9 Replies Latest reply: Oct 16, 2012 11:39 PM by 968690

Two way ssl (how to validate the client running machine)

968690 Newbie
Hi all,
I'm new to Java and need help.

We are developing a SOA application based on Oracle Service Bus, using transport-level security with two-way SSL between the service consumer and the proxy service. The customer uses our jar library (which retrieves data from the proxy service) and a client certificate issued by us. As I know, in "two way ssl" the server validates the client certificate by CN=Hostname and the certificate's validity period.

But the customer wants to use our jar library on only one particular computer, because of data confidentiality.
Is there any way to include the MAC address or machine ID etc. in the certificate file? If not, how do we accomplish the customer's request?

Thank you.
  • 1. Re: Two way ssl (how to validate the client running machine)
    EJP Guru
    As I know, in "two way ssl" the server validates the client certificate by CN=Hostname and the certificate's validity period.
    It does a great deal more than that. It checks whether the peer owns the certificate, whether the certificate signer is trusted, whether the certificate is intact, ...
    But the customer wants to use our jar library on only one particular computer, because of data confidentiality.
    So he should only put the keystore containing the private key on that machine.
    Is there any way to include the MAC address or machine ID etc.
    No.
  • 2. Re: Two way ssl (how to validate the client running machine)
    968690 Newbie
    Hi EJP,
    thanks for the quick reply.
    EJP wrote:
    But the customer wants to use our jar library on only one particular computer, because of data confidentiality.
    So he should only put the keystore containing the private key on that machine.
    The customer is already using our jar lib successfully.
    Is there any way to include the MAC address or machine ID etc.
    No.
    Is there any way to allow access to the proxy service from only one particular machine?

    Thank you.

    Edited by: user2362134 on Oct 16, 2012 6:48 PM
  • 3. Re: Two way ssl (how to validate the client running machine)
    EJP Guru
    So he should only put the keystore containing the private key on that machine.
    The customer is already using our jar lib successfully.
    I don't see what that has to do with it. Do you? I am talking about the keystore, not the .jar file.
  • 4. Re: Two way ssl (how to validate the client running machine)
    968690 Newbie
    EJP wrote:
    So he should only put the keystore containing the private key on that machine.
    The customer is already using our jar lib successfully.
    I don't see what that has to do with it. Do you? I am talking about the keystore, not the .jar file.
    Sorry for the confusion. The customer has already put the certificate into their keystore and is successfully consuming the proxy service using our jar lib. But they want to consume the proxy service from only one particular machine.

    Edited by: user2362134 on Oct 16, 2012 7:26 PM
  • 5. Re: Two way ssl (how to validate the client running machine)
    EJP Guru
    So he should only put the keystore containing the private key on that machine.
    The customer is already using our jar lib successfully.
    I don't see what that has to do with it. Do you? I am talking about the keystore, not the .jar file.
    Sorry for the confusion. The customer has already put the certificate into their keystore and is successfully consuming the proxy service using our jar lib. But they want to consume the proxy service from only one particular machine.
    So he should only put the keystore containing the private key on that machine.

    As I said.

    In any case, which client machine can run your code isn't your problem. It's strictly the client's problem, and he has a large number of tools available to deal with it, starting with who has physical access to the workstation, what is installed on it, etc. There is certainly nothing in the SSL domain that will deal with it except restricting the availability of the private key, which again is entirely the client's responsibility. It's his key.
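The checks EJP lists in reply 1 (the peer owns the certificate, the signer is trusted, the certificate is intact) and the conclusion in this reply that the only lever in the SSL domain is who holds the private key, as an added example that is not from this thread, from the OP's jar library or from Oracle Service Bus. It is a Go program (chosen so it runs offline and in-process; the thread's own stack is Java) that builds a throwaway CA in memory, issues a server certificate and client certificates from it, and runs mutual-TLS handshakes against an in-process server. The TLS layer verifies the chain to the CA, the validity period and, through the handshake's CertificateVerify message, that the client actually holds the private key; a VerifyPeerCertificate hook then pins the SHA-256 of the issued certificate's public key, which is as close as a server can get to "only this consumer". The CA names, the hostname proxy.example.com, the CN customer-workstation and the rogue CA are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn signed by parent (a self-signed CA when parent is nil); everything stays in memory.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // so the server cert matches the loopback dial
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil { // self-signed root that may sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// SPKIFingerprint hashes the certificate's public key; pinning it ties access to the key pair we issued, not to a CN.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ServerConfig: the TLS layer checks the chain to our CA, the validity period and, via the handshake's
// CertificateVerify, that the peer holds the private key; VerifyPeerCertificate then pins the one issued cert.
func ServerConfig(srv tls.Certificate, trusted *x509.CertPool, allowedSPKI string) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{srv},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              trusted, MinVersion: tls.VersionTLS12,
		SessionTicketsDisabled: true,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if leaf := chains[0][0]; SPKIFingerprint(leaf) != allowedSPKI {
				return fmt.Errorf("%q is not the certificate issued to this consumer", leaf.Subject.CommonName)
			}
			return nil
		},
	}
}

// Handshake runs one mutual-TLS handshake against an in-process server and returns the server's verdict
// (under TLS 1.3 the client can finish before the server has judged its certificate, so the client's view is not enough).
func Handshake(cfg *tls.Config, client tls.Certificate, trusted *x509.CertPool) bool {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		verdict <- conn.(*tls.Conn).Handshake()
	}()
	ccfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: trusted}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), ccfg); err == nil {
		conn.Close()
	}
	return <-verdict == nil
}

// Demo issues the customer's certificate and two impostors; only the pinned key pair gets in, whatever the CN says.
func Demo() (issuedOK, otherKeySameCAOK, sameCNRogueCAOK bool) {
	ca := issue("Example Issuing CA", nil)
	srv := issue("proxy.example.com", &ca)
	cust := issue("customer-workstation", &ca)  // the certificate we issued to the customer
	other := issue("customer-workstation", &ca) // signed by our CA too, but a different key pair
	rogueCA := issue("Rogue CA", nil)
	rogue := issue("customer-workstation", &rogueCA) // same CN, untrusted issuer
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	cfg := ServerConfig(srv, trusted, SPKIFingerprint(cust.Leaf))
	return Handshake(cfg, cust, trusted), Handshake(cfg, other, trusted), Handshake(cfg, rogue, trusted)
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true false false`: the issued certificate is admitted, a second certificate from the same CA is refused by the pin even though its CN is identical, and a certificate with the same CN from an untrusted CA never reaches the pin because chain validation already fails. The pin still identifies whoever holds that private key, not a machine; if the keystore is copied elsewhere the copy is admitted too, which is exactly why the thread's answer is to keep the keystore on the one workstation.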
  • 6. Re: Two way ssl (how to validate the client running machine)
    968690 Newbie
    EJP wrote:
    So he should only put the keystore containing the private key on that machine.
    The customer is already using our jar lib successfully.
    I don't see what that has to do with it. Do you? I am talking about the keystore, not the .jar file.
    Sorry for the confusion. The customer has already put the certificate into their keystore and is successfully consuming the proxy service using our jar lib. But they want to consume the proxy service from only one particular machine.
    So he should only put the keystore containing the private key on that machine.

    I just said that.
    Maybe it's not related to this topic, but
    the customer worries about the case where they lose the keystore file and the jar library.
  • 7. Re: Two way ssl (how to validate the client running machine)
    968690 Newbie
    Okay, thank you for the explanation.
    EJP wrote:
    It's strictly the client's problem, and he has a large number of tools available to deal with it, starting with who has physical access to the workstation,
    Can you suggest one of these tools?
  • 8. Re: Two way ssl (how to validate the client running machine)
    EJP Guru
    The customer worries about the case where they lose the keystore file and the jar library.
    Still not your problem, is it? It's their private key, they have to safeguard it. You can always re-supply your JAR. I don't know what this question is really about.
  • 9. Re: Two way ssl (how to validate the client running machine)
    968690 Newbie
    EJP wrote:
    Still not your problem, is it? It's their private key, they have to safeguard it. You can always re-supply your JAR. I don't know what this question is really about.
    OK, now I understand. Thanks for the explanation.
