
How to use a pkcs12 certificate with SOAP-driver


Hi,

Anyone here that knows how I get this to work?

I have an external webservice that I have to "talk" to via SOAP
driver... 🙂

I have added certificates to my keystore-file from the external
webservices - and I can see that the SOAP driver gets a connection.
Where do I tell the driver (shim) to use a PKCS12 certificate or similar
to authenticate with, because it receives this "handshake_failure"...
I have tried to put it into the keystore-file, by converting it with
openssl first and then with keytool...

I have it all working in SoapUI, and I get the same error
"handshake_failure" if I remove the PKCS12 certificate from the SoapUI
Project.

best regards
Brian


--
obrian
------------------------------------------------------------------------
obrian's Profile: https://forums.netiq.com/member.php?userid=311
View this thread: https://forums.netiq.com/showthread.php?t=48201


Re: How to use a pkcs12 certificate with SOAP-driver

On 07/16/2013 09:14 AM, obrian wrote:
> I have it all working in SoapUI, and I get the same error
> "handshake_failure" if I remove the PKCS12 certificate from the SoapUI
> Project.


Did you import it into the correct keystore? SoapUI likely uses a
different keystore than IDM (I would hope it does anyway); pulling apart a
pkcs12 and importing it into a keystore used by the application's JVM
should be functionally equivalent.

Good luck.

Re: How to use a pkcs12 certificate with SOAP-driver


Hi,

Thanks, ab, for the reply.

Sorry, I did not specify my issue correctly...

The IDM-Meta directory is running on its own SLES 🙂 and here I've
added the certificates for the external webservice, and I have imported
the PKCS12 certificate into a specific keystore (the one selected on the
SOAP-Driver's property-page under [Driver Configuration] -> [Driver
Parameters] -> [Subscriber Options]). But still not working...
I will try adding the certificate to the JVM's keystore...

My SoapUI is running on my OpenSuse desktop, and is working with the
Client certificate PKCS12.

regards
Brian



Re: How to use a pkcs12 certificate with SOAP-driver


Solution found... 🙂

First you have to import the server-certificate from the remote server
to the Truststore of the SOAP-Driver; I call it dirxml.keystore and have
placed it in /root/certs/dirxml.keystore

Then to make the Client-Certificate work - do this...
Get the Client-Certificate from the provider - normally you get it in
PKCS12 format, but the SOAP-Driver (java) is not fond of that so... to
make a "java-keystore" - run this:

    keytool -importkeystore -srckeystore SOAPTest01.p12 -srcstoretype PKCS12 \
        -srcstorepass Password -destkeystore client_cert.keystore \
        -deststorepass Password

Here it is *very important* that the -deststorepass is the same as
the password to the PKCS12, else you get an error like "Unable to decode
key".
Then I've placed this keystore in the same folder, like this:
/root/certs/client_cert.keystore
Next you have to "tell" the driver to use it: go to [Subscriber Options]
and change the [Set mutual authentification parameters] to [show], type
the path+name of the keystore into [Keystore file] and the password
into [Keystore password].

That's it 🙂

regards
Brian


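A scripted version of the conversion described in the post above, with a check that the resulting keystore really holds a private key entry and not only trusted certificates. This is an added example, not part of the original post: the function names, the KS_PASS environment variable and the sample `keytool -list` listings are constructed, and the `:env` password modifier assumes a keytool version that supports it.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the KS_PASS variable are assumptions.

# Print how many PrivateKeyEntry lines appear in `keytool -list` output (stdin).
# A store with only trustedCertEntry lines cannot present a client certificate.
count_private_keys() {
    grep -c 'PrivateKeyEntry' || true
}

# convert_p12 SRC.p12 DEST.keystore
# The password is read from $KS_PASS (the :env modifier keeps it off the
# command line) and is used for both stores, as the post requires.
convert_p12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$2" -deststorepass:env KS_PASS &&
    chmod 600 "$2"   # the keystore now holds a private key
}

# verify_keystore KEYSTORE: succeeds only if a private key entry is present.
verify_keystore() {
    [ "$(keytool -list -keystore "$1" -storepass:env KS_PASS | count_private_keys)" -ge 1 ]
}

# Constructed samples of `keytool -list` output, for checking the parser offline.
sample_client_store() { cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

1, Jul 16, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
}
sample_trust_only_store() { cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

remote-server, Jul 16, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
}

# Usage: KS_PASS=... sh thisfile.sh SOAPTest01.p12 /root/certs/client_cert.keystore
if [ "$#" -eq 2 ]; then
    convert_p12 "$1" "$2" && verify_keystore "$2" && echo "client key present in $2"
fi
```

If the check reports no private key, the keystore contains only certificates and the server's client-certificate request cannot be answered, which shows up as the handshake_failure from the first post.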

Re: How to use a pkcs12 certificate with SOAP-driver

These are great steps. If you can find places in the SOAP driver
documentation where improvements would help, please submit feedback. The
more details the better... maybe even include a link to this thread.

Good luck.