that yet.

If you implement it using JAAS, everybody can choose the way they want to implement it, LDAP, flat-file, database fingerprint, whatever.

-----Original Message-----
From: Patrick Yee [mailto:kc...@ce...]
Sent: Tuesday, 18 March 2003 16:14
To: ebx...@li...
Subject: Re: [ebxmlms-develop] Client certificate authentication

Nope. Currently, Hermes does not support any HTTP level authentication. However, Hermes supports authentication in SMTP. :-)

So, we think we can add HTTP authentication. The question is: which level should Hermes support. Basic client authentication is simpler, but client certificate authentication definitely is the most secure method. But this involves more complicated development work as well as set up work when deploying Hermes (specifying certificates, alias, password, etc.).

What do you guys think?

Regards, -Patrick

----- Original Message -----
From: Mayne, Peter <mailto:Pet...@ap...>
To: 'ebx...@li...' <mailto:'ebx...@li...'>
Sent: Tuesday, March 18, 2003 01:10 PM
Subject: RE: [ebxmlms-develop] Client certificate authentication

I'm not sure if we'll be using certificates or something simpler (eg basic authentication). Does Hermes allow for client basic authentication?

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777
|
|
From: Ronald v. K. <rv...@ab...> - 2003-03-18 23:04:41
|
Yes, I know, this isn't too difficult either, assuming no strange things occur in Hermes. We've done this with jaxm (with the default sun jsse from jdk1.4) in several applications. (and ran into a strange padding bug with this jdk and verisign certificates)

-----Original Message-----
From: Mayne, Peter [mailto:Pet...@ap...]
Sent: Tuesday, 18 March 2003 22:49
To: 'ebx...@li...'
Subject: RE: [ebxmlms-develop] Client certificate authentication

Note that I'm referring to authentication where Hermes is the client, and must authenticate to another web server. I already have client authentication at the server end working: I just put Apache in front of Tomcat and let it do all that (as well as HTTPS).

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777

-----Original Message-----
From: Ronald van Kuijk [mailto:rv...@ab...]
Sent: Wednesday, 19 March 2003 4:38 AM
To: 'ebx...@li...'
Subject: RE: [ebxmlms-develop] Client certificate authentication

It is not too difficult to switch from BA to Cert based authentication. Yes sure it takes a little more work, but mainly if you want it as a completely stand-alone application. For that reason running it in a servlet container (tomcat/jboss/bea/websphere) that does all these things for you makes it that much easier. One can refer to documentation of those containers to get it working.

That is the way we want to go, including making use of connection pools that the server provides for us. Is that already possible? I did not look into that yet.

If you implement it using JAAS, everybody can choose the way they want to implement it, LDAP, flat-file, database fingerprint, whatever.

-----Original Message-----
From: Patrick Yee [mailto:kc...@ce...]
Sent: Tuesday, 18 March 2003 16:14
To: ebx...@li...
Subject: Re: [ebxmlms-develop] Client certificate authentication

Nope. Currently, Hermes does not support any HTTP level authentication. However, Hermes supports authentication in SMTP. :-)

So, we think we can add HTTP authentication. The question is: which level should Hermes support. Basic client authentication is simpler, but client certificate authentication definitely is the most secure method. But this involves more complicated development work as well as set up work when deploying Hermes (specifying certificates, alias, password, etc.).

What do you guys think?

Regards, -Patrick

----- Original Message -----
From: Mayne, Peter
To: 'ebx...@li...'
Sent: Tuesday, March 18, 2003 01:10 PM
Subject: RE: [ebxmlms-develop] Client certificate authentication

I'm not sure if we'll be using certificates or something simpler (eg basic authentication). Does Hermes allow for client basic authentication?

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777
|
|
From: Ronald v. K. <rv...@ab...> - 2003-03-26 11:09:46
|
I haven't been able to pick this up for the moment due to some operational issues on other projects. Discussing this is always an option. I'll try to put some ideas in a mail tonight (CET).

-----Original Message-----
From: Mayne, Peter [mailto:Pet...@ap...]
Sent: Wednesday, 26 March 2003 6:07
To: 'ebx...@li...'
Subject: RE: [ebxmlms-develop] Client certificate authentication

We're going to need to be able to send client certificate authentication from Hermes real soon now. If nobody has started to implement this, can we please have at least a rudimentary discussion on how this should be done, so I can build it in for our use without going too far off the track?

Thanks.

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777
|
|
From: Ronald v. K. <rv...@ab...> - 2003-03-31 06:47:29
|
Exactly... and using an alias is only needed if all the following are met:
- you have to connect to 2 different mhs
- they both accept certificates by the same root issuer and there is not a different intermediate CA
- you have 2 certificates from this issuer (e.g. because both mhs are a separate community and require the subject of the certificate to have a specific value in it)
- ....

So it probably will not occur too often in real life.

Ronald

-----Original Message-----
From: Mayne, Peter [mailto:Pet...@ap...]
Sent: Monday, 31 March 2003 5:45
To: 'ebx...@li...'
Subject: RE: [ebxmlms-develop] Client certificate authentication

> Anybody know how to select a specific keystore alias in Java?

Aha!

Custom SSL for advanced JSSE developers
Use JSSE to customize the properties of your SSL connections
http://www-106.ibm.com/developerworks/java/library/j-customssl/index.html

So, all we need now is HermesHttpSoapConnectionImpl. :-)

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777
|
|
From: Patrick Y. <kc...@ce...> - 2003-03-17 13:58:36
|
Not here. So, it will be great if you can help to look into this. Of course, we are more than happy to discuss with you on how to do it. Many thanks.

Regards, -Patrick

----- Original Message -----
From: Ronald van Kuijk
To: 'ebx...@li...'
Sent: Monday, March 17, 2003 09:36 PM
Subject: RE: [ebxmlms-develop] Client certificate authentication

Anyone already started working on this... Otherwise I'll be glad to look a little into this since we need it as well?

-----Original Message-----
From: Patrick Yee [mailto:kc...@ce...]
Sent: Wednesday, 12 March 2003 6:02
To: ebx...@li...
Subject: Re: [ebxmlms-develop] Client certificate authentication

Unfortunately, Hermes is not supporting the use of client certificate authentication right now.
-Patrick

----- Original Message -----
From: Mayne, Peter
To: 'ebx...@li...'
Sent: Wednesday, March 12, 2003 12:55 PM
Subject: [ebxmlms-develop] Client certificate authentication

I'm trying to send ebXML messages to an HTTPS site that requires client certificate authentication.

I have the HTTPS part working, but only by putting the web site's certificate's CA certificate in the JAVA_HOME\jre\lib\security\cacerts file. Hermes doesn't seem to be seeing my definitions of javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword.

Since it doesn't see those definitions, it probably won't see my definition of javax.net.ssl.keyStore et al either.

What is the recommended way of telling Hermes where a trustStore is, and what client certificate to use when authenticating to an HTTPS site?

Thanks.

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727 F: 61 2 62689777
|