I'm interested if Google App Engine provides a way to use an X.509 certificate to create an HTTPS connection (the server where I have to connect provides the public certificate, to encrypt data that I send, and the private key to decrypt the data received from that server).
According to this post https://groups.google.com/forum/?fromgroups#!topic/google-appengine-python/C9RSDGeIraE it's not possible, but 3 years have passed since that answer was posted.
SSL client certificates are not currently supported. The feature request is here.
AppEngine has the ability to work with an SSL certificate on your custom domain, which means that you can assign a certificate to a domain that is running on AppEngine.
You cannot AFAIK make a request and provide a custom certificate per request.
Documentation on AppEngine SSL.
I'm stuck with the problem of how to authorize a Java client application that consumes a REST API and needs to authorize with a certificate issued by an internal CA. So I have the CA certificate, then the client certificate and the client private key generated by OpenSSL. I'm looking for a guide/example of how to tell OkHttpClient to sign requests with the client certificate to bypass Apache SSL authorization. All is done on the internal network. Can you guys help me?! I tried so many ways that I'm lost. I need a good example. The stack is Retrofit with OkHttpClient.
Here is an example via cURL of what I need to implement in Java in a smart way:
https://downey.io/notes/dev/curl-using-mutual-tls/
** SOLUTION BELOW **
How to add SSL certificates to an OkHttp mutual TLS connection?
In my case the mistake was in the private key format. I had PKCS#1 and it must be PKCS#8.
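The mutual-TLS OkHttp client the question above asks for, as an added example in Java; it is not code from the poster, from the answer, or from the OkHttp project. It assumes three PEM files as OpenSSL produces them, under hypothetical names (ca.crt, client.crt, client.key), an RSA client key, and OkHttp 3.x or 4.x on the classpath. The key reader accepts only PKCS#8 and rejects a PKCS#1 file outright, which is the mistake the answer above describes, and the trust store contains only the internal CA, so the client accepts nothing else as the server.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class MutualTlsClient {

    // Hypothetical file names; all three are PEM files produced by OpenSSL.
    static final Path CA_CERT = Paths.get("ca.crt");         // internal CA certificate
    static final Path CLIENT_CERT = Paths.get("client.crt"); // client certificate issued by that CA
    static final Path CLIENT_KEY = Paths.get("client.key");  // client private key, PKCS#8 ("BEGIN PRIVATE KEY")
    static final char[] IN_MEMORY_PASSWORD = "unused".toCharArray(); // protects only the in-memory store

    /** Reads a PEM private key. PKCS8EncodedKeySpec understands PKCS#8 only; a PKCS#1 file
     *  ("BEGIN RSA PRIVATE KEY") would fail with InvalidKeySpecException, so it is refused
     *  up front with a clear message (convert it with: openssl pkcs8 -topk8 -nocrypt). */
    static PrivateKey loadPkcs8Key(Path pem) throws Exception {
        String text = new String(Files.readAllBytes(pem), StandardCharsets.US_ASCII);
        if (text.contains("BEGIN RSA PRIVATE KEY")) {
            throw new IllegalArgumentException(pem + " is PKCS#1; convert it to PKCS#8 first");
        }
        String base64 = text.replace("-----BEGIN PRIVATE KEY-----", "")
                            .replace("-----END PRIVATE KEY-----", "")
                            .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der)); // assumes an RSA key
    }

    static Certificate loadCert(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static OkHttpClient build() throws Exception {
        // Client identity: an in-memory key store holding the private key and its certificate chain.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        identity.load(null, null);
        identity.setKeyEntry("client", loadPkcs8Key(CLIENT_KEY), IN_MEMORY_PASSWORD,
                new Certificate[] { loadCert(CLIENT_CERT), loadCert(CA_CERT) });
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, IN_MEMORY_PASSWORD);

        // Server trust: only the internal CA, deliberately not the JDK's default cacerts.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        trust.setCertificateEntry("internal-ca", loadCert(CA_CERT));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager trustManager = (X509TrustManager) tmf.getTrustManagers()[0];

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { trustManager }, new SecureRandom());

        // OkHttp requires the trust manager to be passed alongside the socket factory.
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), trustManager)
                .build();
    }

    public static void main(String[] args) throws Exception {
        OkHttpClient client = build();
        // Hypothetical endpoint; the server will see the client certificate during the handshake.
        Request request = new Request.Builder().url("https://api.internal.example/health").build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
        }
    }
}
```

For Retrofit, pass the same instance with `new Retrofit.Builder().client(MutualTlsClient.build())`; Retrofit does not manage TLS itself. If the handshake still fails, run the JVM with `-Djavax.net.debug=ssl:handshake` and check whether the server's CertificateRequest lists the internal CA as an acceptable issuer: if it does not, the server side is misconfigured and no client change will help.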
I'm currently developing an application for Android that will allow users to back up their data on a server, which I am also developing in Java. I've pretty much completed the development of features such as file transfer, registering and logging in (a MySQL database keeping records of users and passwords), and so on. I've come to a halt in my development when trying to implement security features. I want to use asymmetric cryptography for authentication and symmetric cryptography for encrypting communication between client and server. So here is the deal:
The communication between client and server will be done using AES. This relies on a preshared key between both parties. This preshared key will be generated on the client side each time a session is initiated and will be sent to the server, encrypted using the server's public key. That way, only the server that possesses the private key will be able to decrypt the preshared key and read the communication. Where I am a bit confused is the sharing of the server's public key. Now I know the best way to do this is to use a digital certificate containing the server's public key. I also know this certificate should come from a trusted CA.
My question is, how do I go about getting a digital certificate for my server? Will my Android application request this certificate from the server or the CA? My initial thought is that it has to receive this certificate from a CA, as if it receives it from the server, it may be fraudulent. What is the process and the correct way of going about this? Anywhere I read, it just talks about HTTPS connections from client to web server. I am writing a server in Java that will communicate over sockets with my Android application. How do I go about creating, receiving and verifying certificates in relation to trusted CAs?
Thanks
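An added example, not part of the question above, showing how a plain-socket Java client verifies the server's certificate: the client ships the CA certificate it trusts (a hypothetical backup-ca.crt, which may be your own CA since the app never consults the system trust list), builds a trust store containing only that CA, and turns on hostname verification so that a certificate from the same CA for a different host is rejected. Host name, port and protocol line are constructed values. The handshake in `startHandshake` performs the whole exchange the question describes by hand (fresh per-session symmetric key, sent under the server's public key, then AES on the wire), so the application only has to read and write the socket afterwards. Android apps would open the CA file from app resources rather than the file system; the TLS calls are the same.

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class BackupClient {

    static final String SERVER_HOST = "backup.example.com"; // hypothetical
    static final int SERVER_PORT = 8443;                    // hypothetical
    static final String CA_CERT_PEM = "backup-ca.crt";      // hypothetical; bundled with the app

    /** Trust store with exactly one entry: the CA that signed the backup server's certificate. */
    static SSLContext contextTrustingOnlyOurCa() throws Exception {
        Certificate ca;
        try (InputStream in = Files.newInputStream(Paths.get(CA_CERT_PEM))) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("backup-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate in this example
        return ctx;
    }

    /** Sends one protocol line over a verified TLS connection and returns the server's reply. */
    static String exchange(String requestLine) throws Exception {
        SSLSocketFactory factory = contextTrustingOnlyOurCa().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(SERVER_HOST, SERVER_PORT)) {
            // Chain validation alone accepts any certificate from our CA; endpoint identification
            // additionally requires the certificate to name SERVER_HOST (SAN or CN).
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws SSLHandshakeException if the chain or the name does not verify

            System.out.println("authenticated server: " + socket.getSession().getPeerPrincipal().getName());
            PrintWriter out = new PrintWriter(
                    new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.UTF_8), true);
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8));
            out.println(requestLine); // already encrypted with the session key negotiated above
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(exchange("HELLO backup-client/1.0")); // constructed protocol line
    }
}
```

The server side needs the matching SSLServerSocket built from a key store holding the server certificate and private key; keep that private key on the server only. Because the client bundles the CA it trusts, a certificate from a commercial CA is not required for this design, but the bundled CA certificate must be updated in the app before it expires.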
I've generated classes from wsdl with wsimport, wsdl location: https://somehost/wsdl. There was no problem with generation.
But when I tried to send soap request, I've received exception:
com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 403: Client certificate required
I found out, surfing the internet, that I have to add the certificate to my keystore. I've done it, but this doesn't help.
And I have no idea what to do or even what to google.
Can anybody help me? :(
It sounds like a mutual authentication problem.
The server is requiring that your client use a known digital certificate to sign your messages and send that information within the request. It is like a user/password mechanism, but you and the server agree to use a known key-pair for identification.
This situation usually means that the web service server administrator will generate a key-pair and send the private part of the certificate to you.
But you can send the public certificate to him as well if you created it yourself. The server must have access to the public certificate, and maybe you will have to publish it to a Certification Authority. In some cases it has to be a commercial certificate (you will have to buy it).
You will then use the private key to digitally sign your messages.
I've found some links that may help:
Authentication Mechanisms
Java client for the X.509 secured web-service
Java HTTPS client certificate authentication
If you already did those steps, then something is wrong with your implementation or the certificate/keys provided are invalid.
I recommend you use a mock server to make sure you are implementing the client authentication properly before you try to connect to the real service. Making it work locally will give you the knowledge you need to call the real functions. You can also ask the web service administrator to send you debug information.
I have an existing Java client code which calls an ASMX web service. However, the ASMX web service is being deprovisioned and is migrating to a secure web service (SVC).
As far as I can understand, I have to change the endpoint URL, and https from http in the URL,
and then recreate the client code using the new WSDL.
However, I also have to send a certificate along with every request. Can anyone help me on how to do that using Java?
Let me know if you need more information.
Many Thanks
You have to import the public key of the server you want to communicate with into the client trust store. The JDK-provided keytool can be used to import the certificate into the trust store.
You have to specify the trust store details in the client VM. The following parameters have to be set on the client VM to specify the trust store:
javax.net.ssl.trustStore - The location of the trust store file which has the public keys of the servers it wants to communicate with.
javax.net.ssl.trustStorePassword - The password of the trust store.
References:
Java SSL
Key Store Vs Trust Store
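An added example, not taken from either answer or from the JAX-WS project, that puts the trust store properties above next to the key store properties they must be paired with for the two questions on this page about wsimport clients (the "403: Client certificate required" error and the ASMX-to-SVC migration). The trust store only decides which servers the client accepts; the client certificate that the server demands comes from `javax.net.ssl.keyStore`, and without those properties a JAX-WS client presents no certificate at all, even though the trust store is correct. The WSDL URL is the one from the question above; the service and port QNames, the endpoint address, the file names and the generated interface are hypothetical placeholders.

```java
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

public class SoapClientWithClientCert {

    // Hypothetical values; take the QNames from your WSDL and the files from your key material.
    static final String WSDL_URL = "https://somehost/wsdl";
    static final QName SERVICE_NAME = new QName("http://example.invalid/ns", "GeneratedService");
    static final QName PORT_NAME = new QName("http://example.invalid/ns", "GeneratedPort");
    static final String ENDPOINT = "https://somehost/service.svc";

    /** Points JSSE at the key material. Must run before the first TLS connection in this JVM,
     *  which for a JAX-WS client is fetching the WSDL itself when it is served over https. */
    static void configureTls() {
        // Trust store: the CA (or server certificate) that the client accepts as the server.
        System.setProperty("javax.net.ssl.trustStore", "truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        // Key store: our own certificate plus private key, presented when the server sends
        // a CertificateRequest. Leaving these out is what produces "Client certificate required".
        System.setProperty("javax.net.ssl.keyStore", "client.p12");
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        // Diagnostics: prints the handshake, including whether a client certificate was sent.
        System.setProperty("javax.net.debug", "ssl:handshake");
    }

    /** Creates the generated port and redirects it to the https endpoint instead of the
     *  address embedded in the WSDL. `sei` is the wsimport-generated service interface. */
    static <T> T port(Class<T> sei) throws Exception {
        configureTls();
        Service service = Service.create(new URL(WSDL_URL), SERVICE_NAME);
        T port = service.getPort(PORT_NAME, sei);
        ((BindingProvider) port).getRequestContext()
                .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, ENDPOINT);
        return port;
    }
}
```

Call `port(GeneratedPortType.class)` with the interface wsimport generated and invoke its operations as before; the certificate is sent during the TLS handshake of every connection, so no per-request code is needed. These `javax.net.ssl.*` properties apply to the whole JVM, so a process that talks to several services with different certificates needs a per-connection SSLContext instead. On Java 11 and later the `javax.xml.ws` classes are no longer in the JDK and must come from a JAX-WS dependency.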
I have a Java CXF client that connects to an SSL-secured web service with mutual authentication.
I have my keystore and my truststore properly configured on the client-side and it works fine.
I am concerned here by the fact that my keystore contains only one client certificate, and in the CXF configuration it is not possible to say "OK, for this SSL communication you'll use this certificate".
As I only have one certificate, it's not difficult to choose the right one for CXF during the SSL handshake.
But this client will be deployed in an environment where it will be used with multiple possible clients, each having their own certificate, and each of them will be signed by the same certification authority. When the server asks for a client certificate that is signed by a specific authority, there will be no way to distinguish one certificate from another.
How can I tell CXF (or Java) to use the proper certificate in this context?
Do I need to build as many SSL contexts as client certificates? (i.e. having N keystores, each of them containing only one certificate).
Or is there a way (in CXF conf or in Java) to say "use this certificate in this context"?
Thanks in advance for your help.
All the certificates must refer to the same client, otherwise the CAs are derelict in their duty. So they should all have, for example, the same subjectX500Principal. So why do you need a specific certificate? All of them identify the same client, so from an authentication point of view they are all equivalent.
It's starting to sound as though you want to use a particular certificate for authorization purposes, not just to establish identity via authentication. If so, it is the wrong approach, a misuse of PKI. Authorization is an application-controlled step once you have an authenticated identity: get the identity of the peer certificate and look up your authorization database to see if that identity is allowed to access this part of the application. Don't try to use a cacerts file as an authorization database; that's not what it's for.
I don't know if this is an option for you but I've done dynamic alias selection using WSIT before (i.e. one keystore, many private key entries). See this article for more detail. (Let me know if that article isn't enough - I can post more detail if you need)
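The "one keystore, many private key entries" selection the answer above refers to, written out as an added Java example that is not code from CXF, WSIT or the answer's author. It assumes a keystore (hypothetical clients.jks) with several private-key entries, all issued by the same CA as the question describes, and wraps the chosen entry in an X509KeyManager that presents only that entry. The default key manager picks the first entry whose issuer matches the server's CertificateRequest, which is exactly why several certificates from one CA are indistinguishable to it; this manager answers with the configured alias, and refuses (returns null, so the handshake fails visibly) when the server's accepted-issuer list does not include that entry's CA.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Client-side key manager that always presents one chosen entry of a multi-entry keystore. */
public final class SingleAliasKeyManager implements X509KeyManager {
    private final String alias;
    private final PrivateKey key;
    private final X509Certificate[] chain;

    public SingleAliasKeyManager(KeyStore keyStore, String alias, char[] keyPassword) throws Exception {
        if (!keyStore.isKeyEntry(alias)) {
            throw new IllegalArgumentException("keystore has no private key entry named " + alias);
        }
        Certificate[] raw = keyStore.getCertificateChain(alias);
        this.alias = alias;
        this.key = (PrivateKey) keyStore.getKey(alias, keyPassword);
        this.chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // The server's CertificateRequest lists the CAs it accepts (null or empty: any CA).
        // Offer our entry only if its issuer is among them, otherwise fail the handshake clearly.
        if (issuers == null || issuers.length == 0) {
            return alias;
        }
        Principal ourIssuer = chain[0].getIssuerX500Principal();
        return Arrays.asList(issuers).contains(ourIssuer) ? alias : null;
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; } // client only
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain.clone() : null; }
    @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }

    /** SSLContext that authenticates as the chosen alias and trusts the JDK's default cacerts. */
    public static SSLContext contextFor(KeyStore keyStore, String alias, char[] keyPassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = default trust store (cacerts or javax.net.ssl.trustStore)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new SingleAliasKeyManager(keyStore, alias, keyPassword) },
                 tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical keystore holding one entry per client, all issued by the same CA.
        char[] password = "changeit".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get("clients.jks"))) {
            keyStore.load(in, password);
        }
        String chosen = args.length > 0 ? args[0] : "client-a"; // alias selected per deployment
        SSLContext ctx = contextFor(keyStore, chosen, password);
        System.out.println("context ready; will present " + chosen + " as client certificate");
    }
}
```

For CXF, hand the key manager array to the conduit with `TLSClientParameters.setKeyManagers(...)` and `HTTPConduit.setTlsClientParameters(...)` instead of building the SSLContext yourself; the same class works with any JSSE-based client. Note that JKS treats aliases case-insensitively and stores them in lower case, so pass the alias in lower case, and that the server still only learns the identity in the certificate: as the answer above says, which entry is presented is an identity choice, not an authorization mechanism.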