
two (2) way SSL communication over t3s from an applet to weblogic

787175 Member Posts: 6
edited Dec 17, 2010 6:36AM in Cryptography
Hi,

I currently have a pile of complex applets that I need to provide 2-way encryption (preferably TLS but SSL is fine for now).
They communicate via 1-way SSL over t3s to weblogic at this time.

How can I get the applet to pull the users certificate from the browser keystore?
Perhaps I can somehow get javascript to pass it to the applet's parameters?
Or do I have to re-write everything to use https and get/post ?

I would rather NOT use a signed applet since this would allow the applet to do things my customers don't want.

Any help is greatly appreciated, searching for this topic is not providing much.
Seems that I want to do something that is not very popular :D

-Fred

Best Answer

  • arshadnoor
    arshadnoor Member Posts: 429
    Answer ✓
    While RMI can definitely work over SSL (http://download.oracle.com/javase/1.4.2/docs/guide/rmi/socketfactory/SSLInfo.html), and since SSL includes ClientAuth capability, logically RMI can work over client-authenticated SSL. However, as with all things in technology, until you have verified this, take all suggestions with a grain of salt: this may very well work only with a Java application and not a Java applet (because of the security restrictions around applets).

    Arshad Noor
    StrongAuth, Inc.

Answers

  • arshadnoor
    arshadnoor Member Posts: 429
    edited Dec 13, 2010 12:34PM
    If all you're looking for is Client SSL Authentication, then you don't need to access the digital certificates through an applet; just enable ClientAuth on your web-server and let the browser handle it for you. While I haven't tried this with Chrome, Safari or Opera, I know for a fact that this works on Firefox and IE.

    If you're trying to access the digital certificates/keys in the browser-keystore for digitally signing some content that the applet creates, you're going to have far more difficulty. About 10-12 years ago, Netscape provided an API that allowed you to digitally sign text-content through JavaScript. That died a quiet death, I think, since I don't know of anyone who used that capability (outside of test environments).

    Years later, Mozilla added the ability to digitally sign XML content using XForms; there is even an add-on for Thunderbird (which uses the same libraries as Firefox for PKCS work): https://addons.mozilla.org/en-US/thunderbird/addon/4522/.

    However, to the best of my knowledge, the only way you can get an applet to access the browser's keystore today is to have the security policy on the client-machine modified to provide access to the local file-system, and the applet then pretty much deals with the keystore and its objects through JCE.

    But, if I'm reading your post correctly, I think all you're looking for is SSL ClientAuth, for which you don't need to do anything other than enable it on your web-server that hosts the applets, and let the browser do the heavy lifting.

    Arshad Noor
    StrongAuth, Inc.
  • 787175
    787175 Member Posts: 6
    I am a little confused on how to build a T3s RMI connection to weblogic using the browser's configuration.
    Could you provide details? What do I pass to the InitialContext?

    I was expecting to somehow pull the certificate from the browser and pass that in the InitialContext.

    -Fred
  • arshadnoor
    arshadnoor Member Posts: 429
    You may find this Introduction to Public Key Cryptography paper (http://docs.sun.com/source/816-6154-10/index.html) very useful.

    When the browser connects to a site that has SSL ClientAuth turned on, the client must prove ownership of a trusted Private Key by digitally signing a nonce (number used once) sent by the server. Browsers that support ClientAuth know how to do this without the applet having to get involved.

    Once the client-authenticated SSL session has been established, you download the applet and establish your RMI connection to the same URL:port using the previously-established SSL session. At that point, your applet is effectively using the client-authenticated session the browser established for you.

    You still won't be able to digitally sign anything in the applet unless the Java security policy is modified on the client to enable access to the keystore by the applet - but if you don't need to sign anything in the applet, it won't matter - you'll have accomplished your objective of strong-authentication between the applet and the server by then.

    Arshad Noor
    StrongAuth, Inc.
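The proof-of-possession step described in the post above (the client signs a server-chosen nonce with the private key behind its certificate, and the server verifies with the certificate's public key) is performed inside the TLS handshake by the browser and server, not by application code. The following is an added example, not code from the thread or from WebLogic, that reduces that exchange to its essentials with the JDK's `java.security` API so the reason a nonce is needed is visible: an in-memory RSA key pair stands in for the browser keystore entry, and the class name and method names are the example's own.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

// Added example: the challenge-response at the heart of SSL/TLS ClientAuth.
public class ClientAuthNonceDemo {

    // Server side: a fresh random nonce for every handshake, so a captured
    // proof cannot be replayed against a later session.
    static byte[] newNonce() {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    // Client side: sign the nonce with the private key that belongs to the
    // client certificate (the browser does this with the keystore entry).
    static byte[] signNonce(PrivateKey key, byte[] nonce) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(nonce);
        return sig.sign();
    }

    // Server side: verify with the public key taken from the presented certificate.
    // A valid signature proves possession of the matching private key.
    static boolean verifyNonce(PublicKey key, byte[] nonce, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(nonce);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair();   // constructed: the user's certificate key pair
        KeyPair impostor = kpg.generateKeyPair(); // constructed: a key the server does not trust

        byte[] nonce = newNonce();
        byte[] proof = signNonce(client.getPrivate(), nonce);

        System.out.println("genuine client: " + verifyNonce(client.getPublic(), nonce, proof));
        System.out.println("wrong key:      " + verifyNonce(impostor.getPublic(), nonce, proof));

        // Replay attempt: the same proof presented against the next handshake's nonce.
        byte[] nextNonce = newNonce();
        System.out.println("replayed proof: " + verifyNonce(client.getPublic(), nextNonce, proof));
    }
}
```

Only the first check succeeds: a signature from another key fails verification, and a replayed proof fails because the nonce has changed. In real TLS the signed material also covers the handshake transcript, which binds the proof to this particular session rather than just to a random number.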
  • EJP
    EJP Member Posts: 32,920 Gold Crown
    edited Dec 13, 2010 6:11PM
    But (a) how is an RMI connection to an HTTPS port going to actually work? and (b) who said anything about RMI?
  • arshadnoor
    arshadnoor Member Posts: 429
    Good point EJP; I missed the RMI part.. Sorry about that. To the OP: why RMI? Why not a web-service that works over HTTPS and can leverage SSL ClientAuth?

    Arshad Noor
    StrongAuth, Inc.
  • 787175
    787175 Member Posts: 6
    Yes RMI.

    As stated in the initial msg, I have a pile of pre-existing applets that need RMI connectivity (well, really T3).

    So.... How about I tunnel the T3 connection through the existing https? Will that work? Supposedly weblogic supports this 'out of the box'.

    -Fred
  • 803417
    803417 Member Posts: 73
    Hi,
    I have a question that is partially related? (:

    Is using client side SSL auth. effective when working (via webservice) with a load balancer (SSL termination) that passes requests to a server connected to it?
    Is this ok? considered a best practice? does the client side certificate add any security?

    THANKS!
  • EJP
    EJP Member Posts: 32,920 Gold Crown
    edited Dec 17, 2010 6:36AM
    By some amazing oversight in the API, it is impossible to attach a handshake completion listener to an RMI/SSL socket, or to get the peer certificate in any other way, e.g. via the SSLSession. This makes RMI/SSL rather useless for any serious cryptological purpose, as you can't perform an authorization step against the peer identity. You have to build your own auth & auth on top of it all.
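The authorization step EJP says you have to build yourself looks like the following on a plain JSSE `SSLServerSocket`, where the `SSLSession` and therefore the peer certificate are available. This is an added example, not code from the thread or from WebLogic: the keystore and truststore file names, the password, the port and the allowlisted subject DN are placeholders and constructed sample values, and the class and method names are the example's own. The point it makes is the difference between `setNeedClientAuth(true)` (no certificate, no session) and `setWantClientAuth(true)` (anonymous clients are still accepted), and that validating the chain is authentication only; whether that verified identity may use the service is a separate check.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;

// Added example: a JSSE server that requires a client certificate and then
// authorizes the verified peer identity against an allowlist.
public class ClientAuthServer {

    // Assumed files and password (placeholders; not from the thread).
    static final String KEYSTORE = "server.p12";      // server key and certificate
    static final String TRUSTSTORE = "client-ca.p12"; // CA(s) that issue client certificates
    static final char[] PASSWORD = "changeit".toCharArray();
    static final int PORT = 8443;

    // Constructed sample allowlist of client subject DNs in RFC 2253 canonical form.
    static final Set<String> ALLOWED_SUBJECTS = Set.of("cn=fred,o=example");

    static SSLContext buildContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);

        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) { ts.load(in, PASSWORD); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // the trust manager authenticates the client chain during the handshake

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Authorization: the handshake already proved the client holds a key for a
    // certificate chaining to a trusted CA; here we decide whether that identity is allowed.
    static String authorize(SSLSession session) throws SSLPeerUnverifiedException {
        Certificate[] chain = session.getPeerCertificates(); // throws if no client certificate was presented
        X509Certificate leaf = (X509Certificate) chain[0];
        String subject = leaf.getSubjectX500Principal().getName(X500Principal.CANONICAL);
        if (!ALLOWED_SUBJECTS.contains(subject)) {
            throw new SSLPeerUnverifiedException("subject not authorized: " + subject);
        }
        return subject;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = buildContext().getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(PORT)) {
            // Mandatory client certificate. setWantClientAuth(true) would instead let
            // clients that present nothing complete the handshake unauthenticated.
            server.setNeedClientAuth(true);
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake(); // complete ClientAuth before any application data flows
                    String who = authorize(client.getSession());
                    System.out.println("authorized " + who + " from " + client.getInetAddress());
                    // hand the socket to the application protocol here
                } catch (SSLException e) {
                    System.out.println("rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

Because `SSLPeerUnverifiedException` is an `SSLException`, both failure modes (no certificate presented, or a certificate whose subject is not on the allowlist) end in the same `rejected:` branch and the connection is closed before any application protocol runs. Checking the subject DN is the simplest form of the allowlist; comparing issuer plus serial number, or a certificate fingerprint, is stricter when several CAs are trusted.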