Two (2) way SSL communication over t3s from an applet to WebLogic

787175
Member Posts: 6
Hi,
I currently have a pile of complex applets that I need to provide 2-way encryption (preferably TLS but SSL is fine for now).
They communicate via 1-way SSL over t3s to weblogic at this time.
How can I get the applet to pull the user's certificate from the browser keystore?
Perhaps I can somehow get javascript to pass it to the applet's parameters?
Or do I have to re-write everything to use https and get/post ?
I would rather NOT use a signed applet since this would allow the applet to do things my customers don't want.
Any help is greatly appreciated, searching for this topic is not providing much.
Seems that I want to do something that is not very popular.
-Fred
Best Answer
-
While RMI can definitely work over SSL (http://download.oracle.com/javase/1.4.2/docs/guide/rmi/socketfactory/SSLInfo.html), and since SSL includes ClientAuth capability, logically RMI can work over client-authenticated SSL. However, as with all things in technology, until you have verified this, take all suggestions with a grain of salt: this may very well work only with a Java application and not a Java applet (because of the security restrictions around applets).
Arshad Noor
StrongAuth, Inc.
Answers
-
If all you're looking for is Client SSL Authentication, then you don't need to access the digital certificates through an applet; just enable ClientAuth on your web-server and let the browser handle it for you. While I haven't tried this with Chrome, Safari or Opera, I know for a fact that this works on Firefox and IE.
If you're trying to access the digital certificates/keys in the browser-keystore for digitally signing some content that the applet creates, you're going to have far more difficulty. About 10-12 years ago, Netscape provided an API that allowed you to digitally sign text-content through JavaScript. That died a quiet death, I think, since I don't know of anyone who used that capability (outside of test environments).
Years later, Mozilla added the ability to digitally sign XML content using XForms; there is even an add-on for Thunderbird (which uses the same libraries as Firefox for PKCS work): https://addons.mozilla.org/en-US/thunderbird/addon/4522/.
However, to the best of my knowledge, the only way you can get an applet to access the browser's keystore today is to have the security policy on the client machine modified to provide access to the local file system, and the applet then pretty much deals with the keystore and its objects through JCE.
But, if I'm reading your post correctly, I think all you're looking for is SSL ClientAuth, for which you don't need to do anything other than enable it on your web-server that hosts the applets, and let the browser do the heavy lifting.
Arshad Noor
StrongAuth, Inc.
-
I am a little confused on how to build a T3s RMI connection to weblogic using the browser's configuration.
Could you provide details? What do I pass to the InitialContext?
I was expecting to somehow pull the certificate from the browser and pass that in the InitialContext.
-Fred
-
You may find this Introduction to Public Key Cryptography paper (http://docs.sun.com/source/816-6154-10/index.html) very useful.
When the browser connects to a site that has SSL ClientAuth turned on, the client must prove ownership of a trusted Private Key by digitally signing a nonce (number used once) sent by the server. Browsers that support ClientAuth know how to do this without the applet having to get involved.
Once the client-authenticated SSL session has been established, you download the applet and establish your RMI connection to the same URL:port using the previously-established SSL session. At that point, your applet is effectively using the client-authenticated session the browser established for you.
You still won't be able to digitally sign anything in the applet unless the Java security policy is modified on the client to enable access to the keystore by the applet - but if you don't need to sign anything in the applet, it won't matter - you'll have accomplished your objective of strong-authentication between the applet and the server by then.
Arshad Noor
StrongAuth, Inc.
-
But (a) how is an RMI connection to an HTTPS port going to actually work? and (b) who said anything about RMI?
-
Good point EJP; I missed the RMI part.. Sorry about that. To the OP: why RMI? Why not a web-service that works over HTTPS and can leverage SSL ClientAuth?
Arshad Noor
StrongAuth, Inc.
-
Yes RMI.
As stated in the initial msg, I have a pile of pre-existing applets that need RMI connectivity (well, really T3).
So.... How about I tunnel the T3 connection through the existing https? Will that work? Supposedly weblogic supports this 'out of the box'.
-Fred
-
Hi,
I have a question that is partially related? (:
Is using client side SSL auth. effective when working (via webservice) with a load balancer (SSL termination) that passes requests to a server connected to it?
Is this ok? considered a best practice? does the client side certificate add any security?
THANKS!
-
By some amazing oversight in the API, it is impossible to attach a handshake completion listener to an RMI/SSL socket, or to get the peer certificate in any other way, e.g. via the SSLSession. This makes RMI/SSL rather useless for any serious cryptological purpose, as you can't perform an authorization step against the peer identity. You have to build your own auth & auth on top of it all.
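The following is an added example, not code from this thread, from Oracle, or from WebLogic. It ties together two points made above: Arshad Noor's explanation that client authentication works because the client proves possession of a private key during the handshake (the certificate itself is public, so handing just the certificate to an applet through its parameters would authenticate nobody), and EJP's point that RMI/SSL gives you no access to the peer certificate, so an authorization step against the peer identity has to be built on top. It uses plain JSSE rather than RMI/t3s so that the server side can reach the verified peer certificate, and it runs as a standalone Java client (not an unsigned applet, which per the thread cannot read a keystore). Everything about the key material is assumed: the PKCS12 files server.p12, client.p12 and truststore.p12 with password "changeit", port 7002, host "localhost", and the authorized subject DN "CN=fred,OU=Users,O=Example" are hypothetical values you would replace with your own.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the forum thread): two-way TLS with JSSE, plus the
 * authorization step against the peer identity that RMI/SSL cannot expose.
 * Assumed, hypothetical inputs: server.p12 and client.p12 hold each side's key
 * and certificate; truststore.p12 holds the CA that issued both. All passwords
 * are "changeit". None of these files or names come from the original page.
 */
public class MutualTlsDemo {
    static final char[] PASSWORD = "changeit".toCharArray();   // assumption
    static final int PORT = 7002;                               // assumption (demo port)

    /** Who may use the service. Authorization is by verified subject DN; the DN is an assumed value. */
    static final Set<String> AUTHORIZED_SUBJECTS = Set.of("CN=fred,OU=Users,O=Example");

    /** Build an SSLContext from a PKCS12 identity keystore and a PKCS12 truststore. */
    static SSLContext buildContext(String keyStorePath, String trustStorePath) throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            identity.load(in, PASSWORD);
        }
        // The private key behind this KeyManager is what actually proves identity in the handshake.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, PASSWORD);

        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: require a client certificate, then authorize on the verified subject DN. */
    static void serve(SSLContext ctx) throws Exception {
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(PORT);
        server.setNeedClientAuth(true);   // two-way: the handshake fails if no acceptable client cert is presented
        try (SSLSocket client = (SSLSocket) server.accept()) {
            client.startHandshake();      // chain validation against the truststore happens here
            Certificate[] chain = client.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            String subject = leaf.getSubjectX500Principal().getName();
            if (!AUTHORIZED_SUBJECTS.contains(subject)) {
                // Authenticated is not authorized: a valid certificate from our CA is not permission by itself.
                throw new SecurityException("peer " + subject + " is not authorized");
            }
            BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
            PrintWriter out = new PrintWriter(client.getOutputStream(), true);
            out.println("hello " + subject + ", you said: " + in.readLine());
        } finally {
            server.close();
        }
    }

    /** Client side: a standalone Java client presents its own key during its own handshake. */
    static String call(SSLContext ctx, String host, String message) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, PORT)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");  // check the server cert matches the host name
            sock.setSSLParameters(params);
            sock.startHandshake();
            PrintWriter out = new PrintWriter(sock.getOutputStream(), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(sock.getInputStream()));
            out.println(message);
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext serverCtx = buildContext("server.p12", "truststore.p12");
        SSLContext clientCtx = buildContext("client.p12", "truststore.p12");
        Thread t = new Thread(() -> {
            try { serve(serverCtx); } catch (Exception e) { throw new RuntimeException(e); }
        });
        t.start();
        Thread.sleep(500);  // crude: give the server a moment to bind
        System.out.println(call(clientCtx, "localhost", "ping"));
        t.join();
    }
}
```

Two things to take from it. First, the client never ships its certificate anywhere as data; JSSE signs inside the handshake with the private key from client.p12, which is why a keystore the JVM can open is the real prerequisite and why an unsigned applet, which cannot open one, cannot do this on its own. Second, the applet's JVM opens its own TCP connection and so performs its own handshake; nothing here reuses a session the browser negotiated, and that is exactly why the server needs the check on `getPeerCertificates()` rather than trusting that the connection arrived "after" the browser authenticated.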
This discussion has been closed.